
Email Gateway

eplossl

MEG Cluster Best Practices

Posted by eplossl May 29, 2015

The McAfee Email Gateway appliance provides the ability to create clusters of appliances.  A cluster may consist of two or more appliances.  This article will go into a few best practices for the creation and management of MEG clusters.

 

Cluster Creation

 

When setting up a cluster of MEG appliances, determine what your performance needs are.  If you are going to be handling a lot of mail, you will want more cluster members.  If you are not going to be handling as much mail, but are looking for the redundancy the cluster provides, you may just want two cluster members.

 

When configuring a cluster for the first time, choose a cluster ID that is not the default.  If you leave the default ID in place, this can result in new devices finding themselves added directly to the already existing cluster, even though you don't mean them to.  Once your cluster ID is set to something other than the default, it will be necessary to reimage the appliance to change the ID.  We use VRRP to do our clustering, so make sure that you note any other VRRP clusters on the same network the MEG will be on before setting this up.

 

Cluster members must be on the same local network in order to work.  Because we make use of VRRP, if appliances are present in different physical networks and are separated by a router, the devices will be unable to talk to each other.  If they are separated by a WAN link (even on the same VLAN), the devices may be unable to talk to each other in a reasonable time, thus resulting in the boxes being unable to connect properly.  We do not support configuration of appliances into clusters incorporating a WAN link.

 

When creating clusters of virtual machines, it is necessary to ensure that either the VMs have direct access to the network to which the host machine is attached, *OR* all the cluster members are present in the same host device.  If not, cluster members may be unable to talk to each other.

 

Clusters may have three types of devices in them:

1.  Cluster Master - This device is the main host in the cluster.  It acts as the primary traffic cop for inbound and outbound traffic, and handles all communications with the outside world.  It may or may not also host a scanning device. 

2.  Cluster Failover - This device is the backup host in the cluster.  Should the Master fail and go offline, the Failover appliance will take up the traffic cop duties until the Master comes back online.  If the Master hosts a scanner, this device will also host a scanner.

3.  Cluster Scanner - This is a standalone scanning device.  It receives its configuration, updates, and traffic to scan from the device currently handling all traffic for the cluster.

 

If a cluster has five or more appliances, the Master (and by extension, the Failover) should not be scanning traffic.  If a cluster has more than six devices, consider purchasing one of our MEG Blade servers instead.  If a cluster has three or fewer members, the Master and Failover devices should be scanners.  Clusters with exactly four members can go either way, as desired.

 

Cluster Administration

 

DO NOT use the configuration push feature built into the MEG appliances to push config from the Master to other devices in the same cluster.  KB82172 has additional details about the results of doing so.  Additionally, if using Configuration Push to push between clusters, push from the Master of one cluster to the Master of the other.  Never do config push to other devices in the destination cluster.

 

When booting your cluster, make sure that the Failover appliance boots first, then the Master.  Any scanners may be brought up any time after the Failover has come up.  Failure to boot in this order may result in communication issues between the master and failover appliances.


When performing software updates, ALWAYS install the update on the Failover first.  After updating the failover, allow it to come back online, then take down the master.  Dedicated scanning devices may be updated any time after the Failover update commences.  Note that if it is necessary to ensure mail flow and your master and failover devices are not scanners, it is necessary to update the failover and at least one scanner, THEN update the master and the rest of the scanners.

 

All cluster members must be running the same version of the software.  If a device in the cluster is on a different version of the software, it may receive traffic for scanning from the Master for a short time; once its configuration gets too far out of date (since the Master can no longer update it), that device will stop being used to scan traffic.  Note that if the Failover appliance is the one on a different version, this may result in mail flow problems in the event of the Master becoming unavailable.

 

Cluster Reporting

 

When a cluster is properly formed, all reporting data gets passed to the Master appliance.  Should the Master fail, the Failover will not have the reporting data present on the Master, as it doesn't replicate that data.  Additionally, when the Master comes back online, the Failover's data will not be passed back to the master.  This is due to a limitation present in the way the cluster setup is performed.

 

External Device Integration

 

When integrating clustered MEG appliances with ePO, only the Master should be connected.  The Master and Failover are the traffic cops for the cluster, providing logging data and accepting configuration changes.  Note, however, that because of the way ePO currently handles the MEG data, connecting the Failover appliance to ePO will result in some dashboard data duplication on the ePO server.

 

When integrating with the MQM, make sure that the master and failover are using the default device ID.  Failure to do so will result in the Master's configuration being pushed to the Failover, and mail may not be quarantined properly (and thus may be unavailable for release).

 

For additional information, please see the following KB articles which cover some of the topics above.

https://kc.mcafee.com/corporate/index?page=content&id=KB76144&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US#Clustering

https://kc.mcafee.com/corporate/index?page=content&id=KB76204&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US

When using MQM accounts for administrators and users, certain symbols are explicitly rejected and some others are accepted in the UI but do not save the account or password.  If you use different symbols, the password is accepted.

The following symbols are acceptable: < > ; " / ( ) { }

Any other symbol will cause issues with MQM. Only use the symbols in this list for passwords with MQM accounts.

hshah

Fresh Installation of MQM 701

Posted by hshah Feb 6, 2015

Any fresh install of MQM should have only these builds: MQM 701 + Rollup1 + HF993211.

This is because HF993211 contains the cumulative hotfixes released after Rollup1.

 

In your MEG message search, you can see the disposition of a message and how it was delivered.  In the properties column, there are a few icons that can tell you if it was inbound vs outbound, original vs modified and if it was delivered securely. 

 

The color of the lock icon tells you if it was delivered via opportunistic TLS or via a policy action.  If the icon is black, then it was via opportunistic TLS configured under Email - Encryption - TLS.  In this case, it can be either a domain where TLS is forced or the * option.  If the icon is gold, then it was triggered via a policy action to encrypt and delivered via the options under Email - Email Policies - Policy Options - Encryption Settings.

 

Gold Lock = Policy based action

Black Lock = Domain based rule or opportunistic TLS

hshah

MQM Database Maintenance

Posted by hshah Jan 7, 2015

Database Purge: Configure the Database Purge task to run every 2 weeks during non-peak hours. The purge task periodically clears the database by removing old data, such as old log entries and quarantined items. Purging the database helps you manage disk space.

 

Database_purge.png

 


Reclaiming Space From Purge

Optimize:

The optimize task is used to re-claim disk space when items in the database have been purged. This task can be run by the customer using the tools provided by the database vendor.

It is not recommended to run the optimize command very frequently because this will result in frequent allocation/de-allocation of space. This may impact MQM performance. Some recommendations for running the optimize command:

1. If you must run the optimize command, run it once every 6 months or so.

2. Before running the optimize command, stop the MQM service. (Note – at this point quarantined items will get queued up on the appliance)

3. Make sure free space on the disk is 150% the size of the MySQL database.

4. MySQL command for optimize: ‘optimize’. MSSQL command for optimize: ‘shrink’


If the customer is using MySQL shipped with MQM, as the database, then run the command “call pOptimize();” from the MySQL prompt. This will call a stored procedure written specifically for MQM, and all the domain tables in MQM will be optimized.

Ensure your spam rules and engine are up-to-date. If your Appliance does not have the latest updates, it will not detect the latest spam messages. You can check the current update status under System, Component Management, Update Status in the Appliance administrator console. The Appliance receives updates from the McAfee update servers. To receive these updates, you must ensure the following ports are open on your firewall:

 

Anti-Spam Engine:
MEG 7.6.2 and later: HTTPS TCP 443, outbound to tau.mcafee.com.
EWS 5.6, MEG 7.0, MEG 7.5, and MEG 7.6 up to 7.6.1: FTP TCP 21, outbound to ftp.nai.com. Uses PASV.

 

Anti-Spam Rules and Streaming updates:
On HTTP TCP 80, outbound to http://su3.mcafee.com/su3, http://sav-su3-1.mcafee.com, 208.69.152.139, and 192.187.128.17
For more information, see KB72970 - Open ports required for the EWS/MEG 7.x Appliance.

 

Maximum scanning size:
The anti-spam scanner has a default maximum scanning size limit of 250KB. The MEG anti-spam scanner does not scan email messages that exceed this size limit.
To confirm or modify this setting, see KB72143 - How to increase the EWS and MEG Appliance maximum message size for spam detection.

 

Spam score and report:
Set up the Appliance to add a spam score and report on all messages. If you still receive spam or false positives in your mailbox, you can provide this mail to the McAfee spam team for further review and correction.  Make sure these changes are done on your primary inbound policy (more than likely this will be the default policy).
Select Email, Email Policies, SMTP, Spam.
Select Yes to enable anti-spam scanning.
For Add a spam score indicator, select To all messages.
For Attach a spam report, select To all messages.
Click OK.
Apply changes.

 

Score based action:
Enable the second score-based action with When the spam score is at least 5.0 and always enable the And Also setting to quarantine the modified version of the message. The default configuration is to mark when the score is greater than or equal to 5 points and accept and drop when the score is greater than or equal to 10 points. The McAfee spam team considers any message that receives fewer than 5 points to be legitimate and any message that receives 5 or more points to be spam. Therefore, the default anti-spam scanning configuration may allow some spam-like emails to be delivered. Change the anti-spam settings as follows to block any email message with a spam score between 5.0 and 10.0:
Select Email, Email Policies, SMTP, Spam.
Enable the second listed When the spam score is at least, and enter 5.0 in the text box next to it.
For the action, select Accept and then drop the data (Block).
In the And also options, enable Quarantine modified.
Click OK, then apply the changes.
Although email is considered spam at a score of 5.0 or higher, this value can be modified depending on your needs.  It is possible to drop this lower threshold value down to 4.2 with only a slight increase in false positives.

 

Spam Submissions:
If there is a false positive (legitimate email is scored too high) or false negative (spam email is scored too low), obtain a copy of the email from quarantine and submit it to the McAfee spam team.
For full steps, see KB59415 - How to submit spam and phishing samples to the McAfee Spam Analysis Team.

 

Sender Authentication:
Global Threat Intelligence (GTI) message reputation identifies a large percentage of spam more quickly than the regular anti-spam scanning and can help stop spam blasts more quickly.
Select Email, Email Policies, SMTP.
On your inbound email policy group, open Sender Authentication and navigate to the Message Reputation tab.
In Higher Detection Threshold, enable McAfee GTI Message Reputation at the higher detection threshold.
Set the Detection threshold for Higher threshold as Highly suspect.
From the If the sender fails the check list menu, select one of the available Block actions.

 

Within the Sender Authentication section, there are some other settings that can be enabled to assist with blocking unwanted messages:
On the Message Reputation tab of the Sender Authentication window, enable the Lower Detection Threshold and set the Detection threshold to Suspect.  Change the If the sender fails the check action to Add to score 10.
Navigate to the SPF, Sender ID, DKIM, and FCrDNS tab.  Enable SPF, Sender ID, DKIM, and FCrDNS.  For each check, change the failure action to Add to score 10.
Still within the Sender Authentication window, navigate to the Cumulative Score and Other Options tab.  NOTE:  Depending on the resolution of your monitor, this tab may need to be accessed by clicking a drop-down arrow and then selecting the tab.
On this tab, put a checkmark in the box to Check the total added score.  It is recommended to leave the score threshold at 20.  This checks the combined score from GTI at the lower threshold, SPF, Sender ID, DKIM, and FCrDNS: if there are two or more failures amongst the 5 checks, the action configured for the threshold being reached will be taken.
Click OK and apply the changes.
It is important to note that the sender authentication scores are independent of the spam score.

 

IMPORTANT: If the Appliance is behind an MTA and has a hop count set (as explained in the next step), do NOT use the Reject, Close, and Deny (Block) action. This can cause MEG to block the connecting IP address of your onward server when GTI Message Reputation detection triggers.

 

If your MEG is behind the MTA:
Select the Cumulative Score and Other Options tab, enable Parse the email headers for sender address if behind an MTA and specify the Number of hops to the MTA.
Click OK.
Click Apply changes.

 

NOTE: If you encounter issues where legitimate messages are blocked by GTI message reputation, see KB62754 - Email Gateway/Secure Mail/Email and Web Security: TrustedSource FAQ.

GTI Feedback:
McAfee strongly recommends that you enable GTI feedback. GTI feedback submits various metadata about the message to McAfee to improve the GTI reputations and spam rules.
Select Email, Email Policies, SMTP, McAfee GTI feedback.
Enable Threat Feedback.
Click OK and apply the changes.

How to Configure Digest Mail on MQM 701

 

1. Click Admin Management | Manage Domains. Provide the Domain Name and click
   Add to create a new domain to store the domain-based quarantined items.

 

NOTE: For example, if you need items to be quarantined for the domain xyz.com, create
a Domain Name with @xyz.com and click Add.

 

2. Click Admin Management | Manage Domains | Modify Configuration.
   Under the Template tab you can select Template type - Digest Mail and Mail Format:

  Digest_Template.png

 

2a) Click Admin Management | Manage Domains | Modify Configuration.  Under the General tab,
    add the Mail Server information so that digest mail is sent to this mail server.

   In Server Name/IP Address, enter the hostname or the IP address of the mail server
   for this domain.
   In Port, specify the port number used by the above mail server.

 

3. From the McAfee Quarantine Manager main menu, click Settings and Diagnostics |
   Communications | LDAP Server.
   Enter the LDAP Server details
   Each type of LDAP server has parameters that need to be defined to facilitate communication
   with the McAfee Quarantine Manager server.

LDAP_Config.png

 

4. Click Settings and Diagnostics | Task Manager | Scheduled Tasks.
     In Task Type, select User Synchronization.

    In Task Name, type a name for the task.
    Click Add to schedule the task based on the options selected.
    A message box stating Task successfully added appears. In the message box, click OK

    For details, view the Product Log (from the McAfee Quarantine Manager main menu, click Settings and Diagnostics | Product Log).

 

5. Send test spam mail so that it is quarantined.

 

6. Click Settings and Diagnostics | Task Manager | Scheduled Tasks.
    In Task Type, select Email digest.
    Schedule this task.

    For details, view the Product Log (from the McAfee Quarantine Manager main menu, click Settings and Diagnostics | Product Log).

The MEG 7.6.3 software is now out and customers have been using it for a while.  I thought I would take a little time today to tell everyone about one of the new features present in this software version.

 

We know that many times, customers see archives come in with innocuous-sounding names but which then happen to contain malicious or unwanted content.  While we can usually block such content, in the event of a 0-day exploit we may not always know about the malware in time to block it from coming in.  Should such an unhappy event happen, however, how is an admin to know who in their environment was exposed to this unknown malware?

 

That's where this new feature comes in.  With this new feature, the MEG appliance will look through archives attached to email and extract the filenames of each file inside the attachment.  When the admin then looks at the Message Search, they can see up to 11 of those file names (10 if there's more than 11), and a link for more if there's more than 11.  That link will then allow the admin to look at the full list of files inside the archive.  This also allows the admin to search through the GUI for filenames inside of attachments.  For instance, if a piece of malware were to get through the appliance, and we know that it's inside an innocuous archive, but is named exploit.exe, we could search through the GUI for all archives which contain exploit.exe, and thus see who already received it.  Also, policy could be built to block exploit.exe, even though it's inside archive.zip.

 

It's worth noting that, at this time, the following archive formats are supported by this feature:

ZIP (*.zip)

TAR (*.tar)

7-ZIP (*.7z)

GZIP (*.gz)

RAR (*.rar)

 

For additional information about this feature, I recommend viewing the November MEG TechTalk recording in which Marcelo and I detail this and the other new features in MEG 7.6.3.  That TechTalk can be found at https://community.mcafee.com/videos/2061
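As an added example (not code from the post or from the MEG appliance), the following Python script extracts member filenames from constructed ZIP, TAR and GZIP archives using only the standard library, applies the 11-name display rule described above, and flags names that a filename policy would act on; 7z and RAR, also covered by the appliance feature, need third-party parsers and are reported as unsupported here.

```python
import gzip
import io
import tarfile
import zipfile


def archive_member_names(data):
    """Return the member filenames inside an archive blob, detected by magic bytes.

    ZIP, TAR and GZIP are handled with the standard library. 7z and RAR are part
    of the appliance feature but need third-party parsers, so they raise here.
    """
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    if data[:2] == b"\x1f\x8b":
        return _gzip_original_name(data)
    if len(data) > 262 and data[257:262] == b"ustar":   # POSIX/GNU tar magic
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return [m.name for m in tf.getmembers() if m.isfile()]
    raise ValueError("unsupported or unrecognised archive format")


def _gzip_original_name(data):
    """GZIP wraps a single file; the header may carry its original name
    (FNAME flag, RFC 1952). Returns [] when no name is recorded."""
    flags = data[3]
    pos = 10                                   # fixed-size header
    if flags & 0x04:                           # FEXTRA: 2-byte LE length + payload
        pos += 2 + (data[pos] | (data[pos + 1] << 8))
    if not flags & 0x08:                       # FNAME not present
        return []
    end = data.index(b"\x00", pos)             # zero-terminated latin-1 name
    return [data[pos:end].decode("latin-1")]


def display_names(names, limit=11):
    """Message Search display rule from the post: show all names when there are
    at most 11, otherwise show 10 and offer a 'more' link. Returns (shown, more)."""
    if len(names) <= limit:
        return list(names), False
    return list(names[:limit - 1]), True


def matches_filename_policy(names, blocked):
    """Member names a filename policy would act on: case-insensitive match on
    the basename, so 'docs/exploit.exe' is caught by a rule for 'exploit.exe'."""
    blocked_lower = {b.lower() for b in blocked}
    return [n for n in names if n.rsplit("/", 1)[-1].lower() in blocked_lower]


# Constructed sample archives, built in memory so the example runs offline.
def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed")
        zf.writestr("docs/readme.txt", b"constructed")
        zf.writestr("docs/exploit.exe", b"MZ constructed")
    return buf.getvalue()


def build_sample_tar():
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in (("report.doc", b"constructed"), ("tools/exploit.exe", b"MZ")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample_gzip():
    buf = io.BytesIO()
    with gzip.GzipFile(filename="exploit.exe", mode="wb", fileobj=buf) as gz:
        gz.write(b"MZ constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for blob in (build_sample_zip(), build_sample_tar(), build_sample_gzip()):
        names = archive_member_names(blob)
        shown, more = display_names(names)
        print(names, "->", shown, "more link:", more,
              "policy hits:", matches_filename_policy(names, ["exploit.exe"]))
```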

The MEG appliance is a powerful filtering tool for email.  As part of its use, it needs to be able to find content in various parts of messages.  While it is frequently possible to only worry about simple strings with (possible) wildcards, sometimes it's necessary to be able to filter for content matching particular formats, but which cannot be reliably predicted ahead of time (except in that it matches the given format).  In such cases, Regular Expressions are a powerful tool.

 

However, as Spiderman keeps telling us, with great power comes great responsibility.  Regular expressions are extremely powerful tools.  They can pick out seemingly random data as matching a specific pattern, and do so much more quickly than we can.  However, the more complicated the regular expression, the more processing power it will require to run it.  Additionally, regular expressions can be designed to search for strings or blocks of varying lengths, or even of an undefined length but still matching a particular pattern.

 

The problem with Regular expressions is that, as I saw in a case I recently worked on, there are commands which are able to be interpreted as "look for this pattern in a string of (effectively) infinite length".  While they aren't always as recognizable as this, the simplest version of this sort of regular expression is ".*" (without the quotes).  This command means to match any character one or more times.  However, since there's no limit to the length, the result is that it's entirely possible that the system would continue searching for a lot longer than we would normally expect.

 

In order to prevent this from resulting in significant, unexpected CPU use, it is recommended to be very careful with the use of * and + in regular expressions.  If it doesn't need to search indefinitely, it would be better to put in something like {1,100}, thus ensuring that the preceding item matches up to 100 characters, but not more than that.  This helps to prevent a case where the CPU gets all chewed up because the system is trying to match an extremely long string to the pattern when it has no business doing so.
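As an added illustration (not from the post or from McAfee), the following Python helper audits a constructed list of content-filter patterns for the open-ended quantifiers the post warns about and rewrites them with an upper bound; note that * permits zero or more repeats and + one or more, and both, like {n,}, have no upper limit, which is the concern here.

```python
import re

# '{n,}' has a lower bound but no upper bound, so it is as open-ended as '*' or '+'.
UNBOUNDED_BRACE = re.compile(r"\{(\d+),\}")


def _scan(pattern):
    """Yield (index, text, is_unbounded_quantifier) tokens over a pattern.

    Escaped characters and the inside of [...] classes are passed through as
    opaque text so that a literal '*', '+' or '{' there is not mistaken for a
    quantifier. Groups and anchors need no special handling for this check.
    """
    i, in_class = 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                      # escape: emit it with the next char
            yield i, pattern[i:i + 2], False
            i += 2
        elif in_class:                      # inside [...]: nothing is a quantifier
            in_class = ch != "]"
            yield i, ch, False
            i += 1
        elif ch == "[":
            in_class = True
            yield i, ch, False
            i += 1
        elif ch in "*+":                    # zero-or-more / one-or-more, no upper bound
            yield i, ch, True
            i += 1
        elif ch == "{" and (m := UNBOUNDED_BRACE.match(pattern, i)):
            yield i, m.group(0), True       # '{n,}'
            i = m.end()
        else:
            yield i, ch, False
            i += 1


def find_unbounded_quantifiers(pattern):
    """Positions and text of every quantifier that has no upper bound."""
    return [(i, tok) for i, tok, unbounded in _scan(pattern) if unbounded]


def bound_quantifiers(pattern, limit=100):
    """Rewrite a pattern so every repeat has an upper bound of `limit`:
    '*' -> '{0,limit}', '+' -> '{1,limit}', '{n,}' -> '{n,limit}'."""
    out = []
    for _, tok, unbounded in _scan(pattern):
        if not unbounded:
            out.append(tok)
        elif tok == "*":
            out.append("{0,%d}" % limit)
        elif tok == "+":
            out.append("{1,%d}" % limit)
        else:                               # '{n,}' keeps its lower bound
            out.append("{%s,%d}" % (tok[1:-2], limit))
    return "".join(out)


def audit(patterns, limit=100):
    """Map each pattern that contains an unbounded quantifier to a bounded rewrite."""
    return {p: bound_quantifiers(p, limit)
            for p in patterns if find_unbounded_quantifiers(p)}


def matched_length(pattern, text):
    """How many characters the first match consumes (None if there is no match)."""
    m = re.search(pattern, text)
    return len(m.group(0)) if m else None


# Constructed sample of content-filter patterns of the kind an administrator
# might configure; not taken from any real policy.
POLICY_PATTERNS = [
    r"Order-\d+",            # reference number of any length
    r"Invoice.*\.zip",       # anything at all between the word and the extension
    r"[A-Z]{2}\d{6}",        # already bounded: two letters, six digits
    r"(?i)re: .{1,100}",     # already bounded, as the post recommends
]

if __name__ == "__main__":
    for pattern, bounded in audit(POLICY_PATTERNS).items():
        print(f"{pattern!r:24} -> {bounded!r}")
    long_subject = "x" * 5000
    # '.*' consumes the whole 5000-character input; '.{1,100}' stops at 100.
    print(matched_length(r".*", long_subject), matched_length(r".{1,100}", long_subject))
```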

Taken from McAfee KnowledgeBase - How to enable new spam rules on Email Gateway for system defined header analysis

 

Environment

 

McAfee Email Gateway (MEG) 7.x

 

 

Summary

Several new spam rules have been added to MEG 7.x that look at defined header values to improve detections.

 

New Rules:

 

  • EDT_SDHA_SMP_HMS_FRM - This rule triggers when the MAIL FROM has a null sender.
  • EDT_SDHA_HMS_FRM - This rule triggers when the header From is missing or empty.
  • EDT_SDHA_FRM_INV (Header From Invalid) - This rule triggers when the 822 header is an invalid email address.
  • EDT_SDHA_ADR_FRG (Address Forged) - This rule triggers when there is a mismatch in either the local or the domain part of the email address between 821 and 822 headers.
  • EDT_SDHA_DMN_FRG (Domain Forged) - This rule triggers when there is a mismatch in the domain part of the email address between 821 and 822 headers.
NOTE: EDT_SDHA_ADR_FRG (Address Forged) and EDT_SDHA_DMN_FRG (Domain Forged) replicate the Header Analysis feature from IronMail.
  • The rule EDT_SDHA_ADR_FRG is functionally equivalent to the following filter on IronMail:
    SDHA, 821-Address, Forged "From:" email address.
  • The rule EDT_SDHA_DMN_FRG is functionally equivalent to the following filter on IronMail:
    SDHA, 821-Address, Forged "From:" domain name.

 

Solution

Use the following procedure to enable the rules.
IMPORTANT:
  • If you are using ePO to manage your appliance, you must follow the process documented in KB82606 to avoid ePO overwriting your configuration changes.
  • For details about saving, editing, and restoring the appliance configuration file, follow the instructions in KB56323.
  1. Open the MEG Management console and select Email, Email Policies, Policy Row, Spam.
  2. Select the Spam Rules tab.
  3. In the Filter text box, type EDT_ and click Apply.
  4. Disable all five rules displayed and click Apply.
  5. Select System, System Administration, Configuration Management.
  6. Select Backup Configuration and save the zip file to your local drive.
  7. Open the zip file, navigate to the \config directory, and open SharedSettings.xml in a text editor.
  8. Search for EDT_.
  9. For the five rules, change the enabled value from 0 to 1 and set the score to the required level.
  10. Save the file and update the configuration zip file.
  11. Select System, System Administration, Configuration Management, Restore from File.
  12. Navigate to the modified zip file and load the modified config.
  13. Click OK and apply changes as required.

 

Many customers have multiple appliances.  Prior to MEG 7.5, there wasn't really a good way to get all the mail traffic data and configuration settings handled from a single spot, however.  Starting with MEG 7.5, ePO can now manage the configuration on MEG appliances directly through policy application.  While this is a good thing normally, what happens when it comes time to deal with upgrades of varying sorts?

 

In a nutshell, the link between ePO and the MEG is that the ePO server has configuration policies which it then pushes down to the various attached appliances.  Different policies can be pushed to different devices as desired.  The question comes down to what needs to be done to address upgrades of various types.

 

There are essentially two types of upgrades which will be present for the appliances:

1.  Upgrades which make changes to the configuration settings in various places.

2.  Upgrades which simply update binaries and don't adjust configuration settings at all.

 

Version upgrades almost always fall into the first category.  Many binary updates and configuration changes are present here and generally there are major changes to the appliance behavior.

Patches usually fall into the first category, although there are a few patches which may fall under the second.  The number of patches which fall into the second category, however, is small.

Hotfixes are a much more mixed bag.  Hotfixes frequently simply provide updates to binaries to fix some sort of vulnerability or significant errors.  Sometimes, however, those binary fixes require changes to the configuration details for the appliance.  In those cases, these fit into the first category.

 

So why the two categories?  Because the attachment of the MEG to ePO requires the installation of MEG plugins and configuration uploads to the ePO.  But what should admins do when updates become necessary?  For all updates where the first category is true, it is absolutely necessary that customers follow the steps in KB79376.  Failing to do so may result in unexpected operation or unexpected errors.  For updates which fall into the second category, no changes are really necessary, so customers need not worry about following the steps in that KB.  That said, however, since there's no indication on individual hotfixes or patches as to whether or not configuration changes are necessary, it's best to go ahead and run the steps found in the KB anyway, just to be sure that something like the GUI configuration doesn't get changed on the box but not in the configuration on the ePO server.

How to configure McAfee Email Gateway 7.x with Content Security Reporter 2.x

 

From https://kb.mcafee.com/agent/index?page=content&id=KB83242

 


 

 

Environment

McAfee Email Gateway 7.x

McAfee Content Security Reporter 2.x

ePolicy Orchestrator 5.x

 

Summary

How to configure McAfee Email Gateway to send events to Content Security Reporter?

 

Open ePolicy Orchestrator

Click Menu, Configuration, Report Server settings

Select Log Sources

Click the Actions Menu in the right Pane at the bottom left

Select New

Configure a Name under Log Type

For example we used: MEG5000

For Mode Select Syslog

For Log Format Select McAfee Email Gateway

Enter the Client Address(es) for Accept Log Files from the Network Device

Select TCP for the Protocol

Note! Server port will change from 514 to 610 after selecting TCP

Click OK

 

Open the McAfee Email Gateway Console

Browse to System, Logging, Alerting, and SNMP, System Log Settings

Tick the check box for Enable System Log Events

For Logging Format choose Content Security Reporter

Select the events to be sent to CSR

Expand Off-box system log

Tick the check box for Enable off-box system log

Click Add Server

Enter the IP address of the CSR Server

Change the port from 514 to 610

Note! This is what CSR uses for TCP connections for Syslog.  MEG only uses TCP when communicating with CSR.

Apply the Changes

 

Once everything is configured the CSR Reports in ePO will allow for easy reporting on various detections.

Open the ePolicy Orchestrator Console

Browse to Dashboards

Click the Drop Down and Select CSR Email Activity

Click the PIE Chart to drill in to see events.

 


From https://kb.mcafee.com/agent/index?page=content&id=KB83165

 

Environment

 

McAfee Email Gateway (MEG) 7.x

 

 

Summary

By default, McAfee Email Gateway (MEG) allows negotiation of secure connections via SSLv3. Perform the steps in this article to disable SSLv3 connections.

 

 

Solution

NOTE: This solution requires either MEG 7.5.3 + HF971179 (3016.109) or later or 7.6.2H1008011 (3044.109) or later installed.

 

IMPORTANT:

  • If you are using ePO to manage your appliance, you must follow the process documented in KB82606 to avoid ePO overwriting your configuration changes.
  • For details about saving, editing, and restoring the appliance configuration file, follow the instructions in KB56323.

 


To disable SSLv3 for MEG:
  1. Export the Appliance configuration file and extract machine.xml:
    1. Create a new folder and assign a descriptive name.
    2. Log on to the Appliance Management Console and select System, System Administration, Configuration Management.
    3. Click Backup Config, then click the link to save the configuration. Save the configuration to the new folder.

      NOTE: The numbers in the name of the configuration file change with new versions and updates.
    4. Save a copy of the configuration .zip file to a backup location.
    5. Right-click the configuration file and select Open with WinZip.
    6. Locate and extract machine.xml file to your new folder.
      NOTE:
      Ensure that you do not extract the full zip file, only the XML file to be edited. Extracting the full configuration can cause corruption in the MEG appliance configuration. 
  2. Edit the machine.xml configuration file:
    1. Right-click machine.xml and select Open with Wordpad.
    2. Search for ForbiddenProtocols. The entry will be in the following text section:

      <List name="ForbiddenProtocols" type="nstr">
      <Attr name="0" value="SSLv2"/>
      </List>
    3. Change the entry above to read as follows:

      <List name="ForbiddenProtocols" type="nstr">
      <Attr name="0" value="SSLv2"/>
      <Attr name="1" value="SSLv3"/>
      </List>
    4. Click Save.
    5. Update the MEG appliance configuration zip file with the edited machine.xml
  3. Restore the Configuration File to the Appliance:
    1. Log on to the Appliance Management Console and select System, System Administration, Configuration Management, Backup and Restore Configuration.
    2. Click Restore from File, locate the updated configuration zip file and click OK.
    3. Select the Values to Restore and click OK.
    4. Click Close.
    5. Click Apply Changes.
    6. Type a comment and click OK.
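The machine.xml edit in step 2 can be scripted so that the result is checked rather than typed by hand. The following Python helper is added here (it is not McAfee's code) and assumes only the ForbiddenProtocols structure quoted above, applied to a constructed machine.xml fragment.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the ForbiddenProtocols entry quoted in the
# article; a real machine.xml contains many more elements around it, and its
# root element name is assumed here.
SAMPLE_MACHINE_XML = """<Configuration>
  <List name="ForbiddenProtocols" type="nstr">
    <Attr name="0" value="SSLv2"/>
  </List>
  <List name="OtherSetting" type="nstr">
    <Attr name="0" value="unrelated"/>
  </List>
</Configuration>"""

LIST_XPATH = ".//List[@name='ForbiddenProtocols']"


def forbidden_protocols(xml_text):
    """Return the protocol names currently listed under ForbiddenProtocols."""
    lst = ET.fromstring(xml_text).find(LIST_XPATH)
    if lst is None:
        raise ValueError("ForbiddenProtocols list not found in machine.xml")
    return [attr.get("value") for attr in lst.findall("Attr")]


def forbid_protocol(xml_text, protocol="SSLv3"):
    """Return xml_text with `protocol` appended to ForbiddenProtocols.

    The new <Attr> is numbered after the highest existing index, matching the
    "0" then "1" layout shown in the article. Idempotent: if the protocol is
    already forbidden, the input is returned unchanged.
    """
    root = ET.fromstring(xml_text)
    lst = root.find(LIST_XPATH)
    if lst is None:
        raise ValueError("ForbiddenProtocols list not found in machine.xml")
    attrs = lst.findall("Attr")
    if protocol in (a.get("value") for a in attrs):
        return xml_text
    next_index = max((int(a.get("name")) for a in attrs), default=-1) + 1
    new = ET.SubElement(lst, "Attr", name=str(next_index), value=protocol)
    if attrs:
        # Keep the file's indentation: the new element takes the old last
        # element's tail, and the old last element gets the per-child indent.
        new.tail = attrs[-1].tail
        attrs[-1].tail = lst.text
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = forbid_protocol(SAMPLE_MACHINE_XML)
    print(updated)
    print("forbidden:", forbidden_protocols(updated))
```

ElementTree drops the XML declaration and any comments, so diff the output against the original machine.xml before repacking it into the configuration zip.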

From McAfee KnowledgeBase -

 

There are two methods of enabling debug logging.

 

Method 1 - via the AdminUI

 

  1. Create a destination folder for the Debug logs:

    1. Open Windows Explorer.
    2. On a local drive, create a folder to store the Debug logs (for example: C:\MQMLogs).
    3. Close Windows Explorer.
  2. Enable Debug logging in the MSME console:

    1. Open the MQM AdminUI.
    2. Click Settings and Diagnostics.
    3. Click Diagnostics, and then click the Debug Logging tab.
    4. Set Level to High.
    5. Optional: Select Limit size of Debug log files.

      IMPORTANT: McAfee recommends that you not set a size limit for the debug logs because important information will be overwritten when the log files are truncated. Instead, enable debug logging only for the time necessary to reproduce the issue, and then disable debug logging.
    6. Select Specify location for Debug files.
    7. In the Debug file location drop-down list, select (full path).
    8. In the Debug file location field, type the name of the folder created above (example: C:\MQMLogs).
    9. Click Apply.
  3. Run the Debug log for the specified time to capture the issue.

    With Debug logging enabled, replicate the issue. The length of time to have debug logging enabled will vary depending on the issue that you are investigating. When the issue has been replicated, proceed to the next step to disable debug logging.
  4. Disable Debug logging:
    1. Open the MQM AdminUI.
    2. Click Settings and Diagnostics.
    3. Click Diagnostics, and then click the Debug Logging tab.
    4. Set Level to None.
    5. Click Apply.

Method 2 - via the Registry

  1. Stop the McAfee Quarantine Manager service:

    1. Click Start, Run, type services.msc, and then click OK.
    2. Perform the following steps only if the server is managed by ePolicy Orchestrator (ePO):
      1. Right-click McAfee Framework Service and select Properties.
      2. In the Startup Type section, select Manual from the drop-down list and then click Apply. This will stop ePO policies from restarting the service.
      3. Right-click McAfee Framework Service and select Stop.
    3. Right-click McAfee Quarantine Manager and select Stop.
    4. Minimize the Services window.

  2. Enable debug logging via the registry:

    1. Click Start, Run, type regedit, and then click OK.
    2. Navigate to the following key:

      [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Quarantine Manager\trace]
      [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\Quarantine Manager\trace]

    3. Set the keys to the following values:

      NOTE: If any of the listed keys do not exist, click Edit, New and select either DWORD Value or String Value.

      Key Name      Key Type   Base Type   Value
      Level         DWORD      Hex         3
      MaxFileSize   DWORD      Decimal     10240
      Path          STRING     -           C:\MQMLogs

      IMPORTANT: MaxFileSize is an optional value. This key is not required if you do not want to set a maximum file size. McAfee does not recommend that a size limit be set for the debug logs because important information will be overwritten when the log files are truncated. Instead, enable debug logging only for the time necessary to capture the error/issue, and then disable it.
    4. Close the Registry Editor.

  3. Start McAfee Quarantine Manager and launch the Product Console:
    1. Maximize the Services window.
    2. Right-click McAfee Quarantine Manager and select Start.
    3. Minimize the Services window.
    4. Open the McAfee Quarantine Manager Console and/or perform the steps and actions that you want to be captured in the debug logs.

  4. When enough debug information has been captured, remove the debug settings from the registry:

    1. Click Start, Run, type regedit and then click OK.
    2. Navigate to the following key:

      [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Quarantine Manager\trace]
      [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\Quarantine Manager\trace]

    3. Right-click Level and change the value to 0.
    4. Close the Registry Editor.

  5. Restart the McAfee Quarantine Manager service:

    1. In the Services window, right-click McAfee Quarantine Manager and select Restart.
    2. Close the Services window.

  6. Set McAfee Framework Service back to Automatic and start the service.
  7. Collect the required files, and contact McAfee technical support.

We have KB79376, which describes how to apply patches on an ePO-managed MEG 7.x Appliance.

We will make the process a little bit easier. An updated version of KB79376 will be made available soon. In short, item #3 in the KB will have fewer steps. In this blog post I am introducing the new process.

Use the following steps to install a MEG patch .zip file on a MEG Appliance that is managed by ePO:

  1. Disable ePO management on the Appliance:

    IMPORTANT: If you apply the patches without disabling the ePO management and Extensions, the console/dashboard may become unresponsive. If this occurs, contact McAfee to arrange a remote session to resolve the issue. See the Related Information section of this article for contact details.
    1. Open the MEG Appliance management console and log in using admin credentials.
    2. Navigate to System, Package Installer, ePO, Settings for ePO Management.
    3. Deselect the Enable ePO management and Allow configuration to be applied from ePO options.
    4. Apply changes.
    5. If you have multiple Appliances, repeat these steps for all of them before moving to the next step.
  2. Install the MEG patch .zip file:
    1. Navigate to System, Component Management, Package Installer, Update From File.
    2. Locate the MEG patch zip file, and click OK.
    3. Click OK to install the patch. The Appliance will reboot.
    4. If you have multiple Appliances, install the patch to the rest before moving to the next step.
  3. Update the ePO Extension for your ePO server:
    1. Open the MEG Appliance management console, and log in using admin credentials.
    2. Click the Resources link located at the top-right of the console.
    3. Click the ePO Extensions link and save the Extension to your local folder.
    4. Click the ePO Help Extensions link and save the Extension to your local folder.
    5. Open the ePO console and log in using admin credentials.
    6. Navigate to Menu, Software, Extensions, Email and Web Gateway.
    7. Click Install Extension.
    8. Locate the ePO Extension file that you downloaded from the MEG Appliance, click OK, and then click OK again.
    9. Locate the ePO Help Extension file that you downloaded from MEG Appliance, click OK, and then click OK again.  
  4. Export the Appliance configuration and import it in the ePO policy catalog:
    1. Open the MEG Appliance management console and log in using admin credentials.
    2. Navigate to System, Component Management, ePO, ePO Server Configuration.
    3. Click Export Appliance Configuration and save it to your local folder.
    4. Open the ePO console and log in using admin credentials.
    5. Navigate to Menu, Policy, Policy Catalog.
    6. Select McAfee Email Gateway 7.x from the Product pull-down menu.
    7. Click Import, locate the exported configuration file, and click OK.
    8. Ensure all the items are selected for import and click OK.
  5. Re-enable ePO management on the Appliance:
    1. Open the MEG Appliance management console and log in using admin credentials.
    2. Navigate to System, Package Installer, ePO, Settings for ePO Management.
    3. Select the Enable ePO management and Allow configuration to be applied from ePO options.
    4. Apply changes.
    5. If you have multiple Appliances, re-enable ePO management for the rest of them.
