Dynamic Endpoint Security 4 - Configure Active Response

Version 19



    Before continuing with this section, please ensure you have met the following prerequisites:


    Setting Up MAR

    Download the McAfee Active Response extensions, packages, and server from the McAfee Download Site using your grant number.



    You'll need the following:

    • Extensions
      • McAfee Active Response Server Extension (mar-server.zip)
      • McAfee Active Response UI Extension (mar-ui.zip)
      • McAfee Active Response Client Extension (mar-client.zip)
      • McAfee Active Response License Extension (mar-license.zip)
    • Packages
      • McAfee Active Response for Windows (Mar_Client_Package_Win_1.1.0.161.zip)
    • Other
      • McAfee Active Response Server (MAR-
    • Documentation
      • McAfee Active Response Help (mar-help.zip)


    Installing the Active Response ePO Extensions

    In your ePO Console, select Menu > Software > Extensions.


    Click on Install Extension at the top and install the extensions in the following order:

    1. mar-server.zip
    2. mar-client.zip
    3. mar-license.zip
    4. mar-ui.zip
    5. mar-help.zip


    Checking in the Active Response Client Packages


    In the ePO Console, go to Menu > Master Repository and click on Check in packages


    Select Product or Update (.ZIP) as the package type


    Click browse and select the McAfee Active Response software package

    On the package Options page, select Current and click Save

    Installing the Active Response Server

    After your extensions are installed, let’s install the Active Response server. Here are the minimum requirements for the Active Response Server:

    • 4 Intel® Xeon® CPU X5675 @ 3.07GHz
    • 8 GB RAM
    • 120 GB SSD

    First, boot up from the Active Response Server ISO from the McAfee Download site. Upon first boot, it will install the software.

    When the server boots again, it’ll allow you to configure the system.

    The first step is to agree to the licensing agreement. Press Enter to read the agreement and enter Y at the end.


    Next, create a root password for the super user.

    Enter Y to continue.


    After the root password’s created, the next step is to create an operational account. Enter an account name, real name, and password.

    Enter Y to continue.


    This page allows you to select your network interface. If you only have one interface listed, enter N.

    Select DHCP or Manual IP address configuration. Enter D for DHCP or M for Manual. If you select Manual, enter your IP address, network mask, gateway, and DNS server.

    When you’re finished, enter Y to continue.


    Enter the Hostname and Domain Name (if appropriate) of the computer where you are installing the Active Response server appliance.

    Enter Y to continue.


    Enter up to three Time Servers to synchronize the time of the Active Response server. You can use the default servers listed or enter your own time server addresses.

    Enter Y to continue.


    Enter any proxy information that you might have.



    Next, enter the IP Address or fully qualified domain name, port, and account information for your McAfee ePO server.

    Enter Y to continue.

    Note: The ePO server must be available. At this point the installation will begin to configure the McAfee Agent.


    Enter the ePO Agent Wake-up Port. The default is 8081.

    Enter Y to continue.


    Select the services to run on the Active Response server. If you already have a TIE server in your environment, just select Y for the AR Server. Otherwise, select Y for both the DXL Broker and AR Server.

    Enter Y to continue.


    After that step, it’ll take some time to configure the server and you’ll see a login prompt when it’s completed.

    Now, you’ll need to register the McAfee Active Response server in ePO.

    Select Menu > Configuration > Registered Servers


    Click on New Server at the top.


    Select Active Response Server for the server type, give the server a name such as McAfee Active Response Server, and click Next.

    In the Active Response Server Location field, enter:

    https://{AR server IP address}/mar/api
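
    A pre-flight check that can be run before registering the server, added here as an example and not part of the original guide or of McAfee's tooling. It builds the location value in the format above from a bare IP address or hostname and tests TCP reachability of the appliance; it assumes HTTPS on port 443 (the location URL names no port) and the default agent wake-up port 8081 from the installer step.

```python
import ipaddress
import socket

MAR_API_PATH = "/mar/api"   # path from the Registered Servers step above
HTTPS_PORT = 443            # assumption: the location URL carries no explicit port
AGENT_WAKEUP_PORT = 8081    # default wake-up port from the installer step


def mar_location(host: str) -> str:
    """Build the 'Active Response Server Location' value for a bare IP or FQDN."""
    host = host.strip()
    if not host or "://" in host or any(c in host for c in "/@?# "):
        raise ValueError(f"expected a bare IP address or hostname, got {host!r}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: accept only DNS-style labels (rejects 'host:port').
        labels = host.rstrip(".").split(".")
        if not all(l.isascii() and l.replace("-", "").isalnum()
                   and not l.startswith("-") and not l.endswith("-") for l in labels):
            raise ValueError(f"invalid hostname {host!r}")
        return f"https://{host}{MAR_API_PATH}"
    # IPv6 literals must be bracketed inside a URL.
    netloc = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"https://{netloc}{MAR_API_PATH}"


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host: str, ports=(HTTPS_PORT, AGENT_WAKEUP_PORT)) -> dict:
    """Return the location URL and a per-port reachability map for the appliance."""
    return {"location": mar_location(host),
            "ports": {p: tcp_open(host, p) for p in ports}}


if __name__ == "__main__":
    import sys
    result = preflight(sys.argv[1])
    print(result["location"])
    for port, ok in result["ports"].items():
        print(f"tcp/{port}: {'open' if ok else 'unreachable'}")
```

    Run it from the ePO server with the appliance address as the only argument; an unreachable port points at a firewall or routing problem to resolve before registration.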




    Configuring the Client Policies

    By default, the logging needed by the file and network flow processors is disabled in policy. To enable it, open the policy that will be used, and enable the file hashing and network flow plugins as seen below:


    While on this tab, review the file search exclusions. For POC and demo cases, it may be beneficial to remove .txt files from the exclusion list on the File Hashing tab (shown below):


    Enable the network flow plugins as seen below:


    To show the automation capabilities of MAR with triggers, you will also need to enable Triggers on the General tab:





    After installing the MAR server, validate that it has registered in ePO and has the MARSERVER tag:


    If it does not have the tag, you can wait, or initiate a client wake-up. Note that if you installed the DXL broker service on the AR server, you will also see the DXLBROKER tag, as seen above.

    For further validation, you can go to the Data Exchange Layer Fabric page, and select a broker, and click on the Services tab.  When you select the services drop-down, you should see /mcafee/service/mar.



    Next, go to Active Response Searches and validate that the page loads. Once it has loaded, verify that you are prompted with collectors when you click in the search field:


    Then, validate that the autofill works as expected by clicking on the options presented in the drop-down, and run a simple search such as the one below:


    At this point the setup of MAR should be complete. For next steps, see Dynamic Endpoint Security 5 - Deploy Endpoints.