
McAfee Active Response Getting Started Guide

Introduction

McAfee Active Response allows you to rapidly discover, detect, and respond to threats within your environment by providing real-time visibility of endpoint data. This document will walk you through installing McAfee Active Response, taking a look at the Active Response Workspace, and performing a quick search.

The McAfee Active Response Workspace provides a user interface that streamlines the security workflow, providing you with the information that you need quickly and allowing you to take corrective actions immediately.

Prerequisites

This document assumes that you already have McAfee ePO installed, along with the McAfee Agent on the endpoints. In addition to McAfee Active Response, we'll install Endpoint Security 10.5 as well.

The version of ePO required is:

McAfee ePO 5.3.1

The version of McAfee Agent required is:

McAfee Agent 5.0.3

Getting the software

McAfee provides an easy way to install newly released software with the Software Manager. We're going to use it to download and check in the McAfee Active Response components into our ePO environment.

To find the software that's available to you, click on Menu > Software Manager.

Our first step is to install Endpoint Security 10.5.

In the Search box in the top left, type in "Endpoint Security".

When the results are shown, select McAfee Endpoint Security 10.5.

Click on Check-In for the McAfee Endpoint Security 10.5 bundle.

It'll show a confirmation screen where you can select the branch. If you already have another version of Endpoint Security installed, you may want to check it into the evaluation branch. Otherwise, just keep it in the current branch.

After Endpoint Security 10.5 has completed its installation, we'll check in Adaptive Threat Protection.

Type in Adaptive Threat Protection into the search box.

Click on McAfee Endpoint Security Adaptive Threat Protection 10.5 in the Product section.

Click on Check-In for each of the following items; you may need to repeat the search to install all three components:

  • Adaptive Threat Protection: Package
  • Adaptive Threat Protection: Extension
  • Adaptive Threat Protection help: Extension

Finally, let's install the McAfee Active Response Bundle.

Type in Active Response in the search box.

Click on McAfee Active Response 2.0 in the Product pane.

Scroll to the bottom of the Product List pane and click on "Download" for the following items:

  • McAfee Active Response Server ISO
  • TIEServer ISO

We'll use these in just a little bit, so remember where you saved them.

Next, scroll back to the top and click on Check-In for the Active_Response_2.0.0_Build_217_(ENU-RELEASE-MAIN): Bundle.

Configure the Cloud Bridge Server Settings

Great, now that your software is installed in ePO, let's set up the Cloud Bridge.

Go to Menu > Server Settings.

Click on McAfee ePO Cloud Bridge in the Settings Categories and click on Edit in the bottom right.

Enter your McAfee ePO Cloud Account information if you already have an account. Click Save when you're done. If your account linked successfully, you can skip ahead to the "Setting up the Threat Intelligence Exchange Server (TIE Server)" section. Otherwise, go to the next step to create an account.

Click on "If you do not have a McAfee® ePO™ Cloud account, sign up for an account here" to register for a new ePO Cloud account.

You may have been provided with an Activation Code. If you have a code, click on Activate New User.

Enter your email and activation code and choose a new password. After that's complete, use your login information on the McAfee® ePO™ Cloud Bridge page that we were at earlier, read and check "I accept the License Agreement", and finally click Save in the bottom right. Your ePO Cloud Bridge should now be linked.

If you don't have an activation code, you can create a trial account in the next step.

To create a trial account, click on the "Sign up Now" button and create a new account.

Check "McAfee Endpoint Protection Essential - For SMB" for the product name and enter your information. After that's complete, use your login information on the McAfee® ePO™ Cloud Bridge page that we were at earlier, read and check "I accept the License Agreement", and finally click Save in the bottom right. Your ePO Cloud Bridge should now be linked.

You may need to review this account later.

Setting up the Threat Intelligence Exchange Server (TIE Server)

To set up your TIE server, you can install it on an ESXi server.

Log into ESXi and create a new virtual machine as a Linux system with CentOS (64-bit).

The recommended system requirements for the TIE server are:

1 CPU with 8 cores

16 GB of RAM

120 GB disk (Thick Provisioning)

Extract the TIE Server ISO from the TIEServer_2.0.0.653.x86_64.iso.zip file.

Boot the system off the TIEServer_2.0.0.653.x86_64.iso.

The system will begin its initial installation procedure and after that is complete, it will power the system off. After the system powers off, power it back up.

Press Enter to read the License Agreement. You can just hold it down if you read very fast.

Press Y to agree to the terms of the license.

Enter a root password and confirm it. It must be 9 characters long. Press Y to proceed.

Next, create an account and assign it a password for the console.

It will select the default network adapter; generally you can type "n" here to move to the next screen.

Next, we'll configure the IP address for the system. We can use DHCP, but I'm going to manually assign an IP address.

On the next screen, I'm going to give it a hostname and domain, then press Y to proceed.

Next, we'll set up the NTP server. You can just press Enter to accept the defaults and move to the next line to proceed.

After that, we'll connect the TIE server to our ePO Server. Enter the ePO address, username, and password. Make sure the account you use is not one that is required to change its password. Press Y to continue.

It will then ask you to verify the fingerprint of the ePO server certificate. Confirm that it matches your ePO server's certificate, then press Y to continue.

Next, press Y for both the DXL Broker and the TIE Server. Then press Y to continue.

Next, you can use the default port 8883 for the DXL Broker. Press Y to proceed.

It will take a few minutes for the TIE Server to configure the McAfee Agent and DXL Broker.

After the TIE Server configuration is complete, it'll just show a login page. We can move back to ePO to complete the TIE Server configuration.

Open your McAfee ePO Console again. Click on Menu > Server Settings.

Next, click on TIE Server Topology Management and then click on Edit in the bottom right.

Make sure that the hostname of your TIE Server is selected on the left and use the dropdown to change the Operation Mode from "Unassigned" to "Master". Then click Save in the bottom right. It'll take a few minutes for the change to take place.

After we've finished installing our TIE Server, we can then install our McAfee Active Response (MAR) server.

Installing the McAfee Active Response Server (MAR Server)

Next, we'll want to install a McAfee Active Response Server. A lot of the steps are similar to installing a TIE Server, so this should be pretty easy.

First, we'll want to set up a new virtual machine in ESXi as a Linux system with CentOS (64-bit) and the following minimum requirements:

1 CPU with 4 cores

8 GB of RAM

140 GB Solid State Disk

Boot the system off the MAR-2.0.0.0-314.x86_64.iso.

The system will begin its initial installation procedure and after that is complete, it will power the system off. After the system powers off, power it back up.

Press C to continue reading the license agreement or E to go to the end of the document.

Press Y to agree to the terms of the license agreement.

Enter a root password and confirm it. It must be 9 characters long. Press Y to proceed.

Next, create an account and assign it a password for the console.

It will select the default network adapter; generally you can type "n" here to move to the next screen.

Next, we'll configure the IP address for the system. We can use DHCP, but I'm going to manually assign an IP address.

On the next screen, I'm going to give it a hostname and domain, then press Y to proceed.

The next screen will ask if you will be using IPv6. I'm just going to select N.

Next, we'll set up the NTP server. You can just press Enter to accept the defaults and move to the next line to proceed.

The next screen will ask if there is a proxy address. I'm just going to leave these blank for my environment.

After that, we'll connect the MAR server to our ePO Server. Enter the ePO address, username, and password. Make sure the account you use is not one that is required to change its password. Press Y to continue.

It will then ask you to verify the fingerprint of the ePO server certificate. Confirm that it matches your ePO server's certificate, then press Y to continue.

Next, it will ask you for the ePO Agent Wake-up Port. Most environments have it set to the default, 8081.

On the next screen, I'm going to select N for DXL Broker (since we already have a DXL Broker with the TIE Server) and Y for AR Server.

It will take a few minutes for the MAR Server to configure the McAfee Agent.

After the MAR Server configuration is complete, it'll just show a login prompt. We can move back to ePO to complete the MAR Server configuration.

Going back to ePO, click on Menu > Server Settings.

Then, click on DXL Topology and click Edit in the bottom right.

Check the box next to "Provides trace data to the cloud for MAR Workspace" under "Broker Extensions", and then click Save in the bottom right.

Whew, okay, we're finally done with installing our servers.

Deploying McAfee Active Response Client

We've built McAfee Active Response as a bundle that can be deployed to client systems all in one step.

On a system that doesn't have any existing components (such as ENS, DXL, or TI/APT) the entire McAfee Active Response solution can be deployed to a client with a single client task. If a system does have any existing components (such as ENS, DXL, or TI/APT) it may require a separate task to upgrade those existing components before installing MAR.

In my example, I'm just going to install MAR on a clean system without any other products installed.

From the System Tree in ePO, I can select the system that I want to deploy MAR to by checking it. You can also select multiple systems if you want to deploy to several at once.

Next, I can deploy McAfee Active Response by clicking on Action > Agent > Run Client Task Now.

Next, I'll select the client task type McAfee Agent > Product Deployment > McAfee Active Response, then click on Run Task Now in the bottom right.

Now, it'll show you the status of the Client Deployment Task. It'll just take a few minutes to complete the deployment of all of the MAR Components.

After the installation is complete, we can see it in the Deployment Task screen (we don't really need to stay on this screen though).

After the deployment task is complete, I would recommend that you perform an Agent Wake Up on the TIE Server, MAR Server, and your new MAR Clients.

To view the Active Response Workspace, go to Menu > Active Response Workspace.

Your Active Response Workspace may be blank right now since you haven't run any unknown applications on the client, but here's my example workspace with a sample file.

On the right, in the Potential Threats section, are the threats identified by the Cloud Behavioral Analysis engine provided by McAfee. These potential threats are organized with the greatest risk at the top.

At the top of the middle section is the Threat Timeline. This can show any threat trends or campaigns occurring within the environment.

Below that are the affected hosts of the threat selected on the left. We can use this section to remediate individual or multiple hosts affected by the threat.

Using the dropdown under Host Actions, we can choose to Stop the process or Stop and remove the process on the selected hosts.

Below the affected hosts, the workspace provides a Process Trace of the potential threat. This process trace can include the parent process, any child processes, files that were modified, registry keys that were changed, or any network connections that were established. These are identified by the icons.

You can also zoom in and out using your mouse scroll-wheel.

To expand the Process Trace window, click on the expand icon in the top right of the window.

In addition, clicking on one of the elements provides additional details on the selected element. Clicking on the blue links will perform a real-time Active Response search on client systems.

In addition to just threat details, it will also provide the behavior observed to help facilitate investigations on this potential threat.

On the right side, the Active Response Workspace provides the reputation information for the selected potential threat. This can include reputation information from other sources such as "Advanced Threat Defense" or "Global Threat Intelligence".

Finally, we are able to use the Global Actions to mark a file as Known Malicious if a potential threat is determined to be a confirmed threat. This will kill the process and completely prevent the file from running in the organization in the future.

Performing an Active Response Search

Active Response can perform real-time searches for threat artifacts on endpoints.

Active Response Searches can be performed directly from the Workspace by clicking on the links provided by the details.

In addition to using the Workspace, we can also use the Active Response Search feature.

To use the search feature, click on Menu > Active Response Search.

This will provide you with a search box where you can search your endpoints.

Here's a sample search that provides process information on a single system:

Processes name, id, size, imagepath where HostInfo hostname equals "{systemname}"

(where {systemname} is the system on which you installed the Active Response Client Package; the system name must be enclosed in quotes)

You can use the autocomplete dropdown boxes or just type out the search terms.

To give this statement a quick breakdown: Processes is the collector name, or the type of search to be performed.

The name, id, size, and imagepath are the collector output fields, which determine which columns are displayed.

The where is a filter keyword, and the statement HostInfo hostname equals "dlpdiscovery" just means to include only systems whose hostname is dlpdiscovery. You'll want to look at the Active Response product guide for more details on how to perform these searches, but here's a simple search to show how it works.
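
As an added example (not part of the original guide or of the MAR product), here is a small Python model of the statement shape just described: it separates the collector name, the output fields and the where filter, and rejects a filter value that is not in quotes. The operator list and the grammar are assumptions based only on the example above; the product guide defines the real syntax.

```python
"""Simplified model of the Active Response search statement shown above.
Added example, not from the guide or the MAR product; it covers only the shape
    <Collector> <field>[, <field>...] where <Collector> <field> <operator> "<value>"
and the operator list is an assumption (the product guide defines the real grammar)."""
import re
from dataclasses import dataclass

OPERATORS = ("equals", "contains", "starts with", "ends with")  # assumed; only "equals" is on the page

_FILTER_RE = re.compile(
    r'^(?P<collector>\w+)\s+(?P<field>\w+)\s+(?P<op>' + "|".join(OPERATORS)
    + r')\s+"(?P<value>[^"]*)"$', re.IGNORECASE)

@dataclass
class Filter:
    collector: str  # collector the filter field belongs to, e.g. HostInfo
    field: str      # filter field, e.g. hostname
    operator: str
    value: str      # the quoted value, with its quotes removed

@dataclass
class SearchStatement:
    collector: str     # collector name: the type of search run on the endpoints
    fields: list       # output fields: the columns displayed in the results
    filter: "Filter | None"

def parse_search(statement: str) -> SearchStatement:
    head, sep, tail = statement.strip().partition(" where ")
    parts = head.split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<Collector> <field>[, <field>...]'")
    collector, field_list = parts
    fields = [f.strip() for f in field_list.split(",")]
    if not all(re.fullmatch(r"\w+", f) for f in fields):
        raise ValueError(f"bad output field list: {field_list!r}")
    filt = None
    if sep:  # the guide notes the value must be quoted; unquoted values fail here
        m = _FILTER_RE.match(tail.strip())
        if not m:
            raise ValueError('filter must be <Collector> <field> <operator> "<value>"')
        filt = Filter(m["collector"], m["field"], m["op"].lower(), m["value"])
    return SearchStatement(collector, fields, filt)

def is_valid_search(statement: str) -> bool:
    """True when the statement parses under this simplified model."""
    try:
        parse_search(statement)
        return True
    except ValueError:
        return False
```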

After you’ve created a search, you can click on the Save Search button in the bottom right to use that search in the future.

To access your saved searches, go to Menu > Active Response Searches Catalog.

Here, you can see your saved searches.
