
Product Overview and Architecture
ePO Cloud 5.5 Essentials
Copyright
Copyright © 2015 McAfee LLC. All rights reserved

The training information in this document is provided in connection with McAfee products. No license,
express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document.
Except as provided in McAfee's terms and conditions of sale for such products, McAfee assumes no liability
whatsoever and McAfee disclaims any express or implied warranty, relating to sale and/or use of McAfee
products including liability or warranties relating to fitness for a particular purpose, merchantability, or
infringement of any patent, copyright or other intellectual property right.

McAfee may make changes to specifications and product descriptions at any time, without notice. McAfee
reserves these for future definition and shall have no responsibility whatsoever for conflicts or
incompatibilities arising from future changes to them. The information here is subject to change without
notice. The products described in this document may contain design defects or errors known as errata which
may cause the product to deviate from published specifications. Effort has been made to ensure the accuracy
of information presented as factual; However, errors may exist.

The statements, comments or opinions expressed by users through the use of McAfee technology resources
are those of their respective authors, who are solely responsible for them, and do not necessarily represent
the views of McAfee and/or its affiliates.
About This Learning Material
Intended Audience for this material: Channel Partners, McAfee Support Agent (new to
the product), Support Partners

Intent of this material


• Describe what ePO Cloud is and its intended capabilities
• Explain the features and benefits available with ePO Cloud
• Describe how the ePO Cloud solution works
• Define ePO Cloud architecture component functionality

Why this material is important to YOU:


The information provided in this material will cover:
• Key ePO Terminology
• What is ePolicy Orchestrator?
• ePO Cloud – Customer Needs
• Goals for the Cloud Release
• Supported Products
• Current SaaS Landscape @ McAfee
• Architecture Overview

Estimated time to complete this module: 0.5 hours

Purpose

In this module, you will learn to:

• Explain what ePO Cloud is and its intended capabilities.
• Understand ePolicy Orchestrator components and how they work together to enhance the security of the systems in the network.
Key ePO Terminology

• Admin: ePO global administrator or network administrator


• ASCI: Agent-to-server communication interval
• ASSC: Agent-to-server secure communication
• Agent: McAfee software used to manage point products on endpoint machines
• Agent GUID: Globally Unique Identifier; random 64-bit value used specifically by ePO
• Client Tasks: Used to deploy product software, perform product updates, and more
• ePO On-Premise: Traditional ePO deployment on customer-supplied and managed
servers
• ePO Cloud: Alternative ePO solution where ePO software is hosted with McAfee owned
and managed servers
• Policy: Settings and configurations applied to point-products on endpoint machines
• Repository: Collection of the software used to deploy and update point products on
endpoint machines
• Point Product: Software installed and managed on endpoint machines (i.e., Threat
Prevention, Firewall, and Web Control)
• Go to https://kc.mcafee.com/content/glossary/index.htm for an online glossary of
technical terms.

What is ePolicy Orchestrator?

• McAfee released the first version of ePolicy Orchestrator (ePO) to meet a growing demand from customers: a way to better manage their anti-virus software.
• ePolicy Orchestrator is the only enterprise-class, open platform to centrally manage security for systems, networks, data, and compliance solutions.
• With end-to-end visibility and powerful automations that slash incident response times, ePolicy Orchestrator dramatically strengthens protection and drives down the cost of managing security.
What is ePolicy Orchestrator?
ePO is designed to:

• Deploy - Deployment of security products, patches and service packs
• Manage - Manage host and network security products
• Update - Update DATs, Engines and the like through distributed repositories
• Report - Reporting and monitoring of the security environment
On-Premise vs In-the-Cloud
Our working list of features in and out of ePO Cloud is:

Features only available in Cloud 5.5:
– Multi-tenancy (5.2)
– Tomcat Farm (5.2)
– Partner Branding (5.2)
– Provisioning (5.2)
– Centralized Authentication (5.2)
– Server Tasks (5.4)

Features not supported in Cloud 5.5:
– Contacts (Address Book)
– Issues
– Certificate Based Authentication
– Registered Servers
– Ticketing
– User Editable Queries
– Automatic Responses
– LDAP/AD Integration / Policy Assignment Rules
– User based policy
– Notifications
– Server Initiated Communication
– External access to Remote commands
– Multiple ePO servers
– Custom dashboards
ePO Cloud – Customer Needs

 The market is embracing "the Cloud", with more and more services, applications, infrastructure, and solutions moving outside the perimeter.
 Security management players are moving to the cloud too
– e.g., Microsoft, Symantec
 McAfee needs to deliver the same management value to cloud customers as to server-based enterprise customers OR we will be dinosaurs.
 Our primary focus:
• Primarily mid-sized
• Prefer not to deploy a server
• Some customers will be partner managed
Goals for the Cloud Release
• Protect 1 to 10K systems in minutes with the
world’s leading security for business
• Stay ahead of the latest threats with McAfee’s
newest Anti-Malware with Proactive Detection,
industry-leading Host IPS Firewall and web
protection
• Experience better performance
– Signatures/DATs are 40% size of traditional
DAT
– Page refresh and reload times
• Install protection with one click with Getting
Started and McAfee Smart Installer for
Windows & Mac
• Easily keep tabs on your PC security with our
all-new, touch enabled end user experience
• Never upgrade your ePO server again – we do it
for you in our Cloud platform
• Use advanced management features including
tags, policies, client tasks and scheduled
reports
Current SaaS Landscape @ McAfee

[Diagram: Current SaaS Landscape. Customers and Partners (Direct, Retail Partners, Partner Portal, 2 Tier Channel) obtain Logins and Subscriptions and Provision through Insight and Support; Policy Management spans the SaaS offerings Security Center, SaaS Email and Web, and MFE Secure Endpoint, each exposed through an API.]
One Place to Manage Everything

• McAfee Partner Portal (partners.mcafee.com): 1000+ Partners
• manage.mcafee.com, ePO Cloud and On-Premise: 56K+ Customers (plus 100K+ migrated SaaS customers)
• McAfee Agent: 62+ Million Deployed (plus 4M migrated SaaS endpoint agents)
• 50+ McAfee Products, 50+ Partner Products
One Place to Manage Everything
Partner Portal / Online Store:

• Add SKU to one price book…
• Write one extension for Cloud and On-Premise ePO…
• Deploy point product via one agent extension to millions of customers.
Supported Products

[Diagram: Client Endpoint stack on the ePO Cloud Platform. McAfee Endpoint Security modules (Threat Prevention, Firewall, Web Control), SaaS Email Protection, Product Improvement Program, Application Control, Device Control, Encryption, etc., all managed through the McAfee Agent.]
Architecture Overview
ePO Cloud 5.5 Architecture

• Simplified User Experience for SMB
• Designed to support the full range of McAfee commercial products
– Not just SaaS product line
– Subject to availability of extensions
• ePolicy Orchestrator – provided in McAfee's managed data centers ("the cloud")
• Managed and maintained by McAfee – customer no longer needs a server
• Multi-tenancy
• Automated provisioning, partner management, branding

[Diagram: McAfee Partners use Ordering & Management and Partner APIs against the Business Center; Business Platform Services connect to McAfee Back Office Systems; ePO Cloud provides the Simplified (SMB) UX and Product Extensions (Endpoint, Web, Email, …) to Customers.]
Business Platform Services (BPS)

• ePO integration into Common Business Partner Portal
• Automated provisioning from business platform services; specific SKUs to be activated; sale of additional nodes; renewal/expiry
• Internal webservices and public applications

[Diagram: the same architecture diagram as the previous slide, highlighting Business Platform Services between the Partner APIs / Business Center and the McAfee Back Office Systems.]
ePO Cloud Components
 ePO Cloud — The center of your managed environment. ePO Cloud
delivers security policies and tasks, controls updates, and processes
events for all managed systems.

 Database — The central storage component for all data created and
used by ePO Cloud.

 McAfee Agent — A vehicle of information and enforcement between the ePO server and each managed system. The agent retrieves updates, ensures task implementation, enforces policies, and forwards events for each managed system. It uses a separate secure data channel to transfer data back to the cloud hosted server.

 Master Repository — The central location for all McAfee updates and signatures, residing on ePO Cloud. The Master repository retrieves user-specified updates and signatures from McAfee.
How it Works - Process

1. Customer purchases ePO Cloud services.
2. Welcome email sent to customer with logon details to ePO Cloud.
3. Customer logs on to ePO Cloud to begin initial configuration and deployment options.
4. Deploy the products and manage in ePO Cloud.
How it Works - Flow

How it Works – Backend Architecture

[Diagram: Target Total End Points Count = 1M; Customers, Partners and McAfee Staff (~50,000 users). Users log in through login.epocloud.mcafee.com; End Point ePO Agents reach pod1.epocloud.mcafee.com and pod2.epocloud.mcafee.com via GTM; DATs are served from a CDN. Denver DC and Miami DC each host a Global Load Balancer for Directors, an Agent Handlers cluster and a Cassandra DB Sync cluster (Ports/Protocol TBD); Plano DC hosts AUTH and trusted BPS. POD #1 ePO Deployment – Master in Denver, Failover in Miami; POD #2 ePO Deployment – Master in Miami, Failover in Denver; MS SQL Database Sync (Port range: 14333 – 14353 ??).]
Summary
• McAfee provides full security management
capabilities from our worldwide data centers.
– Fast, secure policy management
– Automatic updates to stay ahead of the latest threats
– Simple yet powerful user experience

• Beta Signup: https://beta.manage.mcafee.com – ePO Cloud 5.4 loaded in environment as of 10/1/15.
Performance Improvements
Policy Catalog – Performance Graph

[Graph: page timings Before vs After Fix (y-axis 0–35) for Log On, ENDPOINT SECURITY FIREWALL, ENDPOINT SECURITY Web Control, ENDPOINT SECURITY COMMON, McAfee Agent, and Log Off.]
Summary

ePO's powerful management console is available in the cloud – no server or other infrastructure is needed!

McAfee will provide full security management capabilities from our worldwide data centers.

• Fast, secure policy management
• Automatic updates to stay ahead of the latest threats
• Simple yet powerful user experience
Initial Configuration

ePO Cloud 5.5 Essentials


About This Learning Material
Intended Audience for this material: Channel Partners, McAfee Support Agent (new to
the product), Support Partners

Intent of this material


• Walk through the ePO Cloud environment initial configuration

Why this material is important to YOU:


The information provided in this material will cover:
• Getting Started with ePO Cloud
• Guided Configuration
• ePO Console Navigation

Estimated time to complete this module: 0.5 hours

Purpose
In this module, you will learn to:

• Walk through the ePO Cloud environment initial configuration
Getting Started with ePO Cloud
Getting Started with ePO Cloud 5.5
Major setup and steps for ePO Cloud

1. Activate the ePO Cloud server account - Once the customer has purchased
ePO Cloud software, they can activate their account through an email that
the provider sends them.

2. Log on to the ePO Cloud console – Once the account has been activated,
customers should open an internet browser, navigate to the following URL
and enter their ePO Cloud login information: https://manage.mcafee.com

3. Begin initial deployment - The Customize Installation action is run after the user
logs in for the first time, to help get ePO up and running as quickly as possible.

4. Manage the account - Set up and manage the basic features of the account.

5. User accounts - Add additional users to the ePO Cloud server.

6. Dashboards, queries and reports - Dashboards and reports help you keep
constant watch on the environment. The Queries & Reports page gives you
access to the robust reporting features of ePolicy Orchestrator.

Activation Email

ePO Cloud Login
Guided Configuration
Cloud UI – ePO Console

Getting Started with ePO Cloud
Begin Initial Deployment

• The customer can send this URL to their system users.
• The system users run the deployment URL installer and the McAfee Agent is then downloaded to the system.
• When the system running the agent communicates with ePolicy Orchestrator, the point products and policies are then downloaded to the system.
McAfee Smart Installer

Deployment Validation
ePO Cloud Console
ePO Console
ePO uses a menu-based navigation model with a favorites bar you can
customize to get where you need to go quickly.
– Menu sections represent the top-level features of your ePO server.
– As you add new managed products to your server, the associated
interface pages are either added to an existing category, or a new
category is created in the Menu.
– Key navigational controls are the navigation bar and the navigation
Menu, which is accessed by clicking Menu on the navigation bar.

Navigation bar: go quickly to top-level features; it also holds Exit and Help.

Customizable User Interface
Menu Options
Software
Product Deployment

Uninstallation of Product Software

Master Repository
Automation
Server Tasks
• Purge Audit Log
• Purge Server Task Log
• Run Query
• Run Report
• Run Tag Criteria
• System Search by Tag or Group

Server Task Log
Configuration
Server Settings

• Dashboards – Configure the default dashboard monitor refresh interval
• Printing and Exporting – Change the look of headers and footers used in exported documents
Personal Settings

• System Tree Warning – Show or hide the Drag-And-Drop Warning Dialog.
• User Session – Set the user session timeout intervals.
Summary

It’s easy to get up and running with ePO Cloud. The guided configuration makes it simple.

The ePolicy Orchestrator interface uses a menu-based navigation model with a Favorites bar you can customize to get where you need to go quickly.

Menu sections represent the top-level features of the ePolicy Orchestrator software.
ePO User Accounts and Permission Sets
ePO Cloud 5.5 Essentials
About This Learning Material
Intended Audience for this material: Channel Partners, McAfee Support Agent (new to
the product), Support Partners

Intent of this material


• Create user accounts
• Configure settings for Personal Settings, and Users
• Utilize User Management

Why this material is important to YOU:


The information provided in this material will cover:
• User Accounts
• Configuring settings for Personal Settings, and Users
• User Management

Estimated time to complete this module: 0.5 hours

Purpose
In this module, you will learn to …….

• Create user accounts
• Configure settings for Personal Settings, and Users
• Utilize User Management
• Verify permission rights and access
User Accounts
User Account

My Account

My Account – My Profile

My Account – Customer Profile

My Account - Users

My Account - Subscriptions

My Account - Support

User Management
Account Permissions
 Owner users (or owners), who have full administrative rights.
– NOTE: There is only one owner for each customer account.
 Standard users (or simply users), who have limited permissions.
Create User Accounts
Creating a New User
1. To open the New User page, click New User.
2. Type the email address of the person you want to invite to be a user.
3. Click Invite.


Audit Log

Summary

The Profile page shows your user and logon information. You can view and make changes to your profile as well as change your password.

View your active ePO Cloud subscriptions, utilization, and order history.

User accounts allow you to control how users access and use the software. Even the smallest network installations need to specify and control the access users have to different parts of the system.
Managing the System Tree

ePO Cloud 5.5 Essentials


About This Learning Material
Intended Audience for this material: Channel Partners, McAfee Support Agent (new to
the product), Support Partners

Intent of this material


• Provide an overview of the ePO System Tree
• Describe the options available to populate the System Tree
• Describe the various methods of organizing the ePO Cloud System Tree
• Use tagging to manage the System Tree

Why this material is important to YOU:


The information provided in this material will cover:
• Inheritance
• Managing the ePO Cloud System Tree
• Organizing the System Tree
• Creating Groups
• Tagging
• IP Address Sorting
• How ePO Determines Placement
• Sorting Order

Estimated time to complete this module: 0.5 hours

Purpose
In this module, you will learn to …….

• Provide an overview of the ePO System Tree
• Describe the options available to populate the System Tree
• Describe the various methods of organizing the ePO Cloud System Tree
• Use tagging to manage the System Tree
The ePO Cloud System Tree
• Contains all of the systems that ePO manages.
o A system is a managed machine: a server, workstation, laptop or appliance.
o Represented in the System Tree by its NetBIOS name.
• Represented internally to ePO by a Globally Unique Identifier (GUID).
• Primary interface for managing policies and tasks on systems.
System Tree Hierarchical Structure

 My Organization:
• Top level of tree.
• Contains all managed systems.

 Groups:
• Created by owners.
• Let you manage policies for several systems at once, and schedule tasks at any level of the System Tree.
• Can contain systems or other groups, which you can move between groups.

 Lost&Found:
• Contains systems with undetermined locations.

[Diagram: Top level: My Organization; logical groups of systems; Lost&Found.]
Lost and Found Group Characteristics

• When a system is sorted into Lost&Found, it is placed in a subgroup named for the system’s domain or workgroup.
• Users with view permissions to the System Tree can see systems in Lost&Found.
• Characteristics:
o Always appears last in the list (not alphabetized).
o Can NOT be deleted or renamed.
o Its sorting order can NOT be changed.
Inheritance
Inheritance

• Simplifies policy and task administration.
• Child groups can inherit policies from parent groups.
• Enabled by default for all subgroups.
• Can be broken by applying new policies.
• Can be locked to prevent broken inheritance by children.
Organizing the System Tree
Creating the System Tree

• An efficient and well-organized System Tree can simplify maintenance
• No single way to organize the System Tree
• Manually create subgroups to classify systems together
Planning the System Tree

Considerations:
 Grouping systems
 Policy and task management
 Inheritance

Ways to group systems:
• Department or group (Sales, Marketing, Production)
• Physical location
• IP Address (e.g., 172.16.0.0, 192.168.100.0)
• System type or role
Scenario
• Customer has five offices (New York, London, Paris, Dallas, Sydney). How should they organize computers within the System Tree?
Creating Groups

1. Select parent group.
2. Select New Subgroups.
3. Enter name(s) of subgroups.
4. Click OK.
Group Details Tab

Tagging
Tags
 Tags are labels that can be applied to one or
more systems.
 You can organize the System Tree using
tags.
 Tagging has several benefits:
• Machines can now be sorted into groups by their tag,
if desired.
• Assign a task according to a tag.
• Tagging provides virtual grouping by associating
related systems.
• Provides an easy way to identify systems for later
action.
• Systems can have more than one tag assigned.
• Tags can be applied as a result of a query.
• Action can then be taken on the systems based on
tag criteria.

Working with Tags

 Use these tasks to create and apply tags to systems in the System Tree:
o Use the Tag Catalog.
o Create tags with the Tag Builder.
o Exclude systems from automatic tagging.
o Apply tags to selected systems.
o Apply criteria-based tags automatically to all matching systems.
Tag Catalog

Tag Grouping

Creating Tags

Tag criteria are based on properties reported by every system.
Tag Builder Evaluation Page
Defines when tags are applied to matching systems:
o Only when the Run Tag Criteria action is taken.
o On each agent-to-server communication and when the Run Tag Criteria action is taken.

Tag Builder Preview Page
View Summary Information
Some Powerful Uses of Tags
 Automatic System Tree sorting
o All systems with OS Type = “Windows
7”, System Name starts with “DSKTP”,
and IP Address is between
“192.168.1.1 – 192.168.1.200” to be
placed into group “Chicago Office
Desktops”.

 System identification
o Example: Tag virtual systems that are
running under VMware ESX
 Tag is applied if the MAC address of a
machine begins with “000C29”.

 Label special case systems
o Exclude from policies.
o Move to a new group.
o Assign a client task to a tag.
Viewing Systems with the Tag Applied
• Use this page to view all systems with the selected tag applied.
• From this page, you can take actions on one or more systems listed.

Excluding Systems from Automatic Tagging

1. Select the system(s).
2. Click Actions > Tag > Exclude Tag.
3. Select tag, then OK.

Manually Applying Tags

1. Select the system(s).
2. Click Actions > Tag > Apply Tag.
3. Select tag, then OK.

Clearing Tags

1. Select the system(s).
2. Click Actions > Tag > Clear Tag.
3. Select tag > Clear All > then OK.

Applying Criteria-based Tags
• Run Tag Criteria.
• Schedule to run periodically.

Using Tags with Server Tasks
Example:
• Run Query with sub-action of Move Systems and Apply Tag
Sorting Systems in the ePO System Tree
Sort Settings for Systems
Criteria-based Sorting
• Systems only need to match one criterion of a group's
sorting criteria to be placed in the group.

• Change Sorting Status
• Move Systems
• Sort Now
• Test Sort

Tags as Sorting Criteria
IP Address as Sorting Criteria
• You can sort systems into groups based on their IP
address information:
o Subnet mask: 192.168.1.0/24
o IP address range: From 192.168.2.1 – 192.168.2.255
o Single IP: 172.16.1.199
o IPv6 format is supported

Using IP Address Filtering
 ePO uses a search algorithm to place systems in the System Tree. Example of nested IP-range criteria on a group and its subgroups:

192.168.101.1 - 192.168.103.254
    192.168.101.1 - 192.168.101.254
        192.168.101.1 - 192.168.101.240
        192.168.101.241 - 192.168.101.254
    192.168.102.1 - 192.168.102.254
Check IP Integrity

 Each IP range or subnet mask in a group’s sorting criteria should cover a unique set of IP addresses.
 If criteria do overlap, the group where those systems end up depends on the order of the subgroups on the System Tree > Group Details tab.
 You can check for IP overlap using the Check IP Integrity action in the Group Details tab.
Resolve Sorting Conflicts
• Resolve IP address sorting conflicts between a group and
a subgroup

How Systems are First Placed in System Tree

• On first ASCI, ePO tries to locate the system in the System Tree using its Agent GUID.
• For new systems, the server uses the sorting algorithm to place the system in the tree.
• The server applies criteria-based tags to the system (if configured) to determine the group in which to place the system.

If sorting is disabled on the system, the system is left where it is.
If sorting is enabled, the system is moved based on the sorting criteria in the System Tree groups.
How ePO Cloud Determines Placement
Starting at the top of the subgroup list:

1. The server searches for a system without an agent GUID (its agent has never called in before) with a matching name in a group with the same name as the domain.
2. If there is a match, the system is placed in that group.
3. If there is no match, ePO searches for a group of the same name as the domain from which the system originates.
4. If there is a match, the system is placed in that group.
5. If there is no match, a group is created under the Lost&Found group, and the system is placed there.
6. Properties are updated for the system.
Changing the Sort Order on Groups
• The system is placed in the first group with matching criteria or catch-all group that the server considers.
• When sorted into a group, each of its subgroups is considered for matching criteria according to their sorting order on the Group Details tab.
• This continues until there is no subgroup with matching criteria for the system, and the system is placed in the last group found with matching criteria.
Sort Order

 If no top-level group is found, then subgroups of top-level groups without sorting criteria are considered according to their sorting order.
 If no second-level criteria-based group is found, then criteria-based third-level groups of the second-level unrestricted groups are considered.
 If the server cannot sort the system into any group, it is placed in the Lost&Found group within a subgroup named after its domain.

Subgroups of groups with non-matching criteria are not considered: a group must have matching criteria or have no criteria in order for its subgroups to be considered for a system.
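As an added example (not McAfee code), the criteria-based tagging from the "Some Powerful Uses of Tags" slide and the sorting rules from the IP filtering, Check IP Integrity and Sort Order slides above, worked in Python over a constructed System Tree: Tag Builder style rules, the one-criterion-suffices group match, an overlap scan, the sort-order walk through criteria-based and unrestricted groups, and the Lost&Found fallback. The System and Group classes, the rule syntax, the group names and the host records are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class System:
    name: str
    domain: str
    ip: str
    os_type: str = ""
    mac: str = ""
    tags: set = field(default_factory=set)


@dataclass
class Group:
    name: str
    # [("ip", range|subnet|single IP) | ("tag", tag name)]; None = no sorting criteria
    criteria: Optional[List[Tuple[str, str]]] = None
    subgroups: List["Group"] = field(default_factory=list)


def ip_span(spec: str):
    """(first, last) address of an 'a - b' range, a CIDR subnet, or a single IP."""
    spec = spec.replace(" ", "")
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net[0], net[-1]
    return ipaddress.ip_address(spec), ipaddress.ip_address(spec)


def _test(actual: str, op: str, expected: str) -> bool:
    """One Tag Builder property test: equals, starts with, or IP 'between' a span."""
    if op == "eq":
        return actual == expected
    if op == "startswith":
        return actual.upper().startswith(expected.upper())
    lo, hi = ip_span(expected)  # op == "between"
    return lo <= ipaddress.ip_address(actual) <= hi


# Constructed Tag Builder rules mirroring the two examples on the slide.
TAG_RULES = [
    ("Chicago Office Desktops", [("os_type", "eq", "Windows 7"),
                                 ("name", "startswith", "DSKTP"),
                                 ("ip", "between", "192.168.1.1 - 192.168.1.200")]),
    ("VMware", [("mac", "startswith", "000C29")]),
]


def apply_tag_criteria(system: System, rules=TAG_RULES) -> set:
    """Criteria-based tagging: a tag is applied when every test of its rule passes."""
    for tag, tests in rules:
        if all(_test(getattr(system, prop), op, val) for prop, op, val in tests):
            system.tags.add(tag)
    return system.tags


def matches(group: Group, system: System) -> bool:
    """A system needs to match only ONE criterion of a group's sorting criteria."""
    return any((k == "ip" and _test(system.ip, "between", v)) or
               (k == "tag" and v in system.tags) for k, v in group.criteria or [])


def check_ip_integrity(group: Group) -> List[Tuple[str, str]]:
    """Check IP Integrity: pairs of subgroups whose IP criteria overlap."""
    spans = [(sub.name, *ip_span(v)) for sub in group.subgroups
             for k, v in (sub.criteria or []) if k == "ip"]
    return [(a, b) for i, (a, lo1, hi1) in enumerate(spans)
            for b, lo2, hi2 in spans[i + 1:] if lo1 <= hi2 and lo2 <= hi1]


def _descend(group: Group, system: System) -> Optional[List[str]]:
    # Criteria-based subgroups first, in sort order: the first match wins, then
    # the walk continues so the system lands in the LAST matching group.
    for sub in group.subgroups:
        if sub.criteria is not None and matches(sub, system):
            return [sub.name] + (_descend(sub, system) or [])
    # Only then are subgroups of unrestricted groups considered (never those of
    # groups whose criteria did not match).
    for sub in group.subgroups:
        if sub.criteria is None:
            deeper = _descend(sub, system)
            if deeper:
                return [sub.name] + deeper
    return None


def sort_system(root: Group, system: System) -> str:
    """Path of the group a new system is sorted into on its first ASCI."""
    path = _descend(root, system)
    if path is None:  # cannot be sorted: Lost&Found subgroup named after the domain
        path = ["Lost&Found", system.domain]
    return "/".join([root.name] + path)


# Constructed System Tree using the IP ranges from the slides above.
TREE = Group("My Organization", subgroups=[
    Group("Chicago", [("ip", "192.168.101.1 - 192.168.103.254")], [
        Group("Desktops", [("ip", "192.168.101.1 - 192.168.101.240")]),
        Group("Servers", [("ip", "192.168.101.241 - 192.168.101.254")]),
        Group("Laptops", [("ip", "192.168.101.200 - 192.168.101.254")]),  # overlaps both
    ]),
    Group("Offices", subgroups=[  # unrestricted: its subgroups are still considered
        Group("Chicago Office Desktops", [("tag", "Chicago Office Desktops")]),
        Group("Virtual", [("tag", "VMware")]),
    ]),
])
```

Because Laptops overlaps Servers, a host at 192.168.101.250 still lands in Servers only because Servers precedes Laptops in the sort order, which is exactly what Check IP Integrity is meant to surface.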
Adding Sorting Criteria to Groups

Test Sorting Systems
• Displays a preview of the System Tree structure using the current sort criteria.
• Lets you test your sorting criteria before committing.

1. Select system.
2. Click Actions.
3. Select Directory Management.
4. Select Test Sort.
Manually Moving Systems
Two methods move systems from one group to another:
1. From the group's Systems tab:
 Select the system(s) to move and click the Actions button. Choose Directory Management > Move Systems.
 Select sorting options and the group to which the system is to move.
2. Drag and drop the system onto any group in the System Tree.
 The system inherits the new parent group's sorting criteria and policies.
Sequencing Errors and Duplicate GUIDs
• ePO has a feature called sequence checking. This basically enables the server to keep track of the number of connections the client makes and detect whether or not the connection falls out of sequence.
• When a managed client communicates with the ePO Server, the server logs a sequence number for that machine.
About Sequence Errors
Common Causes:
o Virtual Machine snapshots
NOTE: Deep Freeze does essentially the same thing. It reverts the machine back to the original state at every system restart.
o Imaging machines using a company image with the McAfee Agent included

Resolution:
o Identify machine(s) with the problem – add a Sequence Errors column
o From the Actions menu, select Directory Management
 Move GUID to Duplicate List and Delete System
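The sequence-checking behaviour above, replayed over constructed check-in records as an added example (not McAfee code). The record layout, the "counter not higher than the last one seen" rule and the triage split between a single-host revert and a duplicated GUID are simplifying assumptions of this example, not a description of the server's internals.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed agent check-in records (not real ePO data):
# (agent GUID, reported host name, connection counter sent by the agent).
CHECKINS = [
    ("GUID-AAAA", "WS-101", 1),
    ("GUID-AAAA", "WS-101", 2),
    ("GUID-AAAA", "WS-101", 3),
    ("GUID-BBBB", "VM-LAB01", 7),
    ("GUID-BBBB", "VM-LAB01", 8),
    ("GUID-BBBB", "VM-LAB01", 4),      # snapshot reverted: counter went backwards
    ("GUID-CCCC", "IMG-DSKTP01", 1),
    ("GUID-CCCC", "IMG-DSKTP02", 1),   # second clone of the golden image, same GUID
    ("GUID-CCCC", "IMG-DSKTP01", 2),
]


def sequence_check(checkins) -> Tuple[Dict[str, int], List[str]]:
    """Replay check-ins as a sequence-checking server would (simplified model).

    A connection is out of sequence when its counter is not higher than the
    last one recorded for that GUID. Returns the per-GUID count of sequence
    errors and the GUIDs reported by more than one host name, which is the
    signature of an agent GUID duplicated by imaging.
    """
    last_seq: Dict[str, int] = {}
    hosts = defaultdict(set)
    errors = defaultdict(int)
    for guid, host, seq in checkins:
        hosts[guid].add(host)
        if guid in last_seq and seq <= last_seq[guid]:
            errors[guid] += 1
        last_seq[guid] = max(seq, last_seq.get(guid, seq))
    duplicates = sorted(g for g, h in hosts.items() if len(h) > 1)
    return dict(errors), duplicates


def triage(checkins) -> List[Tuple[str, str]]:
    """Map each flagged GUID to a follow-up: the slide's resolution for a
    duplicated GUID, or a review for snapshot / Deep Freeze reverts when the
    errors come from a single host (the split is this example's assumption)."""
    errors, duplicates = sequence_check(checkins)
    actions = []
    for guid in sorted(set(errors) | set(duplicates)):
        if guid in duplicates:
            actions.append((guid, "Move GUID to Duplicate List and Delete System"))
        else:
            actions.append((guid, "Single host: review for VM snapshot / Deep Freeze revert"))
    return actions
```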
Summary

The System Tree is a graphical representation of how the managed network is organized.

The organizational structure put in place affects how security policies are inherited and enforced throughout the environment.

Inheritance is an important property that simplifies policy and task administration. Because of inheritance, child groups in the System Tree hierarchy inherit policies set at their parent groups.
Managing Policies

ePO Cloud 5.5 Essentials


About This Learning Material
Intended Audience for this material: Channel Partners, McAfee Support Agent (new to
the product), Support Partners

Intent of this material


• Describe the purpose of policies
• Create and edit policy objects in the policy catalog
• Manage policy configuration and assignment
• Enforce policy changes on client machines

Why this material is important to YOU:


The information provided in this material will cover:
• Policies
• Policy Catalog
• Policy Assignments
• Enforcement Status

Estimated time to complete this module: 0.5 hours

Purpose
In this module, you will learn to …….
• Describe the purpose of policies
• Create and edit policy objects in the policy
catalog
• Manage policy configuration and assignment
• Enforce policy changes on client machines

Policies
Policy Management
• A policy is a collection of settings that you create,
configure, then enforce. Policies ensure that the
managed security software products are
configured and perform accordingly.

• Some policy settings are the same as the settings you configure in the interface of the product installed on the managed system. Other policy settings are available through ePO as the primary interface for configuring the product or component.
• New policies are enforced at the next ASCI (every 60 minutes by default).
Policy Catalog
Policies and the Policy Catalog
• Displays policies for managed products (extensions in
Repository).
o McAfee Default: Cannot be renamed, edited, or deleted but can be duplicated.

Creating a New Policy
• Policy Catalog > New Policy
o Can be based on existing policy

Duplicating a Policy
• From Policy Catalog, click Duplicate link on any policy.
• Provide a new name for the copy.
• Edit policy configuration to meet your needs.

Editing a Policy
• Policies can be edited in two locations:
o Policy Catalog: edit the settings by clicking the hyperlinked name of the policy.
o System Tree: click the hyperlinked name of the policy on the Assigned Policies tab of any given group.

Renaming or Deleting a Policy
• Use links in Policy Catalog to Rename or Delete a policy.
• When you delete a policy, all groups and systems where it is currently applied inherit the policy of their parent group.

Policy Assignments
Policy Assignment and Inheritance
(Diagram: the McAfee Default policy is assigned at the top of the System Tree and inherited below it; Policy A is assigned at a lower group and inherited by that group's subgroups; Policy B is assigned further down.)
Viewing Policy Assignments
• Select System Tree > Assigned Policies
• Select the group in System Tree, then click Assigned
Policies tab
• Inherited by subgroups by default

Assigning a Policy to a Group Node
1. Select the group in System Tree.
2. Click Assigned Policies tab.
3. Click Edit Assignment.
4. Select Inheritance.
5. Select Policy.
6. Select Lock/Unlock.
Assigning a Policy to a Managed System
 Select the desired system, then click Actions - Agent -
Modify Policies on a Single System.

Assigning Policy to Multiple Managed Systems
 Select the desired systems, then click Actions > Agent >
Set Policy & Inheritance.

Policy Assignment Rules
 Can be based on:
o System-based policies — Policies that include only system-based criteria. For example, you can create a policy assignment rule that is enforced for all servers on your network based on the tags you've applied, or all systems in a specific location in your System Tree. System-based policies cannot include user-based criteria.

Creating Policy Assignment Rules

 Select Menu > Policy > Policy Assignment Rules > New Assignment Rule.
- Assignment can be based on tags.
o System criteria required for all rules
- Select policies to assign.

Policy Assignment Rule Priority

Policy Assignment Rule Priority (cont’d)
• Consider a user who is included in two policy assignment rules: Rules A and B.
• Rule A has priority level 1, and allows included users unrestricted access to Internet content.
• Rule B has priority level 2, and heavily restricts the same users' access to Internet content.
• In this scenario, Rule A is enforced because it has higher priority.
• As a result, the user will have unrestricted access to Internet content.
Policy Enforcement Status
• Default Enforcement Status is Enforcing
• Product policies not enforced are still sent to client
Product Enforcement Status
• Product enforcement status indicates how many groups
have enforcement disabled.
• Click the link to see group(s) where enforcement of this
policy is disabled.

Locking Assignment and Enforcement
• Can be locked at any location within the System Tree.
• Locking does not prevent a policy from being modified, it
simply prevents policy assignments from being modified
in subgroups.

Resetting Broken Inheritance
1. Select Assigned Policies tab.
2. Select Broken Inheritance link.
3. Click Actions: Reset Inheritance.
Copying and Pasting Assignments
 Copy and paste policy assignments from one group or
system to another.

Policy Comparison
• Compare like policies using Policy Comparison.
• This allows you to determine which settings are different and which are the same.

When Policies are Enforced
• At the Policy Enforcement Interval
• At the next agent-server communication interval
• Check New Policies button (client)

Policy History
New Feature in ePO Cloud 5.4
Policy History - Overview
Click the Policy History entry under Policy to view detailed
historical information.

Policy History - Details
The Policy History section logs the following information:
• Date Saved
• User
• Comment
• Product Version

DEMO – Policy History

http://bcove.me/gsrac20r

Affected Systems Information
New Feature in ePO Cloud 5.4
Affected Systems Information - Tag
(Screenshots comparing Cloud 5.2 with Cloud 5.4 and later)
Affected Systems Information - Policy
(Screenshots comparing Cloud 5.2 with Cloud 5.4 and later)
DEMO – Affected Systems Information - Tags

http://bcove.me/4j7uzx5r

Summary

Policies make sure that a product's features are configured correctly on the managed systems. Managing products from a single location is a central feature of ePolicy Orchestrator. This is accomplished through application and enforcement of product policies.

A policy is a collection of settings that you create and configure, then enforce. Policies make sure that the managed security software products are configured and perform accordingly.

McAfee Agent Deployment
and Policy Configuration
ePO Cloud 5.5 Essentials
About This Learning Material

Intent of this material
• Define the options available for McAfee Agent deployment
• Identify troubleshooting steps for Agent deployment/installation
• Explain the details of the McAfee Agent Policy
• Make changes to McAfee Agent Policy Configuration
• Enforce policy changes onto the managed client

Why this material is important to YOU:
The information provided in this material will cover:
• McAfee Agent Overview
• Agent-to-Server Communication
• Installing the McAfee Agent
• System Requirements
• Agent Policy Overview
• Agent Policy Options

Estimated time to complete this module: 0.5 hours

Purpose
In this module, you will learn to:
• Define the options available for McAfee Agent deployment
• Identify troubleshooting steps for Agent deployment/installation
• Explain the details of the McAfee Agent Policy
• Make changes to McAfee Agent Policy Configuration
• Enforce policy changes onto the managed client

McAfee Agent Overview
McAfee Agent 5.0
 Next Gen Agent
– New Service-based Architecture
 Objectives
– To architect a new McAfee Agent as a secure modular framework technology enabling consistent and efficient management for a broad range of mobile, embedded, traditional system, appliance, M2M, cloud and virtual environments.
– To provide an extensible open services architecture.
– To enable a flexible, secure, network-friendly delivery mechanism for content, policy, events, and products.
 Deliverables
– VDI support
– Data channel improvements
– Bandwidth controls
– Hierarchical super agents
– Relay capabilities
– Peer to peer
– New deployment mechanisms, especially for cloud

Requirements for McAfee Agent 5.0
 Message Bus
 McAfee Agent Services
– Property, Policy, Event
– Scheduler/Task
– Licensing
 Common Libraries – Logger, Dispatcher
 Agent Mesh: P2P, Relay
 McAfee Agent ePO Extension
 McAfee Agent Integration SDK
 Backward Compatibility / Legacy Support
– LPC and Plug-In based Integration (will be phased out in future versions)
– Feature parity with MA 4.8 (e.g. Deployment and Updating, UI, Crypto, UBP)
 Native 64 bit support for latest OS releases on supported OS distributions
 Standardization across platforms
– Focus on best implementation, when in doubt use Windows implementation
 OS Support Matrix to be defined through the OS Support Matrix Process
 Languages supported are the superset of VSE/Harvey and ePO languages.
– Extensions, help and documentation will only be in ePO languages.

NOTE: MA 5.0 is supported with ePO 5.1 (and later).


McAfee Agent 5.0 Architecture
MA 5.0 Architecture
(Architecture diagram slides)
Agent-to-Server Communication
Agent-to-Server Communication
 Agent-to-Server (ASC) information is transferred using our proprietary network protocol (SPIPE).
 Agent-to-Server Communication is encrypted using Transport Layer Security (TLS).
 All encryption is 128-bit strength and, except for Mac OS X, is FIPS 140-2 compliant.
 Agent-to-Server Communication can be initiated in these ways:
o Agent-to-Server Communication Interval (ASCI) lapses
o A scheduled wake-up task runs on the client system
o Communication initiated manually from the managed system
Agent-to-Server Communication Interval
ASCI

 Determines how often McAfee Agent calls server.

 Default is 60 minutes.

 At each ASCI:
o Agent collects and sends properties to server and/or Agent Handler.
o Agent sends events occurring since last ASCI.
o Server sends new policies/tasks.
o Agent enforces policies.

ASC Interruption Handling
 Agent-to-Server connection algorithm is designed to re-attempt communication if its first attempt fails.
 Cycles through these connection methods six times or until a set of responses is returned:
o IP address
o Fully qualified domain name (FQDN)
o NetBIOS

ASC Interruption Handling (cont’d)
The agent stops this cycle if a connection attempt results in
any of the following:

• No error
• Download failed
• Upload failed
• Agent is shutting down
• Transfer aborted
• Server busy (status code from ePO)
• Upload success (status code from ePO)
• No package to receive (status code from ePO)
• Agent needs to regenerate GUID (status code from ePO)
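The retry cycle described above, as an added Python simulation (not McAfee code): the method order, the six-cycle limit and the list of terminal results follow the slides; the "no response" outcome and the scripted attempt sequences are constructed for the demonstration.

```python
"""Simulation of the McAfee Agent agent-to-server (ASC) retry cycle.

Added example, not McAfee code. It models the behaviour the slides describe:
the agent cycles IP address -> FQDN -> NetBIOS up to six times and stops as
soon as an attempt ends with one of the listed terminal results. Attempt
outcomes are constructed strings; no network connection is made.
"""
from collections import Counter
from typing import Callable, Dict, List, Tuple

CONNECTION_METHODS = ("ip", "fqdn", "netbios")
MAX_CYCLES = 6

# Results that end the retry cycle (the list on the ASC Interruption Handling slide)
TERMINAL_RESULTS = {
    "no error",
    "download failed",
    "upload failed",
    "agent is shutting down",
    "transfer aborted",
    "server busy",                      # status code from ePO
    "upload success",                   # status code from ePO
    "no package to receive",            # status code from ePO
    "agent needs to regenerate guid",   # status code from ePO
}

# Constructed outcome for an attempt that got no answer at all (e.g. name did not resolve)
NO_RESPONSE = "no response"

Attempt = Tuple[str, str]   # (connection method, result)


def asc_retry(attempt: Callable[[str], str]) -> Tuple[str, List[Attempt]]:
    """Run the retry cycle; attempt(method) returns one connection result.

    Returns (final_result, history). final_result is "exhausted" when all
    six cycles pass without a terminal result.
    """
    history: List[Attempt] = []
    for _ in range(MAX_CYCLES):
        for method in CONNECTION_METHODS:
            result = attempt(method)
            history.append((method, result))
            if result in TERMINAL_RESULTS:
                return result, history
    return "exhausted", history


def scripted(outcomes: List[str]) -> Callable[[str], str]:
    """Attempt function that replays a constructed outcome list, then NO_RESPONSE."""
    it = iter(outcomes)
    return lambda method: next(it, NO_RESPONSE)


def failures_by_method(history: List[Attempt]) -> Dict[str, int]:
    """Count non-terminal attempts per method: a quick view of which name path is broken."""
    return dict(Counter(m for m, r in history if r not in TERMINAL_RESULTS))


if __name__ == "__main__":
    # Constructed scenario: first cycle gets no answer on any name; IP works on cycle two.
    result, hist = asc_retry(scripted([NO_RESPONSE] * 3 + ["upload success"]))
    print(result, len(hist), failures_by_method(hist))
    # An immediate "server busy" is terminal: the agent does not try the other names.
    print(asc_retry(scripted(["server busy"]))[0])
    # Nothing ever answers: 3 methods x 6 cycles = 18 attempts, then give up.
    print(len(asc_retry(scripted([]))[1]))
```

When troubleshooting, the per-method failure count tells you whether only one name path (for example FQDN resolution) is broken or the server is unreachable on every path.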

Installing the McAfee Agent
Agent System Requirements

Component: Minimum Requirements
Installed disk space: 50 MB, excluding log files
Memory: 512 MB RAM
Processor Speed: 1 GHz

Supported Windows Operating Systems
• Windows 8.1
• Windows 8
• Windows 2012
• Windows 2008
• Windows 7
• Windows Vista
• Windows 2003
• Windows XP

The article KB51573 contains all the details about the latest supported versions of ePO, Windows workstation and server, and Non-Windows Operating Systems.

Supported Non-Windows Operating Systems

• Mac OS X
• Oracle Linux
• Red Hat Enterprise Linux
• CentOS
• SUSE Linux
• openSUSE
• McAfee Linux Operating
System (MLOS)
• Ubuntu
• Debian
• iOS

Additional Supported Platforms
• Windows 2008 Server Hyper-V
• Citrix XenDesktop
• Citrix XenServer
• ESX
• VMware Workstation
• VMware Server
• VMware player
Supported Languages
• Brazilian (Portuguese)
• Chinese (Simplified)
• Chinese (Traditional)
• Czech
• Danish
• Dutch
• English
• Finnish
• French
• German
• Italian
• Japanese
• Korean
• Norwegian
• Polish
• Portuguese
• Russian
• Spanish
• Swedish
• Turkish
Agent Installation Options
Agent installation is only available through the Deployment URL.

Can be provided to other users.

Creating the Agent Deployment URL
You must send the Agent Deployment URL to all system users whose systems you want to manage with ePO Cloud.

When you send the Agent Deployment URL to the users of the systems in your network, the endpoint users navigate to the Agent Deployment URL, open it, and the installer starts this process:
• The system communicates back to ePO and adds the system to the System Tree group you created. For example, the system is added to the group "AllWindowsSystems".
• The McAfee Agent, configured in the URL, is downloaded to the system and a Product Deployment task is automatically assigned to the system during the first communication.
• After the McAfee Agent is installed, it starts downloading the product software you selected when you created the Agent Deployment URL.
• After these communications the system appears in the selected group of the System Tree as managed.

Creating the Agent Deployment URL
(Screenshot slides of the Agent Deployment URL wizard)
McAfee Smart Installer
(Screenshot slide)
Post Installation - Files and Services
Agent Installation Directory
• Windows
o <System_Drive>:\Program Files (Program Files (x86))\McAfee\Agent

• Non-Windows
o /opt/McAfee/agent/

McAfee Agent Windows Install Logs
• On Windows client systems, the install logs are saved in: %TEMP%\McAfeeLogs.

Windows Install Log: Description
Frminst_<System_Name>.log: Install log. It records installation of the McAfee Agent. This file contains informational messages, progress messages, and failure messages if the installation fails.
Frminst_<System_Name>_Error.log: Agent install error log. Contains details about recorded errors.
MFEAgent.msi.<date.time>.log: MSI install log. Contains details about the MSI installation of the agent.
Ma_vscore_install_<date.time>.log: Records installation of VSCORE, and the ACC details for MA 5.0.
Ma_vscore_uninstall_<date.time>.log: Records uninstallation of VSCORE, and the ACC details for MA 5.0.
McAfeeSmartInstall_<date.time>.log: Agent installation from the Deployment URL Smart Installer is recorded in this file.
UpdaterUI_<hostname>.log: Contains details of the updates to managed products on the client system.
UpdaterUI_<hostname>_error.log: UpdaterUI error log. Contains details about recorded errors.

McAfee Agent Data Files
\ProgramData\McAfee\Agent

Data: Explanation
AgentEvents\: Stores events prior to upload (only 100 normal events at a time). Normal events: .xml; priority events: .txml.
Current\: Holds temporary files for product installation.
Data: Hosts the default locations for HTTP Server and P2P Server. Also stores remote logging UI pages/scripts and event filter .ini files.
DB\: Stores agent log files.
Db\Software\: Used by SuperAgents as a repository folder.
Keystore: Stores the Agent and Server keys which are used by MA & ePO for ASC.
Logs: Stores the logs for each service of MA 5.0 and also the logs of Mue.exe.
Update: Stores the scripts for Updates and Deployments of MA.

McAfee Agent Activity Logs
• The agent logs are saved in these locations:
o Windows client systems: \ProgramData\McAfee\Agent\logs
o Non-Windows client systems: /var/McAfee/agent/logs

Agent Activity Logs: Description
McScript.log: MUE log. Contains agent activity performed by update/script during update or installation of point product.
McScript_backup.log: When the McScript.log reaches its size limit, a backup copy is made. If a backup copy of a log file already exists, it is overwritten.
McScript_error.log: Contains the agent activity errors performed by the update/script during an update or installation of a point product. Max size is 2 MB.

Use MER Analyzer tool to view the dynamic logging.

McAfee Agent Activity Logs
• Agent data path
o \ProgramData\McAfee\Agent\Logs

Agent Activity Logs: Description
Masvc.log: Logs of McAfee Agent Service, which hosts the agent services such as Property service, Policy service, Scheduler service, Tasks, Repository service, Updater service, AH Client, etc.
Macmnsvc.log: Logs of McAfee Agent Common Service, which hosts HTTP Server, P2P server, Relay server, etc.
Ma_brokersvc.log: Logs of McAfee Backward Compatibility Service, which is responsible for supporting the legacy integration mechanisms for legacy PPs (such as Plugin integration, LPC integration, COM integration).

McAfee Agent Log Files

Policy File: Explanation
Ma_policy.db: Policy file. This contains all the policies of MA and PPs installed on the client node.

Task File: Explanation
Ma_task.db: Task file. Contains all the local and server tasks.

Property File: Explanation
Ma.db: Property file. Stores all the properties of MA and PPs.

Use MER Analyzer tool to view McAfee Agent .db files.

Agent Files and Services

File Name: Explanation
Mfemms.exe (running): McAfee Service Controller. Manages McAfee Services.
Masvc.exe (running): McAfee Agent Service. This is the service which performs the major functionality of the Agent (such as property collection, policy enforcement, scheduling of tasks, ASC, triggering update session, etc.).
Macmnsvc.exe: McAfee Agent Common Services. This service hosts multiple services of McAfee Agent such as SuperAgent, P2P Server, Wake-up, RelayServer.
Macompatsvc.exe: McAfee Agent Backwards Compatibility service. This executable is the compatibility service for the McAfee Agent Service. It is started by the McAfee Agent service and communicates with the various point product plugins.
Ma_mirror_task.exe: McAfee Agent Mirror Task. Manages McAfee Agent mirror tasks.

Agent Files and Services

Filename: Explanation
Maconfig.exe: McAfee Agent Configurator – Command line interface to configure MA in managed and unmanaged mode, configure language, custom props, etc.
McScanCheck.exe: McAfee Agent McScanCheck – Tool used by VSE for data updates.
McScript_InUse.exe: McAfee Agent Script Engine – This interprets the scripts of all PPs to perform updates and deployments.
UpdaterUI.exe (running): Common User Interface.
McTray.exe (running): Single tray icon management tool that runs under the same user session and is started by UpdaterUI.exe.
CmdAgent.exe: Agent command line utility.
Mue.exe: McAfee common script engine. Executes proprietary scripts for updating and installing products.
FrmInst.exe: Agent installer and uninstaller.

Using the System Tray Icon Options
• Update Security: Triggers immediate updating of all installed McAfee software products.
• Quick Settings: Links to product menu items that are frequently used.
• Manage Features: Displays links to the administrative console of managed products.
• Scan Computer for: Launches McAfee programs, such as Endpoint Security Threat Prevention.
• View Security Status: Displays the current system status of managed McAfee products, including current events.
• McAfee Agent Status Monitor: Triggers the Agent Status Monitor, which:
• Displays information on the collection and transmission of properties.
• Sends events.
• Downloads and enforces policies.
• About: Displays system and product information for products installed on the system.

McAfee Agent Status Monitor
• Displays information on the collection and transmission of
properties
• Sends events
• Downloads and enforces policies

McAfee Agent Policy Overview
Agent Policies Overview
• General: Basic agent policy configuration.
• Repository: Configure agents to use proxy server settings.
• Troubleshooting: Select language.

McAfee Agent Policy Options
McAfee Agent Policy General
• Default policies:
o Large Organization Default: Read-only
o McAfee Default: Read-only

General Policies – General Tab
• Contains settings for basic agent functionality

General Policies – Super Agent Tab
• Contains settings to enable and customize SuperAgent, as
required.

Agent Relay Capability – Super Agent
• Enabling relay capability in the network converts a McAfee Agent to a RelayServer.
• You can configure more than one agent as a RelayServer to maintain network load balance.
• On a Windows client system, after the relay capability is enabled through the policy, a new service macmnsvc.exe is installed. Start or stop this service to control relay capability on the client system.

McAfee Agent requires the User Datagram Protocol (UDP) to discover each RelayServer in the network.

A RelayServer connects only with the servers that are listed in its policy database.

General Policies – Events Tab
• Configure how and when the agent sends priority events to
the ePO server. Event priority is predefined by the installed
product.

General Policies – Logging Tab
• Controls creation of, and access to, the agent activity log
on managed systems.

General Policies – Updates Tab
• Configure options for updating signatures, engines,
patches, and service packs

General Policies – Peer-to-Peer Tab
• Enable Peer-to-Peer Communication

Agent Peer-to-Peer Service
• Downloading updates from the peer agents in the same subnet avoids excessive bandwidth consumption.
• McAfee Agent uses global broadcast and multicast for discovery.
• The peer-to-peer service uses port 8082 to discover peer servers and port 8081 to serve peer agents with updates.
• The peer-to-peer server by default caches updates in <agent data folder>\p2p_content

Repository Policies – Proxy Tab

Troubleshooting Policies
• McAfee Agent user interface and log language

Uninstalling the McAfee Agent
Uninstalling the McAfee Agent
• Manually from within the ePO console:
– Delete the machine node(s) from the ePO System Tree. When a node is
deleted from System Tree:
• System entry in DB is flagged for agent uninstall.
• At next ASCI, Agent receives uninstall flag.
• Agent responds back to the server for confirmation.
• Server sends final uninstall command.
• Agent uninstall begins.

• At the Windows client:
– Uninstall switches
• Run Frminst.exe /Remove=Agent

• At the Non-Windows client:
1. Open a terminal window on the client system.
2. Run the command appropriate for your operating system, providing
root credentials when requested. See McAfee Agent Product Guide.

Summary

Once end users have installed the McAfee Agent on their systems, the McAfee Agent communicates with the ePO server, downloads the product software, and brings these systems under ePolicy Orchestrator management.

The ePO interface includes pages where agent tasks and policies can be configured, and where system properties, agent properties, and other McAfee product information can be viewed.

Point Product Deployment
and Policy Configuration
ePO Cloud 5.5 Essentials
About This Learning Material

Intent of this material
• Create a product deployment task
• Deploy a point product to the managed endpoint(s)
• Configure a Point Product’s available policy settings
• Enforce new product settings on the managed endpoint(s)

Why this material is important to YOU:
The information provided in this material will cover:
• Client Tasks
• Deploying Point Products (MES)
• Product Deployment Scheduling
• Troubleshooting Product Deployment
• Policy Application
• Configuring Point Product Policies and Tasks (MES (Threat Prevention))

Estimated time to complete this module: 0.5 hours

Purpose
In this module, you will learn to:
• Create a product deployment task
• Deploy a point product to the managed endpoint(s)
• Configure a Point Product’s available policy settings
• Enforce new product settings on the managed endpoint(s)

Choosing a Product Deployment Method
There are two processes you can follow to deploy products using ePolicy Orchestrator:
1. Product Deployment projects, which streamline the deployment process and provide more functionality.
2. Individually created and managed client task objects and tasks.

Product Deployment Projects
Benefits of Product Deployment Projects
 Run a deployment continuously — This allows you to configure your deployment project so that when new systems matching your criteria are added, products are deployed automatically.
 Stop a running deployment — If, for some reason, you need to stop a deployment once it's started, you can. Then, you can resume that deployment when you're ready.
 Uninstall a previously deployed product — If a deployment project has been completed, and you want to uninstall the associated product from the systems assigned to your project, select Uninstall from the Action list.
The Product Deployment Page Explained
Click Menu > Software > Product Deployment
1 Deployment summary — Lists the product deployments. If you click a deployment, details for the deployment are displayed in the deployment details area.
2 Deployment details — Lists the details of the selected deployment and includes the following areas:
o 2a Status monitor — The progress and status display varies depending on the type of deployment and its status.
o 2b Details — The details display allows you to view deployment configuration details and status, and if needed, click View Task Details to open the Edit Deployment page.
o 2c System name — Displays a filterable list of target systems receiving the deployment. The systems displayed vary depending on the deployment type and whether the systems were selected individually, as tags, as System Tree groups, or as query output tables.
o 2d Status — Displays a three-section bar indicating the progress of the deployment and its status.
o 2e Tags — Displays tags associated with the row of systems.
Client Tasks
Client Tasks
 Go to: Menu > Policy > Client Task Catalog.
– Product deployment
– Product functionality (Example: The Endpoint Security Threat Prevention On-
Demand Scan task.)
– Upgrades and updates
Deploying Point Products (MES)
Deploy Products Using a Deployment Project
1. Click New Deployment.
2. Type a name and description.
3. Choose the type of deployment:
• Continuous — Uses your System Tree groups or tags to configure the systems receiving the deployment.
• Fixed — Uses a fixed, or defined, set of systems to receive the deployment. System selection is done using your System Tree or Managed Systems Queries table output.
4. To specify which software to deploy, select a product from the Package list.
5. In the Command line text field, specify any command-line installation options.
6. Select Group or Systems.
7. Pick a start time or schedule.
8. Click Save.
Troubleshooting Product
Deployment
Troubleshooting Product Deployment

1. Validate that the agent(s) received the task.


a. Validate that the task is present on the client.
– Check for its presence in the ma_task.db file.

b. If task was not received, validate that the agent is communicating with ePO. If
failing to communicate, investigate as an agent-to-server communication problem
(check the ma.log file).

2. On the ePO Server side, review the client task to validate the scheduling and
settings.

3. Validate that the agents executed the task at the scheduled time. Check the
cma.log, and McScript.log files.
Policy Application
Policy Application
Policies are applied to any system by one of two methods,
inheritance or assignment.

 Inheritance
– Inheritance determines whether the policy settings and client tasks for a
group or system are taken from its parent. By default, inheritance is
enabled throughout the System Tree.
– When inheritance is broken by assigning a new policy anywhere in the System Tree, all subgroups and systems that are set to inherit the policy from this assignment point do so.

 Assignment
– You can assign any policy in the Policy Catalog to any group or system,
provided you have the appropriate permissions. Assignment allows you to
define policy settings once for a specific need, and then apply the policy to
multiple locations.
– When you assign a new policy to a particular group of the System Tree, all
subgroups and systems that are set to inherit the policy from this
assignment point do so.
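The inheritance and assignment behaviour described here, together with assignment locking, resetting broken inheritance and policy deletion from the Managing Policies module, as an added Python model (not McAfee code): the root group name "My Organization", the subgroup names and the policy names "Policy A" and "Policy B" are constructed; the rules themselves follow the slides.

```python
"""Model of ePO System Tree policy assignment, inheritance and locking.

Added example, not McAfee code. Group names are constructed; the root
assignment "McAfee Default" and the inherit/assign/lock/reset/delete rules
follow the training slides.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Group:
    name: str
    parent: Optional["Group"]
    assigned: Optional[str] = None   # policy assigned at this node, if any
    locked: bool = False             # Lock set on the Assigned Policies tab

    @property
    def inherits(self) -> bool:
        # A group inherits unless a policy is assigned at the node itself
        return self.assigned is None


class SystemTree:
    def __init__(self, root: str = "My Organization",
                 default_policy: str = "McAfee Default") -> None:
        self.groups: Dict[str, Group] = {}
        # The root carries the McAfee Default assignment; everything below inherits it
        self.groups[root] = Group(root, None, assigned=default_policy)

    def add_group(self, name: str, parent: str) -> None:
        self.groups[name] = Group(name, self.groups[parent])

    def locking_ancestor(self, name: str) -> Optional[str]:
        """Nearest ancestor whose assignment is locked, or None."""
        node = self.groups[name].parent
        while node is not None:
            if node.locked:
                return node.name
            node = node.parent
        return None

    def assign(self, name: str, policy: str, lock: bool = False) -> None:
        """Edit Assignment: break inheritance and set a policy on a group.

        A locked assignment higher in the tree prevents the change (the lock
        protects assignments in subgroups, not the policy object itself).
        """
        locker = self.locking_ancestor(name)
        if locker is not None:
            raise PermissionError(f"assignment locked at '{locker}'")
        g = self.groups[name]
        g.assigned, g.locked = policy, lock

    def reset_inheritance(self, name: str) -> None:
        """Actions: Reset Inheritance. The group takes its parent's policy again."""
        g = self.groups[name]
        g.assigned, g.locked = None, False

    def effective_policy(self, name: str) -> str:
        """Walk up to the nearest assignment point (the root at the latest)."""
        node = self.groups[name]
        while node.assigned is None:
            node = node.parent
        return node.assigned

    def broken_inheritance(self) -> List[str]:
        """Groups shown by the Broken Inheritance link (the root is excluded)."""
        return [g.name for g in self.groups.values()
                if g.parent is not None and not g.inherits]

    def delete_policy(self, policy: str) -> None:
        """Deleting a policy: every group that used it inherits its parent's policy."""
        for g in self.groups.values():
            if g.parent is not None and g.assigned == policy:
                self.reset_inheritance(g.name)


def demo() -> dict:
    """Constructed walk-through; returns the observations for checking."""
    t = SystemTree()
    t.add_group("Servers", "My Organization")
    t.add_group("WebServers", "Servers")
    t.add_group("Workstations", "My Organization")
    t.assign("Servers", "Policy A", lock=True)   # Servers and below get Policy A
    t.assign("Workstations", "Policy B")
    try:
        t.assign("WebServers", "Policy B")      # refused: lock on Servers
        lock_blocked = False
    except PermissionError:
        lock_blocked = True
    before = {g: t.effective_policy(g) for g in t.groups}
    t.delete_policy("Policy B")                 # Workstations falls back to McAfee Default
    after = {g: t.effective_policy(g) for g in t.groups}
    return {"before": before, "after": after,
            "lock_blocked": lock_blocked, "broken": t.broken_inheritance()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```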
Configuring Point Product
Policies and Tasks
(MES Threat Prevention)
Creating a New Policy
1. Select Product and Category.
2. Click New Policy.
3. Select policy to duplicate, name it and click OK.
Editing the New Policy
Assigning the New Policy
When Policies are Enforced
 Policy settings for McAfee products are enforced
immediately at the policy enforcement interval, and at each
agent-to-server communication if policy settings have
changed.

Troubleshooting Point Product Policy Enforcement
Point Product Policy Enforcement Issues
Troubleshooting Point Product Policy Enforcement
 McAfee Agent log files contain actions triggered or taken by the McAfee Agent.
 ma_policy.db - Generated on client systems when the server deploys an Agent to them.
• Policy enforcement
• Agent service logs are located in: C:\Windows\Temp.
 Collect masvc.log and ma_brokersvc.log
Summary
ePolicy Orchestrator simplifies the process of
deploying security products to the managed
systems in the network by providing a user
interface to configure and schedule deployments.

Product deployment projects streamline the deployment process by consolidating many of the steps needed to create and manage product deployment tasks individually.

Dashboards, Queries and
Reports
ePO Cloud 5.5 Essentials
About This Learning Material

Intent of this material
• Explain how dashboards help you keep constant watch on the environment.

Why this material is important to YOU:
The information provided in this material will cover:

• Dashboards Overview
• Reporting/Queries

Estimated time to complete this module: 0.5 hours

Purpose
In this module, you will learn to:
• Explain how dashboards help you keep constant watch on the environment.

Dashboards
Dashboard Overview
(Screenshot slides of the Dashboards page)
Default Dashboards and their Monitors
Default Dashboards and their Monitors
• Audit – User activity in past 30 days
• ePO Summary – High-level information and links to more information from McAfee
• Executive Dashboard – Number of internal virus detections over the past quarter
• Getting Started with ePolicy Orchestrator – Learn about ePO and create the product software installation URL.
• Product Deployment – Overview of product deployment and update activities
• Threat Events – Threat events to the network over time
• Trends – McAfee Agent additions and product updates over time
Queries
Queries and Reports
ePolicy Orchestrator comes with its own querying
and reporting capabilities.

• Queries
o Essentially questions you ask ePO, with the answers
shown in charts, tables, etc.
o Can be included in reports or dashboard monitors
o Actionable

• Reports
o Combine query results and other elements into PDF
documents
o Enable focused, offline analysis
o Used to identify vulnerabilities, usage, events, etc.
o Most recent result for each report is stored within the
system for quick access
Additional Logging Activity
o Audit log
o Server Task log
o Threat Event log
About Queries
• Objects that retrieve and display data from ePO database.
– Displayed in charts/tables.
– Are actionable.
– Exportable, via email, to four formats:
• CSV: Use with spreadsheets.
• XML: Transform data.
• HTML: View as a web page.
• PDF: Obtain printable results.

– Can combine queries in reports.

Queries and Reports
Working with Queries
• Run a Query
Exporting Query Results
Reports
About Reports
Troubleshooting Report/Query Generation Issues
Troubleshooting Report/Query Generation
• Default content will not be displayed if a user does not have permissions for that content. In most cases, permissions are granted through licensing. For example, if a user has not been granted a license for Threat Prevention (or the license has been revoked), the user will not see dashboards, queries, or reports related to the Threat Prevention extension. Licensing can be verified by navigating to the user's My Account page.
• In ePO Cloud, user data (e.g. logs) will be periodically purged by Cloud Operations (ops). User data will be purged if older than 90 days. Therefore, dashboards, queries, and reports will only show data from the past 90 days.
• Reports or queries that fail to run should be escalated for investigation and resolution.
Summary

Dashboards help you keep constant watch on the environment.

Dashboards are collections of monitors. Monitors condense information about the environment into easily understood graphs and charts.

Usually, related monitors are grouped together on a specific dashboard. For example, the Threat Events dashboard contains four monitors that display information about threats to the network.

General Troubleshooting

ePO Cloud 5.5 Essentials


About This Learning Material

Intent of this material
• Identify resource locations for specific ePO Cloud documentation
• Recall Support sites, documents and Knowledge Base Articles for ePO Cloud
• Identify issues with ePO Cloud components
• Identify and resolve Agent communication failures
• Use the MERTool to gather required and optional data for troubleshooting and escalation
• Describe the process for escalating issues
• Identify the required and optional data and information needed for escalating ePO Cloud issues

Why this material is important to YOU:


The information provided in this material will cover:
• Documentation
• Supportability sites
• Top Call Generators
• Troubleshooting Basics for ePO Cloud and McAfee Agent
• MERTool /MER Analyzer
• Running the MERTool
• BPS and NOC
• Escalation Guidelines

Estimated time to complete this module: 0.5 hours

286
Purpose
In this module, you will learn to:

• Identify resource locations for specific ePO Cloud documentation
• Recall Support sites, documents and Knowledge Base Articles for ePO Cloud
• Identify issues with ePO Cloud components
• Identify and resolve Agent communication failures
• Use the MERTool to gather required and optional data for troubleshooting and
escalation
• Describe the process for escalating issues
• Identify the required and optional data and information needed for escalating
ePO Cloud issues
Documentation
ServicePortal - (https://support.mcafee.com/)
Product Guides and Release Notes
• Product Guides
o Installation Guide
o User Guide
o Release Notes
o Etc.

Knowledge Center
• Troubleshooting Articles
• Product Documentation
• Procedure Documents

Internal KnowledgeBase is located at: https://agent.mcafee.com
External KnowledgeBase is located at: https://support.mcafee.com

Support Engineering Operations (SEO Internal site)
• Supportability Documents maintained by McAfee Engineering
• Available for internal use by McAfee Support only

ePO Community Forums (Planet McAfee)
• ePO Internal Community Forum:
https://planet.mcafee.com/groups/epolicy-orchestrator
• ePO External Community Forum:
https://community.mcafee.com/groups/endpoint-security
Knowledge Center

Support Engineering Operations (SEO)
• Supportability Documents
– The ePO Cloud 5.x and the McAfee Agent 5.0 Supportability Documents are
located on the ePolicy Orchestrator page on the Planet McAfee site.

NoHold – Troubleshooting Trees
ePO Community Forums

Subject line format:
Tier/Region/SR number/Severity/Product/Query

Important details to provide with every question:
• A clear question
• Customer Environment and version information
• Product Configuration settings
• Troubleshooting done so far
• Links to any relevant log files
ePO Community Forums (cont'd)
Other Guidelines:
o Do not refer back to the case. All pertinent information should be contained in the
post, including MERs or logs.
o Be sure all relevant files are linked to the post before posting. Do not post and
indicate that MERs will be included later; instead, wait until you have valid MERs to
post.
o Do not post security vulnerabilities in this forum group; instead, follow the
process outlined in KB61029 for all security vulnerabilities related to ePO.
o Select the appropriate category when starting a new discussion. Only select one
category. The region for the category is based on the customer's region and the tier
is based on the tier of the person posting the question. These are the only
categories you should use when posting a question:

• TierII/Platinum/SAM/RSAM - For use by tier2 agents, product specialists, SAMs or RSAMs
• Tier1/SE/Consultant - APAC - For use by tier1 agents, SEs or Consultants needing
assistance with an APAC customer
• Tier1/SE/Consultant - EMEA - For use by tier1 agents, SEs or Consultants needing
assistance with an EMEA customer
• Tier1/SE/Consultant - LTAM - For use by tier1 agents, SEs or Consultants needing
assistance with an LTAM customer
• Tier1/SE/Consultant - NA - For use by tier1 agents, SEs or Consultants needing
assistance with a NA customer
Top Call Generators
• ePO Cloud
o Server Configuration - Server Settings
o Agent-to-Server communication failure
o Console login failure
o Product deployment issues
o Product policy enforcement issues

• McAfee Agent
o General ASCI failure troubleshooting
o General Updating (content) failure
o Specific content updating failure
o Specific MA installation issue (file locking)

• Links to the Troubleshooting Trees
o ePO Cloud:
http://thezone.corp.mcafee.com/sites/tieriii/ePO/TTree/ePOTTree.htm
o McAfee Agent:
http://thezone.corp.mcafee.com/sites/tieriii/CMA/TTree/MATree_02282013.htm
Troubleshooting Basics for ePO Cloud

Troubleshooting Basics
• Understanding the problem
• Asking questions
• Identify the real issue
• Reproducing the issue
• Get the MERTool results

Triage Playbook Overview
• Validate Settings
• Search Inquira
• Review Troubleshooting Tree
• Follow Escalation Process

Support Tools
• McAfee Virtual Technician (MVT) - http://mvt.mcafee.com
• MERTool / MER Analyzer
MERTool and MER Analyzer
Information Collected by the MERTool
• What information is collected by the MERTool?
– Registry details
– File version details
– Files
– Event logs
– Process details

The MERTool can be downloaded from:
https://support.mcafee.com/ServicePortal/faces/tools

Downloading the WebMER Tool
https://support.mcafee.com/ServicePortal/faces/tools

Installing the MERTool

Collecting Data for Review

Information Collected by the MERTool

Log Files Collected by the MERTool
• Extracted MERTool Capture

Using the MER Analyzer

Virtual Technician
McAfee Virtual Technician (MVT)

BPS and Support Portal
TPS to BPS Support Portal

BPS Support Portal
BPS to Cloud ePO
McAfee Agent Logs
Agent Log Files for Troubleshooting

Issue                            Log Files
Agent (general issues) policies  ma_policy.db
Agent installation               Frminst_<System_Name>.log
                                 Frminst_<System_Name>_Error.log
                                 MFEAgent.msi.<date.time>.log
                                 McAfeeSmartInstall_<date.time>.log
Agent uninstallation             Frminst_<System_Name>.log
                                 Frminst_<System_Name>_Error.log
Agent Communication              ma.db
Client tasks (script issues)     ma_task.db
Client Updating                  UpdaterUI_<hostname>.log
                                 UpdaterUI_<hostname>_error.log
Files to Collect When Issues are Observed
Agent log files:
• Log file path for Windows "C:\ProgramData\McAfee\Agent\Logs".
NOTE: Collect all the log files under this folder.

Install log files:
• Log file path for Windows "%TEMP%\McAfeeLogs". Collect the following:
– Frminst_<machine_name>.log
– mfeagent.msi log
– McTray logs:

a) Enable McTray debug trace logging.
1. Create registry key:
32-bit OS: "Win32_GUI_Support_DLL" under HKLM\SOFTWARE\McAfee
OR
64-bit OS: "Win32_GUI_Support_DLL" under HKLM\SOFTWARE\Wow6432Node\McAfee
2. Create a string value "debug_tracing" and set the value to 1.

b) Log file path:
%appdata%\McAfee\Common Framework\DB\Support DLL\DebugTraceFiles

Messages Reported
Message Type              Description
E (error)                 Debug error message
W (warning)               Debug warning message
I (information) or none   Debug information message
X (extended data)         Debug extended information message
Troubleshooting McAfee Agent Deployment
• On Windows client systems, the install logs are saved in %TEMP%\McAfeeLogs.

Windows Install Log                  Description
Frminst_<System_Name>.log            Install log. It records installation of the McAfee Agent.
                                     This file contains informational messages, progress
                                     messages, and failure messages if the installation fails.
Frminst_<System_Name>_Error.log      Agent install error log. Contains details about recorded
                                     errors.
MFEAgent.msi.<date.time>.log         MSI install log. Contains details about the MSI
                                     installation of the agent.
Ma_vscore_install_<date.time>.log    Records installation of VSCORE, and the ACC details for
                                     MA 5.0.
Ma_vscore_uninstall_<date.time>.log  Records uninstallation of VSCORE, and the ACC details
                                     for MA 5.0.
McAfeeSmartInstall_<date.time>.log   Agent installation from the Deployment URL Smart
                                     Installer is recorded in this file.
UpdaterUI_<hostname>.log             Contains details of the updates to managed products on
                                     the client system.
UpdaterUI_<hostname>_error.log       UpdaterUI error log. Contains details about recorded
                                     errors.

Known issue with downloading the bootstrap agent: it does not work with IE8 (due to a
security issue). There is a link for the workaround (Microsoft KB) on the download page.
Agent Log Files to be Collected
List of files to be collected when reporting issues observed:

• Agent log files:
o Log file path for Windows "C:\ProgramData\McAfee\Agent\Logs".
o Collect all the log files under this folder.
• Install log files:
o Log file path for Windows %TEMP%\McAfeeLogs
o Collect Frminst_<machine_name>.log, and mfeagent.msi log
• Agent service logs:
o Log file path for Windows C:\Windows\Temp.
o Collect masvc.log and ma_brokersvc.log
• McTray logs:
o Enable McTray debug trace logging.
o Create registry key "Win32_GUI_Support_DLL" under:
– 32-bit: HKLM\SOFTWARE\McAfee
– 64-bit: HKLM\SOFTWARE\Wow6432Node\McAfee
o Create a string value "debug_tracing" and set the value to 1
o Log file path:
%appdata%\McAfee\CommonFramework\DB\Support DLL\DebugTraceFiles
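The McTray tracing step and the collection list above, as one added PowerShell script (not McAfee's own tooling and not from this course): it creates the debug_tracing value under the correct hive for the OS bitness, then copies every file the list names into a single zip for the case. Assumptions: it runs elevated on the client, the folder names are taken from this page, and the McTray trace folder is checked under both spellings the page uses ("Common Framework" and "CommonFramework").

```powershell
# Added example (not McAfee tooling): enable McTray debug tracing and gather the
# agent, install, service and McTray log files listed on this page into one zip.
$ErrorActionPreference = 'Stop'

# 1. McTray debug tracing: the key lives under Wow6432Node on 64-bit Windows.
$mcafeeRoot = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\McAfee'
} else {
    'HKLM:\SOFTWARE\McAfee'
}
$traceKey = Join-Path $mcafeeRoot 'Win32_GUI_Support_DLL'
if (-not (Test-Path $traceKey)) { New-Item -Path $traceKey -Force | Out-Null }
# REG_SZ "debug_tracing" = "1" turns tracing on; reproduce the issue after this.
New-ItemProperty -Path $traceKey -Name 'debug_tracing' -PropertyType String `
    -Value '1' -Force | Out-Null

# 2. Collect the files the page lists. A missing file is reported, not fatal,
#    because not every log exists on every client.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$staging = Join-Path $env:TEMP "ma-logs-$stamp"
New-Item -ItemType Directory -Path $staging | Out-Null

$sources = @(
    # Agent log files: everything under this folder (ma.db, ma_policy.db, ...).
    (Join-Path $env:ProgramData 'McAfee\Agent\Logs\*'),
    # Install log files.
    (Join-Path $env:TEMP 'McAfeeLogs\Frminst_*.log'),
    (Join-Path $env:TEMP 'McAfeeLogs\MFEAgent.msi*.log'),
    # Agent service logs.
    (Join-Path $env:SystemRoot 'Temp\masvc.log'),
    (Join-Path $env:SystemRoot 'Temp\ma_brokersvc.log'),
    # McTray debug trace files (both spellings that appear on this page).
    (Join-Path $env:APPDATA 'McAfee\Common Framework\DB\Support DLL\DebugTraceFiles\*'),
    (Join-Path $env:APPDATA 'McAfee\CommonFramework\DB\Support DLL\DebugTraceFiles\*')
)

$skipped = @()
foreach ($pattern in $sources) {
    $found = Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue
    if (-not $found) { $skipped += "not found: $pattern"; continue }
    foreach ($f in $found) {
        # Prefix with the parent folder so same-named files do not collide.
        $dest = Join-Path $staging ("{0}_{1}" -f $f.Directory.Name, $f.Name)
        try   { Copy-Item -Path $f.FullName -Destination $dest }
        catch { $skipped += "locked or unreadable: $($f.FullName)" }  # e.g. open .db
    }
}

$archive = "$staging.zip"
Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $archive
Write-Host "Collected logs: $archive"
if ($skipped) { Write-Host ("Skipped:`n  " + ($skipped -join "`n  ")) }
```

Attach the resulting zip to the case together with the steps used to reproduce the issue.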
Troubleshooting Agent Communication with ePO Cloud

McAfee Agent Communication Issues
Steps to Troubleshoot Agent-to-Server Communication Issues

1. Confirm the agent is installed on the client.
• Make sure the McAfee Agent Service is present and started.
• Make sure the registry key is present:
[HKLM\Software\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent]

2. Perform an Agent-to-Server Communication (ASC) and wait for the
communication to fail.
3. Grab a copy of the Agent log (ma.db) and look for the failure.
4. Search the KB (http://agent.mcafee.com) for the errors and apply any relevant
articles.
McAfee Agent Ports and Traffic Flows

Default Port  Protocol  Traffic Direction
80            TCP       Outbound connection to the ePO Server
443           TCP       Outbound connection to the ePO Server
8081          TCP       Inbound connection from the ePO Server. If the agent is a
                        SuperAgent repository then inbound connection from other
                        McAfee Agents.
8082          UDP       Inbound connection to Agents. Inbound/Outbound connection
                        from/to SuperAgents.
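The ASC troubleshooting steps and the agent port table above, as one added PowerShell check script (not McAfee's own tooling and not from this course): it verifies the service and registry key from step 1, tests the agent's outbound TCP 80/443 path to the ePO server, triggers an ASC, and takes a copy of ma.db for the review in step 3. Assumptions: it runs elevated on the client; the ePO host name and agent install directory are placeholders; the service display name "McAfee Agent Service", the non-Wow6432Node key on 32-bit Windows, and the cmdagent.exe /P switch are assumed rather than taken from this page.

```powershell
# Added example (not McAfee tooling): client-side pre-checks for an
# Agent-to-Server Communication (ASC) failure, following the steps on this page.
param(
    [string]$EpoHost      = 'EPO-CLOUD-HOST.example',          # placeholder
    [string]$AgentDir     = "$env:ProgramFiles\McAfee\Agent",  # assumed default
    [string]$ReviewFolder = "$env:TEMP\asc-review"
)

$findings = @()

# Step 1a: the agent service must be present and running.
$svc = Get-Service -DisplayName 'McAfee Agent Service' -ErrorAction SilentlyContinue
if (-not $svc)                     { $findings += 'Agent service not installed' }
elseif ($svc.Status -ne 'Running') { $findings += "Agent service is $($svc.Status)" }

# Step 1b: the agent registry key named on this page (Wow6432Node on 64-bit;
# the plain SOFTWARE path on 32-bit Windows is an assumption).
$agentKey = 'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
if (-not [Environment]::Is64BitOperatingSystem) {
    $agentKey = 'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent'
}
if (-not (Test-Path $agentKey)) { $findings += "Registry key missing: $agentKey" }

# Ports table: the agent only needs outbound 80/443 TCP to the ePO server, so
# a failed test here points at a proxy/firewall rather than the agent itself.
foreach ($port in 80, 443) {
    $tnc = Test-NetConnection -ComputerName $EpoHost -Port $port -WarningAction SilentlyContinue
    if (-not $tnc.TcpTestSucceeded) { $findings += "Outbound TCP $port to $EpoHost blocked" }
}

# Step 2: trigger an ASC and give it time to succeed or fail.
$cmdAgent = Join-Path $AgentDir 'cmdagent.exe'
if (Test-Path $cmdAgent) {
    & $cmdAgent /P | Out-Null   # assumed switch: collect and send properties
    Start-Sleep -Seconds 60
} else {
    $findings += "cmdagent.exe not found under $AgentDir"
}

# Step 3: copy ma.db out of the agent log folder for offline review before
# searching the KB for the recorded error.
$maDb = Join-Path $env:ProgramData 'McAfee\Agent\Logs\ma.db'
if (Test-Path $maDb) {
    New-Item -ItemType Directory -Path $ReviewFolder -Force | Out-Null
    Copy-Item $maDb (Join-Path $ReviewFolder "ma-$(Get-Date -Format yyyyMMdd-HHmmss).db")
} else {
    $findings += "ma.db not found at $maDb"
}

if ($findings) { $findings | ForEach-Object { Write-Host "FAIL: $_" } }
else { Write-Host 'Pre-checks passed; review the copied ma.db for the ASC failure.' }
```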
Forcing Agent Activity from the Client
CmdAgent usage:
• "<Agent_Install_Directory>\cmdAgent.exe"
General Troubleshooting
ePO Ports and Traffic Flows

Port: Agent to server communication port
  Default: 80
  Description: TCP port opened by the ePO Server service to receive requests from agents.
  Traffic Direction: Bi-directional between the Agent Handler and the ePO server, and
    inbound to the Agent Handler from the McAfee Agent.

Port: Agent communicating over SSL
  Default: 443
  Description: Agents should communicate over SSL (443 by default). This port is also
    used for the remote Agent Handler to communicate with the ePO Master Repository.
  Traffic Direction: Inbound connection to the Agent Handler from the McAfee Agent.

Port: Agent wake-up communication port
  Default: 8081
  Description: TCP port opened by agents to receive agent wakeup requests from the ePO
    server.
  Traffic Direction: Outbound connection from the ePO Server to the McAfee Agent.

Port: Agent broadcast communication port
  Default: 8082
  Description: UDP port opened by SuperAgents to forward messages from the ePO
    server/Agent Handler.
  Traffic Direction: Outbound connection from the SuperAgents to other McAfee Agents.

Port: Console-to-application server communication port
  Default: 8443
  Description: HTTPS port opened by the ePO Application Server service to allow web
    browser UI access.
  Traffic Direction: Inbound connection to the ePO server from ePO Console.

Port: Client-to-server authenticated communication port
  Default: 8444
  Description: HTTPS port opened by the ePO Application Server service to receive RSD
    connections.
  Traffic Direction: Inbound connection to the ePO server from the Rogue System Sensor.
    Outbound connection from remote Agent Handlers to the ePO server.
Policy Update/Enforcement Issues

• McAfee Agent log files contain actions triggered or taken by the McAfee Agent.

• ma_policy.db - Generated on client systems when the server deploys an Agent to
them.
– Policy enforcement
– Agent service logs are located in: C:\Windows\Temp.
• Collect masvc.log and ma_brokersvc.log
Product Deployment/Client Task Issues
1. Validate that the agent(s) received the task.
a. Validate that the task is present on the client.
o Check for its presence in the ma_task.db file.

b. If the task was not received, validate that the agent is communicating with ePO. If
it is failing to communicate, investigate as an agent-to-server communication problem
(check the ma.db file).

2. On the ePO Server side, review the client task to validate the scheduling and
settings.

3. Validate that the agents executed the task at the scheduled time. Check the
ma_scheduler.db, and McScript.log files.

Additionally, see the following:
• ePO Troubleshooting Tree:
http://thezone.corp.mcafee.com/sites/tieriii/ePO/TTree/ePOTTree.htm

• ePO Planet page:
https://planet.mcafee.com/groups/epolicy-orchestrator/content?filterID=contentstatus%5Bpublished%5D~category%5Bepo-troubleshooting%5D&query=tree
Console Login Issues

Trusted Sites
• When accessing the ePO console using Internet Explorer 8 (and later), the log on
dialog might not appear.

• This might occur when Enhanced Security is enabled in Internet Explorer 8. To work
around this issue, you must add your ePO console to the Trusted sites list in IE 8.

• Click Tools > Internet Options and open the Security tab. Then, click Trusted Sites >
Sites and Add the URL for the ePO console.
Helpful Support Articles
ePO Cloud Known Issues:
• KB79063 – ePolicy Orchestrator 5.x Known Issues

FAQs:
• KB78045 – FAQs for ePolicy Orchestrator Cloud

Documentation:
• PD26163 – ePolicy Orchestrator Cloud 5.5.0 Product Guide
• PD25493 – McAfee Agent 5.0.0 (Cloud) Product Guide
• PD26157 – ePO Cloud 5.5.0 Release Notes
• PD25961 – ePO Cloud 5.4.0 Release Notes
• PD25497 – ePO Cloud 5.2.0 Release Notes

Escalation / Case Codes:
• PR500497 – CORPORATE – Insight Case Codes for ePolicy Orchestrator Cloud (ePO Cloud)

General:
• KB83024 – Initial setup steps for ePO Cloud
• KB81829 – How to create an installation URL from ePO Cloud
• KB84630 – How to deploy products using ePO Cloud
• KB84197 – How to create and assign Endpoint Security policies within ePO Cloud
• KB85135 – How to remove Endpoint Security from client computers managed by ePO Cloud
• KB84629 – How to schedule an On-Demand scan from ePO Cloud
• KB82760 – Installation fails for Endpoint Security products managed by ePO Cloud
Escalation Guidelines

Minimum Escalation Guidelines
• Article KB78187 outlines the basic escalation guidelines for all products.

Escalation Guidelines
The Minimum Escalation Guidelines are stored in the KnowledgeBase as
procedure documents, for example:
– ePO – PR500014
– McAfee Agent – PR500033
– Endpoint Security Threat Prevention – PR500104 Multiple Articles
– Endpoint Security Web Control – PR500104 Multiple Articles
– Endpoint Security Firewall – PR500104 Multiple Articles

These articles contain the Minimum Escalation Guidelines for the product, links
to the Issue Specific Escalation Guidelines, and all currently identified KB
articles that are relevant to the product or issue.

The KB article PR500014 is the master article for Minimum Escalation
Guidelines for ePO for all Support Tiers.

It provides a guideline that lists the tasks that one needs to perform before
escalating a case to the next Tier for all issue types with ePO.
Escalation Checklist

Escalation Checklist for ePO Cloud
• If the issue is a reporting issue, or a database problem, obtain screenshots and
attach them to the case.
• If the issue is a client side issue, make sure to set Level 8 logging on the client
machine and reproduce the issue. Then gather Level 8 MERs.
• Review the relevant logs to see whether there are errors.
• Make sure that the relevant log files are included in the MER results and attach them
to the case.
• Search MAX to find related cases or KB articles that address the issue.
• Attempt to reproduce the issue.
• Provide the steps used to reproduce the issue.
• If you cannot reproduce the issue, provide the steps that the customer uses to
reproduce it.
• Provide a summary of all the troubleshooting performed on the case.
Documenting Cases Clearly and Accurately
To ensure our documentation is clear and gives the necessary information to the next tier,
McAfee requires you to use the ART/CS format for all cases and on every product.

When populating the Description field in Insight, the ART format is to be used as follows:

A – Action - Document the action taken by the customer that resulted in the issue they are
currently having.
R – Result - Document the result of the customer’s action, including any error messages,
symptoms, or issues seen.
T – Troubleshooting - Document a summary of all the steps taken so far and NOT all of
the activities.

When closing the SR, the Resolution field should be populated with the Cause and
Solution:

C – Cause - Document the cause of the issue, when it is clear (from a McAfee
perspective) what caused it.
S – Solution - Document the solution steps, when the issue has been resolved, so that it
is clear what steps actually resolved it and they can be referred to if the issue re-occurs in
the future.

Summary

When supporting ePO Cloud, it's important that you be able to:

• List resource locations for specific ePO Cloud documentation
• Recall how to collect data from ePO Cloud for troubleshooting
• Identify and isolate issues to the application components