McAfee DAT Reputation Implementation Guide Version 1.0 for Enterprise
Contents

McAfee DAT Reputation
What is McAfee DAT Reputation?
Rollout phases: Elective Download, AutoUpdate & AutoEnable
DAT Reputation Installation Files
Configuration before AutoUpdate/AutoEnable
ePO Configuration
Installing the McAfee ePO Management Extension
Managing McAfee DAT Reputation policies on multiple client systems
Modifying McAfee DAT Reputation policies
Run DAT Reputation Reports in ePO
Standalone Configuration Files
Manually verifying DAT Reputation policies
Testing DAT Reputation
Issues or Questions
McAfee DAT Reputation

What is McAfee DAT Reputation?

McAfee DAT Reputation technology can prevent endpoints from updating to a DAT that has been seen to cause unpredicted results in the field. While these types of events are very rare, they can occasionally cause significant impact to our customers. McAfee takes content quality and safety very seriously, and performs stringent quality assurance tests before every content release. This technology is an extra safety mechanism that identifies and contains an issue if one occurs after the content has been released.

McAfee DAT Reputation includes two components:

DAT Reputation

Before updating, DAT Reputation performs a McAfee Global Threat Intelligence (McAfee GTI) lookup to request the reputation of the DAT file. If the DAT is classified as block, the endpoint does not complete the update. The data transferred during the DAT Reputation check is minimal: the DAT version number and the type of DAT (V2/V3) are securely hashed and sent via SSL as the outbound request. The returned response is a hashed value which DAT Reputation interprets as good, unknown or block.

Endpoint Safety Pulse

Endpoint Safety Pulse runs a series of health checks to alert McAfee to potentially significant field issues caused by a content update. Prompt identification of such issues is critical to providing timely containment and remediation. Endpoint Safety Pulse collects the following types of data: operating system version and locale; McAfee product version; DAT and engine version; and McAfee and Microsoft running process information. McAfee uses this data to look for potential content-related issues after DATs have been released. The health check results are encrypted and sent to McAfee using SSL. The data is then aggregated and analyzed by McAfee to check for anomalies. McAfee incident response processes are invoked if a significant issue is discovered.
Customers with endpoints that do not have Internet access can disable McAfee DAT Reputation using McAfee ePolicy Orchestrator (McAfee ePO). They can also download the standalone configuration file for use on unmanaged systems.

Privacy Protection: The data collected by McAfee DAT Reputation is used only to look for content-related issues across our entire global customer base. No personally identifiable information is collected or transmitted.

For more information about McAfee DAT Reputation, please review our frequently asked questions.
Rollout phases: Elective Download, AutoUpdate & AutoEnable

Elective Download

McAfee customers who wish to enable DAT Reputation across their environment can use CommonUpdater3 from Tuesday November 18th 2014, from which date posting will occur seven days per week. Before this date, DATs and DAT Reputation binaries were posted to this site Monday to Friday only. The URLs for CommonUpdater3 are:

http://update.nai.com/products/commonupdater3
ftp://ftp.mcafee.com/commonupdater3

The default configuration for CommonUpdater3 is: DAT Reputation on, Endpoint Safety Pulse off.

AutoUpdate

DAT Reputation AutoUpdate is scheduled for mid-Q1 2015. On this day all endpoints updating from CommonUpdater will have DAT Reputation binaries downloaded and installed on supported operating system / point product combinations. This also includes endpoints belonging to customers who pull from or mirror these download sites. DAT Reputation and Endpoint Safety Pulse will both be disabled by default at this time. This is to allow ePO-managed machines time to collect any pre-configured policies during the two-week period before AutoEnable.

AutoUpdate for CommonUpdater2 is scheduled for the end of Q2 2015. Customers using CommonUpdater who are unable to complete change control processes by mid-Q1 2015 need to reconfigure their pull tasks and fallback repositories to CommonUpdater2.

AutoEnable

AutoEnable for DAT Reputation only (not Endpoint Safety Pulse) will occur two weeks after each AutoUpdate milestone. On this day, customers who have not pre-configured a policy will have DAT Reputation enabled automatically. Customers will not be automatically enabled via an update task into using Endpoint Safety Pulse on existing McAfee product versions currently in the field. McAfee recommend that customers enable this function, where possible, on their endpoints. McAfee may release a product patch to enable Safety Pulse at a later date, which will be communicated accordingly.
Customers who have pre-configured policies via ePO or the standalone configuration files will not have their policies changed by McAfee. All dates are subject to change.
DAT Reputation Installation Files

McAfee DAT Reputation installs to %programfiles(x86)%\Common Files\McAfee\DATReputation

The following files are installed:

File name                Description
mcdatrep.exe             McAfee DAT Reputation executable
datrepmp.dll             DLL responsible for reporting the DAT Reputation policies as well as enforcing the ePO policies on the clients (ePO plugin)
extradrep.rul            Rule file for access-protecting the DATReputation binaries
mcnrdhck.lua             Lua file defining the Endpoint Safety Pulse health checks to be run
mcnrdutl.lua             Utility Lua file for communicating the rules to mcdatrep.exe
ts.dll                   DLL responsible for performing the DAT Reputation lookup
DATRep Client Legal.rtf  Legal approval document for the third-party libraries in use
Configuration before AutoUpdate/AutoEnable

ePO Configuration

Customers can use ePO to pre-configure policies. These policies will be enforced by the agent only once DAT Reputation is installed (which will happen as part of AutoUpdate). This is because the ePO plugin for DAT Reputation will be installed as part of the DAT Reputation installation. Attempts to enforce policies without the plugin present on the endpoint will fail. Reports can be generated in ePO to view the policy settings once the plugin has been installed and the first ASCI (agent-server communication interval) has completed. Policy enforcement can be triggered by sending an agent wake-up call to the endpoints.

There are two ePO extensions available. One supports ePO 4.6.4 and above. This extension can be downloaded from Software Download Manager (SDM) or from a direct download here:

http://downloadcenter.mcafee.com/products/mcafee-avert/datrep/datreputationextension46.zip

McAfee have also provided an extension for older ePO versions (4.5.0 to 4.6.3) which is available here:

http://downloadcenter.mcafee.com/products/mcafee-avert/datrep/datreputationextension45.zip

Policy options are:

1. DAT Reputation enabled, Endpoint Safety Pulse enabled
2. DAT Reputation enabled, Endpoint Safety Pulse disabled
3. DAT Reputation disabled, Endpoint Safety Pulse disabled (greyed out)

Installing the McAfee ePO Management Extension

Before you begin, you must have administrator rights to install the McAfee DAT Reputation extension.

1. Log on to the McAfee ePO server as an administrator.
2. Click Menu > Software > Extensions, then click Install Extension.
3. On the Install Extension dialog, click Choose File, browse to the path where the McAfee DAT Reputation extension downloaded from Software Manager is located, and click Open.
4. Click OK in the Install Extension dialog.
5. The Extensions page displays the McAfee DAT Reputation extension details. Click OK.
6. The extension is installed and McAfee DAT Reputation is listed in the installed extensions list.
7. Enforce policies on client systems.

Managing McAfee DAT Reputation policies on multiple client systems

1. Click Menu > Systems > System Tree, then select a group in the System Tree. All systems within this group (but not its subgroups) appear in the details pane.
2. Select the required systems, then click Actions > Agent > Set Policy & Inheritance.
3. Select McAfee DAT Reputation as the Product, General as the Category, then select the required policy. See the ePolicy Orchestrator product documentation for more information about creating and editing policies.
4. Select Reset inheritance or Break inheritance, then click Save.

Modifying McAfee DAT Reputation policies

1. Click Menu > Policy > Policy Catalog.
2. Select McAfee DAT Reputation as the Product, General as the Category, then click the required policy.
3. Select or de-select the policy options as required and click Save.

Run DAT Reputation Reports in ePO

Once DAT Reputation is installed, you can run reports in ePO.

1. Click Menu > Reporting > Queries & Reports.
2. Click New.
3. Select Managed Systems and click Next.
4. Select the required chart type from the Display Result As list on the left side.
5. From the Labels dropdown, select the required option under McAfee DAT Reputation Service.
6. Click Next.
7. Select the required columns and click Next.
8. Select the required criteria and click Save.
9. Give an appropriate query name, description, and query group, and click Save.
10. Click the group created on the Queries and Reports page and select Run on the created query to display the result of the query. From now on, the same query can be run to view the data.
Standalone Configuration Files

Customers with unmanaged endpoints can use standalone configuration files to pre-set policies. These configuration files write registry keys and values which determine the policy for DAT Reputation and Endpoint Safety Pulse. Policy options are:

1. DAT Reputation enabled, Endpoint Safety Pulse enabled
2. DAT Reputation enabled, Endpoint Safety Pulse disabled
3. DAT Reputation disabled, Endpoint Safety Pulse disabled

Customers with ePO can also use these configuration files if they want to ensure the endpoints have received the policy locally in advance of AutoUpdate. Customers will not be able to report via ePO on the policies set using these files until the plugin has been installed.

The standalone configuration files can be downloaded from KB82935 (SupportPortal login required).

Manually verifying DAT Reputation policies

To verify that DAT Reputation policies have been applied you can check the registry on the endpoint. Go to the following registry hive:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\DATReputation on a 64-bit system
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DATReputation on a 32-bit system

Check the following values:

DWORD                          Feature enabled   Feature disabled
dwdisabledatreputation         0                 1
dwdisableendpointsafetypulse   0                 1

Platinum customers can also use System Information Reporter to check registry value settings.
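As an added example (not part of the McAfee guide), the following PowerShell function reads the two DWORDs above from the hive that matches the endpoint's architecture and reports the effective policy, flagging values that are missing or outside the documented 0/1 range. The function name is constructed here; it assumes it is run from a 64-bit PowerShell session on 64-bit Windows so the Wow6432Node path is read without registry redirection.

```powershell
# Added example, not part of the McAfee guide: reads the policy DWORDs described
# above and reports the effective DAT Reputation / Endpoint Safety Pulse policy.
# The hive paths and the value meanings (0 = feature enabled, 1 = feature disabled)
# come from the guide; the function name is constructed for this example.
function Get-DatReputationPolicy {
    # 32-bit McAfee components write under Wow6432Node on a 64-bit OS.
    $hive = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\McAfee\DATReputation'
    } else {
        'HKLM:\SOFTWARE\McAfee\DATReputation'
    }
    $result = [ordered]@{ Hive = $hive; KeyPresent = (Test-Path -Path $hive) }
    if (-not $result.KeyPresent) {
        # No key yet: neither a standalone configuration file nor the DAT Reputation
        # installer has run on this endpoint, so no policy has been applied.
        return [pscustomobject]$result
    }
    $props = Get-ItemProperty -Path $hive
    foreach ($name in 'dwdisabledatreputation', 'dwdisableendpointsafetypulse') {
        $p = $props.PSObject.Properties[$name]
        if ($null -eq $p) {
            # A missing value is reported rather than silently read as 0 (enabled).
            $state = 'not set'
        } elseif ([int]$p.Value -eq 0) {
            $state = 'enabled'
        } elseif ([int]$p.Value -eq 1) {
            $state = 'disabled'
        } else {
            $state = "unexpected value $($p.Value)"
        }
        $result[$name] = $state
    }
    [pscustomobject]$result
}

Get-DatReputationPolicy | Format-List
```

The output reads "enabled" or "disabled" per feature, so a policy pushed by ePO or by a standalone configuration file can be confirmed on the endpoint before AutoEnable without opening the Registry Editor.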
Testing DAT Reputation

McAfee have created some test DAT packages which can be used to check that endpoints are able to successfully receive the reputation of a DAT file. ePO is required to be able to test this functionality. McAfee do not recommend distributing these DATs across all of your endpoints; they are to be used in a test environment that is representative of your network. The zip containing the packages is available here.

These test DATs were created on September 12th to 14th 2014 (inclusive) and contain all drivers contained in the V2 DATs which were posted on these dates. Within the zip file there are three files which have different reputations in the McAfee cloud:

1. avvepo2000dat.zip - this test DAT file has no reputation
2. avvepo2001dat.zip - this test DAT file has a reputation of block
3. avvepo2002dat.zip - this test DAT file has a reputation of good

Minimum testing requirements:

- ePO server (4.5 or above)
- A Windows endpoint (Microsoft Vista or above) running VirusScan Enterprise (8.7i p4 or above) and MA (4.6 or above). The endpoint needs an internet connection, with SSL access over port 443.

Steps to test that the endpoint can receive DAT Reputations:

1. Check AVVDAT2000ePO.zip into your test ePO repository.
2. Configure and schedule an update task for the test endpoint to update from your test ePO server. Select "Enable DAT file downgrade when the version in the repository is older than the local version". Send an agent wake-up call.
3. Confirm that the endpoint has updated to DAT 2000 successfully.
4. Check AVVDAT2001ePO.zip into your test ePO repository.
5. Reschedule the client update task and wake up the agent on the test endpoint.
6. The endpoint should not update to the 2001 DAT. The agent monitor should show the product running the latest DATs, which will also be visible in the agent_machinename.log.
7. Check AVVDAT2002ePO.zip into your test ePO repository.
8. Reschedule the client update task and wake up the agent on the test endpoint.
9. Confirm that the endpoint has updated to DAT 2002 successfully.
10. In the DATreputation.txt log file you should see two entries:

Successfully received DAT Reputation of 1 for DAT number: 2001.0000
Successfully received DAT Reputation of 0 for DAT number: 2002.0000

Issues or Questions

If you have any problems or questions during the set-up, installation, configuration or usage of McAfee DAT Reputation, please contact your local McAfee Support Representative.
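As an added example (not part of the McAfee guide), the following PowerShell function parses DATreputation.txt entries from the test procedure above and checks them against the expected outcome: code 1 for DAT 2001 (reputation of block) and code 0 for DAT 2002 (reputation of good), both as shown in step 10. The function name, the sample lines and the log path placeholder are constructed here; the log line format and the codes come from the guide.

```powershell
# Added example, not part of the McAfee guide: checks a DATreputation.txt from the
# test run above against the expected outcome. Log line format and expected codes
# (1 for DAT 2001, which the guide says has a reputation of block; 0 for DAT 2002,
# which has a reputation of good) come from the guide. The function name and the
# sample lines are constructed for this example.
function Test-DatReputationLog {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        # Expected reputation code per DAT number, as listed in step 10 above.
        [hashtable] $Expected = @{ '2001.0000' = 1; '2002.0000' = 0 }
    )
    $pattern = 'Successfully received DAT Reputation of (\d+) for DAT number: (\d+\.\d+)'
    $seen = @{}
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            # Later entries for the same DAT number overwrite earlier ones.
            $seen[$Matches[2]] = [int]$Matches[1]
        }
    }
    $failures = @()
    foreach ($dat in $Expected.Keys) {
        if (-not $seen.ContainsKey($dat)) {
            # No entry means the endpoint never received a reputation for that DAT
            # (for example, no SSL access over port 443 from the test endpoint).
            $failures += "no reputation entry logged for DAT $dat"
        } elseif ($seen[$dat] -ne $Expected[$dat]) {
            $failures += "DAT ${dat}: logged code $($seen[$dat]), expected $($Expected[$dat])"
        }
    }
    [pscustomobject]@{
        Passed   = ($failures.Count -eq 0)
        Seen     = $seen
        Failures = $failures
    }
}

# Constructed sample of the two entries a successful test run should produce.
$sample = @(
    'Successfully received DAT Reputation of 1 for DAT number: 2001.0000',
    'Successfully received DAT Reputation of 0 for DAT number: 2002.0000'
)
Test-DatReputationLog -LogLines $sample | Format-List
# Against a real endpoint, replace the placeholder path with the actual log location:
# Test-DatReputationLog -LogLines (Get-Content 'C:\PLACEHOLDER\DATreputation.txt')
```

A Passed value of False with "no reputation entry logged" points at the lookup never completing (step 6 would then show the endpoint updating to DAT 2001), while a mismatched code indicates the cloud returned a different reputation than the test package is documented to have.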