• Prerequisites
• Setting Up MAR
• Installing the Active Response ePO Extensions
• Checking in the Active Response Client Packages
• Installing the Active Response Server
• Configuring the Client Policies
• Validation

Prerequisites

Before continuing with this section, please ensure you have met the following prerequisites:

• ePO installed and configured in accordance with Dynamic Endpoint Security 1 - Getting Started
• Endpoint security extensions, etc. installed and configured in accordance with Dynamic Endpoint Security 2 - Basic Endpoint
• TIE and DXL installed and configured in accordance with  Dynamic Endpoint Security 3 - Data Exchange Layer and Threat Intelligence Exchange

 

Setting Up MAR

Download the McAfee Active Response extensions, packages, and server with your grant number from the McAfee Download Site

http://www.mcafee.com/us/downloads/downloads.aspx

 

You'll need the following:

• Extensions
  • McAfee Active Response Server Extension (mar-server.zip)
  • McAfee Active Response UI Extension (mar-ui.zip)
  • McAfee Active Response Client Extension (mar-client.zip)
  • McAfee Active Response License Extension (mar-license.zip)
    
• Packages
  • McAfee Active Response for Windows (Mar_Client_Package_Win_1.1.0.161.zip)
• Other
  • McAfee Active Response Server (MAR-1.1.0.169x86_64.zip)
• Documentation
  • McAfee Active Response Help (mar-help.zip)

 

Installing the Active Response ePO Extensions

In your ePO Console, go to Select Menu > Software > Extensions

Click on Install Extension at the top and install the extensions in the following order:

1. mar-server.zip
2. mar-client.zip
3. mar-license.zip
   
4. mar-ui.zip
5. mar-help.zip

 

Checking in the Active Response Client Packages

 

In the ePO Console, go to Menu > Master Repository and click on Check in packages

Select Product or Update (.ZIP) as the package type

Click browse and select the McAfee Active Response software package

On the package Options page, select Current and click Save

Installing the Active Response Server

After your extensions are installed, let’s install the Active Response server. Here are the minimum requirements for the Active Response Server:

• 4 Intel® Xeon® CPU X5675 @ 3.07GHz
• 8GB Ram
• 120 GB SSD

First, boot up from the Active Response Server ISO from the McAfee Download site. Upon first boot, it will install the software.

When the server boots again, it’ll allow you to configure the system.

The first step is to agree to the licensing agreement. Click Enter to read the agreement and click Y at the end.

Next, create a root password for the super user.

Enter Y to continue.

After the root password’s created, the next step is to create an operational account. Enter an account name, real name, and password.

Enter Y to continue.

This page allows you to select your network interface. If you only have one interface listed, click N.

Select DHCP or Manual IP address configuration. Enter D for DHCP or M for Manual.  If you select Manual, enter your ip address, network mask, gateway, and DNS server.

When you’re finished, enter Y to continue.

Enter the Hostname and Domain Name (if appropriate) of the computer where you are installing the Active Response server appliance.

Enter Y to continue.

Enter up to three Time Servers to synchronize the time of the Active Response server. You can use the default servers listed or enter your own time server addresses.

Enter Y to continue.

Enter any proxy information that you might have.

 

Next, enter the IP Address or fully qualified domain name, port, and account information for your McAfee ePO server.

Enter Y to continue.

Note:  The ePO server must be available.  At this point the installation will begin to configure the McAfee Agent.

Enter the ePO Agent Wake-up Port.  The default is 8081.

Enter Y to continue

Select the services to run on the Active Response server. If you already have a TIE server in your environment, just select Y for the AR Server. Otherwise, select Y for both the DXL Broker and AR Server

Enter Y to continue.

After that step, it’ll take some time to configure the server and you’ll see a login prompt when it’s completed.

Now, you’ll need to register the Mcafee Active Response server in ePO.

Select Menu > Configuration > Registered Servers

Click on New Server at the top.

Select Active Response Server for the server type and give the server a name such as McAfee Active Response Server and click next.

In the Active Response Server Location field, enter:

https://{AR server IP address}/mar/api

 

 

 

Configuring the Client Policies

By default, the logging necessary to utilizing the file and network flow processors are disabled in policy. In order to enable these, open the policy that will be used, and enable the file hashing and network flow plugins as seen below:

While on this tab, remove the .txt files from the exclusion of file searches. For POC and demo cases, it may be beneficial to remove txt files from the exclusion list on the File Hashing tab (shown below is :

Enable the network flow plugins as seen below:

To show the automation capabilities of MAR, with triggers, you will also need to enable Triggers on the General Tab:

 

 

Validation

After installing the MAR server, validate that it has registered in ePO and has the MARSERVER tag:

If it does not have the tag, you can wait, or initiate a client wake-up. Note that if you installed the DxL broker service on the AR server, you will also see the DXLBROKER tag, as seen above.

For further validation, you can go to the Data Exchange Layer Fabric page, and select a broker, and click on the Services tab.  When you select the services drop-down, you should see /mcafee/service/mar.

 

Next, go to "Active Response Searches, and validate the page will load.  Once loaded, verify that prompting with collectors occurs when you click in the search field:

Then, validate that the autofill works as expected by clicking on the options presented in the drop-down, and run a simple search such as the one below:

At this point, the setup of MAR should be complete. For next steps, click here:

Dynamic Endpoint Security 5 - Deploy Endpoints