McAfee Endpoint Security 10.7
Customer POC Guide
McAfee ENS POC Guide
Date : 12/2019
Copyright © McAfee LLC, 2019. All rights reserved.
Important note:
The enclosed material is proprietary to McAfee Inc. and is copyrighted. This document may not be disclosed in any manner to anyone other than the addressee and the employees or representatives of the addressed firm who are directly responsible for evaluation of its contents. This document may not be used in any manner other than for the purpose for which it was distributed. Any unauthorized use, reproduction or transmission in any form is strictly prohibited.
© Copyright 2019 McAfee Inc.
Table of Contents
1 Business Case
2 Proof of Concept Pre-Requisites
3 POC Use Cases
4 Customer success criteria
5 Assumptions
6 Limitations
7 Customer acceptance
The following contacts will be available to assist throughout the execution of this proof of concept. Please complete the following details before the agreed evaluation commencement date.

Customer Contacts:
Name | Title | Telephone Number(s) | Email

Partner Contacts:
Name | Title | Telephone Number(s) | Email

McAfee Contacts:
Sales Executives:
Name | Title | Telephone Number(s) | Email

Sales Engineering Team:
Name | Title | Telephone Number(s) | Email
1 Business Case

Today's corporations face the security challenge of defending the corporate network and its users from malicious code that disrupts business. In the past 18 months, both corporate and home users have been exposed to new types of malicious code in the form of ransomware attacks on networks. Based on industry trends, malicious code writers are creating malware faster, and with more sophisticated and devastating payloads, than the security industry can keep pace with. Added to this is the fact that almost all security vendors' current anti-malware solutions are based on what is deemed legacy code: some changes have been made to the antivirus solution, but not enough to provide the next generation of protection needed against these next-generation attacks. Below is a graphic of the growth of malware over the past 5 years; it shows the total number of known malware samples to date (ref: AV-TEST, https://www.av-test.org/en/statistics/malware/).
McAfee Endpoint Security 10 (ENS)
This new endpoint protection solution emphasizes integration, automation, and orchestration as the foundation of the threat defense lifecycle. It harnesses the power of machine learning to detect zero-day threats in near real time and streamlines the ability to quickly expose and remediate advanced attacks.

Detect zero-day malware
ENS can unmask evasive threats by combining reputation analysis with new machine learning classification and behavioral modelling. Our endpoint protection stops greyware, ransomware, and other advanced threats before they infect patient zero or spread to other systems. Dynamic Application Containment pre-emptively blocks suspicious files from using common malicious processes, to shield the first endpoint and isolate the network from infection. Real Protect offers static pre-execution analysis and post-execution dynamic behavioral analysis, leveraging machine learning classification from the cloud, to detect zero-day malware in near real time without relying on traditional signatures. Other capabilities include:
• Centralized (ePO/SaaS) and standalone management.
• Threat Prevention module that scans for and lets you act on detected malware and unwanted programs (McAfee Endpoint Security capabilities).
• Ability to create custom Exploit Prevention rules that give customers unparalleled granular control over what is important to them.
• Firewall module that acts as a filter between the computer and the network or Internet (McAfee ENS Firewall capabilities).
• Web Control module for protection while browsing or searching websites (McAfee ENS Web Control and Global Threat Intelligence (GTI) capabilities).
• Adaptive Threat Protection module that provides advanced machine learning capabilities, integration with ATD, and Dynamic Application Containment.
• Anti-Malware Core Engine (AMCore) technology with a built-in intelligence strategy that practices scan avoidance and scans only items that really need to be scanned, instead of scanning all items equally.
• Policy migration tool to migrate policies and client tasks and remove McAfee products that are no longer needed, such as VirusScan Enterprise and Host Intrusion Prevention Firewall.
• Guided and automated migration using the Endpoint Upgrade Assistant extension and the Endpoint Automation tool.
• Optional integration with the McAfee Data Exchange Layer (DXL) and McAfee Threat Intelligence Exchange (TIE) solutions.
2 Proof of Concept Pre-Requisites
Below are the software and hardware prerequisites for setting up an evaluation environment in which to run through the business use cases. Refer to the following KB article for more details: https://kc.mcafee.com/corporate/index?page=content&id=KB82761
Supported Windows operating systems: below is the list of supported workstation operating systems. For testing, pick an OS that represents the production environment. Bracketed numbers are footnote markers carried over from the referenced KB article; the notes themselves are not reproduced here.

Microsoft Operating System | ENS 10.7.0, 10.7.0 February 2020 Update
Windows 10 November 2019 Update - version 1909 [1, 3] | Yes
Windows 10 May 2019 Update - version 1903 [1, 3] | Yes
Windows 10 October 2018 Update - version 1809 [1, 3] | Yes
Windows 10 April 2018 Update - version 1803 [1, 3] | Yes
Windows 10 Fall Creators Update - version 1709 [1, 3] | Yes
Windows 10 Creators Update - version 1703 [1, 3, 4] | Yes
Windows 10 Anniversary Update - version 1607 [1, 3] | Yes
Windows 10 November Update - version 1511 [1, 3, 7] | No
Windows 10 Enterprise 2015 LTSB [1, 3] | Yes
Windows 10 version 1507 [1, 3, 7] | No
Windows 10 IoT Enterprise [1, 3] | Yes
Windows 8.1 Update 1 [6] | Yes
Windows 8 (not including Windows 8 RT [Runtime] edition) [6] | Yes
Windows To Go - all versions | Yes
Windows 7 SP1 (and later) [5] | Yes
Windows Vista SP2 (and later) | No
Windows XP SP3 Professional x86 (XP x64 is not supported), SP3 and later [2] | No (no longer supported by Microsoft)
Windows Embedded 8: Pro, Standard, and Industry [1] | Yes
Windows Embedded Standard 7 [4] | Yes
Below is the list of supported server operating systems. For testing, pick an OS that represents the production environment.
Microsoft Operating System | ENS 10.7.0, 10.7.0 February 2020 Update
Windows Server 2019 version 1909 (including Essentials, Standard, and Datacenter) | Yes
Windows Server 2019 version 1903 (including Essentials, Standard, and Datacenter) | Yes
Windows Server 2019 version 1809 (including Essentials, Standard, Datacenter, and Server Core Mode) | Yes
Windows Server 2016 version 1803 (including Essentials, Standard, Datacenter, and Server Core Mode) | Yes
Windows Server 2016 version 1709 (including Essentials, Standard, Datacenter, and Server Core Mode) | Yes
Windows Server 2016 version 1607 (including Essentials, Standard, Datacenter, and Server Core Mode) | Yes
Windows Storage Server 2016 | Yes
Windows Server 2012 R2 Update 1: Essentials, Standard, and Datacenter (including Server Core Mode) | Yes
Windows Server 2012 R2 [1] | Yes
Windows Server 2012 | Yes
Windows Storage Server 2012 and 2012 R2 | Yes
Windows Server 2008 R2 [3]: Standard, Datacenter, Enterprise, and Web (including Server Core Mode) | Yes
Windows Server 2008 [3] | No
Windows Storage Server 2008 | No
Windows Storage Server 2008 R2 | Yes
Windows Small Business Server 2011 | Yes
Windows Small Business Server 2008 | No
Windows Server 2003 and 2003 R2 [2] | No (no longer supported by Microsoft)
The supported McAfee Agent (MA) version for the POC is:
Product | Minimum MA Version
ENS 10.7 | MA 5.0.5 or later (MA 5.6.4 is recommended)
Below is the list of supported virtual infrastructure.
Please NOTE:
- If a product and/or version is not listed, we do not support it.
- Citrix VDI-in-a-Box environments are not supported.

Virtualization Server and Application | Versions Tested
AWS | 2012 R2
Azure | Win 81
Citrix XenApp | 7.6
Citrix XenDesktop | 7.0, 7.11, 7.13
Citrix XenServer | 6.2
Microsoft Hyper-V Server 2016 | 2016
Microsoft Hyper-V Server 2012 R2 | 2012
MSFT AAP V | 5.2
VMware ESXi | 5.5, 6.0, 6.5
VMware Player | 6.0.3
VMware vSphere | 5.5, 6.0
VMware Workstation | 10
Hardware requirements
- CPU: Intel® Pentium processor or compatible architecture.
- RAM and disk: as shown in the table below.

Operating System | Architecture | Processor | RAM | Minimum Free Hard Disk Space
Windows 10 | 32-bit and 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows 8.1 Update 1 | 32-bit and 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows 8 (except Runtime) | 32-bit and 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows 7 SP1 | 32-bit and 64-bit | 1.4 GHz or higher | 2 GB | 1 GB
Windows Embedded Standard 7 | 32-bit and 64-bit | 1 GHz or higher | 1 GB | 1 GB
Windows Embedded 8 | 32-bit and 64-bit | 1 GHz or higher | 1 GB | 1 GB
Windows Server 2019 | 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows Server 2016 | 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows Server 2012 R2 | 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows Server 2012 | 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows Storage Server 2012 and 2012 R2 | 64-bit | 2 GHz or higher | 3 GB | 1 GB
Windows Server 2008 R2 | 32-bit and 64-bit | 1.4 GHz or higher | 2 GB | 1 GB
Windows Storage Server 2008 R2 | 32-bit and 64-bit | 1.4 GHz or higher | 2 GB | 1 GB
Windows Small Business Server 2011 | 64-bit | 1.4 GHz or higher | 2 GB | 1 GB
Windows Point of Service 1.1 | 32-bit | 1 GHz or higher | 1 GB | 1 GB
Supported Internet browsers:

Browser | ENS 10.x Web Control | Comments
Google Chrome | Yes |
Microsoft Edge | Yes | ENS Web Control 10.7.0 supports Edge on Windows 10 version 1703 (Creators Update) and later. ENS Web Control 10.6.1 adds support for Edge in Windows 10 version 1809 (October 2018 Update) and later.
Microsoft Edge Chromium | No | ENS Web Control currently does not support Edge Chromium. This article will be updated when ENS Web Control adds support for Edge Chromium.
Mozilla Firefox | Yes | See the Firefox notes below.
Microsoft Internet Explorer 11 | Yes |

Mozilla Firefox notes:
• Firefox 74 or later: ENS Web Control does not support new installations for Firefox 74 or later. For more information, see known issue KB92605.
• Firefox 56 or later: ENS Web Control 10.5.4 adds support for Firefox 56. For more information, see KB89947.
• Firefox 51: ENS Web Control 10.5.1 adds support for Firefox 51.

NOTES:
• Because of the high frequency with which Chrome and Firefox are released, ENS Web Control may not support a newly released browser version. The next ENS patch release will target adding back support for the browser.
• ENS Web Control is not 64-bit and does not support native 64-bit browsers, but it does support 64-bit browsers in 32-bit mode.
• Enhanced Protected Mode in Internet Explorer is not supported.
Supported platforms, environments, and operating systems for Endpoint Security for Mac
Refer to the following KB article for more details on Mac support: https://kc.mcafee.com/corporate/index?page=content&id=KB84934
Supported Operating Systems

Operating System | Version | ENSM 10.1.0-10.2.0 | ENSM 10.2.1-10.2.2 | ENSM 10.2.3-10.5.0 | ENSM 10.5.5-10.5.9 | ENSM 10.6.0-10.6.4 | ENSM 10.6.5-10.6.8
Catalina 10.15.x | Both Client and Server | No | No | No | No | No | Yes
Mojave 10.14.x [1] | Both Client and Server | No | No | No | Yes | Yes | Yes
High Sierra 10.13.x | Both Client and Server | No | No | Yes | Yes | Yes | No
Sierra 10.12.x | Both Client and Server | No | Yes | Yes | Yes | No | No
El Capitan 10.11.x | Both Client and Server | Yes | Yes | Yes | No | No | No
Yosemite 10.10.x | Both Client and Server | Yes | Yes | No | No | No | No
Mavericks 10.9.x | Both Client and Server | Yes | No | No | No | No | No
Supported McAfee Agent Versions

Product | Minimum Supported Version | ENSM 10.1.0-10.2.0 | ENSM 10.2.1 | ENSM 10.2.2 | ENSM 10.2.3-10.5.0 | ENSM 10.5.5-10.6.4 | ENSM 10.6.5-10.6.8
McAfee Agent | McAfee Agent for Mac, version 5.6.2 and later (minor version 209) | No | No | No | No | Yes | Yes
McAfee Agent | McAfee Agent for Mac on macOS Mojave, version 5.6.0 and later (minor version 702) | Yes | Yes | Yes | Yes | Yes | No
McAfee Agent | McAfee Agent for Mac on macOS Mojave, version 5.5.1 and later (minor version 374) | Yes | Yes | Yes | Yes | Yes | No
McAfee Agent | McAfee Agent for Mac on macOS High Sierra, version 5.0.6 and later (minor version 347) | Yes | Yes | Yes | Yes | No | No
McAfee Agent | McAfee Agent for Mac on macOS El Capitan and Sierra, version 5.0.5 and later (minor version 658) | Yes | Yes | Yes | Yes | No | No
McAfee Agent | McAfee Agent for Mac, version 5.0.4 and later (minor version 470) | Yes | Yes | Yes | No | No | No
McAfee Agent | McAfee Agent for Mac, version 5.0.4 and later (minor version 283) | Yes | Yes | No | No | No | No
McAfee Agent | McAfee Agent for Mac, version 5.0.2 and later (minor version 185) | Yes | No | No | No | No | No
Supported Internet Browser Versions

Browser | Version | ENSM 10.1.0-10.1.1 | ENSM 10.2.0 | ENSM 10.2.1-10.2.2 | ENSM 10.2.3-10.5.0 | ENSM 10.5.5-10.5.9 | ENSM 10.6.0-10.6.4 | ENSM 10.6.5-10.6.8
Google Chrome | 76 and later | No | Yes | Yes | Yes | Yes | Yes | Yes
Google Chrome | 49 to 75 | No | Yes | Yes | Yes | Yes | Yes | No
Safari | 13.0.x | No | No | No | No | No | No | Yes
Safari | 12.0.x | No | No | No | No | Yes | Yes | Yes
Safari | 11.0.x | No | No | No | Yes | Yes | Yes | No
Safari | 10.1.x | No | No | No | Yes | Yes | No | No
Safari | 10.0.x | No | No | Yes | No | No | No | No
Safari | 9.0.x | Yes | Yes | Yes | No | No | No | No
Safari | 8.0.x | Yes | Yes | Yes | No | No | No | No
Safari | 7.1.x | Yes | Yes | No | No | No | No | No
Supported platforms, environments, and operating systems for Endpoint Security for Linux Threat Prevention
Refer to the following KB article for more details on Linux support: https://kc.mcafee.com/corporate/index?page=content&id=KB87073

Supported Operating Systems
NOTE: ENSLTP cannot be used on 32-bit platforms.
Operating System | ENSLTP 10.6.9 | ENSLTP 10.6.8 | ENSLTP 10.6.7 | ENSLTP 10.6.4-10.6.6 | ENSLTP 10.6.3 | ENSLTP 10.6.2 | ENSLTP 10.6.1 | ENSLTP 10.6.0
Amazon Linux 2 (2.0.20180622.1) (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Amazon Linux 2 (2017.12) (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Amazon Linux AMI 2018.03 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Amazon Linux AMI 2017.9 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Amazon Linux AMI 2014.03 / 2014.09 / 2015.03 / 2015.09 / 2016.03 / 2016.09 / 2017.03 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
CentOS 8.1 (64-bit) | Yes | No | No | No | No | No | No | No
CentOS 8.0 (64-bit) | Yes | Yes | Yes | No | No | No | No | No
CentOS 7.7 (64-bit) | Yes | Yes | Yes | Yes | Yes | No | No | No
CentOS 7.6 (64-bit) [1] | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
CentOS 7.5 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
CentOS 7.4 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
CentOS 7.0 / 7.1 / 7.2 / 7.3 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
CentOS 6.10 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
CentOS 6.9 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
CentOS 6.0 / 6.1 / 6.2 / 6.3 / 6.4 / 6.5 / 6.6 / 6.7 / 6.8 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
CentOS on Amazon Elastic Compute Cloud (Amazon EC2) (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Debian 9.6 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No
Debian 9.0 / 9.1 / 9.2 / 9.3 / 9.4 / 9.5 (on-demand scanning and on-access scanning) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Debian 9.0 / 9.1 / 9.2 / 9.3 / 9.4 / 9.5 (on-demand scanning only) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Debian 8.0 / 8.1 / 8.2 / 8.3 / 8.4 / 8.5 / 8.6 / 8.7 / 8.8 / 8.9 (on-demand scanning only) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Fedora 31 (desktop and server) | Yes | Yes | No | No | No | No | No | No
Fedora 30 (desktop and server) | Yes | Yes | Yes | No | No | No | No | No
Oracle Enterprise Linux 8.0 | Yes | Yes | Yes | Yes | No | No | No | No
Oracle Enterprise Linux 7.x, both Red Hat and UEK (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Oracle Enterprise Linux 6.x, both Red Hat and UEK (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Server 8.1 (64-bit) | Yes | Yes | Yes | No | No | No | No | No
Red Hat Enterprise Linux Server 8.0 (64-bit) [3] | Yes | Yes | Yes | Yes | Yes | Yes | No | No
Red Hat Enterprise Linux Server 7.7 (64-bit) [1] | Yes | Yes | Yes | Yes | Yes | No | No | No
Red Hat Enterprise Linux Server 7.6 (64-bit) [1] | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Server 7.5 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Server 7.4 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Server 7.1 / 7.2 / 7.3 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Server 6.10 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Server 6.9 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Server 6.0 / 6.1 / 6.2 / 6.3 / 6.4 / 6.5 / 6.6 / 6.7 / 6.8 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Server 5.10 / 5.11 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Workstation 8.1 (64-bit) | Yes | Yes | Yes | No | No | No | No | No
Red Hat Enterprise Linux Workstation 8.0 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | No | No
Red Hat Enterprise Linux Workstation 7.7 (64-bit) [1] | Yes | Yes | Yes | Yes | Yes | No | No | No
Red Hat Enterprise Linux Workstation 7.6 (64-bit) [1] | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Workstation 7.5 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Workstation 7.4 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Workstation 7.1 / 7.2 / 7.3 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Workstation 6.10 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Workstation 6.9 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux Workstation 6.0 / 6.1 / 6.2 / 6.3 / 6.4 / 6.5 / 6.6 / 6.7 / 6.8 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Red Hat Enterprise Linux 7 on Amazon Elastic Compute Cloud (Amazon EC2) (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
SUSE Linux Enterprise Server 15 SP1 (64-bit) | Yes | Yes | No | No | No | No | No | No
SUSE Linux Enterprise Server 15 (64-bit) [1] | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
SUSE Linux Enterprise Server 12 (64-bit) SP4 | Yes | Yes | Yes | Yes | No | No | No | No
SUSE Linux Enterprise Server 12 (64-bit) SP3 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
SUSE Linux Enterprise Server 12 (64-bit) SP1, SP2 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
SUSE Linux Enterprise Server 11 (64-bit) SP3, SP4 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
SUSE Linux Enterprise Server 11 (64-bit) SP2 | Yes | Yes | No | No | No | No | No | No
SUSE on Amazon Elastic Compute Cloud (Amazon EC2) (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Ubuntu 19.10 (64-bit) | Yes | Yes | No | No | No | No | No | No
Ubuntu 18.04 (64-bit) [2] | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Ubuntu 16.04 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Ubuntu 15.10 (64-bit) | No | No | No | No | No | No | No | No
Ubuntu 14.04 (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Ubuntu on Amazon Elastic Compute Cloud (Amazon EC2) (64-bit) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Supported ePolicy Orchestrator (ePO) Versions

ePO Version | ENSLTP 10.2.x | ENSLTP 10.5.x | ENSLTP 10.6.x
5.10.x | Yes | Yes | Yes
5.9.x | Yes | Yes | Yes

Supported McAfee Agent Versions

McAfee Agent Version | ENSLTP 10.2.0-10.2.1 | ENSLTP 10.2.2-10.2.3 | ENSLTP 10.5.x | ENSLTP 10.6.0-10.6.6 | ENSLTP 10.6.7-10.6.9
5.6.3-5.6.4 | No | Yes | Yes | Yes | Yes
5.6.2 | Yes | Yes | Yes | Yes | Yes
5.6.0-5.6.1 | Yes | Yes | Yes | Yes | No
5.5.x | Yes | Yes | Yes | No | No
5.0.6 | Yes | Yes | Yes | No | No
5.0.5 | Yes | Yes | No | No | No
5.0.3-5.0.4 | Yes | No | No | No | No
System Requirements

Component | Requirements
Processors | 1. Intel x86_64 architecture-based processor that supports Intel Extended Memory 64-bit technology (Intel EM64T); 2. AMD x86_64 architecture-based processor with AMD 64-bit technology
Memory | Minimum: 2 GB RAM; Recommended: 4 GB RAM
Free disk space | Minimum: 1 GB
Virtual platforms | Citrix Xen, KVM, VirtualBox, VMware, Xen
Para-virtual environment | Guest operating system on Xen Hypervisor
Ports required for ePO management

Agent-server communication port (default 80)
  TCP port that the ePO server service uses to receive requests from agents.
  Traffic direction: inbound connection to the Agent Handler and the ePO server from the McAfee Agent; inbound connection to the ePO server from the remote Agent Handler.

Agent-server communication secure port; Software Manager, Product Compatibility List, and License Manager port (default 443)
  TCP port that the ePO server service uses to receive requests from agents and remote Agent Handlers. TCP port that the ePO server's Software Manager uses to connect to McAfee. TCP port that the ePO server uses to connect to the McAfee software updates server (s-download.mcafee.com), the McAfee license server (lc.mcafee.com), and the McAfee Product Compatibility List (epo.mcafee.com).
  Traffic direction: inbound connection to the Agent Handler and the ePO server from the McAfee Agent; inbound connection to the ePO server from the remote Agent Handler; outbound connection from the ePO server to McAfee servers.

Agent wake-up communication port; SuperAgent repository port (default 8081)
  TCP port that agents use to receive agent wake-up requests from the ePO server or Agent Handler. TCP port that SuperAgents configured as repositories use to receive content from the ePO server during repository replication and to serve content to client machines.
  Traffic direction: inbound connection from the ePO server/Agent Handler to the McAfee Agent; inbound connection from client machines to SuperAgents configured as repositories.

Agent broadcast communication port (default 8082)
  UDP port that the SuperAgents use to forward messages from the ePO server/Agent Handler.
  Traffic direction: outbound connection from the SuperAgents to other McAfee Agents.

Console-to-application server communication port (default 8443)
  TCP port that the ePO Application Server service uses to allow web browser UI access.
  Traffic direction: inbound connection to the ePO server from the ePO console.

Client-to-server authenticated communication port (default 8444)
  TCP port that the Agent Handler uses to communicate with the ePO server to get required information (such as LDAP servers).
  Traffic direction: outbound connection from remote Agent Handlers to the ePO server.

SQL server TCP port (default 1433)
  TCP port used to communicate with the SQL server. This port is specified or determined automatically during the setup process.
  Traffic direction: outbound connection from the ePO server/Agent Handler to the SQL server.

SQL server UDP port (default 1434)
  UDP port used to request the TCP port that the SQL instance hosting the ePO database is using.
  Traffic direction: outbound connection from the ePO server/Agent Handler to the SQL server.

LDAP server port (default 389)
  TCP port used to retrieve LDAP information from Active Directory servers.
  Traffic direction: outbound connection from the ePO server/Agent Handler to an LDAP server.

SSL LDAP server port (default 636)
  TCP port used to retrieve LDAP information from Active Directory servers over SSL.
  Traffic direction: outbound connection from the ePO server/Agent Handler to an LDAP server.

SMB Windows domain controller port (default 445)
  TCP port used for ePO console login when authenticating Active Directory users.
  Traffic direction: outbound connection from the ePO server to the domain controller (Active Directory) server.
ePO (Ports/Traffic Quick Reference)

ePO Server
Default port | Protocol | Traffic direction
80 | TCP | Inbound connection to the ePO server
389 | TCP | Outbound connection from the ePO server
443 | TCP | Inbound/outbound connection to/from the ePO server
445 | SMB | Outbound connection from the ePO server
636 | TCP | Outbound connection from the ePO server
1433 | TCP | Outbound connection from the ePO server
1434 | UDP | Outbound connection from the ePO server
8081 | TCP | Outbound connection from the ePO server
8443 | TCP | Inbound connection to the ePO server
8444 | TCP | Inbound connection to the ePO server

Remote Agent Handler(s)
Default port | Protocol | Traffic direction
80 | TCP | Inbound/outbound connection to/from the Agent Handler
389 | TCP | Outbound connection from the Agent Handler
443 | TCP | Inbound/outbound connection to/from the Agent Handler
636 | TCP | Outbound connection from the Agent Handler
1433 | TCP | Outbound connection from the Agent Handler
1434 | UDP | Outbound connection from the Agent Handler
8081 | TCP | Outbound connection from the Agent Handler
8443 | TCP | Outbound connection from the Agent Handler
8444 | TCP | Outbound connection from the Agent Handler

McAfee Agent
Default port | Protocol | Traffic direction
80 | TCP | Outbound connection to the ePO server/Agent Handler
443 | TCP | Outbound connection to the ePO server/Agent Handler
8081 | TCP | Inbound connection from the ePO server/Agent Handler. If the agent is a SuperAgent repository, inbound connection from other McAfee Agents.
8082 | UDP | Inbound connection to agents. Inbound/outbound connection from/to SuperAgents.
8083 | UDP | Relay server discovery for version 4.8 agents

SQL Server
Default port | Protocol | Traffic direction
1433 | TCP | Inbound connection from the ePO server/Agent Handler
1434 | UDP | Inbound connection from the ePO server/Agent Handler

McAfee Updates
Default port | Protocol | Traffic direction
21 | TCP | Outbound from the ePO server to ftp://ftp.nai.com
80 | TCP | Outbound from the ePO server to http://update.nai.com
443 | TCP | Outbound from the ePO server to s-download.mcafee.com and epo.mcafee.com. NOTE: These URLs are not accessible in browsers.
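The quick reference is easiest to act on as a machine-checkable baseline. The following script is an added example, not McAfee tooling: it transcribes the per-role flows above, reports which ones a host firewall export does not permit, and can probe the outbound TCP flows a role needs before the pilot deployment. The role names, the (port, protocol, direction) rule format and the sample rule export are constructed for illustration.

```python
"""Compare a host's firewall allowances with the ePO port/traffic quick
reference and probe the outbound TCP flows a role needs.

Added example, not McAfee tooling. The role names, the (port, protocol,
direction) rule format and the sample rule export below are constructed."""
import socket

IN, OUT = "inbound", "outbound"

# Flows per role, transcribed from the quick reference. 445 is labelled "SMB"
# in the guide; it runs over TCP. 8083/UDP (relay discovery for 4.8 agents)
# is omitted as a legacy flow.
REQUIRED_FLOWS = {
    "epo_server": {
        (80, "tcp", IN), (389, "tcp", OUT), (443, "tcp", IN), (443, "tcp", OUT),
        (445, "tcp", OUT), (636, "tcp", OUT), (1433, "tcp", OUT), (1434, "udp", OUT),
        (8081, "tcp", OUT), (8443, "tcp", IN), (8444, "tcp", IN),
    },
    "agent_handler": {
        (80, "tcp", IN), (80, "tcp", OUT), (389, "tcp", OUT), (443, "tcp", IN),
        (443, "tcp", OUT), (636, "tcp", OUT), (1433, "tcp", OUT), (1434, "udp", OUT),
        (8081, "tcp", OUT), (8443, "tcp", OUT), (8444, "tcp", OUT),
    },
    "mcafee_agent": {
        (80, "tcp", OUT), (443, "tcp", OUT), (8081, "tcp", IN),
        (8082, "udp", IN), (8082, "udp", OUT),
    },
    "sql_server": {(1433, "tcp", IN), (1434, "udp", IN)},
}


def missing_flows(role, allowed):
    """Flows the quick reference requires for `role` that `allowed` (an
    iterable of (port, protocol, direction) tuples) does not permit."""
    permitted = {(int(p), proto.lower(), d) for p, proto, d in allowed}
    return sorted(REQUIRED_FLOWS[role] - permitted)


def tcp_reachable(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_outbound(role, host, timeout=3.0):
    """Probe every outbound TCP flow of `role` against `host`. UDP flows are
    listed with None: a datagram gives no reliable reachability answer."""
    results = {}
    for port, proto, direction in sorted(REQUIRED_FLOWS[role]):
        if direction != OUT:
            continue
        results[(port, proto)] = tcp_reachable(host, port, timeout) if proto == "tcp" else None
    return results


# Constructed host-firewall export for a pilot workstation: the agent's
# outbound flows are allowed, but nobody opened 8081/TCP for wake-up calls.
SAMPLE_PILOT_RULES = [
    (80, "TCP", OUT), (443, "TCP", OUT), (8082, "UDP", IN), (8082, "UDP", OUT),
]

if __name__ == "__main__":
    for flow in missing_flows("mcafee_agent", SAMPLE_PILOT_RULES):
        print("missing:", flow)
```

Run `probe_outbound("mcafee_agent", "<epo-host>")` from a pilot machine to confirm the agent-to-ePO path before creating the deployment task.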
3 POC Use Cases
Use Case 1 - Deploy Endpoint Protection via the management solution
1. Check the software in to the ePO server and make sure that all extensions are checked in as shown in the image provided. Run the Update Repository server task. For information on installing ePO, refer to the Product/Install Guide.
Make sure that all the following extensions are checked in:
1. Endpoint Security Platform
2. Endpoint Security Threat Prevention
3. Endpoint Security Web Control
4. Endpoint Security Firewall
5. Endpoint Security Migration Assistant
6. Endpoint Security Adaptive Threat Protection
7. Endpoint Upgrade Assistant
2. Verify that the packages are checked in to the Master Repository.
3. Identify the pilot machines to be used for the proof of concept before deployment. Make sure that the following is in place on the pilot machines:
1. You have an account that has rights to deploy to the endpoint.
2. You can reach the Admin$ share from ePO.
4. Create a product deployment task within ePO to deploy ENS to the pilot group of machines.
5. Select the New Deployment button to create a new deployment for the pilot.
6. Provide the details of the deployment for reference as shown below. Make sure to select the Fixed method; otherwise this task will continue to run indefinitely.
7. Select the ENS components to be deployed in the deployment.
8. Make sure to select the systems identified for deployment.
9. If required, schedule the deployment or use the Run Immediately option.
If the customer has existing McAfee VirusScan Enterprise 8.8, make sure to use the Migration Assistant and the Endpoint Upgrade Assistant before migrating test machines to ENS. This guide does not cover the usage of those tools.
Use Case 2 - Enable Enhanced Remediation
1. Enhanced Remediation is able to roll back modifications made by processes that have been convicted by Dynamic Real Protect (behavioral machine learning). This is extremely powerful because behavioral detection methods can identify threats that static methods cannot, but by the time a behavior is detected the process may already have acted maliciously. With Enhanced Remediation, we can identify threats and remediate the damage they inflict, even when the activity is traditionally a one-way action such as files being encrypted.
2. Enable cloud-based scanning in the Adaptive Threat Protection policies.
3. Enable "Enhanced Remediation" and "Monitor and remediate deleted and changed files" in the Adaptive Threat Protection policies, under Action Enforcement.
4. **Please contact your McAfee representative or McAfee Enterprise Sales for access to the ransomware test file.**
5. Put the "pictures" directory on the desktop.
6. Open the "pictures" directory so that you can view its contents. You can customize these pictures for your demo as well.
7. With the "pictures" directory still open, execute the run_test.bat file.
8. You will see the pictures become encrypted, but a few seconds later a Real Protect Dynamic conviction will occur and the pictures will be restored automatically.
9. You will also be able to see the story graph of the process under Threat Events in ePO and identify that it is accessing the individual picture files.
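To make the "monitor and remediate deleted and changed files" behaviour concrete, here is an added conceptual model of what a rollback needs: a record of each watched file before the change, a comparison that names what a process modified, deleted or created, and a restore. This is an illustration written for this guide, not McAfee's implementation (the product keeps its own pre-change copies and triggers the rollback on a Real Protect conviction; here the trigger is a function call), and the sample "pictures" are constructed bytes in a temporary directory.

```python
"""Conceptual model of monitor-and-rollback for a watched directory.

Added illustration, not McAfee's Enhanced Remediation code. Sample files
and the simulated misbehaving process in demo() are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(watched: Path, backup_root: Path) -> dict:
    """Record the hash of every file under `watched` and keep a pre-change
    copy under `backup_root` (kept outside the watched tree)."""
    backup_root.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in watched.rglob("*") if p.is_file()):
        rel = path.relative_to(watched)
        copy = backup_root / rel
        copy.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, copy)
        manifest[str(rel)] = _sha256(path)
    return manifest


def detect_changes(watched: Path, manifest: dict) -> dict:
    """Name the files a process modified, deleted or created (an encrypted
    copy written next to the original shows up as created)."""
    current = {str(p.relative_to(watched)): _sha256(p)
               for p in watched.rglob("*") if p.is_file()}
    return {
        "modified": sorted(r for r, d in manifest.items() if r in current and current[r] != d),
        "deleted": sorted(r for r in manifest if r not in current),
        "created": sorted(r for r in current if r not in manifest),
    }


def rollback(watched: Path, backup_root: Path, manifest: dict) -> dict:
    """Restore modified and deleted files from the pre-change copies and
    remove files the process created; returns what was undone."""
    changes = detect_changes(watched, manifest)
    for rel in changes["modified"] + changes["deleted"]:
        dest = watched / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / rel, dest)
    for rel in changes["created"]:
        (watched / rel).unlink()
    return changes


def demo() -> dict:
    """Self-contained run on constructed sample files in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="remediation-model-"))
    pictures, backups = root / "pictures", root / "backups"
    pictures.mkdir()
    originals = {
        "holiday.jpg": b"\xff\xd8\xff\xe0 constructed sample image 1",
        "family.jpg": b"\xff\xd8\xff\xe0 constructed sample image 2",
        "cat.png": b"\x89PNG constructed sample image 3",
    }
    for name, data in originals.items():
        (pictures / name).write_bytes(data)
    manifest = snapshot(pictures, backups)
    # Simulated misbehaving process: one file overwritten, one deleted,
    # one new file dropped into the directory.
    (pictures / "holiday.jpg").write_bytes(b"overwritten content")
    (pictures / "family.jpg").unlink()
    (pictures / "README.txt").write_bytes(b"constructed note left behind")
    changes = rollback(pictures, backups, manifest)
    restored = all((pictures / n).read_bytes() == d for n, d in originals.items())
    leftovers = detect_changes(pictures, manifest)
    shutil.rmtree(root)
    return {"changes": changes, "restored": restored, "leftovers": leftovers}


if __name__ == "__main__":
    print(demo())
```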
Use Case 3 - Configure endpoint policies to test the Dynamic Application Containment (DAC) feature
1. Access the policy for DAC (Dynamic Application Containment), as shown below.
2. Select the Options policy first to configure how DAC will behave.
3. The default configuration is set to Observe mode only, as shown in the screen capture below. In this mode the Adaptive Threat Protection module does not contain or block any detections.
4. Clear the check box to disable Observe mode, as shown below.
5. Contact your account team for the DAC Rule Testing utility.
The best practices for Endpoint Security Dynamic Application Containment rules are described here: https://kc.mcafee.com/corporate/index?page=content&id=KB87843
6. Extract the DAC Rule Testing utility that you received from your account team and follow these steps to change the hash of the test file so that it becomes a unique sample.
7. Use a hex editor (Notepad++ works too) and add a few random characters to the file at any location to change the hash of the sample. A hex editor can be downloaded from the following link: http://www.hhdsoftware.com/Downloads/free-hex-editor
8. To modify the testing tool, open it with the hex editor as shown here, locate any row, add a few random characters to the testing file and save it. This creates a new binary never seen by GTI, which will therefore be blocked by DAC.
Example (screenshot not reproduced here).
Make sure Observe mode is turned OFF; otherwise DAC will not prompt.
18. Once in the policy, all DAC rules are set to Report only by default; for POC purposes, set all of them to Block.
19. If a false positive is observed, click the Show Advanced radio button to add it as an exclusion. Note that this applies to Windows only.
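Steps 15 to 17 above (and step 3 of Use Case 4 below) ask for a copy of the test sample whose hash differs from the original so that GTI/TIE reputation does not decide the outcome before DAC or Real Protect get to see the behaviour. The following script is an added example for this guide, not McAfee code and not part of the DAC Rule Testing utility: it does the same thing as the hex-editor step by appending a few random bytes to a copy of the file, and records the MD5, SHA-1 and SHA-256 of both files so they can be kept as POC evidence. The file names are placeholders and the sample it runs against in `demo()` is a constructed stand-in.

```python
"""Make a uniquely hashed copy of a DAC/Real Protect test sample.

Added example for this POC guide (not McAfee code): it automates the
hex-editor step by appending a few random bytes to a copy of the sample,
then records MD5/SHA-1/SHA-256 of both files as POC evidence.
File names below are placeholders, not the real utility's names.
"""
import hashlib
import secrets
import shutil
import tempfile
from pathlib import Path


def file_hashes(path: Path) -> dict:
    """Return the MD5, SHA-1 and SHA-256 digests of a file as hex strings."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def make_unique_copy(src: Path, dst: Path, marker_len: int = 8) -> dict:
    """Copy src to dst and append marker_len random bytes so dst has a new hash.

    Appending to the end (rather than editing bytes in the middle) leaves the
    original content untouched; the result is a file that GTI/TIE has not
    seen before, which is what the DAC and Real Protect tests need.
    """
    if marker_len < 1:
        raise ValueError("marker_len must be at least 1 byte")
    shutil.copyfile(src, dst)
    marker = secrets.token_bytes(marker_len)
    with open(dst, "ab") as fh:
        fh.write(marker)
    before, after = file_hashes(src), file_hashes(dst)
    return {
        "source": before,
        "copy": after,
        "appended_bytes": marker.hex(),
        "hash_changed": before["sha256"] != after["sha256"],
    }


def demo() -> dict:
    """Run the procedure on a constructed stand-in sample in a temp directory."""
    workdir = Path(tempfile.mkdtemp(prefix="ens_poc_"))
    src = workdir / "dac_test_sample.exe"  # placeholder name, not the real utility
    src.write_bytes(b"MZ constructed stand-in for the DAC test utility\n" * 8)
    dst = workdir / "dac_test_sample_unique.exe"
    result = make_unique_copy(src, dst)
    result["source_size"] = src.stat().st_size
    result["copy_size"] = dst.stat().st_size
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Record the "source" and "copy" hashes in the POC notes next to the ePO threat event, so the event can be tied back to the exact sample that produced it; all three digests are kept because TIE, GTI and the ENS event log do not all report the same one.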
Use Case 4 - Configure policies to test Real Protect (RP) feature
1. In the policy, note that by default both Real Protect client-based and cloud-based scanning are enabled, as you can see in the policy screen shot below.
2. Confirm the client system has access to the Internet before testing Real Protect sample files.
3. As suggested above, change the hash of the file before each test, using the method given previously, so that the TIE reputation does not trigger a block.
4. Note that to trigger Real Protect you may have to disable TIE and DAC.
5. Use these RP sample files for testing the module: https://kc.mcafee.com/corporate/index?page=content&id=KB88828
6. Once you are able to trigger an RP event, you can find the events on the client side in the ENS event logs.
Use Case 5 - Configure policy to test HIPS Expert Rules
With HIPS Expert Rules within ENS, we'll demonstrate the ability to block all encoded PowerShell commands except for the one command that we exclude from being blocked.
1. Open the ENS Threat Prevention Exploit Prevention policy.
2. Click Expert Rules.
3. Choose Processes.
4. Make the following policy selections:
a. Title – Exclude powershell parameters
b. Dropdown level – Low
c. Action – check Block and Report
d. Rule Type – Processes
e. Rule Content – copy the following text and paste it into the Rule Content section.
Rule {
  Process {
    Include OBJECT_NAME {-v "**\powershell*"} # Identifies this as a PowerShell rule
    Include PROCESS_CMD_LINE {-v "*-NoLogo*"} # Includes the -NoLogo switch in the items that should be blocked
    #Include PROCESS_CMD_LINE {-v "*-e*"}
    Include PROCESS_CMD_LINE {-v "*-E*"} # Blocks any command line containing -E
    Exclude PROCESS_CMD_LINE {-v "*-EncodedCommand ZABpAHIAIAAnAGMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAJwAgAA==*"} # Excludes this specific encoded command, which pulls a directory listing of Program Files
  }
  Target {
    Match SECTION {Include -access "CREATE"}
  }
}
f. Enter any applicable notes.
g. This rule will do the following:
i. Block PowerShell when used with the -NoLogo switch.
ii. Block any encoded command, or any command that starts with -e.
iii. Allow the above embedded command, which pulls a directory listing of C:\Program Files.
5. To test the created rule, ensure it is applied to your test system, open a command window and type the following commands.
a. powershell -nologo #This command will be blocked
b. powershell #This command will be allowed
c. exit #To exit the shell you just entered
d. powershell -E dir "C:\Program Files" #This will be blocked because it includes a parameter that tries to encode the command
e. powershell -EncodedCommand ZABpAHIAIAAnAGMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAJwAgAA== #This command will be allowed and should pull a dir of C:\Program Files
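Before pushing the rule to the test system it helps to see, for each of the step-5 command lines, which Include or Exclude pattern decides the outcome. The script below is an added example for this guide, not McAfee code and not a model of how the ENS engine itself evaluates Expert Rules: it transcribes the Process section of the rule above and applies a simplified reading of it (the OBJECT_NAME pattern must match the process image, any one PROCESS_CMD_LINE Include matching is enough, any Exclude overrides, wildcards are case-insensitive and `*` spans path separators). The PowerShell image path and the command lines are constructed test inputs; the fifth command is not from the guide and is there to show how broad the `*-E*` pattern is.

```python
"""Dry-run the Expert Rule's Process matching against sample command lines.

Added example for this POC guide (not McAfee code and not how the ENS
engine is implemented): it models the rule's Include/Exclude globbing so
the step-5 test commands can be checked before the policy is enforced.
Simplifying assumptions: OBJECT_NAME must match the process image, any
PROCESS_CMD_LINE Include may match (OR), any Exclude overrides, globs are
case-insensitive and '*' spans path separators.
"""
from fnmatch import fnmatchcase

# Base64 (UTF-16LE) of: dir 'c:\program files'  (value taken from the rule above)
ENCODED_DIR = "ZABpAHIAIAAnAGMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAJwAgAA=="

# The Process section of the rule, transcribed from the guide
RULE = {
    "object_name": ["**\\powershell*"],
    "cmdline_include": ["*-NoLogo*", "*-E*"],
    "cmdline_exclude": [f"*-EncodedCommand {ENCODED_DIR}*"],
}


def glob_match(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match; fnmatch's '*' also crosses '\\'."""
    return fnmatchcase(value.lower(), pattern.lower())


def would_block(image_path: str, cmdline: str, rule: dict = RULE) -> bool:
    """True if the rule would block this process launch under the model above."""
    if not any(glob_match(image_path, p) for p in rule["object_name"]):
        return False  # not a powershell image: the rule does not apply
    if any(glob_match(cmdline, p) for p in rule["cmdline_exclude"]):
        return False  # an Exclude wins over any Include
    return any(glob_match(cmdline, p) for p in rule["cmdline_include"])


# Constructed image path for the test system
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed command lines: the four from step 5, plus one extra that shows
# how broad "*-E*" is (a hyphenated script name is enough to trip it).
TEST_COMMANDS = [
    "powershell -nologo",
    "powershell",
    'powershell -E dir "C:\\Program Files"',
    f"powershell -EncodedCommand {ENCODED_DIR}",
    r"powershell -File C:\scripts\health-export.ps1",
]


def evaluate(commands=TEST_COMMANDS, image_path: str = POWERSHELL) -> dict:
    """Map each command line to 'BLOCK' or 'ALLOW'."""
    return {c: ("BLOCK" if would_block(image_path, c) else "ALLOW") for c in commands}


if __name__ == "__main__":
    for cmd, verdict in evaluate().items():
        print(f"{verdict:5}  {cmd}")
```

The fifth command is the caveat to keep in mind when this rule is left in Block mode after the POC: `*-E*` matches `-e` anywhere in the command line, including inside script paths and arguments, so expect Exploit Prevention events from legitimate administration scripts and plan exclusions (or a tighter pattern such as one anchored on the switch) before enforcing it outside the test system.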
4 Customer success criteria
Below are the success criteria for ENS. Note that customer requirements may need to be added in case they are not listed.
Each entry below gives the Test and its Description; the Result column is left blank to be recorded during the POC.

On-Demand Detection
  While in its default configuration, the product must demonstrate through on-demand testing that it detects malware.

On-Access Detection
  While in its default configuration, the product must demonstrate through on-access testing that it detects malware.

Administrative Functions Testing
  The product must be configurable both locally and using the management platform to perform the following changes:
  • Enable and disable the detection of malware;
  • Retrieve and apply the latest engine and signatures over the Internet;
  • Review required log data.
  The product must have the ability to block uninstallation of the solution and tampering with its services.

Malware Detection Required Log Events
  The product must have the capability to log the results of all malware detections and other threat events from all modules of ENS.

Log Data Presentation
  All required log data presented in a log must be presented in a human-readable format.

Web Protection
  The product must provide a website rating based on the following:
  2) Safe/good 3) Unknown 4) High Risk 5) Medium risk

Block malicious websites
  The solution must be able to block a website based on its reputation.

Secure Search feature
  The product must provide the ability to search securely on the Internet.

Desktop Firewall
  The product must:
  • Provide the ability to block specific application communication.
  • Provide the ability to block a port or range of ports.
  • Provide IP spoofing protection.
  • Provide exploit prevention, for example against buffer overflows.

Dynamic Application Blocking
  The solution must provide the ability to block malicious activity without signatures.

User notification
  The user must be provided with a prompt when an action happens.

Administrative Functions
  The product must provide configuration of exclusions for false positives or in-house applications.

Real Protect Blocking
  The solution should provide the ability to block the malicious behavior of a sample that is not present in the current DAT signatures.

Report RP event on client and ePO
  The admin should be able to get local events for users and events recorded on ePO for further action.

Zero day / unknown malware protection
  The product should be able to block under the following conditions:
  • Create a new file out of the sample file and change the hash of the file using one of the techniques.
  • Execute the sample file to block the execution or action.
  • Read details in the event viewer.
5 Assumptions:
• All pre-requisite infrastructure is in place prior to the POC.
• The customer will have an assigned team in place to assist with the POC in a timely fashion.
• The POC setup should have ePO, DXL and TIE infrastructure built. Please refer to the TIE and DXL product guides for detailed instructions on building DXL and TIE.
6 Limitations
• McAfee will not be responsible for the creation of any accounts at the customer's site, except within the McAfee ePO console.
• Our definition of a POC is a maximum of 25 endpoints/servers.
• The POC will be limited to a testing environment unless negotiated prior to the POC.
• If the POC is to run in live production, McAfee will not be held responsible for support of systems damaged, loss of production or any incidents arising from the POC.
• McAfee will not supply live malware samples for testing.
7 Customer acceptance
By signing this document, I acknowledge that I have delivered all the stated deliverables as agreed for the proof of concept project.
By signing this document, I acknowledge that I have received all the stated deliverables as agreed for the proof of concept project.
McAfee SE Name and Signature:
Customer Name and Signature:
Date: Date: