Dynamic Endpoint Security 5 - Deploy Endpoints

Version 32

     

    Prerequisites

    Before continuing with this section, please ensure you have met the following prerequisites:

     

    Deploying the Endpoint Client Software

    By this point you have installed all the infrastructure necessary to support the Dynamic Endpoint, and you are prepared to deploy the protection plugins to your endpoints.  The first step in any deployment is to create a Client Task which will remotely install the desired package onto the client.  To create a client task, first open the Client Task Catalog by opening the ePO Menu and clicking "Client Task Catalog" under the Policy section.

    We will be leveraging the Product Deployment feature of the McAfee Agent to perform the remote installation.  To create a new client task, open the McAfee Agent section and click on 'Product Deployment'.  Then click 'New Task' at the top of the screen.

    Select 'Product Deployment' from the Task Types in the New Task dialog box and click OK.

    A "Client Task Catalog: New Task" screen will open at this point.  Enter the following information for each of the components you wish to deploy through the remainder of this document:

    • Task Name (Make it descriptive to the product you are deploying)
    • Target Platform (We will be deploying to Windows systems so you can leave the default)
    • Products and Components (Select the package you wish to remotely install)
    • Action will be Install

    Be sure to click "Save" to save each Product Deployment Client Task when finished.

    VirusScan Enterprise 8.8

    In your deployment, you will use either VirusScan 8.8 or ENS 10.x as the base.  If you are using VirusScan 8.8, enter the following information into a task named "VSE 8.8 Deployment" and click "Save":

    To perform the deployment action, go to the system tree and check each of the clients you wish to run this client task against.

    Click 'Actions' at the bottom of the screen and navigate to 'Run Client Task Now' under the 'Agent' portion of the Actions menu.

    When the list of available client tasks appears, click on McAfee Agent under Product and then Product Deployment as the Task Type.

    Select VSE 8.8 Deployment under the Task Name and click 'Run Task Now'.

    Wait for the tasks to complete against each of the selected clients before moving on.

     

    Endpoint Security 10.1

    In your deployment, you will use either VirusScan 8.8 or ENS 10.x as the base.  If you are using McAfee Endpoint Security 10.x, you will leverage a pre-created default client task to simplify the deployment of all of the included modules (Threat Prevention, Web Control, and Firewall).

     

    To perform the deployment action, go to the system tree and check each of the clients you wish to run this client task against.

    Click 'Actions' at the bottom of the screen and navigate to 'Run Client Task Now' under the 'Agent' portion of the Actions menu.

    When the list of available client tasks appears, click on McAfee Agent under Product and then Product Deployment as the Task Type.

    Select 'Endpoint Security Deployment Task (default)' under the Task Name and click 'Run Task Now'.

    Wait for the tasks to complete against each of the selected clients before moving on.

     

    Deploying the Data Exchange Client Software

     

    Enter the following information into a task named 'DXL Client Deployment' and click 'Save':

    To perform the deployment action, go to the system tree and check each of the clients you wish to run this client task against.

    Click 'Actions' at the bottom of the screen and navigate to 'Run Client Task Now' under the 'Agent' portion of the Actions menu.

    When the list of available client tasks appears, click on McAfee Agent under Product and then Product Deployment as the Task Type.

    Select 'DXL Client Deployment' under the Task Name and click 'Run Task Now'.

    Wait for the tasks to complete against each of the selected clients before moving on.

     

    Give each of the clients up to 5-10 minutes to connect to the Data Exchange Layer fabric.  You can also speed up the reporting process of each client by sending an Agent Wake-up from ePO.

    Once a client is connected, Connected State should show 'Connected' under the DXL Status tab of the client's system properties.

     

    Deploying the Threat Intelligence Client Software

     

    The Threat Intelligence Client that you deploy differs depending on whether you are working with VirusScan Enterprise 8.8 or Endpoint Security 10.1.  We will cover deployment of each of these in this section.

     

    VirusScan Enterprise 8.8

    Enter the following information into a task named 'TIE Client Deployment' and click 'Save':

    To perform the deployment action, go to the system tree and check each of the clients you wish to run this client task against.

    Click 'Actions' at the bottom of the screen and navigate to 'Run Client Task Now' under the 'Agent' portion of the Actions menu.

    When the list of available client tasks appears, click on McAfee Agent under Product and then Product Deployment as the Task Type.

    Select 'TIE Client Deployment' under the Task Name and click 'Run Task Now'.

    Wait for the tasks to complete against each of the selected clients before moving on.

     

    Endpoint Security 10.x

    If you are working with Endpoint Security 10.x, you will need to deploy the Threat Intelligence for Endpoint Security module in order to connect your endpoint to TIE.

    Enter the following information into a task named 'TI for ENS Client Deployment' and click 'Save':

    To perform the deployment action, go to the system tree and check each of the clients you wish to run this client task against.

    Click 'Actions' at the bottom of the screen and navigate to 'Run Client Task Now' under the 'Agent' portion of the Actions menu.

    When the list of available client tasks appears, click on McAfee Agent under Product and then Product Deployment as the Task Type.

    Select 'TI for ENS Client Deployment' under the Task Name and click 'Run Task Now'.

    Wait for the tasks to complete against each of the selected clients before moving on.

     


    Deploying the Active Response Client Software

     

    To perform the deployment action, go to the system tree and check each of the clients you wish to run this client task against.

    Click 'Actions' at the bottom of the screen and navigate to 'Run Client Task Now' under the 'Agent' portion of the Actions menu.

    When the list of available client tasks appears, click on McAfee Agent under Product and then Product Deployment as the Task Type.

    Select 'MAR Deployment' under the Task Name and click 'Run Task Now'.

    Wait for the tasks to complete against each of the selected clients before moving on.

     

    Validation & Troubleshooting

    You can validate the installation of all of the components by either looking at the system properties of any given client or viewing the McAfee Agent About Box to see which components are installed.

    Individual components running within the Endpoint Security platform show up in the McAfee Endpoint Security dialog box, which can be opened on the client by right-clicking the McAfee Agent icon in the system tray and clicking 'McAfee Endpoint Security'.

    From here, you can see all of the currently installed modules and their status.

     

    McAfee Endpoint Client

    The easiest way to check that VirusScan Enterprise or Endpoint Security 10.1 is installed and functional is to download the industry-standard EICAR sample from http://www.eicar.org/85-0-Download.html and confirm that McAfee catches the sample.
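A local variant of the EICAR check, for clients that cannot reach eicar.org. This is an added example, not part of the original guide or any McAfee tooling; it writes the standard EICAR test string to disk instead of downloading it, so it exercises on-access scanning only, and the function name `Test-OnAccessScan` and its parameters are hypothetical.

```powershell
# Added example: verify that the on-access scanner reacts to the EICAR test file.
# The 68-byte standard test string is split in two so this script is not flagged at rest.
$part1 = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-'
$part2 = 'ANTIVIRUS-TEST-FILE!$H+H*'

function Test-OnAccessScan {
    param(
        [string]$Directory = $env:TEMP,   # where the test file is dropped
        [int]$TimeoutSeconds = 15         # how long to wait for the scanner to act
    )

    $name = 'eicar-check-{0}.com' -f [guid]::NewGuid().ToString('N')
    $path = Join-Path $Directory $name

    try {
        [System.IO.File]::WriteAllText($path, $part1 + $part2, [System.Text.Encoding]::ASCII)
    } catch {
        # The write itself failed. Usually the scanner blocking file creation,
        # but confirm the directory is writable before trusting this result.
        return [pscustomobject]@{ Detected = $true; Stage = 'write-blocked'; Path = $path }
    }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-Path -LiteralPath $path)) {
            # File was deleted or quarantined after it was written.
            return [pscustomobject]@{ Detected = $true; Stage = 'removed'; Path = $path }
        }
        try {
            [void][System.IO.File]::ReadAllBytes($path)
        } catch {
            # File still exists but the scanner denies access to it.
            return [pscustomobject]@{ Detected = $true; Stage = 'read-blocked'; Path = $path }
        }
        Start-Sleep -Seconds 1
    }

    # Nothing reacted: clean up the test file and report the gap.
    Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    return [pscustomobject]@{ Detected = $false; Stage = 'not-detected'; Path = $path }
}

Test-OnAccessScan
```

A result of `Detected = False` means the file stayed readable for the whole timeout; check the client's installed modules and on-access scan policy before moving on.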

     

    McAfee Data Exchange Client

    Connection to the DXL Fabric is key to verifying that the Data Exchange Client was successfully deployed and working.  DXL Status can be checked from either the ePO server under the System Properties of any client or at the client itself by viewing the McAfee Agent About Box.

    McAfee Threat Intelligence Client

    At a high level, basic validation can occur by running an executable on the client and viewing the TIE Reputations within ePO to ensure executions are being captured.  You may want to try downloading a software package such as PuTTY or another small utility.  Upon execution, view the TIE Reputations in ePO by opening the ePO Menu and clicking on 'TIE Reputations'.

     

    McAfee Active Response Client

    At a high level, basic validation can occur by performing a simple search (such as "Processes") and checking how many systems respond:

    [Screenshot: MAR_systems_responding.png]

    Note that searches using the Files collector will return an error until the endpoints complete their initial hashing of the system's files. If you run a search prior to that, you may get an error in the bottom left of ePO. To get the details of the error, click on the link:

    [Screenshot: MAR_FH_error_1.png]

    Clicking on the link in this case will reveal the following error:

    [Screenshot: MAR_FH_error.png]

    At this point the setup of MAR should be complete. For next steps, see: Dynamic Endpoint Security 6 - Configure Advanced Threat Defense