Before continuing with this section, please ensure you have met the following prerequisites:
Download the McAfee Active Response extensions, packages, and server with your grant number from the McAfee Download Site
http://www.mcafee.com/us/downloads/downloads.aspx
You'll need the following:
In your ePO Console, go to Select Menu > Software > Extensions
Click on Install Extension at the top and install the extensions in the following order:
In the ePO Console, go to Menu > Master Repository and click on Check in packages
Select Product or Update (.ZIP) as the package type
Click browse and select the McAfee Active Response software package
On the package Options page, select Current and click Save
After your extensions are installed, let’s install the Active Response server. Here are the minimum requirements for the Active Response Server:
First, boot up from the Active Response Server ISO from the McAfee Download site. Upon first boot, it will install the software.
When the server boots again, it’ll allow you to configure the system.
The first step is to agree to the licensing agreement. Press Enter to read the agreement and press Y at the end.
Next, create a root password for the super user.
Enter Y to continue.
After the root password’s created, the next step is to create an operational account. Enter an account name, real name, and password.
Enter Y to continue.
This page allows you to select your network interface. If you only have one interface listed, enter N.
Select DHCP or Manual IP address configuration. Enter D for DHCP or M for Manual. If you select Manual, enter your IP address, network mask, gateway, and DNS server.
When you’re finished, enter Y to continue.
Enter the Hostname and Domain Name (if appropriate) of the computer where you are installing the Active Response server appliance.
Enter Y to continue.
Enter up to three Time Servers to synchronize the time of the Active Response server. You can use the default servers listed or enter your own time server addresses.
Enter Y to continue.
Enter any proxy information that you might have.
Next, enter the IP Address or fully qualified domain name, port, and account information for your McAfee ePO server.
Enter Y to continue.
Note: The ePO server must be available. At this point the installation will begin to configure the McAfee Agent.
Enter the ePO Agent Wake-up Port. The default is 8081.
Enter Y to continue.
Select the services to run on the Active Response server. If you already have a TIE server in your environment, just select Y for the AR Server. Otherwise, select Y for both the DXL Broker and AR Server.
Enter Y to continue.
After that step, it’ll take some time to configure the server and you’ll see a login prompt when it’s completed.
Now, you’ll need to register the McAfee Active Response server in ePO.
Select Menu > Configuration > Registered Servers
Click on New Server at the top.
Select Active Response Server for the server type, give the server a name such as McAfee Active Response Server, and click Next.
In the Active Response Server Location field, enter:
https://{AR server IP address}/mar/api
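The console prompts above collect a handful of values (network mode, manual IP fields, up to three time servers, the ePO address and port, the agent wake-up port, which services to run), and the registration step then needs the AR server address in the `https://{AR server IP address}/mar/api` form. The following pre-flight validator is an added example for this page, not McAfee's own tooling: it checks those values against the rules stated in the steps before you type them into the appliance, and builds the Registered Server URL. The `ApplianceConfig` field names are assumptions for this example; the only real values it relies on are the ones quoted above (wake-up port 8081, the `/mar/api` path, and the AR Server / DXL Broker service choice).

```python
"""Pre-flight validator for McAfee Active Response appliance setup values.

Example code added for this page (not McAfee tooling). Field names below are
assumptions; the rules encode the steps described in the setup walkthrough.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# One DNS label (hostname) and a dotted name (domain / FQDN).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_ip(value: str) -> bool:
    """True for a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_host(value: str) -> bool:
    """True for an IP address or a well-formed DNS name."""
    return is_ip(value) or bool(FQDN_RE.match(value))


@dataclass
class ApplianceConfig:
    # Values as you would answer the console prompts (names are assumptions).
    net_mode: str                      # "D" for DHCP or "M" for Manual
    ip: str = ""                       # Manual mode only
    netmask: str = ""
    gateway: str = ""
    dns: str = ""
    hostname: str = ""
    domain: str = ""                   # optional
    time_servers: list[str] = field(default_factory=list)  # up to three
    epo_host: str = ""                 # ePO IP address or FQDN
    epo_port: int = 0
    agent_wakeup_port: int = 8081      # default quoted in the walkthrough
    have_tie_server: bool = False      # TIE already present in the environment
    run_dxl_broker: bool = True
    run_ar_server: bool = True


def validate(cfg: ApplianceConfig) -> list[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    problems: list[str] = []

    if cfg.net_mode not in ("D", "M"):
        problems.append("network mode must be D (DHCP) or M (Manual)")
    elif cfg.net_mode == "M":
        # Manual mode requires all four address fields.
        for name in ("ip", "netmask", "gateway", "dns"):
            if not is_ip(getattr(cfg, name)):
                problems.append(f"manual mode needs a valid {name}")
        if is_ip(cfg.ip) and is_ip(cfg.netmask) and is_ip(cfg.gateway):
            try:
                net = ipaddress.ip_network(f"{cfg.ip}/{cfg.netmask}", strict=False)
                if ipaddress.ip_address(cfg.gateway) not in net:
                    problems.append("gateway is not on the configured subnet")
            except ValueError:
                problems.append("netmask is not a valid mask")

    if not LABEL_RE.match(cfg.hostname):
        problems.append("hostname must be a single valid DNS label")
    if cfg.domain and not FQDN_RE.match(cfg.domain):
        problems.append("domain name is malformed")

    if not 1 <= len(cfg.time_servers) <= 3:
        problems.append("enter between one and three time servers")
    for ts in cfg.time_servers:
        if not is_host(ts):
            problems.append(f"time server {ts!r} is not a valid address")

    if not is_host(cfg.epo_host):
        problems.append("ePO server must be an IP address or FQDN")
    if not 1 <= cfg.epo_port <= 65535:
        problems.append("ePO port must be 1-65535")
    if not 1 <= cfg.agent_wakeup_port <= 65535:
        problems.append("agent wake-up port must be 1-65535")

    # Service selection: AR Server is always required; the DXL Broker is
    # only optional when a TIE server already provides one.
    if not cfg.run_ar_server:
        problems.append("the AR Server service must be enabled")
    if not cfg.have_tie_server and not cfg.run_dxl_broker:
        problems.append("without a TIE server, enable the DXL Broker as well")
    return problems


def mar_api_url(ar_host: str) -> str:
    """Build the Active Response Server Location value for the ePO Registered Server."""
    if not is_host(ar_host):
        raise ValueError(f"not a usable AR server address: {ar_host!r}")
    return f"https://{ar_host}/mar/api"


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    sample = ApplianceConfig(
        net_mode="M", ip="10.0.0.5", netmask="255.255.255.0", gateway="10.0.0.1",
        dns="10.0.0.2", hostname="mar01", domain="corp.example",
        time_servers=["0.pool.ntp.org"], epo_host="epo.corp.example", epo_port=8443,
    )
    for issue in validate(sample) or ["no problems found"]:
        print(issue)
    print(mar_api_url(sample.ip))
```

Run it before starting the appliance console; fix anything it reports, then paste the printed URL into the Active Response Server Location field when registering the server.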
By default, the logging needed by the file and network flow processors is disabled in policy. To enable it, open the policy that will be used and enable the file hashing and network flow plugins as shown below:
While on this tab, remove .txt files from the file-search exclusions. For POC and demo cases, it may be beneficial to remove .txt files from the exclusion list on the File Hashing tab, as shown below:
Enable the network flow plugins as seen below:
To show the automation capabilities of MAR, with triggers, you will also need to enable Triggers on the General Tab:
After installing the MAR server, validate that it has registered in ePO and has the MARSERVER tag:
If it does not have the tag, you can wait, or initiate a client wake-up. Note that if you installed the DXL Broker service on the AR server, you will also see the DXLBROKER tag, as seen above.
For further validation, you can go to the Data Exchange Layer Fabric page, and select a broker, and click on the Services tab. When you select the services drop-down, you should see /mcafee/service/mar.
Next, go to "Active Response Searches" and validate that the page loads. Once loaded, verify that prompting with collectors occurs when you click in the search field:
Then, validate that the autofill works as expected by clicking on the options presented in the drop-down, and run a simple search such as the one below:
At this point, the setup of MAR should be complete. For next steps, click here: