McAfee Endpoint Security 10 · Our endpoint protection stops greyware, ransomware, and other...

McAfee Endpoint Security 10.7

Customer POC Guide

McAfee ENS POC Guide

Date : 12/2019



Copyright © McAfee LLC, 2019. All rights reserved.

2

Important note:

The enclosed material is proprietary to McAfee Inc. and is copyrighted. This document may not be

disclosed in any manner to anyone other than the addressee and the employees or representatives of the

addressed firm who are directly responsible for evaluation of its contents. This document may not be used

in any manner other than for the purpose it was distributed. Any unauthorized use; reproduction or

transmission in any form is strictly prohibited.

®Copyright 2019 McAfee Inc.




3

Table of Contents

1 Business Case ................................................................................................................................................. 5

2 Proof of Concept Pre-Requisites ................................................................................................................. 7

3 POC Use Cases ............................................................................................................................................ 22

4 Customer success criteria ........................................................................................................................... 37

5 Assumptions: ................................................................................................................................................. 40

6 Limitations...................................................................................................................................................... 40

7 Customer acceptance .................................................................................................................................. 40




4

The following contacts will be available to assist throughout the execution of this proof of concept. Please complete the following details before the agreed evaluation commencement date. Customer Contacts:

Name Title Telephone Number(s) Email

Partner Contacts:


McAfee Contacts: Sales Executives:


Sales Engineering Team:





5

1 Business Case Today’s corporations face the challenge in security of defending the corporate network and users from malicious code disrupting business, in the past 18 months, both corporate and home users have been exposed to new types of malicious code in the form of ransomware attacks on networks. Based on the industry trends, the malicious code writers are creating malware faster and with more sophisticated and devastating payloads then the Security Industry can keep pace with, added to this is the fact that almost all the security vendors current Anti-Malware solutions are based on what is deemed legacy code, meaning that some changes have been made to the Anti-virus solution but not enough to provide the next generation of protection needed to protect against these next generation attacks. Below is a graphic of the growth of malware over the past 5 years, you can see the total growth number of known malware to date (ref: AV test.org- https://www.av-test.org/en/statistics/malware/)

McAfee Endpoint Security 10 (ENS)




6

New endpoint protection solution emphasizes integration, automation, and orchestration as the foundation of the threat defense lifecycle. It harnesses the power of machine learning to detect zero-day threats in near real-time and streamlines the ability to quickly expose and remediate advanced attacks. Detect zero-day malware ENS can unmask evasive threats by combining reputation analysis with new machine learning classification and behavioral modelling. Our endpoint protection stops greyware, ransomware, and other advanced threats before they infect patient zero or spread to other systems. Dynamic application containment pre-emptively blocks suspicious files from using common malicious processes to shield the first endpoint and isolate the network from infection. Real protect offers static pre-execution analysis and post-execution dynamic behavioral analysis, leveraging machine learning classification from the cloud, to detect zero-day malware in near real time, without relying on traditional signatures. Other capabilities include:

• Centralized (ePO/SaaS) and standalone management.

• Threat Prevention module that scans for and lets you act on detected malware and

unwanted programs (McAfee Endpoint Security capabilities).

• Ability to create custom exploit prevention rules that give customers unparalleled

granular control over what’s important to them.

• Firewall module that acts as a filter between computer and network or Internet

(McAfee ENS - Firewall capabilities).

• Web Control module for protection while browsing or searching websites (McAfee

ENS Web Control and Global Threat Intelligence - GTI capabilities).

• Adaptive Threat Protection module provides advanced machine learning capabilities,

integration with ATD, and dynamic application containment.

• Anti-Malware Core Engine (AMCore) technology with built-in intelligence strategy to

practice scan avoidance and only scan items that really need to be scanned, instead

of scanning all items equally.

• Policy migration tool to migrate policies and client tasks and remove McAfee products

that are no longer needed, such as VirusScan Enterprise and Host Intrusion

Prevention Firewall.

• Guided and automated migration using the Endpoint Upgrade Assistant extension

and Endpoint Automation tool.

• Optional integration with McAfee Data Exchange Layer (DXL) and McAfee Threat

Intelligence Exchange (TIE) solutions.




7

2 Proof of Concept Pre-Requisites

Below are the software and hardware pre-requisites to setup an evaluation environment to run through business use cases. Please refer to below given KB article for more details. (https://kc.mcafee.com/corporate/index?page=content&id=KB82761 )

Supported Windows Operating Systems: Below is the list of supported workstation operating systems, recommended to pick OS for testing which represent product environment.

Microsoft Operating System ENS 10.7.0, 10.7.0 February 2020 Update

Windows 10 November 2019 Update - version 19091, 3 Yes

Windows 10 May 2019 Update - version 19031, 3 Yes

Windows 10 October 2018 Update - version 18091, 3 Yes

Windows 10 April 2018 Update - version 18031, 3 Yes

Windows 10 Fall Creators Update - version 17091, 3 Yes

Windows 10 Creators Update - version 17031, 3, 4 Yes

Windows 10 Anniversary Update - version 16071, 3 Yes

Windows 10 November Update - version 15111, 3, 7 No

Windows 10 Enterprise 2015 LTSB1, 3 Yes

Windows 10 version 15071, 3, 7 No

Windows 10 IoT Enterprise1, 3 Yes

Windows 8.1 Update 16 Yes

Windows 8 (Not including Windows 8 RT [Runtime] edition)6 Yes

Windows To Go - all versions Yes

Windows 7 SP1 (and later)5 Yes

Windows Vista SP2 (and later) No

Windows XP SP3 Professional x86 (XP x64 is not supported) SP3 (and later)2 See below. No longer supported by Microsoft.

No

Windows Embedded 8: Pro, Standard, and Industry1 Yes

Windows Embedded Standard 74 Yes

Below is the list of supported server operating system, recommended to pick OS for testing which represent product environment.

https://kc.mcafee.com/corporate/index?page=content&id=KB82761




8

Microsoft Operating System ENS 10.7.0, 10.7.0 February 2020 Update

Windows Server 2019 version 1909 (including Essentials, Standard, and Datacenter)

Yes

Windows Server 2019 version 1903 (including Essentials, Standard, and Datacenter)

Yes

Windows Server 2019 version 1809 (including Essentials, Standard, Datacenter, and Server Core Mode)

Yes


Yes


Yes


Yes

Windows Storage Server 2016 Yes

Windows Server 2012 R2 Update 1: Essentials, Standard, and Datacenter (including Server Core Mode)

Yes

Windows Server 2012 R21 Yes

Windows Server 2012 Yes

Windows Storage Server 2012 and 2012 R2 Yes

Windows Server 2008 R23: Standard, Datacenter, Enterprise, and Web (including Server Core Mode)

Yes

Windows Server 20083 No

Windows Storage Server 2008 No

Windows Storage Server 2008 R2 Yes

Windows Small Business Server 2011 Yes

Windows Small Business Server 2008 No

Windows Server 2003 and 2003 R22 See below. No longer supported by Microsoft.

No

Supported McAfee Agent version for POC is,

Product Minimum MA Version

ENS 10.7 MA 5.0.5 or later / MA 5.6.4 is recommended




9

Below is the list of supported virtual infrastructure:

Please NOTE: - If a product and/or version is not listed, we do not support it. - Citrix VDI-in-a-Box environments are not supported.

Virtualization Server and Application

Versions Tested

AWS 2012 R2

Azure Win 81

Citrix XenApp 7.6

Citrix XenDesktop 7.0, 7.11, 7.13

Citrix XenServer 6.2

Microsoft Hyper-V Server 2016 2016

Microsoft Hyper-V Server 2012 R2 2012

MSFT AAP V 5.2

VMware ESXi 5.5, 6.0, 6.5

VMware Player 6.0.3

VMware vSphere 5.5, 6.0

VMware Workstation 10

Hardware requirements

- CPU - Intel® Pentium processor or compatible architecture - RAM as follows as shown below,

Operating System Service Pack 32-bit

64-bit

Processor RAM Minimum Hard Disk Space Free

Windows 10 X X 2 GHz or higher

3 GB 1 GB

Windows 8.1 Update 1 X X 2 GHz or higher

3 GB 1 GB

Windows 8 - except Runtime X X 2 GHz or higher

3 GB 1 GB

Windows 7 SP1 X X 1.4 GHz or higher

2 GB 1 GB

Windows Embedded Standard 7

X X 1 GHz or higher

1 GB 1 GB

Windows Embedded 8 X X 1 GHz or higher

1 GB 1 GB

Windows Server 2019 X 2 GHz or higher

3 GB 1 GB


3 GB 1 GB




10

Windows Server 2012 R2 X 2 GHz or higher

3 GB 1 GB


3 GB 1 GB

Windows Storage Server 2012 and 2012 R2

X 2 GHz or higher

3 GB 1 GB

Windows Server 2008 R2 X X 1.4 GHz or greater

2 GB 1 GB

Windows Storage Server 2008 R2

X X 1.4 GHz or higher

2 GB 1 GB

Windows Small Business Server 2011

X 1.4 GHz or higher

2 GB 1 GB

Windows Point of Service 1.1 X 1 GHz or higher

1 GB 1 GB

Supported Internet browsers: Browser ENS 10.x Web

Control Comments

Google Chrome Yes

Microsoft Edge Yes

ENS Web Control 10.7.0 supports Edge on Windows 10 Version 1703 (Creators Update) and later. ENS Web Control 10.6.1 adds support for Edge in Windows 10 version 1809 (October 2018 Update) and later.

Microsoft Edge Chromium

No ENS Web Control currently does not support Edge Chromium. This article will be updated when ENS Web Control adds support for Edge Chromium.

Mozilla Firefox Yes

• Firefox 74 or later: ENS Web Control does not support new installations for Firefox 74 or later. For more information, see known

issue KB92605.

• Firefox 56 or later: ENS Web Control 10.5.4 adds support for Firefox

56. For more information, see KB89947.

• Firefox 51: ENS Web Control 10.5.1 adds support for Firefox 51.

Microsoft Internet Explorer 11

Yes

NOTES:

• Because of the high frequency with which Chrome and Firefox browsers are released, ENS Web Control support for Chrome or Firefox may not support new browser version. The next ENS patch release will target adding back support for the browser.






11

• ENS Web Control is not 64-bit and does not support native 64-bit browsers, but it does support 64-bit browsers in 32-bit mode.

• Enhanced Protected Mode in Internet Explorer is not supported

Supported platforms, environments, and operating systems for Endpoint Security for Mac

Please refer to below given KB article for more details on Mac support.

(https://kc.mcafee.com/corporate/index?page=content&id=KB84934)

Supported Operating Systems

Operating System

Version ENSM 10.1.0-10.2.0

ENSM 10.2.1-10.2.2

ENSM 10.2.3-10.5.0

ENSM 10.5.5-10.5.9

ENSM 10.6.0-10.6.4

ENSM 10.6.5-10.6.8

Catalina 10.15.x

Both Client and Server

No No No No No Yes

Mojave 10.14.x1


No No No Yes Yes Yes

High Sierra 10.13.x


No No Yes Yes Yes No

Sierra 10.12.x Both Client and Server

No Yes Yes Yes No No

El Capitan 10.11.x


Yes Yes Yes No No No

Yosemite 10.10.x


Yes Yes No No No No

Mavericks 10.9.x


Yes No No No No No

Supported McAfee Agent Versions

Product Minimum Supported Version

ENSM 10.1.0-10.2.0

ENSM 10.2.1

ENSM 10.2.2

ENSM 10.2.3-10.5.0

ENSM 10.5.5-10.6.4

ENSM 10.6.5-10.6.8

McAfee Agent

McAfee Agent for Mac

No No No No Yes Yes





12

Version: 5.6.2 and later Minor Version: 209

McAfee Agent

McAfee Agent for Mac on macOS Mojave Version: 5.6.0 and later Minor Version: 702

Yes Yes Yes Yes Yes No

McAfee Agent

McAfee Agent for Mac on macOS Mojave Version: 5.5.1 and later Minor Version: 374

Yes Yes Yes Yes Yes No

McAfee Agent

McAfee Agent for Mac on macOS High Sierra Version: 5.0.6 and later Minor Version: 347

Yes Yes Yes Yes No No

McAfee Agent

McAfee Agent for Mac on macOS El Capitan and Sierra Version: 5.0.5 and later Minor Version: 658

Yes Yes Yes Yes No No

McAfee Agent

McAfee Agent for Mac Version: 5.0.4 and later Minor Version: 470

Yes Yes Yes No No No

McAfee Agent


Yes Yes No No No No

McAfee Agent


Yes No No No No No

Supported Internet Browser Versions




13

Browser Version ENSM 10.1.0-10.1.1

ENSM 10.2.0

ENSM 10.2.1-10.2.2

ENSM 10.2.3-10.5.0

ENSM 10.5.5-10.5.9

ENSM 10.6.0-10.6.4

ENSM 10.6.5-10.6.8

Google Chrome

76 and later

No Yes Yes Yes Yes Yes Yes

Google Chrome

49 to 75 No Yes Yes Yes Yes Yes No

Safari 13.0.x No No No No No No Yes

Safari 12.0.x No No No No Yes Yes Yes

Safari 11.0.x No No No Yes Yes Yes No

Safari 10.1.x No No No Yes Yes No No

Safari 10.0.x No No Yes No No No No

Safari 9.0.x Yes Yes Yes No No No No

Safari 8.0.x Yes Yes Yes No No No No

Safari 7.1.x Yes Yes No No No No No

Supported platforms, environments, and operating systems for Endpoint Security for Linux Threat Prevention Please refer to below given KB article for more details on Linux support. (https://kc.mcafee.com/corporate/index?page=content&id=KB87073)

Supported Operating Systems NOTE: ENSLTP cannot be used on 32-bit platforms.

Operating System ENSLTP 10.6.9

ENSLTP 10.6.8

ENSLTP 10.6.7

ENSLTP 10.6.4-10.6.6

ENSLTP 10.6.3

ENSLTP 10.6.2

ENSLTP 10.6.1

ENSLTP 10.6.0

Amazon Linux 2 (2.0.20180622.1) (64-bit)

Yes Yes Yes Yes Yes Yes Yes Yes

Amazon Linux 2 (2017.12) (64-bit)


Amazon Linux AMI 2018.03 (64-bit)


Amazon Linux AMI 2017.9 (64-bit)


Amazon Linux AMI 2014.03 / 2014.09 / 2015.03 / 2015.09 / 2016.03 / 2016.09 / 2017.03 (64-bit)






14

CentOS 8.1 (64-bit) Yes No No No No No No No

CentOS 8.0 (64-bit) Yes Yes Yes No No No No No

CentOS 7.7 (64-bit) Yes Yes Yes Yes Yes No No No

CentOS 7.6 (64-bit) 1 Yes Yes Yes Yes Yes Yes Yes Yes

CentOS 7.5 (64-bit) Yes Yes Yes Yes Yes Yes Yes Yes


CentOS 7.0 / 7.1 / 7.2 / 7.3 (64-bit)




CentOS 6.0 / 6.1 / 6.2 / 6.3 / 6.4 / 6.5 / 6.6 / 6.7 / 6.8 (64-bit)


CentOS on Amazon Elastic Compute Cloud (Amazon EC2) (64-bit)


Debian 9.6 Yes Yes Yes Yes Yes Yes Yes No

Debian 9.0 / 9.1 / 9.2 / 9.3 / 9.4 / 9.5 (on-demand scanning and on-access scanning)


Debian 9.0 / 9.1 / 9.2 / 9.3 / 9.4 / 9.5 (on-demand scanning only)


Debian 8.0 / 8.1 / 8.2 / 8.3 / 8.4 / 8.5 / 8.6 / 8.7 / 8.8 / 8.9 (on-demand scanning only)


Fedora 31 (desktop and server)

Yes Yes No No No No No No

Fedora 30 (desktop and server)

Yes Yes Yes No No No No No

Oracle Enterprise Linux 8.0

Yes Yes Yes Yes No No No No

Oracle Enterprise Linux 7.x both Red Hat and UEK (64-bit)


Oracle Enterprise Linux 6.x both Red Hat and UEK (64-bit)





15

Red Hat Enterprise Linux Server 8.1 (64-bit)


Red Hat Enterprise Linux Server 8.0 (64-bit) 3

Yes Yes Yes Yes Yes Yes No No


Yes Yes Yes Yes Yes No No No







Red Hat Enterprise Linux Server 7.1 / 7.2 / 7.3 (64-bit)






Red Hat Enterprise Linux Server 6.0 / 6.1 / 6.2 / 6.3 / 6.4 / 6.5 / 6.6 / 6.7 / 6.8 (64-bit)


Red Hat Enterprise Linux Server 5.10 / 5.11 (64-bit)


Red Hat Enterprise Linux Workstation 8.1 (64-bit)


Red Hat Enterprise Linux Workstation 8.0 (64-bit)

Yes Yes Yes Yes Yes Yes No No

Red Hat Enterprise Linux Workstation 7.7 (64-bit) 1

Yes Yes Yes Yes Yes No No No

Red Hat Enterprise Linux Workstation 7.6 (64-bit) 1





16

Red Hat Enterprise Linux Workstation 7.5




Red Hat Enterprise Linux Workstation 7.1 / 7.2 / 7.3






Red Hat Enterprise Linux Workstation 6.0 / 6.1 / 6.2 / 6.3 / 6.4 / 6.5 / 6.6 / 6.7 / 6.8


Red Hat Enterprise Linux 7 on Amazon Elastic Compute Cloud (Amazon EC2) (64-bit)


SUSE Linux Enterprise Server 15 SP1 (64-bit)


SUSE Linux Enterprise Server 15 (64-bit) 1


SUSE Linux Enterprise Server 12 (64-bit) SP4

Yes Yes Yes Yes No No No No



SUSE Linux Enterprise Server 12 (64-bit) SP1, SP2


SUSE Linux Enterprise Server 11 (64-bit) SP3, SP4




SUSE on Amazon Elastic Compute Cloud (Amazon EC2) (64-bit)


Ubuntu 19.10 (64-bit) Yes Yes No No No No No No

Ubuntu 18.04 (64-bit) 2 Yes Yes Yes Yes Yes Yes Yes Yes

Ubuntu 16.04 (64-bit) Yes Yes Yes Yes Yes Yes Yes Yes

Ubuntu 15.10 (64-bit) No No No No No No No No




17

Ubuntu 14.04 (64-bit) Yes Yes Yes Yes Yes Yes Yes Yes

Ubuntu on Amazon Elastic Compute Cloud (Amazon EC2) (64-bit)


Supported ePolicy Orchestrator (ePO) Versions

ePO Version ENSLTP 10.2.x ENSLTP 10.5.x ENSLTP 10.6.x

5.10.x Yes Yes Yes

5.9.x Yes Yes Yes

Supported McAfee Agent Versions

McAfee Agent Version

ENSLTP 10.2.0-10.2.1

ENSLTP 10.2.2-10.2.3

ENSLTP 10.5.x

ENSLTP 10.6.0-10.6.6

ENSLTP 10.6.7-10.6.9

5.6.3-5.6.4 No Yes Yes Yes Yes

5.6.2 Yes Yes Yes Yes Yes

5.6.0-5.6.1 Yes Yes Yes Yes No

5.5.x Yes Yes Yes No No

5.0.6 Yes Yes Yes No No

5.0.5 Yes Yes No No No

5.0.3-5.0.4 Yes No No No No

System Requirements

Component Requirements

Processors

1. Intel x86_64 architecture-based processor that supports Intel Extended Memory 64-bit technology (Intel EM64T)

2. AMD x86_64 architecture-based processor with AMD 64-bit technology

Memory • Minimum: 2 GB RAM • Recommended: 4 GB RAM




18

Free disk space Minimum: 1 GB

Virtual platforms

• Citrix Xen • KVM • Virtual box • VMware • Xen

Para virtual environment

Guest operating system on Xen Hypervisor

Ports required for ePO management

Port Default Description Traffic direction

Agent-server communication port

80 TCP port that the ePO server service uses to receive requests from agents.

Inbound connection to the Agent Handler and the ePO server from the McAfee Agent. Inbound connection to the ePO server from the remote Agent Handler.

Agent-server communication secure port Software Manager, Product Compatibility List, and License Manager port

443 TCP port that the ePO server service uses to receive requests from agents and remote Agent Handlers. TCP port that the ePO server's Software Manager uses to connect to McAfee. TCP port that the ePO server uses to connect to the McAfee software updates server (s-download.mcafee.com), McAfee license server (lc.mcafee.com), and McAfee Product Compatibility List (epo.mcafee.com).

Inbound connection to the Agent Handler and the ePO server from the McAfee Agent. Inbound connection to the ePO server from the remote Agent Handler. Outbound connection from the ePO server to McAfee servers.

Agent wake-up communication port Super Agent repository port

8081 TCP port that agents use to receive agent wake-up requests from the ePO server or Agent Handler. TCP port that the SuperAgents configured as repositories that are used to receive content from the ePO server during repository replication, and to serve content to client machines.

Inbound connection from the ePO server/Agent Handler to the McAfee Agent. Inbound connection from client machines to Super Agents configured as repositories.




19

Agent broadcast communication port

8082 UDP port that the Super Agents use to forward messages from the ePO server/Agent Handler.

Outbound connection from the Super Agents to other McAfee Agents.

Console-to-application server communication port

8443 TCP port that the ePO Application Server service uses to allow web browser UI access.

Inbound connection to the ePO server from the ePO console.

Client-to-server authenticated communication port

8444 TCP Port that the Agent Handler uses to communicate with the ePO server to get required information (such as LDAP servers).

Outbound connection from remote Agent Handlers to the ePO server.

SQL server TCP port

1433 TCP port used to communicate with the SQL server. This port is specified or determined automatically during the setup process.

Outbound connection from the ePO server/Agent Handler to the SQL server.

SQL server UDP port

1434 UDP port used to request the TCP port that the SQL instance hosting the ePO database is using.

Outbound connection from the ePO server/Agent Handler to the SQL server.

LDAP server port 389 TCP port used to retrieve LDAP information from Active Directory servers.

Outbound connection from the ePO server/Agent Handler to an LDAP server.

SSL LDAP server port

636 TCP port used to retrieve LDAP information from Active Directory servers.

Outbound connection from the ePO server/Agent Handler to an LDAP server.

SMB Windows domain controller port

445 TCP port used for ePO console login when authenticating Active Directory users.

Outbound connection from the ePO server to the domain controller (Active Directory) server.

ePO (Ports/Traffic Quick Reference)

ePO Server

Default port Protocol Traffic direction

80 TCP Inbound connection to the ePO server

389 TCP Outbound connection from the ePO server

443 TCP Inbound/outbound connection to/from the ePO server

445 SMB Outbound connection from the ePO server




20



1434 UDP Outbound connection from the ePO server




Remote Agent Handler(s)


80 TCP Inbound/outbound connection to/from the Agent Handler

389 TCP Outbound connection from the Agent Handler

443 TCP Inbound/outbound connection to/from the Agent Handler



1434 UDP Outbound connection from the Agent Handler




McAfee Agent

Default port

Protocol Traffic direction

80 TCP Outbound connection to the ePO server/Agent Handler

443 TCP Outbound connection to the ePO server/Agent Handler

8081 TCP Inbound connection from the ePO server/Agent Handler. If the agent is a Super Agent repository, inbound connection from other McAfee Agents.

8082 UDP Inbound connection to agents. Inbound/outbound connection from/to Super Agents.

8083 UDP Relay server discovery for version 4.8 agents




21

SQL Server


1433 TCP Inbound connection from the ePO server/Agent Handler

1434 UDP Inbound connection from the ePO server/Agent Handler

McAfee Updates

Default port

Protocol Traffic direction

21 TCP Outbound from the ePO server to ftp://ftp.nai.com

80 TCP Outbound from the ePO server to http://update.nai.com

443 TCF Outbound from the ePO server to s-download.mcafee.com and epo.mcafee.com NOTE: These URLs are not accessible in browsers.

ftp://ftp.nai.com/

http://update.nai.com/




22

3 POC Use Cases

Use Case 1 -Deploy Endpoint Protection via management solution. 1. Check in the software to the ePO server, make sure that you have all extensions

checked in as per image provided. Run the Update Repository Server Task. For

information on installing ePO, please refer to the Product/Install Guide.

Make sure that all the following extensions are checked in:

1. Endpoint Security Platform

2. Endpoint Security Threat Prevention

3. Endpoint Security Web Control

4. Endpoint Security Firewall

5. Endpoint Security Migration Assistant

6. Endpoint Security Adaptive Threat Protection

7. Endpoint Upgrade Assistant

2) Verify the packages are check-in to the master repository




23

3. Identify the pilot machines to be used for the proof of concept pilot prior to

deployment. Make sure that the following is enable on the Pilot machines:

1. You have an account that has rights to deploy to the endpoint.

2. You can reach the Admin$ share from ePO.

4. Create a product deployment Task within ePO to deploy ENS to the pilot group of

machines.

5. Select the New Deployment button to create a new deployment for the pilot.




24

6. Provide details of the deployment for reference as seen below, make sure to

select fixed method if not this task will continue to run indefinably.




25

7. Select the ENS components to be deployed in the deployment




26

8. Make sure to select the systems identified for deployment

9. If required, schedule the deployment or use the run immediately option

If the customer has existing McAfee VirusScan enterprise 8.8, Make sure to use the Migration Assistant and Endpoint Upgrade Assistant prior to migrating test machines to ENS. This guide does not cover the usage of those tools.




27

Use Case 2 – Enable Enhanced Remediation

1. Enhanced Remediation is able to rollback modifications made by processes that have been convicted by Dynamic Real Protect (Behavioral Machine Learning). This is extremely powerful since behavioral detections methods are able to identify threats that static methods are unable to, but the behavioral detected may be malicious. With Enhanced Remediation, we have the ability to identify threats and remediate the damage that they inflict, even if the activities are traditionally one way actions such as files being encrypted.

2. Enable Cloud-based scanning in the Adaptive Threat Protection policies

3. Enable the “Enhanced Remediation” and “Monitor and remediate deleted and changed” files in the Adaptive Threat Protection policies – Action Enforcement




28

4. **Please contact your McAfee representative or McAfee Enterprise Sales for access to the ransomware test file**

5. Put the “pictures” directory on the desktop

6. Open the “pictures” directory so that you can view its contents. You can customize these pictures as well for your demo

7. With the “pictures” directory still open, execute the run_test.bat file

8. You will see the pictures become encrypted, but a few seconds later, a real protect Dynamic conviction will occur and the pictures will be restored automatically.

9. You will also be able to see the story graph of the processunder Threat Events in ePO and identify that it is accessing the individual picture files.

https://www.mcafee.com/enterprise/en-us/forms/contact-me.html




29

Use Case 3 - Configure endpoint policies to test Dynamic Application Containment (DAC) feature

10. Access the policy for DAC (Dynamic Application Containment), as below:

11. Select the options policy first to configure how DAC will behave.




30

12. The default configuration is set to observe only, as shown in the screen capture below. In this mode “Adaptive Threat Protection” module would not contain or block any detections.

13. Remove the check to disable Observe mode, as below,




31

14. Contact your account team for the DAC Rule Testing utility.

Here are the best practices for Endpoint Security Dynamic Application Containment rules https://kc.mcafee.com/corporate/index?page=content&id=KB87843

15. Extract the DAC Rule Testing utility that you had received from your account team and follow these steps to change hash of the test file to create a unique sample.

16. Use hex editor tool (or Notepad ++ works too) and just add any random numbers to the file at any location to change the hash of the sample. You can download hex editor on below link. (http://www.hhdsoftware.com/Downloads/free-hex-editor)

17. To modify the testing tool, open with hex editor as shown in here, then locate any row and add a few random numbers to the testing file, save this as it will create a new binary never seen by GTI and thus get blocked by DAC.

Example below

Make sure Observe Mode is turned OFF otherwise it will not prompt


http://www.hhdsoftware.com/Downloads/free-hex-editor




32

10. Once In the policy, by default all DAC rules are set to report only, however for POC purpose please enable all to BLOCK.

11. If a false positive is observed, click on the show Advanced radio button to add it as an exclusion. Note this is for windows only




33

Use Case 4 - Configure policies to test Real Protect (RP) feature

1. With the policy note that by default Real Protect both client based and cloud based scanning are

enabled as you can see in the policy screen shot below.

2. Confirm client system has access to the Internet before testing Real Protect sample files.

3. As suggested above please change the hash of the file before testing each time so that TIE

reputation does not trigger block, using the method given previously.

4. Please note to trigger Real Protect you may have to disable TIE and DAC if required.




34

5. Use these RP sample files for testing the module.


6. Once you are able to trigger RP event you can find the events on the client side on the ENS event

logs.





35

Use Case 5 - Configure policy to test HIPS Expert Rules

With HIPS expert rules within ENS, we’ll demonstrate the ability to block all encoded powershell

commands except for the command that we exclude from being blocked.

1. Open the ENS Threat Prevention Exploit Prevention Policy.

2. Click Expert Rules

3. Choose Processes

4. Make policy selections.

a. Title – Exclude powershell parameters

b. Dropdown level – Low

c. Action – Check Block and Report

d. Rule Type – Processes

e. Rule Content – copy the following text and copy/paste it into the Rule Content Section.

Rule {




36

Process {

Include OBJECT_NAME {-v"**\powershell*"} #Identifies rule as a powershell rule

Include PROCESS_CMD_LINE {-v "*-NoLogo*"} #includes the -nologo switch in the items that should be blocked

#Include PROCESS_CMD_LINE {-v "*-e*"}

Include PROCESS_CMD_LINE {-v "*-E*"} #Blocks and command starting with -e.

Exclude PROCESS_CMD_LINE {-v "*-EncodedCommand powershell -EncodedCommand ZABpAHIAIAAnAGMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAJwAgAA==*"} #Excludes this specific command which pulls a directory of Program Files.

}

Target {

Match SECTION {Include -access "CREATE"}

}

}

f. Enter any applicable notes.

g. This rule will do the following

i. Block powershell when used with the -NoLogo switch.

ii. Block any “Encoded commands, or any command that starts with ‘e’.

iii. Allow the above embedded command which pulls a directory listing of

C:\Program Files.

5. To test the created rule, ensure it is applied to your test system, open up a command window and

type the following commands.

a. powershell -nologo #This command will be blocked

b. powershell #This command will be allowed

c. exit #To exit the shell you just entered

d. powershell -E dir “C:\Program Files”. This will be blocked because it includes a parameter

that tries to encode the command.

e. powershell -EncodedCommand

ZABpAHIAIAAnAGMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAJwAgAA=

=

i. This command will be allowed and should pull a dir of C:\Program files




37

4 Customer success criteria Below are the success criteria for ENS, please note that customer requirement’s may be needed to be added in case they are not listed

Test Description Result On-Demand Detection While in its Default

Configuration, the product must demonstrate through On-Demand testing that it Detects Malware.

On-Access Detection While in its Default Configuration, the product must demonstrate through On-Access testing that it Detects Malware.

Administrative Functions Testing

The product must be configurable both locally and using the management platform to perform the following changes:

• Enable and disable the Detection of Malware;

• Retrieve and apply the latest Engine and Signatures over the Internet;

Review Required Log Data.

The product must have the ability to block uninstallation of the solution and tampering of services.

Malware Detection Required Log Events

The product must have the capability to log the results of all Malware Detections and other threat events from all modules of ENS.

Log Data Presentation All Required Log presented in a Log must be presented in a human readable format.

Web Protection The product must provide a website rating based on the following:

2) Safe/good 3) Unknown 4) High Risk 5) Medium risk




38

Block malicious websites The solution must be able to block a website based on its reputation.

Secure Search future The product must ability to search securely on the internet

Desktop Firewall The product must: • Provide the ability to

block specific application communication.

• Provide the ability to block a port or range of ports.

• Provide IP spoofing protection.

Provide exploit prevention, example would be buffer overflows etc.

Dynamic Application Blocking

The solution must provide ability to block malicious activity without Signatures.

User notification The user must be provided with a prompt when action happens

Administrative Functions The product must provide configuration for exclusions for false positive or in-house applications.

Real Protect Blocking The solution should provide the ability to block malicious behavior of a sample which are not present in the current DAT signature.

Report RP event on client and ePO

The admin should be able to get local events for users and events recorded on ePO for further action.

Zero day / unknown malware protection

The product should be able to block under the following conditions: • Create a new file out of

the sample file and change the hash of the file using one of the techniques.




39

• Execute the sample file to block the execution or action.

Read details on the event viewer.




40

5 Assumptions: • All pre-requisite infrastructure is in place prior to the POC

• Customer will have assigned team in place to assist with the POC in a timeous fashion.

• POC setup should have ePO, DXL, and TIE infrastructure built. Please refer to TIE and DXL

product guide for detailed instruction on building DXL and TIE.

6 Limitations • McAfee will not be responsible for creation of any accounts on customer’s site except for

within the McAfee ePO console.

• Our definition of a POC is defined as a max of 25 endpoints/servers

• The POC will be limited to a testing environment, unless negotiated prior to POC

• If the POC is to be in live production, McAfee will not be held responsible for support of

systems damaged, loss of production or any incidents arising from the POC

• McAfee will not supply live malware samples for testing.

7 Customer acceptance

By signing this document, I acknowledge that I have delivered all the stated deliverables at the agreed to for the proof of concept project.

By signing this document, I acknowledge that I have received all the stated deliverables at the agreed to Proof of concept project

McAfee SE Name and Signature:

Customer Name and Signature:

Date: Date:

Date post:	22-Jul-2020
Category:	Documents
Upload:	others
View:	9 times
Download:	0 times

McAfee Endpoint Security 10 · Our endpoint protection stops greyware, ransomware, and other...

Documents