Dynamic Endpoint Security 4 - Configure Active Response

Version 19

    Prerequisites

    Before continuing with this section, please ensure you have met the following prerequisites:


    Setting Up MAR

    Download the McAfee Active Response extensions, packages, and server with your grant number from the McAfee Download Site

    http://www.mcafee.com/us/downloads/downloads.aspx


    You'll need the following:

    • Extensions
      • McAfee Active Response Server Extension (mar-server.zip)
      • McAfee Active Response UI Extension (mar-ui.zip)
      • McAfee Active Response Client Extension (mar-client.zip)
      • McAfee Active Response License Extension (mar-license.zip)
    • Packages
      • McAfee Active Response for Windows (Mar_Client_Package_Win_1.1.0.161.zip)
    • Other
      • McAfee Active Response Server (MAR-1.1.0.169x86_64.zip)
    • Documentation
      • McAfee Active Response Help (mar-help.zip)


    Installing the Active Response ePO Extensions

    In your ePO Console, go to Menu > Software > Extensions.

    21.png

    Click Install Extension at the top and install the extensions in the following order:

    1. mar-server.zip
    2. mar-client.zip
    3. mar-license.zip
    4. mar-ui.zip
    5. mar-help.zip

    22.png

    Checking in the Active Response Client Packages


    In the ePO Console, go to Menu > Master Repository and click Check in packages.

    Master Repo.png

    Select Product or Update (.ZIP) as the package type.

    MAC_client_checkin.png

    Click Browse and select the McAfee Active Response client software package.

    On the package Options page, select Current and click Save.


    Installing the Active Response Server

    After your extensions are installed, let’s install the Active Response server. Here are the minimum requirements for the Active Response Server:

    • 4 x Intel® Xeon® CPU X5675 @ 3.07GHz
    • 8 GB RAM
    • 120 GB SSD

    First, boot from the Active Response Server ISO downloaded from the McAfee Download Site. On first boot, it installs the software.

    When the server boots again, it lets you configure the system.

    The first step is to accept the license agreement. Press Enter to read the agreement and press Y at the end to accept it.

    01.png

    Next, create a root password for the super user.

    Enter Y to continue.

    02.png

    After the root password is created, the next step is to create an operational account. Enter an account name, real name, and password.

    Enter Y to continue.

    03.png

    This page allows you to select your network interface. If you only have one interface listed, enter N.

    Select DHCP or manual IP address configuration: enter D for DHCP or M for Manual. If you select Manual, enter your IP address, network mask, gateway, and DNS server.

    When you’re finished, enter Y to continue.

    04.png

    Enter the Hostname and Domain Name (if appropriate) of the computer where you are installing the Active Response server appliance.

    Enter Y to continue.

    05.png

    Enter up to three Time Servers to synchronize the time of the Active Response server. You can use the default servers listed or enter your own time server addresses.

    Enter Y to continue.

    06.png

    Enter any proxy information that you might have.

    MAR_proxy.png


    Next, enter the IP Address or fully qualified domain name, port, and account information for your McAfee ePO server.

    Enter Y to continue.

    Note: The ePO server must be reachable from the appliance at this point, because the installer now configures the McAfee Agent against it.

    07.png

    Enter the ePO Agent Wake-up Port. The default is 8081.

    Enter Y to continue.

    08.png

    Select the services to run on the Active Response server. If you already have a TIE server in your environment, select Y for the AR Server only. Otherwise, select Y for both the DXL Broker and the AR Server.

    Enter Y to continue.

    09.png

    After that step, it takes some time to configure the server, and you will see a login prompt when it has completed.

    Now you need to register the McAfee Active Response server in ePO.

    Select Menu > Configuration > Registered Servers.

    10.png

    Click New Server at the top.

    11.png

    Select Active Response Server as the server type, give the server a name such as McAfee Active Response Server, and click Next.

    In the Active Response Server Location field, enter:

    https://{AR server IP address}/mar/api

    12.png


    Configuring the Client Policies

    By default, the logging needed by the file and network flow processors is disabled in policy. To enable it, open the policy that will be used and enable the file hashing and network flow plugins as shown below:

    MAR_FH.png

    While on this tab, remove .txt files from the file search exclusions. For POC and demo cases, it may be beneficial to remove .txt files from the exclusion list on the File Hashing tab, as shown below:

    MAR_txt.png

    Enable the network flow plugins as shown below:

    MAR_NF.png

    To show the automation capabilities of MAR with triggers, you also need to enable Triggers on the General tab:

    MAR_triggers.png


    Validation

    After installing the MAR server, validate that it has registered in ePO and has the MARSERVER tag:

    MAR_tag.png

    If it does not have the tag, you can wait or initiate a client wake-up. Note that if you installed the DXL broker service on the AR server, you will also see the DXLBROKER tag, as seen above.

    For further validation, go to the Data Exchange Layer Fabric page, select a broker, and click the Services tab. When you open the services drop-down, you should see /mcafee/service/mar.
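    If you would rather script the tag check than read it off the System Tree, the following Python is an added example written for this guide; it is not McAfee's code. It assumes the ePO web API remote command system.find with a searchText parameter, a :output=json option, a response body prefixed with "OK:", and an EPOLeafNode.Tags field holding a comma-separated tag list; confirm these against your ePO version's Web API reference before relying on it. The tag evaluation is kept separate from the HTTPS call so it can be tested against the constructed sample records below.

```python
"""Verify that the Active Response server's managed system carries the MARSERVER
tag (and DXLBROKER when the broker was installed on the same appliance) by
querying ePO's web API. Added example for this guide, not McAfee's code.

Assumptions (verify against your ePO Web API reference):
  - GET {epo_url}/remote/system.find?searchText=<host>&:output=json
  - the response body starts with "OK:" followed by a newline and JSON
  - each record has "EPOLeafNode.NodeName" and "EPOLeafNode.Tags"
    (the latter a comma-separated string of tag names)
"""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlencode

REQUIRED_TAGS = ("MARSERVER",)   # always expected on the AR server
BROKER_TAG = "DXLBROKER"         # expected only if the DXL broker was installed on it


def parse_tags(tag_field):
    """Split ePO's comma-separated tag string into a set of tag names."""
    return {t.strip() for t in (tag_field or "").split(",") if t.strip()}


def evaluate(records, hostname, expect_broker=False):
    """Locate the record for ``hostname`` (case-insensitive) and report which
    expected tags are absent. Returns (found, missing_tags)."""
    wanted = list(REQUIRED_TAGS) + ([BROKER_TAG] if expect_broker else [])
    for rec in records:
        if rec.get("EPOLeafNode.NodeName", "").lower() == hostname.lower():
            tags = parse_tags(rec.get("EPOLeafNode.Tags", ""))
            return True, [t for t in wanted if t not in tags]
    return False, wanted


def fetch_systems(epo_url, user, password, search_text, cafile=None):
    """Call system.find over HTTPS with certificate verification enabled.
    Pass the ePO server certificate (or the CA that issued it) as ``cafile``
    rather than disabling TLS checks."""
    query = urlencode({"searchText": search_text, ":output": "json"})
    req = urllib.request.Request(f"{epo_url.rstrip('/')}/remote/system.find?{query}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        body = resp.read().decode("utf-8")
    # Assumed ePO convention: "OK:\n" precedes the JSON payload.
    payload = body.split("\n", 1)[1] if body.startswith("OK:") else body
    return json.loads(payload)


# Constructed sample records shaped like system.find output (not real data).
SAMPLE_RECORDS = [
    {"EPOLeafNode.NodeName": "marsrv01", "EPOLeafNode.Tags": "MARSERVER, DXLBROKER, Server"},
    {"EPOLeafNode.NodeName": "ws-042", "EPOLeafNode.Tags": "Workstation"},
]


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_systems(...)
    # with your ePO URL, credentials and CA file for a live check.
    found, missing = evaluate(SAMPLE_RECORDS, "marsrv01", expect_broker=True)
    if not found:
        print("AR server not registered in ePO yet; wait or send an agent wake-up")
    elif missing:
        print("registered but missing tags:", ", ".join(missing))
    else:
        print("MAR server registered with all expected tags")
```

    A missing MARSERVER tag on a system that is present in the System Tree usually just means the agent has not reported the product properties yet, which is the case the wake-up in the step above addresses.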

    MAR_service_validation.png


    Next, go to Active Response Searches and validate that the page loads. Once loaded, verify that collector prompts appear when you click in the search field:

    MAR_collectors_list.png

    Then validate that autofill works as expected by clicking the options presented in the drop-down, and run a simple search such as the one below:

    MAR_autofill.png

    At this point the setup of MAR should be complete. For the next steps, continue to: Dynamic Endpoint Security 5 - Deploy Endpoints