Before continuing with this section, please ensure you have met the following prerequisites:
- ePO installed and configured in accordance with Dynamic Endpoint Security 1 - Getting Started
- Basic endpoint components are checked into ePO in accordance with Dynamic Endpoint Security 2 - Basic Endpoint
- TIE and DXL installed and configured in accordance with Dynamic Endpoint Security 3 - Data Exchange Layer and Threat Intelligence Exchange
- Endpoint security is deployed to endpoints in accordance with Dynamic Endpoint Security 5 - Deploy Endpoints
Configuring Advanced Threat Defense for TIE and DXL
Our final step in installing and configuring the Dynamic Endpoint is the integration of the McAfee Advanced Threat Defense (ATD) sandboxing solution. This module assumes you have already performed the initial installation of an ATD appliance on your network. If you need additional guidance on the initial installation and configuration of McAfee ATD, please visit Advanced Threat Defense in the Intel Security Expert Center.
Once the initial deployment of ATD is complete:
- Start by logging into the ATD UI as an Administrator.
- Navigate to “Manage” and then to the sub-menu on the left, “ePO Login/DXL”.
- Check “Enable ePO Login” and enter the credentials for your ePO server. ATD stores these credentials, so use a dedicated ePO account for this integration rather than a shared administrator login. Click “Test ePO Login” and, once the test has completed successfully, click “Submit”.
- Now log into the ePO server and navigate to the “System Tree”. Agent check-in takes a few minutes, and ATD will typically be found under “Lost&Found”.
Note: System names for ATD will show up as ATD-1000, ATD-1500, ATD-3000, or ATD-6000.
- Now navigate back to the ATD UI, to “Manage” and then the sub-menu on the left, “ePO Login/DXL”. Check the box to enable DXL communication. Click “Test” and, once the test has completed successfully, click “Apply”. DXL client initialization and policy synchronization take a few minutes; once they complete, the “DXL Status” changes from red/Down to green/Up.
- As an optional step you can configure “Publish Threat Events to ePO”. In the drop-down, select either all events or Malicious (Medium to Very High). Check “Enable Threat Event Publisher” and click “Apply”. The Publisher status icon will reflect the new state, and threat events will now show up on the ePO “Threat Events” dashboard.
- Navigate to Policy\Analyzer Profile and select Create new.
- Create a new Analyzer Profile based on the settings below.
- Assign the Analyzer Profile to the TIE user. Navigate to Manage\ATD Users, select the "Threat Intelligence Exchange" user and click Edit at the bottom.
- Change the password (ensure you follow the password policy) and record it securely; you will enter it into the TIE Server policy in ePO in the next section. Set the "Default Analyzer Profile" to the Analyzer Profile you just created and click "Save".
Configuring the TIE Server policies
- Log into ePO.
- In the ePO Console, go to Menu > Policy Catalog, click the drop-down next to Product, select “McAfee Threat Intelligence Exchange Server Management 1.2.1”, and select the policy “My Default”. This policy is used here only to keep the documentation simple; in production, assign a dedicated policy rather than editing the default.
- Click the Advanced Threat Defense tab. Enter the user name and password of the TIE user you configured in ATD and click “Save”.
Configuring the TIE Client’s policies for VSE 8.8
In your deployment, you will use either VirusScan 8.8 or ENS 10.x as the base. If you are using VirusScan 8.8:
- Go to the Policy Catalog, click the drop-down next to Product, select “Threat Intelligence Exchange module for VSE 1.2.1”, and select “My Default”.
- Set the options as shown in the screenshot below. Red arrows mark required settings and blue arrows mark optional ones. Click "Save" when completed.
- Policy updates typically happen within a few minutes, but to speed up testing go to the System Tree and select all the endpoints in your test/POC, including the TIE Server and ATD. Click Wake Up and ensure you check "Force complete policy and task update".
- Your configuration is complete. You can now start your testing.
Configuring the TIE Client policies for ENS 10.x
In your deployment, you will use either VirusScan 8.8 or ENS 10.x as the base. If you are using ENS 10.x:
- In the ePO System Tree, open "Assigned Policies" and select "Endpoint Security Threat Intelligence".
- Update the policy as shown below and click Save.
- Wake up the agents and ensure you check "Force complete policy and task update". This pushes out the policy changes you just made and lets you start testing.
- Your configuration is complete. You can now start testing.
Validation and Troubleshooting
Once ATD integration is complete, check that ATD appears as a managed system in the ePO System Tree. Note that this may take a few minutes.
If ATD does not register with ePO:
- Check the ePO credentials entered in ATD and ensure that ATD can authenticate to ePO with them.
- Verify network connectivity with pings from the ATD CLI to the TIE Server and to ePO, and in the other direction as well (from ePO and the TIE Server to ATD). A ping proves only that ICMP passes; a firewall can still block the TCP ports the integration uses.
- Check the ATD ePO/DXL login status.
- Verify the TIE credentials are correct by logging into ATD using the TIE user's credentials.
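Ping alone does not tell you whether the TCP services behind the integration are reachable. The following script is an added example (it is not part of this guide or of the McAfee products) that checks TCP reachability of the services the ATD/TIE/ePO integration depends on. It is meant to be run from an admin workstation, the ePO server or the TIE Server, since the ATD CLI is restricted; the hostnames are placeholders and the ports are assumed defaults (80 and 8443 for ePO agent-server and console traffic, 8883 for the DXL broker, 443 for the ATD web UI) that you must confirm against your own deployment.

```python
"""Reachability checklist for the ATD / TIE / ePO integration.

Added example, not part of the original guide. Hostnames and ports are
assumptions: replace them with your own and confirm the ports against
your deployment.
"""
import socket

# Assumed lab hostnames (replace with your own).
EPO_HOST = "epo.example.local"
TIE_HOST = "tie.example.local"
ATD_HOST = "atd.example.local"

# (label, host, port) triples. Ports are assumed defaults, not verified facts
# about your environment.
DEFAULT_CHECKS = [
    ("ePO agent-server communication", EPO_HOST, 80),
    ("ePO console (used by ATD ePO Login)", EPO_HOST, 8443),
    ("DXL broker on TIE Server", TIE_HOST, 8883),
    ("ATD web UI", ATD_HOST, 443),
]


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes.

    A refused connection, a timeout (typical of a filtering firewall) and a
    failed name lookup all count as unreachable; investigate each separately.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(checks, connect=check_tcp):
    """Run every (label, host, port) check; return (label, host, port, ok) rows.

    `connect` is injectable so the logic can be exercised without a network.
    """
    return [(label, host, port, connect(host, port))
            for label, host, port in checks]


def failures(results):
    """Return only the failed rows so a caller can act on them."""
    return [row for row in results if not row[3]]


def report(results):
    """Render one line per check, FAIL rows first in the eye of a reader."""
    lines = []
    for label, host, port, ok in results:
        state = "OK  " if ok else "FAIL"
        lines.append(f"{state} {host}:{port}  {label}")
    return "\n".join(lines)


if __name__ == "__main__":
    outcome = run_checks(DEFAULT_CHECKS)
    print(report(outcome))
    # Non-zero exit lets the script be dropped into a pre-flight check.
    if failures(outcome):
        raise SystemExit(1)
```

Run it from each side of the integration (ePO, TIE Server, and a host on the ATD management network), because a path that works in one direction can be blocked in the other. A FAIL on the DXL broker port while ping succeeds points at a firewall rule rather than at routing.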