McAfee TEECDE-AA-AA, Total Protection For Endpoint Evaluator Manual
McAfee Total Protection for Endpoint
Lab Evaluation Guide
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN,
WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in
connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property
of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
McAfee Total Protection for Endpoint Lab Evaluation Guide2
Contents
Welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
System requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Setting up McAfee Total Protection for Endpoint suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Logging on to ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Set Up the ePolicy Orchestrator Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Add Systems to Manage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Setting Policies for Endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Setting Policies for Email Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Set Tasks for Endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Deploy the McAfee Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Using Dashboards and Queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Server requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Database requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Operating systems language support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3McAfee Total Protection for Endpoint Lab Evaluation Guide
Welcome
Welcome to McAfee®Total Protection®for Endpoint. This solution incorporates the best and
most comprehensive McAfee security for endpoints, email, web, and data. Compared to
purchasing and maintaining multiple security components from multiple vendors, McAfee Total
Protection for Endpoint saves time, saves money, and provides a more powerful, integrated
defense against the threats that businesses know about, and the threats they can't see coming.
This guide is organized so you can evaluate McAfee Total Protection for Endpoint in a pilot
environment consisting of one ePolicy Orchestrator®(ePO™) server and a number of client
computers. The guide covers the basic steps required to install ePolicy Orchestrator quickly,
configure basic policies and tasks, and deploy these McAfee products for client protection:
• VirusScan®Enterprise 8.7i
• AntiSpyware Enterprise 8.7
• Host Intrusion Prevention 7.0
• SiteAdvisor®Enterprise Plus 3.0
• GroupShield®7.0.1 for Microsoft Exchange
• McAfee Security for Lotus Domino, v7.5 on Windows
This guide provides real examples of steps you take during a live deployment. It does not cover
every possible deployment scenario, nor examine every feature. For complete information on
all aspects of the products included in Total Protection for Endpoint, see their respective product
guides.
Full product documentation is available on the McAfee KnowledgeBase.
Under Self Service, click Product Documentation, choose a product and version, then
choose a document.
Product descriptions
The products in Total Protection for Endpoint are grouped into these categories:
• Management solution
• Endpoint protection
• Email server protection
Management solution
Total Protection for Endpoint provides these products for a management solution.
McAfee ePolicy Orchestrator 4.5
McAfee Total Protection for Endpoint Lab Evaluation Guide4
DescriptionProduct
ePolicy Orchestrator is the industry-leading system security management
solution for the enterprise. It delivers a coordinated, proactive defense
against malicious threats and attacks. ePolicy Orchestrator combines
unmatched global policy control with a single agent and a central console
with custom reporting to easily manage your system security
environment.
Welcome
DescriptionProduct
McAfee Agent 4.5
McAfee Agent is the client-side framework that supports the McAfee
security management infrastructure. It provides secure communication
between point-products and ePolicy Orchestrator, and local services to
point-products. As a framework, the McAfee Agent enables
point-products to focus on enforcing their policies, while delivering an
expanding set of services that includes logging, communication, and
policy storage.
Endpoint protection
Total Protection for Endpoint provides these products for endpoint protection.
DescriptionProduct
McAfee VirusScan®Enterprise 8.7i
McAfee AntiSpyware Enterprise 8.7
McAfee Host Intrusion Prevention 7.0
McAfee SiteAdvisor®Enterprise Plus 3.0
VirusScan Enterprise, a trusted name in security, is a leader in the
advanced, proactive protection for PCs and servers. Businesses rely on
the key features of VirusScan Enterprise during an outbreak, including:
cleaning memory, rootkits, the registry and files, as well as preventing
propagation of malicious code to other systems. VirusScan Enterprise
also contains functionality from anti-virus, intrusion prevention, and
firewalls for protection from known and unknown attacks.
AntiSpyware Enterprise Module, the leading enterprise anti-spyware
software solution, uses true on-access scanning to identify, proactively
block, and safely eliminate potentially unwanted programs (PUPs) for
optimal business availability. Centrally managed with ePolicy
Orchestrator, McAfee AntiSpyware Enterprise Module seamlessly
integrates with VirusScan Enterprise, reducing disruptions due to threats
and PUPs.
Host Intrusion Prevention monitors and blocks intrusions by combining
signature and behavioral protection with a system firewall. Shielding
your assets improves the availability, confidentiality, and integrity of
your business processes. A single agent makes it easy to deploy,
configure, and manage, and patching becomes less frequent and less
urgent.
SiteAdvisor Enterprise Plus allows your employees to surf and search
the web safely as threats like spyware, adware, phishing scams, and
more are blocked. Integrated into McAfee solutions, SiteAdvisor
Enterprise technology adds web security to your comprehensive
protection, guiding and shielding users from online threats.
Email server protection
Total Protection for Endpoint provides these products for email server protection.
McAfee GroupShield®7.0.1 for Microsoft
Exchange
McAfee Security for Lotus Domino, v7.5 on
Windows
DescriptionProduct
GroupShield protects your email and other documents as they enter
and leave your Microsoft Exchange server. GroupShield proactively
scans for viruses, automatically manages outbreaks, and prevents
malicious code from disrupting your systems. The GroupShield content
filter blocks or quarantines messages that contain specific words and
phrases that violate content rules.
McAfee Security for Lotus Domino protects your email and other
documents as they enter and leave your Domino server. McAfee
Security for Lotus Domino proactively scans for viruses, automatically
manages outbreaks, and prevents malicious code from disrupting your
systems. The McAfee Security for Lotus Domino content filter blocks
or quarantines messages that contain specific words and phrases that
violate content rules.
5McAfee Total Protection for Endpoint Lab Evaluation Guide
Welcome
DescriptionProduct
McAfee Anti-Spam add-on
Anti-Spam blocks spam from your Microsoft Exchange and Lotus Domino
mail servers. This increases employee productivity, while also stopping
phishing scams to protect confidential data from being disclosed by
employees. Anti-Spam integrates with McAfee GroupShield and McAfee
Security for Lotus Domino to reduce resource usage on your busy mail
servers.
When you are ready to deploy products to your environment, like VirusScan Enterprise or Host
Intrusion Prevention, you will use ePolicy Orchestrator and the McAfee Agent to handle the
deployment and updates. McAfee recommends that you use the workflow in the following
sections to get started with the solution.
McAfee Total Protection for Endpoint Lab Evaluation Guide6
System requirements
Before setting up McAfee Total Protection for Endpoint software, verify that each component
meets the minimum system requirements that are listed below:
• Server
• Database
Server requirements
Free disk space — 1 GB minimum (first-time installation); 2 GB recommended.
Memory — 1 GB available RAM; 2–4 GB recommended.
Processor — Intel Pentium III-class or higher; 1 GHz or higher.
Monitor — 1024x768, 256-color, VGA monitor.
NIC — Network interface card; 100 MB or higher.
NOTE: If using a server with more than one IP address, ePolicy Orchestrator uses the first
identified IP address.
Dedicated server — If managing more than 250 computers, McAfee recommends using a
dedicated server.
File system — NTFS (NT file system) partition recommended.
IP address — McAfee recommends using static IP addresses for ePO servers.
Server-class operating system — 32bit or 64bit
• Windows Server 2003 Enterprise with Service Pack 2 or later
• Windows Server 2003 Standard with Service Pack 2 or later
• Windows Server 2003 Web with Service Pack 2 or later
• Windows Server 2003 R2 Enterprise with Service Pack 2 or later
• Windows Server 2003 R2 Standard with Service Pack 2 or later
• Windows Server 2008
NOTE: Installation is blocked if you attempt to install on a version of Windows earlier than
Server 2003. In addition, ePolicy Orchestrator stops functioning if, after having been installed
on Windows Server 2003, the server is upgraded to Windows Server 2008.
Browser
• Firefox 3.0
• Microsoft Internet Explorer 7.0 or 8.0
If using Internet Explorer and a proxy, follow these steps to bypass the proxy server.
1 From the Tools menu in Internet Explorer, select Internet Options.
7McAfee Total Protection for Endpoint Lab Evaluation Guide
System requirements
Database requirements
2 Select the Connections tab and click LAN Settings.
3 Select Use a proxy server for your LAN, then select Bypass proxy server for local
addresses.
4 Click OK as needed to close Internet Options.
Domain controllers — The ePolicy Orchestrator server can manage systems in a Workgroup
or Windows Domain. In the installation instructions below, we will use the latter which requires
the server to be a member of your Windows domain. For instructions, see the Microsoft product
documentation.
Security software
• Install and/or update the anti-virus software on the ePolicy Orchestrator server and scan
for viruses.
CAUTION: If running VirusScan Enterprise 8.5i or 8.7i on the system where you are installing
ePolicy Orchestrator, you must ensure that the VSE Access Protection rules are disabled
during the installation process, or the installation fails.
• Install and/or update firewall software on the ePolicy Orchestrator server.
Ports
• McAfee recommends avoiding the use of Port 8443 for HTTPS communication. Although this
is the default port, it is also the primary port used by many web-based activities, is a popular
target for malicious exploitation, and it is likely to be disabled by the system administrator
in response to a security violation or outbreak.
NOTE: Ensure that the ports you choose are not already in use on the ePolicy Orchestrator
server computer.
• Notify the network staff of the ports you intend to use for HTTP and HTTPS communication
via ePolicy Orchestrator.
NOTE: Installing the software on a Primary Domain Controller (PDC) is supported, but not
recommended.
Supported virtual infrastructure software
• VMware ESX 3.5.x
• Microsoft Virtual Server 2005 R2 with Service Pack 1
• Windows Server 2008 Hyper-V
Database requirements
A database must be installed before ePolicy Orchestrator can be installed. Any of the following
databases, if previously installed, meets this requirement.
• SQL Server 2005
• SQL Server 2005 Express
• SQL Server 2008
• SQL Server 2008 Express
NOTE: SQL Server 2000 is not supported.
McAfee Total Protection for Endpoint Lab Evaluation Guide8
System requirements
Database requirements
If none of those databases was previously installed, the ePO installation wizard detects that no
database is present and offers you the opportunity to install SQL Server 2005 Express.
Database installation documented in this Guide
The only database installation scenario described in detail is a first-time installation of SQL
Server 2005 Express. In this scenario, the ePO Setup installs both the ePolicy Orchestrator
software and the database on the same server. If the database is to be installed on a different
server from the ePolicy Orchestrator, manual installation is required on the remote servers.
SQL Server
• Local database server — If using SQL Server on the same system as the ePO server,
McAfee recommends using a fixed memory size in Enterprise Manager that is approximately
two-thirds of the total memory for SQL Server. For example, if the computer has 1GB of
RAM set 660MB as the fixed memory size for SQL Server.
• SQL Server licenses — If using SQL Server, a SQL Server license is required for each
processor on the computer where SQL Server is installed.
CAUTION: If the minimum number of SQL Server licenses is not available after you install
the SQL Server software, you may have issues installing or starting the ePolicy Orchestrator
software.
Other relevant database installations and upgrades
See the documentation provided by the database manufacturer for information about the
following installation scenarios:
• Maintenance settings — McAfee recommends making specific maintenance settings to
ePO databases. For instructions, see
Maintaining ePO databases
in the
ePolicy Orchestrator
Help.
NOTE: For detailed system requirements information about Agent Handlers, Database and
Distributed Repositories, refer to the
ePolicy Orchestrator 4.5 Installation Guide
.
Other software requirements
The following table provides additional information about the other software requirements.
NoteSoftware
You must acquire and install.MSXML 6.0
1
From the Internet Explorer Tools menu, select Windows
Update.
2
Click Custom, then select Software.
3
Select MSXML6.
4 Select Review and install updates, then click Install Updates.
Firefox 3.0
You must acquire and install.Internet Explorer 7 or 8, or
Redistributable
You must acquire and install if using SQL Server 2005 Express..NET Framework 2.0
If not previously installed, the installation wizard installs automatically.Microsoft Visual C++
9McAfee Total Protection for Endpoint Lab Evaluation Guide
System requirements
Operating systems language support
NoteSoftware
Redistributable - x86 9.0.21022
Compatibility
SQL Server 2005 Express
Microsoft updates
If not previously installed, the installation wizard installs automatically.Microsoft Visual C++
If not previously installed, the installation wizard installs automatically.MDAC 2.8
If not previously installed, the installation wizard installs automatically.SQL Server 2005 Backward
If no other database has been previously installed, this database can be installed
automatically at user’s selection.
Update the ePolicy Orchestrator server and the database server with the most
current updates and patches.
The installation fails if using a version of MSI previous to MSI 3.1.MSI 3.1
Microsoft updates and patches
Update both the ePO server and the database server with the latest Microsoft security updates.
If you are upgrading from MSDE 2000 or SQL 2000, be sure to follow Microsoft's required
upgrade scenarios.
Operating systems language support
This version of the ePolicy Orchestrator runs on any supported operating system irrespective
of the language of the operating system.
Following is a list of languages into which the ePolicy Orchestrator has been translated. When
the software is installed on an operating system using a language that is not on this list, the
ePolicy Orchestrator interface attempts to display in English.
• Japanese• Chinese (Simplified)
• Chinese (Traditional) • Korean
• Russian• English
• French (Standard) • Spanish
• German (Standard)
McAfee Total Protection for Endpoint Lab Evaluation Guide10
Setting up McAfee Total Protection for Endpoint
suite
This section guides you to install the McAfee Total Protection for Endpoint suite with the default
options. The McAfee Total Protection for Endpoint suite installer will setup the ePO server and
check-in the endpoint softwares to the ePO repository in one go.
Task
1 From McAfee official site, download and extract the contents of McAfee Total Protection
for Endpoint software to a temporary directory on your ePO server or your intended
management server.
2 Double-click Setup.exe. The Welcome to the McAfee ePolicy Orchestrator setup
for Total Protection for Endpoint suite page appears.
3 Click Next. The Type License Key page appears.
4 Select Evaluation, then click Next. The McAfee Licensing Evaluation page appears.
5 Click OK. The McAfee End User License Agreement page appears.
6 Select I accept the terms in the license agreement, then click OK. The Choose
Software to Evaluate page appears with the following options, enabled by default:
• Base Installation
• Host Intrusion Prevention
• McAfee Security for Lotus Domino and MS Exchange (GroupShield)
7 Click Next. The Set Administrator Information page appears.
8 Type the username and password to use for the ePolicy Orchestrator administrative account
and click Next. The Choose Setup Type page appears.
NOTE: You will use the same credentials later, to log on to ePolicy Orchestrator.
9 Select Default to install ePolicy Orchestrator and Microsoft SQL 2005 Express using the
default location and settings, then click Next. A confirmation dialog box appears.
10 Click OK to install Microsoft SQL 2005 Express. The Set Database Information page
appears.
11 Identify the type of account and authentication details that the ePolicy Orchestrator server
uses to access the database.
• From the Database Server credentials field, select the windows domain from the
drop-down, type the domain user name and password, then click Next. The Start
Copying Files page appears.
NOTE: Windows authentication is enabled, as SQL Express does not allow SA authentication
by default.
11McAfee Total Protection for Endpoint Lab Evaluation Guide
Setting up McAfee Total Protection for Endpoint suite
12 Click Next to begin installation. The InstallShield Wizard Complete page appears with
the following options, enabled by default:
• Select Yes, I want to view the ReadMe file to view the Readme.
• Select Yes, I want to launch McAfee ePolicy Orchestrator now to launch the
ePolicy Orchestrator user interface.
NOTE: During installation, you may be prompted to change one or more of the default port
numbers incase of any conflict.
13 Click Finish.
McAfee Total Protection for Endpoint Lab Evaluation Guide12
Logging on to ePolicy Orchestrator
Use this task to log on to the ePolicy Orchestrator. You must have valid credentials to do this.
Task
1 To launch the ePolicy Orchestrator software, open an Internet browser and go to the URL
of the server (For example:
Orchestrator dialog box appears.
NOTE: You can also double-click the Launch McAfee ePolicy Orchestrator 4.5 console
icon on the desktop to launch ePolicy Orchestrator.
https://<servername>:8443
). The Log On to ePolicy
2 Type the User name and Password of a valid account, created in
"
Setting up McAfee Total Protection for Endpoint suite
NOTE: Passwords are case-sensitive.
3 Select the Language you want the software to display.
4 Click Log On.
" section.
Step 7
under the
13McAfee Total Protection for Endpoint Lab Evaluation Guide
Set Up the ePolicy Orchestrator Server
The ePolicy Orchestrator repository is the central location for all McAfee product installations,
updates, and signature packages. The modular design of ePolicy Orchestrator allows new
products to be added as
such as VirusScan Enterprise, and non-McAfee products from McAfee partners.
components that are checked in to the master repository, then deployed to client systems.
For information about extensions and packages, see these topics in the
Product Guide
•
Extensions and what they do
•
Deployment packages for products and updates
According to your selections during installation, the Total Protection for Endpoint client software
was added to your ePO master repository. To verify the installation, go to the Master
Repository.
Configure a repository pull task
:
extensions
. This includes new or updated versions of McAfee products,
Packages
ePolicy Orchestrator
are
For ePolicy Orchestrator to keep your client systems up-to-date, you must configure a
pull task
NOTE: A repository pull task was created for you automatically during installation.
Task
Use this task to create a repository pull task that adds and updates the client software.
1 Click Menu | Automation | Server Tasks.
2 In the list, find the task named Update Master Repository and, under the Actions
3 On the Description page, set Schedule status to Enabled, then click Next.
4 On the Actions page, there is a gray bar just below the page description labeled 1. Select
5 Select Move existing packages to Previous branch, then click Next.
6 On the Schedule page, choose when you want ePolicy Orchestrator to check the McAfee
that retrieves updates from a McAfee site (HTTP or FTP) at specified intervals.
column, click Edit to open the Server Task Builder.
Respository Pull from the drop-down list.
NOTE: Checking this option allows ePolicy Orchestrator to maintain more than one day's
signature files. When the next pull task runs, today's updates are moved to a directory on
the server called Previous. This allows you to rollback updates, if necessary.
site for updates.
• Schedule the task to run Daily, with No End Date.
• Set Schedule to between 9:00am and 11:00pm.
repository
McAfee Total Protection for Endpoint Lab Evaluation Guide14
Loading...