The McAfee Endpoint Intelligence Agent correlates application behavior and network activity to give you true application visibility. In this document, you'll learn what the Endpoint Intelligence (EI or EIA) is, how to install it and how it protects your organization from malicious applications.
What is Endpoint Intelligence?
McAfee Endpoint Intelligence Agent provides real-time, per-flow endpoint traffic correlation. This plug-in to the McAfee Agent positively associates each network session with the originating host system, user, and application process. It provides a new type of threat detection that combines behavioral analysis of network traffic flows with multiple sources of reputation intelligence and eliminates the need to parse and analyze message content. The solution leverages intelligence in the network and on every Windows host to reveal relationships between endpoint executables and network traffic flows, making it possible to:
Identify malicious network connections and executables in real time.
Incorporate detailed process context for attacks.
Block malicious communications and prevent the spread of advanced malware.
Quarantine and remediate compromised host systems.
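To make the per-flow correlation described above concrete, here is an added example that is not McAfee code and does not use the EIA agent or its data formats. It joins a snapshot of network flows to the process table on the host (pid, user, executable), hashes each executable, and then checks the hash against a baseline allowlist (the role of the designated baseline endpoint discussed in the installation section) and a reputation table, giving an allow/alert/block verdict per flow and a per-application connection count like the dashboards show. All processes, flows, hashes and verdicts are constructed sample data; the `Process`, `Flow`, `correlate`, `verdict` and `connections_per_app` names are this example's own.

```python
from collections import Counter
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Process:
    pid: int
    user: str
    exe_path: str
    exe_bytes: bytes  # stand-in for the executable's on-disk contents


@dataclass(frozen=True)
class Flow:
    pid: int        # process that opened the socket
    proto: str
    src: str
    dst: str
    dst_port: int


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample data: no real hosts, hashes or malware ---
PROCESSES = [
    Process(1200, "CORP\\alice", r"C:\Program Files\Browser\browser.exe", b"browser-v1"),
    Process(1340, "CORP\\alice", r"C:\Program Files\Mail\mail.exe", b"mail-v1"),
    Process(2210, "CORP\\alice", r"C:\Users\alice\AppData\Local\Temp\update.exe", b"dropper-sample"),
]
FLOWS = [
    Flow(1200, "tcp", "10.0.0.5", "203.0.113.10", 443),
    Flow(1200, "tcp", "10.0.0.5", "203.0.113.11", 443),
    Flow(1340, "tcp", "10.0.0.5", "203.0.113.20", 993),
    Flow(2210, "tcp", "10.0.0.5", "198.51.100.7", 4444),
    Flow(9999, "udp", "10.0.0.5", "10.0.0.1", 53),  # pid already exited: no process context
]
# Baseline: hashes of executables observed on the designated reference endpoint (constructed).
BASELINE = {sha256_hex(b"browser-v1"), sha256_hex(b"mail-v1")}
# Reputation feed: hash -> verdict; any hash not listed is treated as "unknown" (constructed).
REPUTATION = {sha256_hex(b"dropper-sample"): "malicious"}


def correlate(flows, processes):
    """Attach user, executable path and executable hash to every flow by pid."""
    by_pid = {p.pid: p for p in processes}
    records = []
    for f in flows:
        p = by_pid.get(f.pid)
        records.append({
            "flow": f,
            "user": p.user if p else None,
            "exe": p.exe_path if p else None,
            "sha256": sha256_hex(p.exe_bytes) if p else None,
        })
    return records


def verdict(record, baseline=BASELINE, reputation=REPUTATION):
    """Per-flow decision: reputation first, then the baseline allowlist."""
    h = record["sha256"]
    if h is None:
        return "alert"   # no process context, so nothing can vouch for the flow
    if reputation.get(h) == "malicious":
        return "block"
    if h in baseline:
        return "allow"
    return "alert"       # executable never seen in the baseline: investigate


def connections_per_app(records):
    """Number of connections per executable, the view the dashboards summarize."""
    return Counter(r["exe"] or "<unknown process>" for r in records)


if __name__ == "__main__":
    recs = correlate(FLOWS, PROCESSES)
    for r in recs:
        f = r["flow"]
        print(f"{verdict(r):5} {r['user']!s:12} {f.proto}/{f.dst}:{f.dst_port} <- {r['exe']}")
    print(connections_per_app(recs))
```

The ordering in `verdict` is deliberate: a known-malicious hash is blocked even if it somehow made it into the baseline, and a flow whose process has already exited is alerted on rather than silently allowed, because the correlation that justifies an allow decision is missing.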
Installing Components to Endpoint Intelligence
The McAfee Endpoint Intelligence Agent is deployed through ePO, and a baseline of your environment's applications and processes comes from an endpoint (or multiple endpoints) that the network admin designates. Because the vital information comes from the endpoint, that is where we start.
EIA is downloaded from the McAfee.com product download page.
Once you have entered a valid grant number and the captcha letters, you'll be redirected to your list of products. In my case, EIA is listed under the "McAfee Network Security Platform" section.
In the future, this product will be available directly from ePO in your software repository.
Check in Packages
I recommend downloading all ".zip" files of EIA from your downloads page and noting the location where you saved them.
Now log into ePO. Once you have logged into ePO, navigate to your "Master Repository" and select "Check In Package".
In the Master Repository screen, browse to the location of the EIA compressed file and then select "next".
After selecting "next", accept any defaults and verify that the Endpoint Intelligence Agent package has been checked in.
Check in Extensions
Navigate to Menu --> Software --> Extensions in your ePO console and at the bottom left select "Install Extensions".
Browse to the location where you previously saved your EIA downloads, select the "eia_epo_extension_xxx" file and then select "ok". You can verify that the extension has been installed on the Software Extensions page.
Deploy Endpoint Intelligence in ePO
For the Endpoint Intelligence Agent to be deployed to hosts in your network, these hosts must already be managed by ePO and have the McAfee Agent installed. Once the hosts have EIA installed and configured, application network activity will be reported to the pre-configured EIA dashboards available in your "Dashboards" drop-down menu.
You can deploy the Endpoint Intelligence Agent in a couple of ways:
1. System Tree --> select desired system --> Actions --> Agent --> Run Client Task Now
2. Menu --> Software --> Product Deployment
I opt for the second route as I feel it gives me more visibility and control of the deployment process. However, if you are more comfortable with creating a "Client Task" by all means please go with what you prefer.
In the Product Deployment page, select "New Deployment", then:
1. Name your deployment.
2. Choose the type of deployment, "fixed" or "continuous".
3. Enable automatic update if desired.
4. Select the Endpoint Intelligence Agent 2.x.x package.
5. Select the systems you'd like to deploy the agent to.
6. Select a start time, for example "Run Immediately".
In my case I've chosen to run immediately since I'm only deploying to a single controlled system. If you are deploying to multiple systems, you may choose to deploy at a more convenient time.
Selecting "save" at the bottom of the page will start the deployment if you selected "Run Immediately".
If you chose "Once", then it will launch at the scheduled time.
A successful deployment will be reflected on the "Product Deployment" page.
Upon successful completion and deployment of EIA you'll be able to launch the Endpoint Baseline Generator from the host.
The baseline generator creates an XML file that can be imported and used as a
Configure the Endpoint Intelligence Agent
In ePO, browse to the Policy Catalog by going to Menu --> Policy --> Policy Catalog.
In the Product section, click the down arrow and find "Endpoint Intelligence Agent 2.x.x".
The "McAfee Default" policy should be the only policy, in which case you'll need to select "duplicate" so that it can be edited. Once the policy is open there are three tabs: "General Settings", "Advanced Settings" and "Raptor Settings".
This tab is used for sending EIA data to network devices; we'll cover this in another document.
For general EIA usage, no changes need to be made here to get functionality. However, log information, connectivity information, and other reputation settings can be changed on the Advanced tab.
Change the "Dashboard Update Interval" from 6 to 1. Make this change during setup and configuration so that EIA data is reflected on the dashboard sooner. After deployment and tuning, this can be set back to a longer interval (less frequent updates) to reduce the amount of information being sent to ePO.
Raptor is a heuristic-based detection engine that is new to McAfee in 2015. Enabling Raptor will increase detection rates over DAT and GTI alone by 30%.
*NOTE: Enabling Raptor comes at the expense of a higher runtime footprint
Verify that the assignments on the Policy Catalog page include the systems or domains you've specified from your System Tree.
Endpoint Intelligence Dashboards
Pre-configured EIA dashboards are available from the "Dashboards" drop-down menu. The McAfee Endpoint Intelligence Agent information can take some time to be collected, particularly when you've only deployed to a few endpoints for initial testing. Allow EIA to run for a day, then select "Last 24 hours" as your time period.
The information provided in the dashboards is the list of applications and the number of network connections each of these applications has made. EIA gives you visibility into which applications are generating the most network traffic in your environment.