Mcafee EPOLICY ORCHESTRATOR Walkthrough Guide
McAfee ePolicy Orchestrator 4.0.2
Product Guide
COPYRIGHT
Copyright © 2008 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE,
LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD,
PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE,
SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc.
and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
McAfee ePolicy Orchestrator 4.0.2 Product Guide2
Contents
Introducing ePolicy Orchestrator 4.0.2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Configuring ePolicy Orchestrator Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
ePolicy Orchestrator 4.0.2 components and what they do. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
The ePO server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
The McAfee Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Using this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Where to find McAfee enterprise product information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
ePO user accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Global administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
How permission sets work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Contacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Server settings and the behaviors they control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Available server tasks and what they do. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
The Audit Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
The Event Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Data exports from any table or chart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
MyAVERT Security Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Logging on and off from ePO servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Logging on to ePO servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Logging off of ePO servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Viewing the server version number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Working with user accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Creating user accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Editing user accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Deleting user accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Working with permission sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Creating permission sets for user accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Duplicating permission sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Editing permission sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Deleting permission sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3McAfee ePolicy Orchestrator 4.0.2 Product Guide
Contents
Working with contacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Creating contacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Editing contacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Deleting contacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Working with server settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Specifying an email server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configuring the template and location for exported reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Determining which events are forwarded to the server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Viewing and changing communication ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Working with the Server Task Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Viewing the Server Task Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Filtering the Server Task Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Purging the Server Task Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Working with the Audit Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Viewing the Audit Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Purging the Audit Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Purging the Audit Log on a schedule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Working with the Event Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Viewing the Event Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Purging events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Purging the Event Log on a schedule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Working with MyAvert Security Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Configuring MyAvert update frequency and proxy settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Viewing threat notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Deleting threat notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Exporting tables and charts to other formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Allowed Cron syntax when scheduling a server task. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Organizing Systems for Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
The System Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Considerations when planning your System Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Administrator access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Environmental borders and their impact on system organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Subnets and IP address ranges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Tags and systems with similar characteristics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Operating systems and software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Tags and how they work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Active Directory and NT domain synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
McAfee ePolicy Orchestrator 4.0.2 Product Guide4
Contents
Active Directory synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
NT domain synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Criteria-based sorting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
How settings affect sorting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
IP address sorting criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Tag-based sorting criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Group order and sorting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Catch-all groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
How a system is first placed in the System Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Working with tags. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Creating tags with the Tag Builder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Excluding systems from automatic tagging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Applying tags to selected systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Applying criteria-based tags automatically to all matching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Creating and populating groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Creating groups manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Adding systems manually to an existing group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Importing systems from a text file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Sorting systems into criteria-based groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Importing Active Directory containers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Importing NT domains to an existing group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Synchronizing the System Tree on a schedule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Updating the synchronized group with an NT domain manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Moving systems manually within the System Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Distributing Agents to Manage Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Agents and SuperAgents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Agent-server communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
SuperAgents and broadcast wake-up calls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Agent activity logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Agent policy settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Security Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Agent-server secure communication keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Master repository key pair. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Other repository public keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Methods of agent distribution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Creating custom agent installation packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Distributing agents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
5McAfee ePolicy Orchestrator 4.0.2 Product Guide
Contents
Deploying the agent with ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Installing the agent with login scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Installing the agent manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Enabling the agent on unmanaged McAfee products. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Including the agent on an image. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Using other deployment products. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Distributing the agent to WebShield appliances and Novell NetWare servers. . . . . . . . . . . . . . . . . . 79
Forcing the agent to call in to the server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Upgrading existing agents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Upgrading agents using login scripts or manual installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Upgrading agents with ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Removing the agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Running FRMINST.EXE from a command line. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Removing agents when deleting systems from the System Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Removing agents when deleting groups from the System Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Removing agents from systems in query results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Maintaining the agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Sending manual wake-up calls to systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Sending manual wake-up calls to a group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Sending wake-up calls on a schedule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Viewing the agent activity log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Viewing of the agent and product properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Running agent tasks from the managed system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Working with security keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Agent command-line options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Agent installation command-line options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Creating Repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Repository types and what they do. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Types of distributed repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Repository branches and their purposes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Repository list file and its uses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
How repositories work together. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Ensuring access to the source site. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Using Internet Explorer proxy settings for the master repository. . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Configuring custom proxy settings for the master repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Working with source and fallback sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Switching source and fallback sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
McAfee ePolicy Orchestrator 4.0.2 Product Guide6
Contents
Creating source sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Editing source and fallback sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Deleting source or fallback sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Using SuperAgents as distributed repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Creating SuperAgent repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Selecting which packages are replicated to SuperAgent repositories. . . . . . . . . . . . . . . . . . . . . . . . 106
Deleting SuperAgent distributed repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Creating and configuring FTP, HTTP, and UNC repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Creating a folder location on an FTP, HTTP server or UNC share. . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Adding the distributed repository to ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Enabling folder sharing for UNC and HTTP repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Editing distributed repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Deleting distributed repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Working with the repository list files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Exporting the repository list SITELIST.XML file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Exporting the repository list SITEMGR.XML file for backup or use by other servers. . . . . . . . . . . . 111
Importing distributed repositories from the SITEMGR.XML file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Importing source sites from the SITEMGR.XML file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Changing credentials on multiple distributed repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Managing Products with Policies and Client Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Extensions and what they do. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Policy management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Policy application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Client tasks and what they do. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Bringing products under management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Viewing policy information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Viewing groups and systems where a policy is assigned. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Viewing the settings of a policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Viewing policy ownership. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Viewing assignments where policy enforcement is disabled. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Viewing policies assigned to a group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Viewing policies assigned to a specific system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Viewing a group’s policy inheritance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Viewing and resetting broken inheritance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Working with the Policy Catalog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Creating a policy on the Policy Catalog page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Duplicating a policy on the Policy Catalog page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
7McAfee ePolicy Orchestrator 4.0.2 Product Guide
Contents
Editing a policy’s settings from the Policy Catalog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Renaming a policy from the Policy Catalog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Deleting a policy from the Policy Catalog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Working with policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Changing the owner of a policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Sharing policies between ePO servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Assigning a policy to a group of the System Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Assigning a policy to a managed system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Assigning a policy to multiple managed systems within a group. . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Enforcing policies for a product on a group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Enforcing policies for a product on a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Copying and pasting assignments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Working with client tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Creating and scheduling client tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Editing client tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Deleting client tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Frequently asked questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Deploying Software and Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Deployment packages for products and updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Product and update deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Deployment tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Update tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Global updating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Pull tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Replication tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Repository selection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Server Task Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Checking in packages manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Using the Product Deployment task to deploy products to managed systems. . . . . . . . . . . . . . . . . . . . . . . . 139
Configuring the Deployment task for groups of managed systems. . . . . . . . . . . . . . . . . . . . . . . . . . 140
Configuring the Deployment task to install products on a managed system. . . . . . . . . . . . . . . . . . 140
Deploying update packages automatically with global updating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Deploying update packages with pull and replication tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Using pull tasks to update the master repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Replicating packages from the master repository to distributed repositories. . . . . . . . . . . . . . . . . . 145
Configuring agent policies to use a distributed repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Using local distributed repositories that are not managed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
McAfee ePolicy Orchestrator 4.0.2 Product Guide8
Contents
Checking in engine, DAT and EXTRA.DAT update packages manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Updating managed systems regularly with a scheduled update task. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Confirming that clients are using the latest DAT files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Evaluating new DATs and engines before distribution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Manually moving DAT and engine packages between branches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Deleting DAT or engine packages from the master repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Sending Notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Notifications and how it works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Throttling and aggregation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Notification rules and System Tree scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Default rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Determining how events are forwarded. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Determining which events are forwarded immediately. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Determining which events are forwarded. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Setting up ePO Notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Giving users appropriate permissions to Notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Working with SNMP servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Working with registered executables and external commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Creating and editing Notification rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Describing the rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Setting filters for the rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Setting thresholds of the rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Configuring the notifications for the rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Viewing the history of Notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring the Notification Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Viewing the details of Notification Log entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Purging the Notifications Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Product and component list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Frequently asked questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Querying the Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Public and personal queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Query permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Query Builder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Multi-server roll-up querying. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Preparing for roll-up querying. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
9McAfee ePolicy Orchestrator 4.0.2 Product Guide
Contents
Registering ePO servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Creating a Data Roll Up server task. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Working with queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Creating custom queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Running an existing query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Running a query on a schedule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Making personal queries public. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Duplicating queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Sharing a query between ePO servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Exporting query results to other formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Default queries and what they display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
MA: Agent Communication Summary query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
MA: Agent Version Summary query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
ePO: Compliance History query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
ePO: Compliance Summary query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
ePO: Malware Detection History query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
ePO: Distributed Repository Status query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
ePO: Failed User Actions in ePO Console query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
ePO: Failed Logon Attempts query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
ePO: Multi-Server Compliance History query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
ePO: Systems per Top-Level Group query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
ePO: Systems Tagged as Server query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
ePO: Today’s Detections per Product query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Assessing Your Environment With Dashboards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Dashboards and how they work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Queries as dashboard monitors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Default dashboard monitors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Setting up dashboard access and behavior. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Giving users permissions to dashboards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Configuring the refresh frequency of dashboards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Working with Dashboards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Creating dashboards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Making a dashboard active. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Selecting all active dashboards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Making a dashboard public. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Detecting Rogue Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
What are rogue systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
McAfee ePolicy Orchestrator 4.0.2 Product Guide10
Contents
How the Rogue System Sensor works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Passive listening to layer-2 traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Intelligent filtering of network traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Data gathering and communications to the server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Systems that host sensors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
How detected systems are matched and merged. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Rogue System Detection states. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Overall system status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Rogue System Sensor status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Subnet status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Top 25 Subnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Rogue Sensor Blacklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Rogue System Detection policy settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Considerations for policy settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Rogue System Detection permission sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Setting up Rogue System Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Configuring Rogue System Detection policy settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Configuring server settings for Rogue System Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Editing compliance settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Editing matching settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Editing sensor settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Setting up automatic responses to Rogue System Detection events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Working with detected systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Adding systems to the Exceptions list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Adding systems to the Rogue Sensor Blacklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Editing system comments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Exporting the Exceptions list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Importing systems to the Exceptions list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Merging detected systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Removing systems from the Detected Systems list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Removing systems from the Exceptions list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Removing systems from the Rogue Sensor Blacklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Viewing detected systems and their details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Working with sensors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Changing the sensor-to-server port number. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Installing sensors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Editing sensor descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
11McAfee ePolicy Orchestrator 4.0.2 Product Guide
Contents
Removing sensors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Working with subnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Adding subnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Deleting subnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Ignoring subnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Including subnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Renaming subnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Viewing detected subnets and their details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Rogue System Detection command-line options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Default Rogue System Detection queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Appendix: Maintaining ePolicy Orchestrator databases. . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Performing daily or weekly database maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Performing weekly maintenance of MSDE databases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Performing regular maintenance of SQL Server databases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Backing up ePolicy Orchestrator databases regularly. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Backing up a SQL database--see your SQL documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Backing up an MSDE database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Changing SQL Server information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Restoring ePolicy Orchestrator databases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Restoring a SQL database--see your SQL documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Restoring an MSDE database from a backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
McAfee ePolicy Orchestrator 4.0.2 Product Guide12
Introducing ePolicy Orchestrator 4.0.2
ePolicy Orchestrator 4.0.2 provides a scalable platform for centralized policy management and
enforcement of your security products and the systems on which they reside. It also provides
comprehensive reporting and product deployment capabilities, all through a single point of
control.
Contents
ePolicy Orchestrator 4.0.2 components and what they do
Using this guide
Where to find McAfee enterprise product information
ePolicy Orchestrator 4.0.2 components and what
they do
The ePolicy Orchestrator software is comprised of these components:
• ePO server — The center of your managed environment. The server delivers security policy
and tasks, controls updates, and processes events for all managed systems.
• Master repository — The central location for all McAfee updates and signatures, residing on
the ePO server. Master repository retrieves user-specified updates and signatures from
McAfee or user-defined source sites.
• Distributed repositories — Placed strategically throughout your environment to provide access
for managed systems to receive signatures, product updates, and product installations with
minimal bandwidth impact. Depending on how your network is set up, you can set up
SuperAgent, HTTP, FTP, or UNC share distributed repositories.
• McAfee Agent — A vehicle of information and enforcement between the ePO server and
each managed system. The agent retrieves updates, ensures task implementation, enforces
policies and forwards events for each managed system.
The ePO server
The ePO server provides management, reporting, and enforcement capabilites and includes:
• A robust database that accrues information about product operation on the client systems
in your network.
• A querying system that lets you monitor the security status in your company, and quickly
act on gathered data.
• A software repository that stores the products and product updates (for example, DAT files)
that you deploy to your network.
13McAfee ePolicy Orchestrator 4.0.2 Product Guide
Introducing ePolicy Orchestrator 4.0.2
Using this guide
The ePolicy Orchestrator server can segment the user population into discrete groups for
customized policy management. Each server can manage up to 250,000 systems.
The McAfee Agent
The agent is installed on the systems you intend to manage with ePolicy Orchestrator.
While running silently in the background, the agent:
• Gathers information and events from managed systems and sends them to the ePolicy
Orchestrator server.
• Installs products and updates on managed systems.
• Enforces policies and tasks on managed systems and sends events back to the ePO server.
You can deploy the agent from the console (to Windows systems) or copy the agent installation
package onto removable media or into a network share for manual or login script installation
on your systems. Agents must be installed manually on UNIX systems.
Using this guide
This guide provides information on configuring and using your product. For system requirements
and installation instructions, see the
This material is organized in the order that McAfee recommends to set up ePolicy Orchestrator
in a production environment for the first time, and is also accessible to anyone seeking specific
topics.
Setting up ePolicy Orchestrator for the first time?
This guide serves as a tool to help administrators set up their ePolicy Orchestrator environment
for the first time, and as a reference tool for more experienced users. Depending on your
environment, you may perform some of these tasks in a slightly different order.
McAfee recommends setting up ePolicy Orchestrator for the first time in this order:
1 Configure ePolicy Orchestrator servers — Set up user accounts and permissions, configure
settings, and get familiar with the user interface.
2 Organize systems for management — The System Tree allows you to organize and act on
all systems you manage with ePolicy Orchestrator. Before setting up other features, you
must create your System Tree.
3 Distribute agents — Each system you want to manage must have the McAfee Agent installed.
This section provides detailed information on distributing and maintaining agents in your
environment.
4 Create repositories — Before deploying any products, components, or updates to your
managed systems with ePolicy Orchestrator, you must configure and create update
repositories.
5 Manage product policies and tasks — Before deploying any products, components, or
updates to your managed systems with ePolicy Orchestrator, McAfee recommends
configuring the policy settings for these products and components. Although it is not
required to configure policy settings before deployment, by doing so you can ensure that
the products and components have the desired settings as soon as possible.
Installation Guide
.
McAfee ePolicy Orchestrator 4.0.2 Product Guide14
Introducing ePolicy Orchestrator 4.0.2
Where to find McAfee enterprise product information
6 Deploy software and updates — Once your update repositories and policy settings are
created and configured, deploy the products, components, and updates to the desired
systems with ePolicy Orchestrator.
7 Configure advanced features — Once your managed environment is up and running, you
can configure and implement ePolicy Orchestrator’s advanced features, like Notifications,
queries and dashboards.
Audience
This information is intended primarily for network administrators who are responsible for their
company’s security program, and assumes the customer has installed and used ePolicy
Orchestrator in a lab environment.
Where to find McAfee enterprise product information
The McAfee documentation is designed to provide you with the information you need during
each phase of product implementation, from evaluating a new product to maintaining existing
ones. Depending on the product, additional documents might be available. After a product is
released additional information regarding the product is entered into the online Knowledgebase
available on McAfee ServicePortal.
Maintenance PhaseSetup PhaseInstallation PhaseEvaluation Phase
How can my company
benefit from this product?
Preparing for, installing
and deploying software
in a test environment.
• Detailed instructions for
common tasks.
Before, during, and after
installation.
Release NotesEvaluation Tutorial
•• Known issues in the
current release.
• Issues resolved since
the last release.
• Last-minute changes to
the product or its
documentation.
Installation Guide
• Preparing for, installing
and deploying software
in a production
environment.
with the product.
Product Guide
Help
• Setting up and
customizing the
software for your
environment.
Online Help
• Managing and deploying
products through ePolicy
Orchestrator.
• Detailed information
about options in the
product.
and
Online
Maintaining the software.Getting up-and-running
Online Help
• Maintaining the
software.
• Reference information.
• All information found in
the product guide.
Quick Reference Card
• Detailed instructions for
common and infrequent
important tasks.
Knowledgebase
(knowledge.mcafee.com)
• Release notes and
documentation.
• Supplemental product
information.
• Workarounds to
known issues.
Finding release notes and documentation for McAfee enterprise products
1 Go to knowledge.mcafee.com and select Product Documentation under Useful links.
2 Select <Product Name> | <Product Version> and select the required document from
the list of documents.
15McAfee ePolicy Orchestrator 4.0.2 Product Guide
Configuring ePolicy Orchestrator Servers
The ePO server is the center of your managed environment, providing a single location from
which to administer system security throughout your network.
If your organization is very large or divided into multiple large sites, consider installing a separate
server at each site. This can reduce network traffic when managing agents, sending updates,
and replicating to distributed repositories within a local LAN. Network traffic has a larger impact
on your resources when this communication takes place across WAN, VPN, or other slower
network connections typically found between remote sites.
Are you configuring the ePO server for the first time?
When configuring the ePO server for the first time:
1 Review the conceptual information on user accounts, permission sets, server settings and
server tasks.
2 Decide on how to implement the flexibility of permission sets with user accounts.
3 Create user accounts and permission sets, and assign the permission sets as needed.
4 Set up your contacts list and email server settings.
Contents
ePO user accounts
How permission sets work
Contacts
Server settings and the behaviors they control
Available server tasks and what they do
The Audit Log
The Event Log
Data exports from any table or chart
MyAVERT Security Threats
Logging on and off from ePO servers
Viewing the server version number
Working with user accounts
Working with permission sets
Working with contacts
Working with server settings
Working with the Server Task Log
Working with the Audit Log
McAfee ePolicy Orchestrator 4.0.2 Product Guide16
Configuring ePolicy Orchestrator Servers
ePO user accounts
Working with the Event Log
Working with MyAvert Security Threats
Exporting tables and charts to other formats
Allowed Cron syntax when scheduling a server task
ePO user accounts
User accounts provide a means for users to access and use the software. They are associated
with permission sets, which define what users are allowed to do with the software.
You must create user accounts and permission sets to accommodate the needs of each user
that logs on to the ePO server.
There are two types of users, global administrators and everyone else.
Global administrators
Global administrators have read and write permissions and rights to all operations. When you
install the server a global administrator account with the user name admin is created.
You can create additional global administrator accounts for people who require global
administrative rights.
Permissions exclusive to global administrators include:
• Create, edit, and delete source and fallback sites.
• Change server settings.
• Add and delete user accounts.
• Add, delete, and assign permission sets.
• Import events into ePolicy Orchestrator databases and limit events that are stored there.
How permission sets work
A permission set is a group of permissions that can be granted to any users by assigning it to
those users’ accounts. One or more permission sets can be assigned to any users who are not
global administrators (global administrators have all permissions to all products and features).
Permission sets only grant rights and access — no permission ever removes rights or access.
When multiple permission sets are applied to a user account, they aggregate. For example, if
one permission set does not provide any permissions to server tasks, but another permission
set applied to the same account grants all permissions to server tasks, that account has all
permissions to server tasks. Consider this as you plan your strategy for granting permissions
to the users in your environment.
When are permission sets assigned?
Global administrators can assign existing permission sets when creating or editing user accounts
and when creating or editing permission sets.
17McAfee ePolicy Orchestrator 4.0.2 Product Guide
Configuring ePolicy Orchestrator Servers
Contacts
What happens when I install new products?
When a new product extension is installed it may add one or more groups of permissions to
the permission sets. For example, when you install a VirusScan Enterprise extension, a VirusScan
Enterprise section is added to each permission set. Initially, the newly added section is listed
in each permission set with no permissions yet granted. The global administrators can then
grant permissions to users through existing or new permission sets.
Default permission sets
ePolicy Orchestrator 4.0.2 ships with four default permission sets that provide permissions to
ePolicy Orchestrator functionality. These are:
• Executive Reviewer — Provides view permissions to dashboards, events, contacts, and can
view information that relates to the entire System Tree.
• Global Reviewer — Provides view access globally across functionality, products, and the
System Tree, except for extensions, multi-server roll-up data, registered servers, and software.
• Group Admin — Provides view and change permissions across ePolicy Orchestrator features.
Users that are assigned this permission set each need at least one more permission set that
grants access needed products and groups of the System Tree.
• Group Reviewer — Provides view permissions across ePolicy Orchestrator features. Users
that are assigned this permission set each need at least one more permission set that grants
access needed products and groups of the System Tree.
Contacts
Maintain a list of email addresses that ePolicy Orchestrator uses to send email messages to
specified users in response to events. Currently this list is used by Notifications, queries, and
export functionality.
Server settings and the behaviors they control
Various settings control how the ePolicy Orchestrator server behaves. You can change most
settings at anytime. However, you must reinstall the software to change the name of the server
or the port number the server uses for HTTP communication.
Types of ePO server settings are:
• Email server — Sepcifies the email server that is used when ePolicy Orchestrator sends email
messages.
• Event Filtering — Specifies which events are forwarded by the agent.
• Global Updating — Specifies whether and how global updating is enabled.
• MyAvert Security Threats — Specifies proxy settings and the update frequency for the
MyAvert Security Threats service.
• Ports — Specifies the ports used by the server when communicating with agents and the
database.
• Printing and exporting — Specifies how information is exported to other formats, and the
template for PDF exports.
McAfee ePolicy Orchestrator 4.0.2 Product Guide18
Configuring ePolicy Orchestrator Servers
Available server tasks and what they do
• Repository Packages — Specifies whether any package can be checked in to any branch.
Only agents later then version 3.6 can retrieve packages other than updates from branches
other than Current.
• Security Keys — Specifies and manages the agent-server secure communication keys,
repository keys.
• System Tree Sorting — Specifies whether and how System Tree sorting is enabled in your
environment.
Available server tasks and what they do
The default set of server tasks is described here. For details on each of these, see the appropriate
section of this guide that covers that server task.
Improvements to server tasks
Server tasks are now more configurable, allowing you to chain multiple actions and subactions
within a single task, as well as more flexible scheduling.
Server task actions
• Event Migration — If you upgrade from a previous ePolicy Orchestrator installation, use this
task to migrate events from the old database to the new database, so that you can run
queries against your historical data. McAfee recommends scheduling this task to run at off
hours as soon as you can after upgrading.
• NT Domain/Active Directory Synchronization — Synchronizes select Windows NT domains
and Active Directory containers that are mapped to System Tree groups. This task can also
be performed manually.
• Purge Audit Log — Deletes entries from the Audit Log on user-configured age.
• Purge Event Log — Deletes events from the database based on user-configured criteria.
• Purge Notification Log — Deletes entries from the Notification Log by user-configured time.
• Purge Server Task Log — Deletes entries from the Server Task Log by user-configured age.
• Repository Pull — Retrieves packages from the source site, then places them in the master
repository.
• Repository Replication — Updates distributed repositories from the master repository.
• Roll Up Data: Managed Systems— Imports summary data from other registered ePO servers.
• Roll Up Data: Compliance History — Imports summary compliance data from other registered
ePO servers.
• Run Query — Runs a selected query and allows you to chain subactions related to the query
results. For example, you can email the results to someone in your organization, or deploy
agents to all systems in the query results.
• Run Tag Criteria — Evaluates all managed systems against a selected tag’s criteria, and
applies the tag to all matching systems.
19McAfee ePolicy Orchestrator 4.0.2 Product Guide
Configuring ePolicy Orchestrator Servers
The Audit Log
The Audit Log
Use the Audit Log to maintain and access a record of all ePO user actions. The Audit Log entries
display in a sortable table. For added flexibility, you can also filter the log so that it only displays
failed actions, or only entries that are within a certain age.
The Audit Log displays seven columns:
• Action — The name of the action the ePO user attempted.
• Completion Time — The time the action finished.
• Details — More information about the action.
• Priority — Importance of the action.
• Start Time — The time the action was initiated.
• Success — Specifies whether the action was successfully completed.
• User Name — User name of the logged-on user account that was used to take the action.
Audit Log entries can be queried against. You can create queries with the Query Builder wizard
that target this data, or you can use the default queries that target this data. For example, the
Failed Logon Attempts query retrieves a table of all failed logon attempts.
The Event Log
Use the Event Log to quickly view and sort through events in the database. The Event Log can
be purged only by age.
You can choose which columns are displayed in the sortable table. You can choose from a
variety of event data to use as columns.
Depending on which products you are managing, you can also take certain actions on the
events. Actions are available on the buttons at the bottom of the page.
Common event format
All managed products now use a common event format. The fields of this format can be used
as columns in the Event Log. These include:
• Action Taken — The action that was taken by the product in response to the threat.
• Agent GUID — Unique identifier of the agent that forwarded the event.
• DAT Version — DAT version on the system which sent the event.
• Detecting Product Host Name — Name of the system hosting hosting the detecting product.
• Detecting Product ID — ID of the detecting product.
• Detecting Product IPv4 Address — IPv4 address of the system hosting the detecting product
(if applicable).
• Detecting Product IPv6 Address — IPv6 address of the system hosting the detecting product
(if applicable).
• Detecting Product MAC Address — MAC address of the system hosting the detecting product.
• Detecting Product Name — Name of the detecting managed product.
• Detecting Product Version — Version number of the detecting product.
McAfee ePolicy Orchestrator 4.0.2 Product Guide20
Configuring ePolicy Orchestrator Servers
Data exports from any table or chart
• Engine Version — Version number of the detecting product’s engine (if applicable).
• Event Category — Category of the event. Possible categories depend on the product.
• Event Generated Time (UTC) — Time in Coordinated Universal Time that the event was
detected.
• Event ID — Unique identifier of the event.
• Event Received Time (UTC) — Time in Coordinated Universal Time that the event was
received by the ePO server.
• File Path
• Host Name — Name of the system which sent the event.
• IPv4 Address — IPv4 address of the system which sent the event.
• IPv6 Address — IPv6 address of the system which sent the event.
• MAC Address — MAC address of the system which sent the event.
• Network Protocol — The threat target protocol for network-homed threat classes.
• Port Number — The threat target port for network-homed threat classes.
• Process Name — The target process name (if applicable).
• Server ID
• Threat Name — Name of the threat.
• Threat Source Host Name — System name from which the threat originated.
• Threat Source IPv4 Address — IPv4 address of the system from which the threat originated.
• Threat Source IPv6 Address — IPv6 address of the system from which the threat originated.
• Threat Source MAC Address — MAC address of the system from which the threat originated.
• Threat Source URL — URL from which the threat originated.
• Threat Source User Name — User name from which the threat originated.
• Threat Type — Class of the threat.
• User Name — The threat source user name or email address.
Data exports from any table or chart
Data in any chart or table in ePolicy Orchestrator can be exported to four different formats.
Exported results are historical data and are not refreshed.
Unlike query results in the console, data in exported reports is not actionable.
Reports are available in several formats:
• CSV — Use this format to use the data in a spreadsheet application (for example, Microsoft
Excel).
• XML — Use this format to transform the data for other purposes.
• HTML — Use this report format to view the exported results as a web page.
• PDF — Use this report format when you need to print the results.
Exported data can be named and saved to any location, or emailed as attachments.
21McAfee ePolicy Orchestrator 4.0.2 Product Guide
Configuring ePolicy Orchestrator Servers
MyAVERT Security Threats
MyAVERT Security Threats
The MyAvert Security Threats page informs you of the top ten medium-to-high-risk threats
for corporate users. You no longer need to manually search for this information from the press
(TV, radio, newspapers), informational web sites, mailing lists, or your peers. You are
automatically notified of these threats from McAfee Avert.
Protection status and risk assessment
You can easily determine whether the DAT and engine files in the Current branch of the master
repository provide protection against the top ten threats and, if not, the highest risk level of
any new threats.
Protection available
The DAT and engine files in the repository already provide protection against all threats that
are known to Avert. To determine whether each managed system is protected run a query
against DAT and engine file coveraget.
Protection pending on Mediium-to-Low Risk Threats
The updated DAT file for threats assessed by AVERT as medium risk is pending. However,
updated protection is available in a supplemental virus definition (EXTRA.DAT) file, which you
can manually download if you need protection before the next full DAT file is available, such
as in an outbreak scenario.
Protection Pending on High-Risk Threats
The updated DAT file for threats assessed by AVERT as high risk is pending. However, updated
protection is available in a supplemental virus definition (EXTRA.DAT) file, which you can
manually download if you need protection before the next full DAT file is available, such as in
an outbreak scenario.
Logging on and off from ePO servers
Use these tasks to log on to and off from ePO servers. Before using ePolicy Orchestrator, you
must be logged on to the ePO server with valid account credentials.
Tasks
Logging on to ePO servers
Logging off of ePO servers
Logging on to ePO servers
Use this task to log on to the ePO server. You must have valid credentials to do this. You can
log on to multiple ePO servers by opening a new browser session for each ePO server.
Task
1 Open an Internet browser and go to the URL of the server. The Log On to ePolicy
Orchestrator dialog box appears.
McAfee ePolicy Orchestrator 4.0.2 Product Guide22
Configuring ePolicy Orchestrator Servers
Viewing the server version number
2 Type the User name and Password of a valid account.
NOTE: Passwords are case-sensitive.
3 Select the Language you want the software to display.
4 Click Log On.
Logging off of ePO servers
Use this task to log off of ePO servers. Log off from the ePO server whenever you finish using
the software.
Task
• To log off from the server, click Log Off at the top of any page, or close the browser.
Viewing the server version number
You can view the version number, edition, and license information of the ePolicy Orchestrator
server.
• To view the version number, edition, log on to the desired ePolicy Orchestrator server. This
information appears in the title bar.
• To view license information, go to the logon page.
• To view extension version information, go to Configuration | Extension.
Working with user accounts
Use these tasks to create and maintain user accounts.
Tasks
Creating user accounts
Editing user accounts
Deleting user accounts
Creating user accounts
Use this task to create a user account. You must be a global administrator to add, edit, or delete
user accounts.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Users.
2 Click New User. The New User page appears.
3 Type a user name.
23McAfee ePolicy Orchestrator 4.0.2 Product Guide
Configuring ePolicy Orchestrator Servers
Working with permission sets
4 Select whether to enable or disable the logon status of this account. If this account is for
someone who is not yet a part of the organization you may want to disable it.
5 Select whether the new account uses ePO authentication or Windows authentication,
and provide the required credentials.
6 Optionally, provide the user’s full name, email address, phone number, and a description
in the Notes text box.
7 Choose to make the user a global administrator, or select the desired permission sets for
the user.
8 Click Save to save the current entries and return to the Users tab. The new user should
appear in the Users list.
Editing user accounts
Use this task to edit a user account. Global administrators can change passwords on any user
account. Other users can only change passwords on their own accounts.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Users.
2 Select the user you want to edit in the Users list, then click Edit.
3 Edit the account as needed.
4 Click Save.
Deleting user accounts
Use this task to delete a user account. You must be a global administrator to delete user
accounts.
NOTE: McAfee recommends disabling the Login status of an account instead of deleting it
until you are sure all valuable information associated with the account has been moved to other
users.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Users.
2 Select the user you want to delete in the Users list, then click Delete.
3 Click OK.
Working with permission sets
Use these tasks to create and maintain permission sets.
Tasks
Creating permission sets for user accounts
Duplicating permission sets
McAfee ePolicy Orchestrator 4.0.2 Product Guide24
Configuring ePolicy Orchestrator Servers
Working with permission sets
Editing permission sets
Deleting permission sets
Creating permission sets for user accounts
Use this task to create a permission set.
Before you begin
You must be a global administrator to perform this task.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Permission Sets, then click New Permission Set.
Figure 1: New Permission Set page
2 Type a name for the permission set and select the users to which the set is assigned.
3 Click Save. The Permission Sets page appears.
4 Select the new permission set from the Permission Sets list. Its details appear to the
right.
5 Click Edit next to any section from which you want to grant permissions.
6 On the Edit Permission Set page that appears, select the appropriate options, then click
Save.
7 Repeat for all desired sections of the permission set.
Duplicating permission sets
Use this task to duplicate a permission set. Only global administrators can duplicate permission
sets.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Permission Sets, then select the permission set you want to edit
in the Permission Sets list. Its details appear to the right.
2 Click Duplicate, type a New name in the Action pane, then click OK.
3 Select the new duplicate in the Permission Sets list. Its details appear to the right.
4 Click edit next to any section with which you want to grant permissions.
5 On the Edit Permission Set page that appears, select the appropriate options, then click
Save.
6 Repeat for all sections of the permission set with which you want to grant permissions.
25McAfee ePolicy Orchestrator 4.0.2 Product Guide
Configuring ePolicy Orchestrator Servers
Working with contacts
Editing permission sets
Use this task to edit a permission set. Only global administrators can edit permission sets.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Permission Sets, then select the permission set you want to edit
in the Permission Sets list. Its details appear to the right.
2 Click Edit next to any section from which you want to grant permissions.
3 On the Edit Permission Set page that appears, select the appropriate options, then click
Save.
4 Repeat for all desired sections of the permission set.
Deleting permission sets
Use this task to delete a permission set. Only global administrators can delete permission sets.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Permission Sets, then select the permission set you want to
delete in the Permission Sets list. Its details appear to the right.
2 Click Delete, then click OK in the Action pane. The permission set no longer appears in
the Permission Sets list.
Working with contacts
Use these tasks to create and maintain email address information of individuals that may receive
email messages from ePolicy Orchestrator.
Tasks
Creating contacts
Editing contacts
Deleting contacts
Creating contacts
Use this task to add email addresses to Contacts.
Task
For option definitions, click ? on the page displaying the options.
McAfee ePolicy Orchestrator 4.0.2 Product Guide26
Configuring ePolicy Orchestrator Servers
Working with server settings
1 Go to Configuration | Contacts, then click New Contact.
Figure 2: New Contact page
2 Type a first name, last name, and email address for the contact.
3 Click Save. The new contact appears on the Contacts page.
Editing contacts
Use this task to edit information in an existing entry on the Contacts page.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Contacts, then select a contact.
2 Click Edit. The Edit Contact page appears.
3 Edit the information as desired.
4 Click Save.
Deleting contacts
Use this task to delete entries from the Contacts page.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Contacts, then select a contact.
2 Click Delete, then click OK in the Action pane. The contact no longer appears in the list.
Working with server settings
Use these tasks to configure and maintain server settings. Only the general server settings are
covered here. Feature-specific server settings are covered in the sections that cover those
features. For example, System Tree sorting server settings are covered in
for Management
Tasks
Specifying an email server
Configuring the template and location for exported reports
Determining which events are forwarded to the server
Viewing and changing communication ports
.
Organizing Systems
27McAfee ePolicy Orchestrator 4.0.2 Product Guide
Configuring ePolicy Orchestrator Servers
Working with server settings
Specifying an email server
Use this task to specify an email server that ePolicy Orchestrator usea to send email messages.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Server Settings, then click Email Server in the Settings list.
2 Click Edit. The Edit Email Server page appears.
3 Type the SMTP server name and SMTP server port.
4 Select whether to authenticate to the email server, and provide credentials if Authenticate
is selected.
5 Type the email address of the return address on messages sent from ePolicy Orchestrator.
6 Click Save, then select Email Server.
7 In the content area next to Test email, type a valid email address for receiving email
messages, then click Test to validate the settings.
Configuring the template and location for exported reports
Use this task to define the appearance and storage location for tables and dashboards you
export as documents. You can configure:
• Headers and footers, including a custom logo, name, page numbering, etc.
• Page size and orientation for printing.
• Directory where exported tables and dashboards are stored.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Server Settings, then select Printing and Exporting in the
Settings list.
2 Click Edit. The Edit Printing and Exporting page appears.
3 Next to Headers and footers for exported documents:
a Click Edit Logo to provide a custom image or text to use as the header.
b Select the desired metadata from the drop-down lists that you want displayed in the
header and footer.
c Select a Page size.
d Select a Page orientation.
4 Type a new location or except the default location to save exported documents.
5 Click Save.
Determining which events are forwarded to the server
Use this task to determine which events are forwarded to the server. This selection impacts the
bandwidth used in your environment, as well as the results of event-based queries.
McAfee ePolicy Orchestrator 4.0.2 Product Guide28
Configuring ePolicy Orchestrator Servers
Working with the Server Task Log
Before you begin
You must be a global administrator to perform this task.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Server Settings, select Event Filtering, then click Edit at the
bottom of the page. The Edit Event Filtering page appears.
Figure 3: Edit Event Filtering page
2 Select the events you want the agent to forward to the server, then click Save.
Changes to these settings take effect after all agents have communicated with the ePO server.
Viewing and changing communication ports
Use this task to view the ports ePolicy Orchestrator uses for communication with distributed
components. These ports were originally configured during installation. After installation you
can only change the two ports used for agent communication. If you need to change other
ports, you must reinstall the server and reconfigure the ports in the installation wizard.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Server Settings, select Ports, then click Edit at the bottom of
the page. The Edit Ports page appears.
2 Change the agent-server communication or agent broadcast communication ports as
necessary, then click Save.
NOTE: The agent-server communication port is used for agent-server communication; the
agent broadcast port is used for SuperAgent wake-up calls.
Working with the Server Task Log
Use these tasks to view and maintain the Server Task Log.
Tasks
Viewing the Server Task Log
29McAfee ePolicy Orchestrator 4.0.2 Product Guide
Configuring ePolicy Orchestrator Servers
Working with the Server Task Log
Filtering the Server Task Log
Purging the Server Task Log
Viewing the Server Task Log
Use this task to review the status of server tasks and long-running actions.
The status of each server task appears in the Status column:
• Completed — Task completed successfully.
• Failed — Task was started but did not complete successfully.
• In progress — Task has started but not finished.
• Waiting — This message appears when the task is waiting for another task to finish.
• Terminated — Task was terminated before it finished.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Server Task Log.
2 Click any entry in the log to view its details.
Figure 4: Server Task Log Details page
Filtering the Server Task Log
As the Server Task Log grows, you can filter it to show only the most recent activity. You can
filter the log to show only entries from the last day, last seven days, last 30 days, or by Failed
or In Progress task statuses.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Server Task Log.
McAfee ePolicy Orchestrator 4.0.2 Product Guide30
Loading...