How to install McAfee Endpoint Intelligence Agent in ePolicy Orchestrator

Introduction

          The McAfee Endpoint Intelligence Agent correlates application behavior with network activity to give you true application visibility. In this document you'll learn what Endpoint Intelligence (EI or EIA) is, how to install it, and how it protects your organization from malicious applications.

What is Endpoint Intelligence?

          McAfee Endpoint Intelligence Agent provides real-time, per-flow endpoint traffic correlation. This plug-in to the McAfee Agent positively associates each session with the originating host system, user, and application process. It provides a new type of threat detection that combines behavioral analysis of network traffic flows with multiple sources of reputation intelligence, and it eliminates the need to parse and analyze message content. The solution leverages intelligence in the network and on every Windows host to reveal the relationships between endpoint executables and network traffic flows, making it possible to:

  • Identify malicious network connections and executables in real time.
  • Incorporate detailed process context for attacks.
  • Block malicious communications and prevent the spread of advanced malware.
  • Quarantine and remediate compromised host systems.

Installing Components to Endpoint Intelligence

The Endpoint

The McAfee Endpoint Intelligence Agent is deployed through ePO, and a baseline of your environment's applications and processes comes from an endpoint (or multiple endpoints) that the network admin designates. Because vital information comes from the endpoint, that is where we start.

ePO Configuration

EIA is downloaded from the McAfee.com product download page.

[Screenshot: download 1.png]

          Once you have entered a valid grant number and the captcha letters, you'll be redirected to your list of products. In my case, EIA is listed under the "McAfee Network Security Platform" section.

    [Screenshot: EIA DL.JPG]

          In the future, this product will be available directly from ePO in your software repository.

    Check in Packages

          I recommend downloading all of the EIA ".zip" files from your downloads page and noting the location where you saved them.

          Now log into ePO. Once you have logged into ePO, navigate to your "Master Repository" and select "Check In Package".


[Screenshot: Master Repository.JPG]

          In the Master Repository screen, browse to the location of the EIA compressed file and then select "next".

    [Screenshot: MR check in.JPG]

        After selecting "next", accept any defaults and verify that the Endpoint Intelligence package has been checked in.


    Check in Extensions

          Navigate to Menu --> Software --> Extensions in your ePO console and, at the bottom left, select "Install Extensions".


          Browse to the location where you previously saved your EIA downloads, select the "eia_epo_extension_xxx" file and then select "ok". You can verify that the extension has been installed on the Software Extensions page.


Deploy Endpoint Intelligence in ePO

          For the Endpoint Intelligence Agent to be deployed to hosts in your network, these hosts must currently be managed by ePO and have the McAfee Agent installed. Once the hosts have EIA installed and configured, application network activity will be reported to the pre-configured EIA dashboards available in your "Dashboards" drop-down menu.

          You can deploy the Endpoint Intelligence Agent in a couple of ways:

          1. System Tree --> select desired system -->  Actions --> Agent --> Run Client Task Now

          2. Menu --> Software --> Product Deployment

          I opt for the second route as I feel it gives me more visibility and control of the deployment process. However, if you are more comfortable with creating a "Client Task" by all means please go with what you prefer.

          In Product Deployment, select "New Deployment" and then:

  • Name your deployment.
  • Choose the type of deployment, "fixed" or "continuous".
  • Enable automatic update if desired.
  • Select Endpoint Intelligence Agent 2.x.x.
  • Select the systems you'd like to deploy the agent to.
  • Select a start time ("Run Immediately" in this walkthrough).

          In my case I've chosen to run immediately since I'm only deploying to a single controlled system. If you are deploying to multiple systems, you may choose to deploy at a more convenient time.


          Selecting "save" at the bottom of the page will start the deployment if you selected "run immediately".

          If you chose "Once" then it will launch at the time scheduled.

          A successful deployment will be reflected on the "Product Deployment" page.


          Upon successful completion and deployment of EIA you'll be able to launch the Endpoint Baseline Generator from the host.


          The baseline generator creates an XML file that can be imported and used as a whitelist.

Configure the Endpoint Intelligence Agent

          In ePO, browse to the Policy Catalog by going to Menu --> Policy --> Policy Catalog.

          In the Product section, hit the down arrow and find "Endpoint Intelligence Agent 2.x.x".

          The "McAfee Default" policy should be the only policy, in which case you'll need to select "duplicate" so that it can be edited. Once the policy is open there are three tabs: "General Settings", "Advanced Settings" and "Raptor Settings".


    General Settings

          This tab is used for sending EIA data to network devices; we'll cover it in another document.

    Advanced Settings

          For general EIA usage, no changes need to be made here to get functionality. However, log settings, connectivity settings, and other reputation settings can be changed on the Advanced tab.

          Change the "Dashboard Update Interval" from 6 to 1. Make this change during setup and configuration so that EIA data is reflected on the dashboard sooner. After deployment and tuning, this can be set to a less frequent interval to reduce the amount of information being sent to ePO.

    Raptor Settings

          Raptor is a heuristic-based detection engine that is new to McAfee in 2015. Enabling Raptor will increase detection rates over DAT and GTI alone by 30%.

               *NOTE: Enabling Raptor comes at the expense of a higher runtime footprint.

          Verify that the assignments on the Policy Catalog page include the systems or domains you've specified in your System Tree.

Endpoint Intelligence Dashboards

          Pre-configured EIA dashboards are available from the "Dashboards" drop-down menu. McAfee Endpoint Intelligence Agent information can take some time to be collected, particularly when you've only deployed to a few endpoints for initial testing. Allow EIA to run for a day, then select "Last 24 hours" as your time period.

          The information provided in the dashboards is the set of applications observed and the number of network connections each of these applications has made. EIA gives you visibility into which applications are generating the most network traffic in your environment.

    [Screenshot: dashboards1.jpg]

Additional Resources

    Endpoint Intelligence Documentation on the Service Portal

    Endpoint Intelligence White Paper

    Endpoint Intelligence Video Description

    Endpoint Intelligence Product Guide

Comments

Nice guide, I can say.

Is there more information on the integration of Raptor, which is part of EIA? I did see statements in blogs that it's monitor/read-only mode and that the Raptor version in EIA will not block traffic or applications.

However, if we look at ePO logs under Threat we see the entry which says Access blocked.

Dateipfad des Bedrohungsziels:rundll32.exe(md5: dd81d91ff3b0763c392422865c9ac12e)
Ereigniskategorie:Malware entdeckt
Ereignis-ID:1024
Schweregrad der Bedrohung:Warnung
Name der Bedrohung:Injector
Typ der Bedrohung:raptor_detected_threat
Ausgeführte Aktion:Keine
Verarbeitete Bedrohung:
Entdeckungsmethode des Analyseprogramms:RAPTOR
Ereignisse, die von verwalteten Systemen gesendet wurden 

Ereignisbeschreibung:Infizierte Datei gefunden, der Zugriff wurde verweigert
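The confusion in the comment above comes from reading two different fields of the same ePO threat event: the free-text description ("Infizierte Datei gefunden, der Zugriff wurde verweigert") versus the structured "Ausgeführte Aktion" field, which reads "Keine" (none). The following Python snippet is an added example, not code from the article, the commenter, or McAfee: it parses the event record exactly as quoted above (the sample text is copied from the comment; the German-to-English key mapping and the `blocked` rule are this example's own choices, not an ePO API) so that a triage script can filter on the action-taken field rather than on description text. It makes no claim about what Raptor does on the endpoint; it only shows which field carries the enforcement result.

```python
import re
from typing import Dict, Optional

# Constructed sample: the ePO threat-event record quoted in the comment above,
# with the German console labels as shown there.
SAMPLE_EVENT = """Dateipfad des Bedrohungsziels:rundll32.exe(md5: dd81d91ff3b0763c392422865c9ac12e)
Ereigniskategorie:Malware entdeckt
Ereignis-ID:1024
Schweregrad der Bedrohung:Warnung
Name der Bedrohung:Injector
Typ der Bedrohung:raptor_detected_threat
Ausgeführte Aktion:Keine
Verarbeitete Bedrohung:
Entdeckungsmethode des Analyseprogramms:RAPTOR
Ereignisse, die von verwalteten Systemen gesendet wurden

Ereignisbeschreibung:Infizierte Datei gefunden, der Zugriff wurde verweigert
"""

# Assumed mapping from the German console labels on the page to neutral
# English keys. This is the example's own translation, not an ePO field list.
LABELS = {
    "Dateipfad des Bedrohungsziels": "target_path",
    "Ereigniskategorie": "category",
    "Ereignis-ID": "event_id",
    "Schweregrad der Bedrohung": "severity",
    "Name der Bedrohung": "threat_name",
    "Typ der Bedrohung": "threat_type",
    "Ausgeführte Aktion": "action_taken",
    "Verarbeitete Bedrohung": "threat_handled",
    "Entdeckungsmethode des Analyseprogramms": "detection_method",
    "Ereignisbeschreibung": "description",
}

# The target path embeds the file hash as "(md5: <32 hex chars>)".
MD5_RE = re.compile(r"\(md5:\s*([0-9a-fA-F]{32})\)")

# Values of "Ausgeführte Aktion" that mean no enforcement happened.
NO_ACTION_VALUES = {"", "keine", "none"}


def parse_event(text: str) -> Dict[str, str]:
    """Parse 'Label:Value' lines into a dict keyed by the English names above.

    Lines without a colon (section headings such as the
    'Ereignisse, die von ...' line) and unknown labels are skipped.
    The split is on the first colon only, so values may contain colons.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        key = LABELS.get(label.strip())
        if key is None:
            continue
        fields[key] = value.strip()
    return fields


def extract_md5(target_path: str) -> Optional[str]:
    """Return the lower-case MD5 embedded in the target path, if present."""
    match = MD5_RE.search(target_path)
    return match.group(1).lower() if match else None


def was_blocked(fields: Dict[str, str]) -> bool:
    """Decide enforcement from the structured action field only.

    The free-text description is deliberately ignored: it is localized
    and, as the quoted event shows, can disagree with the action field.
    """
    action = fields.get("action_taken", "").strip().lower()
    return action not in NO_ACTION_VALUES


def summarize(text: str) -> Dict[str, Optional[str]]:
    """Reduce one event record to the fields an analyst triages on."""
    fields = parse_event(text)
    return {
        "detection_method": fields.get("detection_method"),
        "threat_type": fields.get("threat_type"),
        "threat_name": fields.get("threat_name"),
        "md5": extract_md5(fields.get("target_path", "")),
        "action_taken": fields.get("action_taken"),
        "blocked": was_blocked(fields),
        "description": fields.get("description"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENT).items():
        print(f"{key:>17}: {value}")
```

Run on the quoted record, the summary reports `detection_method` RAPTOR, `threat_type` raptor_detected_threat, and `blocked` False, because "Ausgeführte Aktion" is "Keine" even though the description mentions denied access. When filtering ePO events in bulk, keying on the action field (and on "Verarbeitete Bedrohung", which is empty here) gives a consistent answer regardless of console language, whereas matching description strings does not.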
Version history: revision 3 of 3, last update 03-15-2018 12:01 PM