McAfee ePolicy Orchestrator 4.5
Evaluation Guide

COPYRIGHT
Copyright 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN,
WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in
connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property
of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.

Contents

Introducing ePolicy Orchestrator 4.5
  Components of ePolicy Orchestrator
  What's new in this release

Pre-Installation
  System requirements
    Server and Agent Handler requirements
    Database requirements
    Database considerations
    Distributed repositories
  Supported products and components
  Operating systems language support

Installing ePolicy Orchestrator 4.5 Software
  Installing the server
  Installing an Agent Handler
  Logging on to ePolicy Orchestrator
  How to navigate the ePO interface
    The Menu
    The navigation bar

Set Up the ePolicy Orchestrator Server
  Configuring a repository pull task
  Checking the status of the pull task
  Checking in the VirusScan Enterprise package manually

Add Systems to Manage
  Creating your System Tree groups
  Adding systems to your System Tree groups
  Organizing new systems into your groups
  Deploying the McAfee Agent
  Verifying agent communication with ePolicy Orchestrator
  More on working with the System Tree

Deployment Tasks
  Creating a product deployment task
  Creating a product update task
  Verifying client software installation
  Revisiting the PUP audit VirusScan policy
  Resetting the On-Access Scan policy
  Verifying the On-Demand Scan task

Setting Policies
  Creating policies for the McAfee Agent
  Creating policies for VirusScan Enterprise
    Locking the local VirusScan console
    Creating file exclusions on a server
    Creating policies for the AntiSpyware Enterprise module
  Assigning policies
    Assigning McAfee Agent policy
    Assigning VirusScan Enterprise policies

Using Dashboards and Queries
  Activating a dashboard
  Changing a dashboard monitor

Summary
References

Introducing ePolicy Orchestrator 4.5


ePolicy Orchestrator 4.5 provides a scalable platform for centralized policy management and
enforcement of your security products and the systems on which they reside. It also provides
comprehensive reporting and product deployment capabilities, all through a single point of
control.
Contents
Components of ePolicy Orchestrator
What's new in this release

Components of ePolicy Orchestrator


ePolicy Orchestrator comprises several components that reside on systems across your network.
The ePolicy Orchestrator software consists of these components:
- ePO server: The center of your managed environment. The server delivers security
  policies and tasks, controls updates, and processes events for all managed systems. The
  ePO server includes these subcomponents:
  - Application server: Auto Response, Registered Servers, and user interface
  - Agent Handler: Policies, tasks, and properties
  - Event parser: Threat events and client events
  - RSD server and data channel listener
- Registered servers: Used to register the ePO server with other servers. Registered
  server types include:
  - LDAP server: Used for Policy Assignment Rules and to enable automatic user account
    creation.
  - SNMP server: Used to receive an SNMP trap. You must add the SNMP server's
    information so that ePolicy Orchestrator knows where to send the trap.
  - Ticketing server: Before tickets can be associated with issues, you must have a registered
    Ticketing server configured. The system running the ticketing extension must be able to
    resolve the address of the Service Desk system.
- Database: The central storage component for all data created and used by ePolicy
  Orchestrator. You can choose whether to house the database on your ePO server or on a
  separate system, depending on the specific needs of your organization.
- Master repository: The central location for all McAfee updates and signatures, residing
  on the ePO server. The Master repository retrieves user-specified updates and signatures
  from McAfee or from user-defined source sites.

- Distributed repositories: Placed strategically throughout your environment to provide
  managed systems access to receive signatures, product updates, and product installations
  with minimal bandwidth impact. Depending on how your network is configured, you can set
  up SuperAgent, HTTP, FTP, or UNC share distributed repositories.
- McAfee Agent: A vehicle of information and enforcement between the ePO server and
  each managed system. The agent retrieves updates, ensures task implementation, enforces
  policies, and forwards events for each managed system. McAfee Agent 4.5 and higher can
  use a separate secure data channel to transfer data to the ePO server. A McAfee Agent can
  also be configured as a SuperAgent with the addition of a repository.
- Remote Agent Handlers: A server that you can install in various network locations to
  help manage agent communication, load balancing, and product updates. Remote Agent
  Handlers can help you manage the needs of large or complex network infrastructures by
  allowing you more control over agent-server communication.
NOTE: Depending on the needs of your organization and the complexity of your network, you
might not need to use all of these components.

What's new in this release


This release of McAfee ePolicy Orchestrator includes several new and enhanced features.
Scalability
The ePolicy Orchestrator 4.5 software supports enhanced scalability through the use of remote
Agent Handlers. Agent Handlers can be installed on the servers where agents connect to retrieve
policies, client actions, and updates. Agents can also use Agent Handlers to send properties
and events to your primary ePO server.
Support of multiple Agent Handlers enables one ePO server to manage a larger set of installed
products on a larger set of managed systems. Agent Handlers can be deployed to strategic
points in your network environment, enabling management of systems that cannot access the
main ePO server directly. They can also be used in locations where the ePO server can be
accessed directly.
Agent data channel
The Agent data channel is a bi-directional channel for sending product-specific data between
ePolicy Orchestrator and the products on your managed systems. This feature allows McAfee
to provide user interface actions, which are used when troubleshooting with real-time feedback.
These actions operate on a single system, providing real-time status to your ePO administrators.
The Update Now command, which allows you to update a managed system on demand, is an
example of this feature.
Improved security for agent-server communication
Agent communication with the ePO server now uses the TLS (Transport Layer Security) protocol
for improved security.
Transfer systems
You can now move systems from one ePO server to another with the Transfer Systems feature.

Navigation redesign
Navigation for the ePO console has been redesigned for the 4.5 release. Now you can access
any of the first-level ePolicy Orchestrator tabs from the new ePO Menu.
Drag-and-drop
You can use drag-and-drop functionality to move certain objects in the interface. You can:
- Add Menu items to the favorites bar.
- In tables, add commonly used actions from the Actions menu to the Action bar.
- Using the Systems table, move selected systems or groups of systems to a different group
  in the System Tree.
- In the System Tree, move groups and subgroups into other groups.
Policy Assignment Rules
ePolicy Orchestrator 4.5 allows you to assign policies to unique groups or to individual users
through the use of Policy Assignment Rules. This feature enables policy assignment based on
the Active Directory groups that users belong to, instead of the system they are using. You can
include individual users, groups, and Organizational Units (OUs) in a rule. You can also exclude
specific users from a rule. McAfee SiteAdvisor Enterprise 3.0 is the first managed product to
leverage this feature.
Automatic Responses
The new Automatic Responses feature replaces the Notifications feature. This new feature
allows you to create rules for responding to events that are specific to your business environment.
Available actions include:
- Sending email notifications
- Sending SNMP traps
- Creating issues for use with integrated third-party ticketing systems
- Running a registered executable or server task
IPv6 support
ePolicy Orchestrator 4.5 is fully compatible with IPv6 in both native and mixed environments,
including:
- Native IPv4
- Native IPv6
- Mixed IPv4 and IPv6
LDAP support
ePolicy Orchestrator 4.5 supports LDAP (Lightweight Directory Access Protocol) through the
use of Active Directory servers. This version of ePolicy Orchestrator allows closer integration
with Active Directory servers so that you can:
- Assign permission sets to users based on their Active Directory group
- Browse your Active Directory server for users or groups when creating Policy Assignment
  Rules
- Automatically assign administrator rights to users when they log on with their Active Directory
  domain credentials

Issues and ticketing


ePolicy Orchestrator 4.5 provides basic issues management and bi-directional integration with
these third-party ticketing systems:
- Service Desk
- Remedy
Multi-server rollup reporting improvements
The multi-server rollup reporting feature has been enhanced. You can now filter out unwanted
items before performing a data rollup. New rollup reporting targets have been added, including
applied policies, client events, and specific policy use across your network.
Queries system improvements
The Queries system has been enhanced in several ways. A redesigned Queries page now allows
personal and shared query groups that contain queries organized by feature group, and includes
more preconfigured queries. Query targets are now grouped in the Query Builder. Additionally,
a stacked bar chart has been added to the available chart types, and the variables and
parameters for configuring charts have been improved.
Rogue System Detection improvements
Rogue System Detection has been improved to fully leverage the power of ePolicy
Orchestrator. Now you can categorize exceptions, update your OUI (Organizationally Unique
Identifier) list, and optionally employ OS fingerprinting.
Searchable Help
When you install the ePO Help extension for products that are managed by ePolicy Orchestrator,
you can now search the context-sensitive Help and product guides for those products.

Pre-Installation
Before installing ePolicy Orchestrator 4.5, review these requirements and recommendations.
Contents
System requirements
Supported products and components
Operating systems language support

System requirements
Verify that your environment meets the minimum requirements listed here:
- Server and Agent Handler
- Database
- Distributed repositories

Server and Agent Handler requirements


- Free disk space: 1 GB minimum (first-time installation); 1.5 GB minimum (upgrade); 2 GB
  recommended.
- Memory: 1 GB available RAM; 2-4 GB recommended.
- Processor: Intel Pentium III-class or higher; 1 GHz or higher.
- Monitor: 1024x768, 256-color, VGA monitor.
- NIC: Network interface card; 100 MB or higher.
  NOTE: If using a server with more than one IP address, ePolicy Orchestrator uses the first
  identified IP address. If you want to use additional IP addresses for agent-server communication,
  see Installing an Agent Handler.
- Dedicated server: If managing more than 250 computers, McAfee recommends using a
  dedicated server.
- File system: NTFS (NT file system) partition recommended.
- IP address: McAfee recommends using static IP addresses for ePO servers.
- Server-class operating system: 32-bit or 64-bit
  - Windows Server 2003 Enterprise with Service Pack 2 or later
  - Windows Server 2003 Standard with Service Pack 2 or later
  - Windows Server 2003 Web with Service Pack 2 or later
  - Windows Server 2003 R2 Enterprise with Service Pack 2 or later

  - Windows Server 2003 R2 Standard with Service Pack 2 or later
  - Windows Server 2008
  NOTE: Installation is blocked if you attempt to install on a version of Windows earlier than
  Server 2003. In addition, ePolicy Orchestrator stops functioning if, after having been installed
  on Windows Server 2003, the server is upgraded to Windows Server 2008.
- Browser:
  - Firefox 3.0
  - Microsoft Internet Explorer 7.0 or 8.0
  If using Internet Explorer and a proxy, follow these steps to bypass the proxy server.
  1. From the Tools menu in Internet Explorer, select Internet Options.
  2. Select the Connections tab and click LAN Settings.
  3. Select Use a proxy server for your LAN, then select Bypass proxy server for local
     addresses.
  4. Click OK as needed to close Internet Options.
- Domain controllers: The server must have a trust relationship with the Primary Domain
  Controller (PDC) on the network. For instructions, see the Microsoft product documentation.
- Security software:
  - Install and/or update the anti-virus software on the ePolicy Orchestrator server and scan
    for viruses.
    CAUTION: If running VirusScan Enterprise 8.5i or 8.7i on the system where you are installing
    ePolicy Orchestrator, you must ensure that the VSE Access Protection rules are disabled
    during the installation process, or the installation fails.
  - Install and/or update firewall software on the ePolicy Orchestrator server.
- Ports:
  - McAfee recommends avoiding the use of Port 8443 for HTTPS communication. Although this
    is the default port, it is also the primary port used by many web-based activities, is a popular
    target for malicious exploitation, and is likely to be disabled by the system administrator
    in response to a security violation or outbreak.
    NOTE: Ensure that the ports you choose are not already in use on the ePolicy Orchestrator
    server computer.
  - Notify the network staff of the ports you intend to use for HTTP and HTTPS communication
    via ePolicy Orchestrator.
  NOTE: Installing the software on a Primary Domain Controller (PDC) is supported, but not
  recommended.
- Supported virtual infrastructure software:
  - VMware ESX 3.5.x
  - Microsoft Virtual Server 2005 R2 with Service Pack 1
  - Windows Server 2008 Hyper-V
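
The Ports requirement above asks you to confirm that the HTTP and HTTPS ports you choose are not already in use on the server, and to avoid port 8443. The following PowerShell script is an added example, not part of the McAfee guide: it parses `netstat -ano` output and reports which candidate TCP ports already have a listener. The candidate ports 8543 and 9443, the function names and the sample netstat text are constructed for illustration.

```powershell
# Added example (not from the McAfee guide). Requires PowerShell 2.0 or later.
# Checks candidate HTTP/HTTPS ports against the TCP listeners reported by netstat.

# Constructed sample of `netstat -ano` output (not captured from a real server).
$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       2140
  TCP    10.0.0.5:3389          10.0.0.20:51234        ESTABLISHED     1496
  TCP    [::]:9443              [::]:0                 LISTENING       3004
  UDP    0.0.0.0:8543           *:*                                    1020
'@ -split "`r?`n"

function Get-TcpListener {
    # Returns one object per listening TCP socket found in netstat -ano text.
    param([string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        $f = @($line.Trim() -split '\s+')
        # TCP rows have at least: Proto, Local, Foreign, State, PID.
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }
        # A listening socket has an all-zero foreign endpoint. Testing that
        # instead of the State text keeps the check working when the State
        # column is translated on a localized Windows installation.
        if ($f[2] -notmatch '^(0\.0\.0\.0|\[::\]):0$') { continue }
        $local = $f[1]
        # The port follows the last colon, for both IPv4 and [IPv6] forms.
        $port = [int]($local.Substring($local.LastIndexOf(':') + 1))
        New-Object PSObject -Property @{
            Port      = $port
            Address   = $local
            OwningPid = [int]$f[-1]
        }
    }
}

function Test-CandidatePort {
    # Reports, for each candidate port, whether a TCP listener already holds it.
    param([int[]]$CandidatePorts, [string[]]$NetstatLines)
    $listeners = @(Get-TcpListener -NetstatLines $NetstatLines)
    foreach ($p in $CandidatePorts) {
        $hits = @($listeners | Where-Object { $_.Port -eq $p })
        $notes = @()
        if ($hits.Count -gt 0) {
            $notes += 'already in use on this server'
        }
        if ($p -eq 8443) {
            # Recommendation stated in the Ports requirement of the guide.
            $notes += 'default HTTPS port; the guide recommends avoiding it'
        }
        $pids = ($hits | ForEach-Object { $_.OwningPid } | Select-Object -Unique) -join ','
        New-Object PSObject -Property @{
            Port      = $p
            InUse     = ($hits.Count -gt 0)
            OwningPid = $pids
            Notes     = ($notes -join '; ')
        }
    }
}

# Offline run against the constructed sample. On the target server, replace
# $SampleNetstat with (netstat -ano) and the port list with your own choices.
Test-CandidatePort -CandidatePorts 8443, 8543, 9443 -NetstatLines $SampleNetstat |
    Select-Object Port, InUse, OwningPid, Notes |
    Format-Table -AutoSize
```

Only TCP listeners are considered because HTTP and HTTPS run over TCP, so the UDP socket on 8543 in the sample does not mark that port as in use.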

Database requirements
- Microsoft updates and patches: Update both the ePO server and the database server with the
  latest Microsoft security updates. If you are upgrading from MSDE 2000 or SQL 2000, be sure
  to follow Microsoft's required upgrade scenarios.
- Databases supported for use with ePolicy Orchestrator:
  - SQL Server 2005 Express. This database is included with ePolicy Orchestrator for use in
    environments where there is no supported database available.
  - SQL Server 2005.
  - SQL Server 2008 Express.
  - SQL Server 2008.
  NOTE: Use of ePolicy Orchestrator with MSDE 2000 or SQL 2000 (or earlier) is not supported.
- Database installation documented in this Guide: The only database installation scenario
  described in detail is a first-time installation of SQL Server 2005 Express. In this scenario,
  the ePOSetup installs both the ePolicy Orchestrator software and the database on the same
  server. If the database is to be installed on a different server from the ePolicy Orchestrator
  software, manual installation is required on the remote servers.
- Other relevant database installations and upgrades: See the documentation provided by the
  database manufacturer for information about the following installation scenarios:
  - Installing SQL Server 2005.
  - Installing SQL Server 2008.
  - Upgrading from MSDE 2000.
  - Upgrading from SQL 2000.
  - Upgrading from SQL 2005.
  - Upgrading from SQL 2005 Express.
- Maintenance settings: McAfee recommends making specific maintenance settings to
  ePO databases. For instructions, see Maintaining ePO databases in the ePolicy Orchestrator
  Help.
- SQL Server:
  - Dedicated server and network connection: Use a dedicated server and network
    connection if managing more than 5,000 client computers.
  - Local database server: If using SQL Server on the same system as the ePO server,
    McAfee recommends using a fixed memory size in Enterprise Manager that is approximately
    two-thirds of the total memory for SQL Server. For example, if the computer has 1 GB of
    RAM, set 660 MB as the fixed memory size for SQL Server.

  - SQL Server licenses: If using SQL Server, a SQL Server license is required for each
    processor on the computer where SQL Server is installed.
    CAUTION: If the minimum number of SQL Server licenses is not available after you install
    the SQL Server software, you may have issues installing or starting the ePolicy Orchestrator
    software.

Database considerations
Using ePolicy Orchestrator with a database
A database must be installed before ePolicy Orchestrator can be installed. Any of the following
databases, if previously installed, meets this requirement.
- SQL Server 2005
- SQL Server 2005 Express
- SQL Server 2008
- SQL Server 2008 Express
NOTE: SQL Server 2000 is not supported.
If none of those databases was previously installed, the ePO installation wizard detects that no
database is present and offers you the opportunity to install SQL Server 2005 Express.
The following tables provide additional information about the database choices and other
software requirements.
Database | Requirements | Note
SQL Server 2005 or SQL Server 2008 | Dedicated server and network connection | Needed if managing more than 5,000 computers.
SQL Server 2005 or SQL Server 2008 | Local database server | If the database and ePO server are on the same system, McAfee recommends using a fixed memory size in Enterprise Manager or SQL Server Management Studio that is approximately two-thirds of the total memory for SQL Server. For example, if the computer has 1 GB of RAM, set 660 MB as the fixed memory size for SQL Server.
SQL Server 2005 or SQL Server 2008 | Licenses | A license is required for each processor on the computer where SQL Server is installed. If the minimum number of SQL Server licenses is not available, you might have difficulty installing or starting the ePolicy Orchestrator software.
SQL Server 2005 Express | .NET Framework | You must acquire and install.

Software | Note
MSXML 6.0 | You must acquire and install. 1. From the Internet Explorer Tools menu, select Windows Update. 2. Click Custom, then select Software. 3. Select MSXML6. 4. Select Review and install updates, then click Install Updates.
Internet Explorer 7 or 8, or Firefox 3.0 | You must acquire and install.
.NET Framework 2.0 | You must acquire and install if using SQL Server 2005 Express.
Microsoft Visual C++ Redistributable | If not previously installed, the installation wizard installs automatically.
Microsoft Visual C++ Redistributable - x86 9.0.21022 | If not previously installed, the installation wizard installs automatically.
MDAC 2.8 | If not previously installed, the installation wizard installs automatically.
SQL Server 2005 Backward Compatibility | If not previously installed, the installation wizard installs automatically.
SQL Server 2005 Express | If no other database has been previously installed, this database can be installed automatically at user's selection.
Microsoft updates | Update the ePolicy Orchestrator server and the database server with the most current updates and patches.
MSI 3.1 | The installation fails if using a version of MSI previous to MSI 3.1.

Distributed repositories
- Free disk space: 400 MB on the drive where the repository is stored.
  NOTE: The disk space requirement for the distributed repositories on agents that are designated
  as SuperAgents is equal to the disk space available for the master repository.
- Memory: 256 MB minimum.
- Possible hosts:
  - HTTP-compliant servers on Microsoft Windows, Linux, or Novell NetWare operating systems
  - Windows, Linux, or NetWare FTP servers
  - Windows, Linux, or UNIX Samba UNC shares
  - Computer with a SuperAgent installed on it

Supported products and components


McAfee Agent 4.0 for Email and Web Security
McAfee Agent 4.0 for HP-UX
McAfee Agent 4.0 for Linux
McAfee Agent 4.0 for Macintosh
McAfee Agent 4.0 for Solaris
McAfee Agent 4.5
McAfee Agent for Windows Patch 1 and Patch 2
McAfee Common Management Agent 3.7 Patch 1
McAfee Common Management Agent MA 3.6 Patch 4
McAfee Data Loss Prevention 3.0

McAfee Email and Web Security 5.1 Appliance


McAfee Endpoint Encryption 5.2.1
McAfee Endpoint Encryption 5.3
McAfee Endpoint Encryption Files/Folders 3.1
McAfee Endpoint Encryption Files/Folders 4.x
McAfee EndPoint Encryption for Mobile 3.0
McAfee Foundstone 6.5.3
McAfee GroupShield for Domino 7.0 Patch 2
McAfee GroupShield for Exchange 7.0
McAfee GroupShield for Exchange 7.0 SP 1
McAfee Host Intrusion Prevention 6.1 Patch 3
McAfee Host Intrusion Prevention 7.0 Patch 3
McAfee Host Intrusion Prevention 7.1
McAfee IntruShield 4.1
McAfee IntruShield 5.1
McAfee LinuxShield 1.5.1
McAfee Network Access Control 3.1
McAfee Policy Auditor 5.1
McAfee PortalShield 2.0 Patch 1
McAfee Quarantine Manager 6.0
McAfee Rogue System Detection 2.0 Patch 2
McAfee Security for Lotus Domino Linux 7.5
McAfee Security for Macintosh v1.0
McAfee SiteAdvisor Enterprise 1.6
McAfee SiteAdvisor Enterprise 2.0+
McAfee SiteAdvisor Enterprise 3.0
McAfee VirusScan 8.5i with McAfee AntiSpyware Enterprise
McAfee VirusScan 8.7 with McAfee AntiSpyware Enterprise
McAfee VirusScan Enterprise for Storage
McAfee VirusScan Enterprise for use with the SAP Netweaver platform
McAfee VirusScan Enterprise for Offline Virtual Images
McAfee VirusScan for Macintosh 8.6.1
Symantec SAV 10.x
Symantec SAV 9.x
USB Device 1.0 (EEV)
Vdisk 4.1 (EEV)
vDisk for Macintosh 1.0

Operating systems language support


This version of the ePolicy Orchestrator software runs on any supported operating system
irrespective of the language of the operating system.
Following is a list of languages into which the ePolicy Orchestrator has been translated. When
the software is installed on an operating system using a language that is not on this list, the
ePolicy Orchestrator interface attempts to display in English.
- Chinese (Simplified)
- Chinese (Traditional)
- English
- French (Standard)
- German (Standard)
- Japanese
- Korean
- Russian
- Spanish

Installing ePolicy Orchestrator 4.5 Software


This chapter provides instructions for installing ePolicy Orchestrator 4.5 in an environment
where no previous version of ePolicy Orchestrator software has been installed.
CAUTION: If you are upgrading from a prior version of ePolicy Orchestrator, see ePolicy
Orchestrator 4.5 Installation Guide.
Be sure that you have read, understood, and complied with the requirements and
recommendations in Pre-Installation.
Contents
Installing the server
Installing an Agent Handler
Logging on to ePolicy Orchestrator
How to navigate the ePO interface

Installing the server


The installation depends, in part, upon the presence of MSXML 6.0 on the server. If it is not
present, an error message appears during the installation, advising you that it must be installed
before proceeding. To avoid having to interrupt the installation in order to download and
install MSXML, we strongly recommend that you obtain and install MSXML before
starting the installation.
We also recommend that you monitor the entire installation process. It might require you to
restart the system.
Use this task to install the ePolicy Orchestrator server.
Task
1

Using an account with local administrator permissions, log on to the Windows server
computer to be used as the ePO server.

Run the Setup program.


From the product CD: select a language in the ePolicy Orchestrator autorun window,
then select Install ePolicy Orchestrator 4.5.
From software downloaded from the McAfee website: go to the location containing the
extracted files and double-click Setup.exe. The executable is located in the file EPO
4.5.0 <build and package numbers>.zip. Be certain to extract the contents of the zip file
to a temporary location. Do not attempt to run Setup.exe without first extracting the
contents of the zip file.
NOTE: If any prerequisite software is missing from the installation target computer, a list
of those items appears.


3 Click Next. The installation process for each software item not listed as Optional begins
automatically.
If you intend to use an existing instance of SQL Server 2005, or SQL 2008, you can continue
without selecting the checkbox for installation of SQL Server 2005 Express.
If you do not have a supported version of SQL or MSDE, take one of the following actions:
Install SQL 2005 or 2008 on a server.
If you are installing ePolicy Orchestrator with SQL 2005, the SQL Browser must be
enabled or you cannot complete the installation wizard.
Install SQL Server 2005 Express on the same computer where you are installing ePolicy
Orchestrator. If you selected the checkbox for installation of SQL Server 2005 Express,
ePolicy Orchestrator installs the database automatically.

If you are installing SQL Server 2005 Express, you might be prompted to install SQL
Server 2005 Backward Compatibility. You must install it.
4 In the Welcome page of the installation wizard, click Next. The License Key page appears.
NOTE: License Keys are distributed from the same McAfee website from which the ePolicy
Orchestrator software is downloaded.
5 Select whether you are installing based on a license key or installing an evaluation version.
If you have a License Key, type its number here.
If you select License Key but do not type its number, you are asked if you want to
install an evaluation version. Click OK to proceed with installation of the evaluation
version, or Cancel to return to the previous page.
6 If you are installing a beta version of the software, the Beta test information box appears.
Click OK.
7 Accept the End User License Agreement, then click OK to continue. The Choose
Destination Location dialog box appears. Click Next.
8 Accept the default installation path or click Browse to select or create a different location,
then click Next.
If installing on a cluster server, the Set Database and Virtual Server Settings dialog box
appears. Otherwise the Set Administrator Information dialog box appears.
9 Type and verify the password for logging on to this ePolicy Orchestrator server, then click
Next.
If your environment employs Microsoft Cluster Server (MSCS) for a high availability system
that ensures failover support, the Set Database and Virtual Server Settings dialog box
appears.

10 In the Set Database Information dialog box, identify the type of account and
authentication details that the ePO server will use to access the database:
a Use the drop-down list to select a database server. If SQL Express was installed, the
name of the database is <computername>\EPOSERVER.
b Select the type of authentication, then click Next. The available options are:
Windows authentication (recommended): Specify the NetBIOS name of the
Domain associated with the desired domain administrator user account. Then, provide
and verify a password.
NOTE: If the database identification fails, type 1433 or 1434 in the SQL server TCP
port field.
SQL authentication: Provide the User name that the ePolicy Orchestrator software
will use to access the database, then provide a password. If the installer cannot identify
the port used for communication to and from the server, you might be prompted to
provide that information.
NOTE: The ePolicy Orchestrator account must have DB ownership to the database.
11 Set the HTTP Configuration. Designate the port to be used by each function, then click
Next.
Function                                          Port
Agent-to-Server communication port                Configurable. McAfee recommends using a port other
                                                  than 80.
Agent-to-Server communication secure port         Configurable port that the agent uses for secure
                                                  communication with the server. The default port is 443.
Agent Wake-Up communication port                  Configurable.
Agent Broadcast communication port                Configurable port used to send SuperAgent wake-up
                                                  calls.
Console-to-Application Server communication port  Configurable.
Sensor-to-Server communication port               Configurable port used by the Rogue System sensor to
                                                  report host-detected messages to the Rogue System
                                                  Detection server using SSL.
Security Threats communication port               Port 8801. Nonconfigurable port used by McAfee Avert
                                                  to provide information on security threats and the
                                                  required DAT and engine versions to protect against
                                                  them.
SQL server TCP port                               See SQL documentation for configuration information.

NOTE: Client firewalls block communication from the ePO server. Ensure that the ports
required for communication from the ePO server are available on the client.
12 Optional step (can be performed after ePolicy Orchestrator is up-and-running). In the
Default Notification Email Address dialog box, type the email address of the recipient of
messages from ePolicy Orchestrator notification or leave the default. For a new recipient,
complete these options, then click Next.
a Provide a default destination for messages.
b Select Setup email server settings now. However, if you choose Setup email
server settings later, leave the default address.
c Type the Fully Qualified Domain Name (FQDN) of the mail server and specify the Port
to use for email.
d Select This server requires authentication if needed, then type the User name
and Password required to access the server.
For more information, see Automatic Responses in the ePolicy Orchestrator 4.5 Product
Guide.
13 In the Start Copying Files dialog box, click Next to begin the installation.
14 In the Installation Complete dialog box, you can view the Release Notes, launch ePolicy
Orchestrator, or click Finish to complete the installation.
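
The prerequisites this task names (MSXML 6.0, the SQL Browser when SQL 2005 is used, and a port for each function on the HTTP Configuration page) can be checked on the server before Setup is run. The script below is an added example, not part of the McAfee guide; the function names and the sample port plan are assumptions for illustration, and it checks for msxml6.dll in the Windows system directory and for the Windows service named SQLBrowser.

```powershell
# Added example (not from the McAfee guide): pre-installation checks for the
# intended ePO server. Run in Windows PowerShell 3.0 or later on that server.

# Port plan for the HTTP Configuration page, keyed by function.
# 443 and 8801 are the values the guide states and 8443 is the port in the
# guide's example console URL; every other value is a constructed placeholder.
$PlannedPorts = [ordered]@{
    'Agent-to-Server communication port'               = 8080
    'Agent-to-Server communication secure port'        = 443
    'Agent Wake-Up communication port'                 = 8081
    'Agent Broadcast communication port'               = 8082
    'Console-to-Application Server communication port' = 8443
    'Sensor-to-Server communication port'              = 8444
    'Security Threats communication port'              = 8801
}

function Test-Msxml6Installed {
    # MSXML 6.0 is present when msxml6.dll exists in the system directory.
    $dll = Join-Path ([Environment]::SystemDirectory) 'msxml6.dll'
    return (Test-Path -LiteralPath $dll -PathType Leaf)
}

function Get-SqlBrowserState {
    # Run this on the SQL Server host. Reports state and start mode so that a
    # stopped or disabled SQL Browser is visible before the wizard needs it.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SQLBrowser'"
    if (-not $svc) { return 'not installed on this host' }
    return ('{0}, start mode {1}' -f $svc.State, $svc.StartMode)
}

function Get-PortPlanProblems {
    param([System.Collections.IDictionary]$Plan)

    $problems = @()

    # The same port must not be planned for two functions.
    foreach ($g in ($Plan.GetEnumerator() | Group-Object -Property Value)) {
        if ($g.Count -gt 1) {
            $names = ($g.Group | ForEach-Object { $_.Key }) -join '; '
            $problems += "Port $($g.Name) is planned for more than one function: $names"
        }
    }

    # A planned port that already has a TCP listener on this server is a
    # conflict to resolve before Setup. Only TCP listeners are examined.
    $ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $listening = $ipProps.GetActiveTcpListeners() |
        ForEach-Object { $_.Port } | Sort-Object -Unique
    foreach ($entry in $Plan.GetEnumerator()) {
        if ($listening -contains $entry.Value) {
            $problems += "Port $($entry.Value) ($($entry.Key)) already has a TCP listener on this server"
        }
    }

    return ,$problems
}

$problems = Get-PortPlanProblems -Plan $PlannedPorts
'MSXML 6.0 installed : {0}' -f (Test-Msxml6Installed)
'SQL Browser service : {0}' -f (Get-SqlBrowserState)
if ($problems.Count -eq 0) {
    'Port plan           : no conflicts found'
} else {
    $problems | ForEach-Object { "Port plan           : $_" }
}
```

The listener check covers only the ePO server itself; the client-side firewall requirement in the NOTE above still has to be verified on the managed systems.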


Installing an Agent Handler


Use this task to set up an Agent Handler.
Before you begin
You must first install the ePO server with which the Agent Handler is to communicate.
Task
1 Open the folder where you extracted the contents of the ePolicy Orchestrator installation
package.
2 Copy the AgentHandler folder to the intended Agent Handler server system.
3 Double-click and run Setup.exe. Installation activities take place in the background. When
they are completed, the InstallShield Wizard for McAfee Agent Handler opens. Click Next.
4 Accept the default destination or click Browse to change the destination, then click Next.
The Server Information page opens.
5 Type the machine name of the ePO Server with which the Agent Handler is to communicate.
6 Type the port to be used for server-handler communication. Port 8433 is the default. McAfee
recommends that you change the port designation. See the discussion of Ports in the Server
and Agent Handler requirements section.
7 Type the ePO Admin User name and password of a user with global administrator
privileges. If these credentials are to be used for the database as well, click Next to start
the installation.
8 If you want to use different database credentials than those mentioned in step 7, follow
these additional steps:
a Deselect Use ePO Server's database credentials, then click Next.
b Type the name of the SQL database server.
c Select Windows Authentication or SQL Authentication, then type the credentials.
NOTE: These credentials must be previously defined in SQL Server.
9 Click Next. The installation process begins.

Logging on to ePolicy Orchestrator


Use this task to log on to the ePolicy Orchestrator. You must have valid credentials to do this.
Task
1 To launch the ePolicy Orchestrator software, open an Internet browser and go to the URL
of the server (for example: https://<servername>:8443). The Log On to ePolicy
Orchestrator dialog box appears.
NOTE: You can also double-click the McAfee ePolicy Orchestrator icon on the desktop to
launch ePolicy Orchestrator.
2 Type the User name and Password of a valid account, created during the installation of
the software.
NOTE: Passwords are case-sensitive.


3 Select the Language you want the software to display.
4 Click Log On.

How to navigate the ePO interface


Navigation in ePolicy Orchestrator 4.5 has been redesigned to make it faster and easier to find
the features and functionality you need. The interface now uses a single menu for all top-level
features of ePolicy Orchestrator, and a customizable navigation bar. Top-level features were
previously displayed as tabs when selecting a section.
For example, in ePolicy Orchestrator 4.0, when the Reporting section was selected, the top-level
features that were displayed included: Queries, Server Task Log, Audit Log, Event Log, and
MyAvert.
In version 4.5, all of these top-level features are accessed from the Menu. The following table
provides some examples of the change in navigation steps to arrive at a desired page.
To get to...          in version 4.0                          in version 4.5
The Audit Log         Click Reporting | Audit Log tab.        Click Menu and select User Management | Audit Log.
The Policy Catalog    Click Systems | Policy Catalog page.    Click Menu and select Policy | Policy Catalog.

The Menu

The Menu is new in version 4.5 of ePolicy Orchestrator software. The Menu uses categories
that comprise the various ePO features and functionalities. Each category contains a list of
primary feature pages associated with a unique icon. The Menu and its categories replace the static
group of section icons used to navigate the 4.0 version of the interface. For example, in the
4.5 version, the Reporting category includes all of the pages included in the 4.0 version Reporting
section, plus other commonly used reporting tools such as the Dashboards page. When an item
in the Menu is highlighted, its choices appear in the details pane of the interface.

The navigation bar

In ePolicy Orchestrator 4.5, the navigation bar is customizable. In the 4.0 version of the interface,
the navigation bar was comprised of a fixed group of section icons that organized functionality
into categories. Now you can decide which icons are displayed on the navigation bar by dragging
any Menu item on or off the navigation bar. When you navigate to a page in the Menu, or click
an icon in the navigation bar, the name of that page is displayed in the blue box next to the
Menu.
On systems with 1024x768 screen resolution, the navigation bar can display six icons. When
you place more than six icons on the navigation bar, an overflow menu is created on the right
side of the bar. Click > to access the Menu items not displayed in the navigation bar. The icons
displayed in the navigation bar are stored as user preferences, so each user's customized
navigation bar is displayed regardless of which console they log on to.


Set Up the ePolicy Orchestrator Server


The ePolicy Orchestrator repository is the central location for all McAfee product installations,
updates, and signature packages. The modular design of ePolicy Orchestrator allows new
products to be added as extensions. This includes new or updated versions of McAfee products,
such as VirusScan Enterprise, and non-McAfee products from McAfee partners. Packages are
components that are checked in to the master repository, then deployed to client systems.
For information about extensions and packages, see these topics in the ePolicy Orchestrator
4.5 Product Guide:
Extensions and what they do
Deployment packages for products and updates
Contents
Configuring a repository pull task
Checking the status of the pull task
Checking in the VirusScan Enterprise package manually

Configuring a repository pull task


For ePolicy Orchestrator to keep your client systems up-to-date, you must configure a repository
pull task that retrieves updates from a McAfee site (HTTP or FTP) at specified intervals. Use
this task to create a repository pull task that adds and updates the client software.
NOTE: A repository pull task was created for you automatically during installation.
Task
For option definitions, click ? in the interface.
1 Click Menu | Automation | Server Tasks.
2 In the list, find the task named Update Master Repository and, under the Actions
column, click Edit to open the Server Task Builder.
3 On the Description page, set Schedule status to Enabled, then click Next.
4 On the Actions page, there is a gray bar just below the page description labeled 1. Select
Repository Pull from the drop-down list.
5 Select Move existing packages to Previous branch, then click Next.
NOTE: This option allows ePolicy Orchestrator to maintain more than one day's signature
files, so you can roll back updates, if necessary. When the next pull task runs, today's
updates are moved to a directory on the server called Previous.

6 On the Schedule page, choose when you want ePolicy Orchestrator to check the McAfee
site for updates.

Schedule the task to run Daily, with No End Date.


Set Schedule to between 9:00am and 11:00pm.
Set every to two or three hours.
TIP: McAfee recommends checking for updates several times each day to ensure you have
the latest content.
7 Click Next.
8 On the Summary page, click Save. The console returns to the Server Tasks page.
9 Find the Update Master Repository task and, under the Actions column, click Run. This
immediately retrieves the current updates, and opens the Server Task Log.

Checking the status of the pull task


The Server Task Log is useful to show the status of the McAfee Pull task. Use this task to
verify that the Update Master Repository task has finished pulling updates from the McAfee
site.
Task
For option definitions, click ? in the interface.
1 Click Menu | Automation | Server Task Log.
2 In the list of tasks, find the Update Master Repository task.
3 The task is finished when the Status column reports Completed.

Checking in the VirusScan Enterprise package manually

Use this task to manually check in the VirusScan Enterprise deployment package to the master
repository so that ePolicy Orchestrator can deploy it.
Before you begin
You must have the VirusScan Enterprise 8.7i deployment package available in a temporary
directory. If you do not have the deployment package, you can download the McAfee
VirusScan Enterprise 8.7i Repost Patch 1 Evaluation version from:
https://secure.nai.com/apps/downloads/free_evaluations/default.asp.
You must have the appropriate permissions to perform this task.
NOTE: You cannot check in packages while pull or replication tasks are running.
Task
For option definitions, click ? in the page interface.
1 Click Menu | Software | Master Repository, then click Actions | Check In Package.
The Check In Package wizard opens.


2 Select the package type, then browse to and select the VirusScan Enterprise 8.7i deployment
package file.
NOTE: If you had downloaded the evaluation version of McAfee VirusScan Enterprise 8.7i
Repost Patch 1, then browse for the file VSE870MLRP1.ZIP.
3 Click Next. The Package Options page appears.
4 Confirm or configure the following:
Package info: Confirm this is the correct package.
Branch: Select the desired branch. If there are requirements in your environment to
test new packages before deploying them throughout the production environment,
McAfee recommends using the Evaluation branch whenever checking in packages. Once
you finish testing the packages, you can move them to the Current branch by clicking
Menu | Software | Master Repository.
Options: Select whether to:
Move the existing package to the Previous branch: When selected, moves
packages in the master repository from the Current branch to the Previous branch
when a newer package of the same type is checked in. Available only when you
select Current in Branch.
Add this package to the global update list: Adds the package to the Distributed
repository. A SuperAgent call also occurs, forcing the package to be installed on all
the managed systems.
Package signing: Specifies if the package is signed by McAfee or is a third-party
package.
5 Click Save to begin checking in the package. Wait while the package is checked in.
6 The new package appears in the Packages in Master Repository list on the Master Repository
tab.


Add Systems to Manage


The ePolicy Orchestrator System Tree organizes managed systems in units for monitoring,
assigning policies, scheduling tasks, and taking actions. These units are called groups, which
are created and administered by global administrators or users with the appropriate permissions,
and can include both systems and other groups. Before you start managing endpoint policies
for client systems on your network, you must add those systems to your System Tree.
There are several methods of organizing and populating the System Tree:
Manually structure your System Tree by creating your own groups and adding individual
systems.
Synchronize with Active Directory or NT domain as a source for systems. In the case of using
Active Directory, synchronization also provides System Tree structure.
Create your own groups based on IP ranges or subnets. This is called criteria-based sorting.
Import groups and systems from a text file.
The workflow in this section uses the manual approach to create a simple structure for evaluation.
While this method can be too slow when deploying ePolicy Orchestrator in a live network, it is
a useful way to add a small number of systems in your test network. You can try the other
approaches once you become familiar with ePolicy Orchestrator.
Contents
Creating your System Tree groups
Adding systems to your System Tree groups
Organizing new systems into your groups
Deploying the McAfee Agent
Verifying agent communication with ePolicy Orchestrator
More on working with the System Tree

Creating your System Tree groups


Use this task to add groups to your System Tree. For this exercise, we are creating two groups,
Servers and Workstations.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then click Group on the menu bar.
2 Highlight My Organization, then click System Tree Actions | New Subgroup.
3 Type Test Group, then click OK. The new group appears in the System Tree.


4 Highlight Test Group, click System Tree Actions | New Subgroup, type Servers, and
click OK.
5 Repeat Step 4, but type Workstations for the group name. Once you return to the Group
page, highlight Test Group. Your Servers and Workstations groups are listed on the Group
page. The sorting order should be the same as the order in which you created the groups.

Adding systems to your System Tree groups


Use this task to manually add a few test systems to your ePO System Tree.
Task
For option definitions, click ? in the interface.
1 In the System Tree, highlight the Workstations group and click System Tree Actions
| New Systems.
2 For How to Add Systems, select Add systems to the current group, but do not
deploy agents.
3 For Systems to Add, type the NetBIOS name for each system in the text box, separated
by commas, spaces, or line breaks. You can also click Browse to select systems.
4 Verify that System Tree sorting is disabled.
5 Click OK.
6 As needed, repeat these steps to add systems to your Servers group.

Organizing new systems into your groups


By performing the tasks in the previous sections, you now have several groups and systems in
your System Tree. In a live production environment, new systems contact the ePolicy
Orchestrator server, and need to be placed in the System Tree. This occurs if you installed the
McAfee Agent on new systems, through use of Rogue System Detection, or through another
method. In these cases, systems are placed in the Lost&Found group.
ePolicy Orchestrator has a powerful group sorting function that allows you to set up rules about
how systems sort themselves into your System Tree when they first contact the ePO server.
For details on this feature, refer to Criteria-based sorting in the McAfee ePolicy Orchestrator
4.5 Product Guide.
In this exercise, you will create a system sorting rule based on tags. ePolicy Orchestrator creates
two default tags, Server and Workstation, which you can use. The sorting rule does not function
until a system that is not in the System Tree calls in to the ePO server. You can also schedule
the sorting rule, or run it manually.
Use this task to create a sorting rule based on the default tags.
Task
For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then click Group Details on the menu bar.
2 Highlight Test Group.
3 At the top of the Group page, locate the label Sorting Criteria and click Edit.


4 Select Systems that match any of the criteria below (IP addresses and/or tags).
The page expands with additional options.
5 Click Add Tag(s).
6 From the drop-down menu, select Server, click the plus sign (+), then select Workstation.
7 Click Save.
8 In the System Tree, highlight My Organization.
9 In the Sorting Order list, find the entry for Test Group. In the Actions column, click
Move Up until the group is at the top of the list. Now this group is the first to be evaluated
when new systems are put into the System Tree.

Deploying the McAfee Agent


The McAfee Agent is the distributed component of ePolicy Orchestrator that must be installed
on each system in your network that you want to manage. The agent collects and sends
information to the ePO server. It also installs and updates the endpoint products, and applies
your endpoint policies. Systems cannot be managed by ePolicy Orchestrator unless the McAfee
Agent is installed.
Use this task to deploy the McAfee Agent to your client systems.
Before deploying the McAfee Agent, it is useful to verify communication between the server
and systems, and access to the default administrator share directory. Also, you might need to
create firewall exceptions.
Before you begin
Check that you can ping client systems by name. This demonstrates that the server can
resolve client names to an IP address.
Check for access to the default Admin$ share on the client systems: in the Windows interface,
click Start | Run, then type \\computer-name\admin$. If the systems are properly connected
over the network, your credentials have sufficient rights, and the Admin$ shared folder is
present, a Windows Explorer dialog box opens.
If an active firewall is running on any client systems, create an exception for Framepkg.exe.
This is the file ePolicy Orchestrator copies to the systems you want to manage.
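
The name-resolution, ping and Admin$ checks above can be run from the ePO server for a whole list of systems at once. The script below is an added example, not part of the McAfee guide; the function name Test-AgentPushReadiness and the system names are hypothetical, and the input takes the same comma, space, or line-break separated list of NetBIOS names that the Systems to Add box accepts.

```powershell
# Added example (not from the McAfee guide). Run on the ePO server in Windows
# PowerShell 3.0 or later, logged on with the account whose credentials you
# plan to supply for agent deployment.

function Test-AgentPushReadiness {
    param(
        # NetBIOS names separated by commas, spaces, or line breaks.
        [Parameter(Mandatory = $true)][string]$SystemList
    )

    $names = $SystemList -split '[,\s]+' | Where-Object { $_ -ne '' }

    foreach ($name in $names) {
        # 1. Can the server resolve the client name to an IP address?
        $addresses = @()
        try {
            $addresses = @([System.Net.Dns]::GetHostAddresses($name))
        } catch {
            # Resolution failed; $addresses stays empty.
        }
        $resolves = ($addresses.Count -gt 0)

        # 2. Does the client answer a ping by name?
        $pingOk = $false
        if ($resolves) {
            $pingOk = [bool](Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue)
        }

        # 3. Is the default Admin$ share reachable with the current credentials?
        #    Directory.Exists returns False (it does not throw) when the host is
        #    unreachable, the share is missing, or access is denied.
        $shareOk = $false
        if ($resolves) {
            $shareOk = [System.IO.Directory]::Exists(('\\{0}\admin$' -f $name))
        }

        [pscustomobject]@{
            System     = $name
            Resolves   = $resolves
            Address    = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ', '
            PingByName = $pingOk
            AdminShare = $shareOk
        }
    }
}

# Constructed sample input; replace with the names of your own test systems.
$sample = @"
WKSTN-01, WKSTN-02
SRV-01
"@

Test-AgentPushReadiness -SystemList $sample | Format-Table -AutoSize
```

A False in the AdminShare column corresponds to one of the three conditions listed above not being met: network connectivity, sufficient rights, or presence of the Admin$ share. The firewall exception for Framepkg.exe is not covered by this check.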
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then click Systems on the menu bar.
2 Highlight Test Group. If this group has no systems, but has subgroups with systems, click
the Level Filter drop-down list and select This Group and All Subgroups.
3 Select one or more systems from the list, and click Actions | Agent | Deploy Agents.
4 Type credentials that have rights to install software on client systems, such as a Domain
Administrator, and click OK.
It will take a few minutes for the McAfee Agent to install and for client systems to retrieve
and execute the installation packages for the endpoint products. When first installed, the
agent determines a random time within 10 minutes for connecting to the ePO server to
retrieve policies and tasks.


There are many other ways to deploy the McAfee Agent (see the ePolicy Orchestrator
Product Guide or Help).

Verifying agent communication with ePolicy Orchestrator

Once the initial agent-server communication has occurred, the agent polls the server once every
60 minutes by default. This is known as the Agent to Server Communication Interval or ASCI.
Every time this occurs, the agent retrieves policy changes and enforces the policies locally.
With the default ASCI, an agent that polled the server 15 minutes ago will not pick up any new
policies for another 45 minutes. However, you can force systems to poll the server with an
agent wake-up call. The wake-up call is useful when you need to force a policy change sooner
than the next communication would occur. It also allows you to force clients to run tasks, such
as an immediate update.
Use this task to verify whether your client systems are communicating with ePolicy Orchestrator.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then click Systems on the menu bar.
2 Highlight your Servers or Workstations group.
3 If an IP address and user name are listed, the agent on the client system is communicating
with the server.
4 If five to ten minutes pass and systems do not have an IP address and user name, select
Actions | Agent | Wake Up Agents.
If sending a wake-up call fails to retrieve an IP address and user name, other environmental
factors might be preventing the initial agent deployment. If this happens, you can copy
the agent installer, Framepkg.exe, from the ePO server and run it on the client systems.

More on working with the System Tree


You can use many types of groupings to organize your System Tree.
Along with groups, you can add tags to your systems to further identify them, using a trait
based on the system's properties. For details on this feature, refer to Organizing the System
Tree in the McAfee ePolicy Orchestrator 4.5 Product Guide.


Deployment Tasks
You have now created a System Tree, added some client systems, checked in the software,
and configured your policies. Next, you will schedule the deployment of VirusScan Enterprise.
Product deployment is accomplished using a client task that the McAfee Agent retrieves and
executes. You also use client tasks for scheduling scans and updating.
After creating the deployment and update tasks in this section, create a VirusScan Enterprise
On-Demand Scan task.
Contents
Creating a product deployment task
Creating a product update task
Verifying client software installation
Revisiting the PUP audit VirusScan policy
Resetting the On-Access Scan policy
Verifying the On-Demand Scan task

Creating a product deployment task


Use this task to create a client task that deploys VirusScan Enterprise 8.7 to a group of systems.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then click Client Tasks on the menu bar.
2 Highlight My Organization, then click New Task.
3 For Name, type McAfee Deployment.
4 For Type, select Product Deployment from the drop-down menu, then click Next.
5 On the Configuration page under Products and components, select VirusScan
Enterprise 8.7.0.xxx, set Action to Install and set Language to the language used
on your client systems.
6 Select Run at Every Policy Enforcement (Windows only), then click Next.
7 On the Schedule page, set these options, then click Next:
Schedule status: Enabled
Schedule type: Run Immediately
8 On the Summary page, click Save.


When deploying to a large number of systems in a production environment, McAfee
recommends using the Randomization option on the Schedule page. Task randomization
helps avoid client systems sending numerous simultaneous requests to the server. Typically
in a live environment, you might want to schedule deployments at specific times of the
day. Setting the schedule to Run Immediately speeds up the deployment process for
evaluation purposes.

Creating a product update task


Use this section to create a client task that updates the VirusScan engine and DATs.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then click Client Tasks on the menu bar.
2 Highlight Test Group, then click New Task.
3 For Name, type Daily Update.
4 For Type, select Product Update from the drop-down menu, then click Next.
5 On the Configuration page under Products and components, select McAfee Agent
for Windows 4.x.x.xxx, set Action to Install, select Engine and DAT, then click Next.
6 On the Schedule page, set Schedule type to Daily.
NOTE: If you are updating a large number of systems, McAfee recommends specifying
some randomization to stagger the client requests.
7 For Options, select Run missed task.
8 Set Schedule to Repeat Between, and set the time values to 7:00am, 6:59am, and
every 4 hours.
9 On the Summary page, click Save.


The time span for the schedule is an example only. Typically in a live environment, you
want to schedule client systems to check for updates throughout the day. The scheduling
options allow you to set up any schedule you require.
Systems that temporarily disconnect from your network (for example, laptops) continue to
run their assigned update tasks. In such a case, the laptop retrieves updates from the
McAfee site (rather than the ePO server) while in a hotel or anywhere there is an Internet
connection.

Verifying client software installation


Depending on how many products you deployed, the client installation process might take some
time to complete. You can verify client installations from the ePO server, or on the client systems
by right-clicking the McAfee system tray icon.
Use this task to verify client installations from the ePO server.
Task
For option definitions, click ? in the interface.


1 Click Menu | Systems | System Tree, then click Systems on the menu bar.
2 Highlight your Servers or Workstations group.
3 Select individual systems using the checkboxes, or use Select All in this Page or Select
All in all Pages.
4 Click Actions | Agent | Wake Up Agents.
5 If you are waking up a large number of systems, adding a few minutes of randomization
is useful. Click OK.
6 After a few minutes, click individual systems. The System Details page provides information
about the system, including the installed McAfee software.

Revisiting the PUP audit VirusScan policy


At this point, the software installation client tasks have run, or are running, and all the policies
you created in previous tasks are downloaded. If your test systems have clean, newly installed
operating systems, you might not have any PUP detections. For the purpose of this exercise,
assume that these items were detected on your clients:
The remote administration tool TightVNC.
A port scanner called SuperScan.
Most PUPs are detected with both the family and name of the application. For instance, the
port scanner called SuperScan is detected as PortScan-SuperScan, and TightVNC is detected
as RemAdm-TightVNC. This is the basic nomenclature for the "detection names" as provided
in ePO reports and local client log files.
After completing your audit of PUPs, use this task to create a new policy, based on your existing
Unwanted Programs Policies, and add any required exclusions. This task uses SuperScan
and TightVNC as examples. You do not need to enter these exclusions now; you can refer back
to this example if and when you need to make any actual exclusions.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then click Assigned Policies on the menu bar.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 Highlight Test Group.
4 To the right of Unwanted Programs Policies, click Edit Assignment.
5 Select Break inheritance and assign the policy and settings below.
6 Click New Policy.
7 Type a name for the policy, such as PUP exclusions for IT staff, and click OK. The Policy editor
opens.
8 In the Unwanted Program Exclusions area, type PortScan-SuperScan and click the plus symbol
(+) on the right.
9 Type RemAdm-TightVNC, click + again, and type Reg-TightVNC.


TightVNC also requires a "Reg" exclusion for the Windows Registry entries for this
application. This instructs the scanner not to clean the associated Registry entries for this
program. SuperScan does not require a Reg exclusion because it is a standalone executable.

10 Click Save.

11 From the Assigned policy drop-down menu, select the policy PUP exclusions for IT
staff, then click Save.
It is safer to exclude only the tools you use, rather than deselecting an entire category.
For example, considering remote administration tools, you might need to exclude a few
tools for normal operations, but you might also want to know if the McAfee AntiSpyware
module finds any non-approved, rogue tools of this nature on your network.
After completing the PUP audit, it is important that you change the VirusScan setting back
to Clean, and create a policy with exclusions. If you don't, you won't remove spyware.
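
The audit-then-exclude approach above, as an added example (not part of the McAfee guide): a Python sketch that reads a constructed list of PUP detections, proposes exclusions only for approved tools, and shows which detections would go unreported if whole families were excluded instead. The CSV layout, the system names and the names RemAdm-ExampleRemote and Adware-ExampleBar are assumptions made up for illustration, as is treating the family prefix as the category.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of audited PUP detections. The column names are an
# assumption, not an ePO export format; ExampleRemote/ExampleBar are made up.
SAMPLE_REPORT = """system,detection_name
ws-011,RemAdm-TightVNC
ws-011,Reg-TightVNC
ws-014,PortScan-SuperScan
srv-02,RemAdm-TightVNC
ws-027,RemAdm-ExampleRemote
ws-031,Adware-ExampleBar
"""

# Tools the IT staff has approved (the two used as examples in the guide).
APPROVED_TOOLS = {"SuperScan", "TightVNC"}


def split_detection(name):
    """Split a 'Family-Application' detection name into (family, application)."""
    family, sep, app = name.partition("-")
    if not (sep and family and app):
        raise ValueError(f"not a family-name detection: {name!r}")
    return family, app


def triage(report_text, approved_tools):
    """Return (exclusions to add, {unapproved detection: [systems]})."""
    exclusions = set()
    unapproved = defaultdict(set)
    for row in csv.DictReader(io.StringIO(report_text)):
        name = row["detection_name"].strip()
        _, app = split_detection(name)
        if app in approved_tools:
            exclusions.add(name)  # exclude this exact detection name only
        else:
            unapproved[name].add(row["system"].strip())
    return sorted(exclusions), {n: sorted(s) for n, s in sorted(unapproved.items())}


def hidden_by_family_exclusion(exclusions, unapproved):
    """Unapproved detections that share a family with an approved tool."""
    families = {split_detection(name)[0] for name in exclusions}
    return sorted(n for n in unapproved if split_detection(n)[0] in families)


if __name__ == "__main__":
    exclusions, unapproved = triage(SAMPLE_REPORT, APPROVED_TOOLS)
    print("Add to Unwanted Program Exclusions:", exclusions)
    for name, systems in unapproved.items():
        print("Not approved, leave detectable:", name, "on", systems)
    print("Would be missed with family-wide exclusions:",
          hidden_by_family_exclusion(exclusions, unapproved))
```

The Reg-TightVNC entry is picked up alongside RemAdm-TightVNC because both carry the approved application name, which matches the guide's point that TightVNC needs a separate "Reg" exclusion.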

Resetting the On-Access Scan policy


Previously, you created a new policy that instructed the on-access scanner to detect PUPs but
not clean them. Use this task to reapply the default scanner policy, which enables cleaning.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then click Assigned Policies on the menu bar.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 Highlight Test Group.
4 To the right of On-Access Default Processes Policies, click Edit Assignment.
5 From the Assigned policy drop-down menu, select My Default.
6 Select the radio button for the policy Audit for PUPs, which is either Global Root or My Organization, depending on your previous settings.
7 Click Save.

Verifying the On-Demand Scan task


In a previous exercise, you scheduled a recurring scan for the client system. As part of that
configuration, we instructed the scanner to temporarily only detect PUPs, and not to clean them.
Use this task to reset the option that enables cleaning during a scheduled scan.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then click Client Tasks on the menu bar.
2 Highlight Test Group.
3 Locate the scan task you created, then under the Actions column click Edit Settings.
4 On the first page of the task wizard, click Next.
5 On the Configuration page, click Actions, then in the When an Unwanted Program is Found drop-down menu, select Clean Files.
6 Click Save.
VirusScan will now clean any PUPs that you have not explicitly excluded. The next time
client systems communicate with the server, they will download your configuration changes.

Setting Policies
A policy is a collection of settings that you create, configure, then enforce. Policies ensure that
the managed security software products are configured and perform accordingly.
Some policy settings are the same as the settings you configure in the interface of the product
installed on the managed system. Other policy settings are the primary interface for configuring
the product or component. The ePolicy Orchestrator console allows you to configure policy
settings for all products and systems from a central location.
Policy categories
Policy settings for most products are grouped by category. Each policy category refers to a
specific subset of policy settings. Policies are created by category. In the Policy Catalog page,
policies are displayed by product and category. When you open an existing policy or create a
new policy, the policy settings are organized across tabs.
Where policies are displayed
To see all of the policies that have been created per policy category, click Menu | Policy |
Policy Catalog, then select a Product and Category from the drop-down lists. On the Policy
Catalog page, users can see only policies of the products to which they have permissions.
To see which policies, per product, are applied to a specific group of the System Tree, click
Menu | Systems | System Tree | Assigned Policies page, select a group, then select a
Product from the drop-down list.
NOTE: A McAfee Default policy exists for each category. You cannot delete, edit, export or
rename these policies, but you can copy them and edit the copy.
Contents
Creating policies for the McAfee Agent
Creating policies for VirusScan Enterprise
Assigning policies

Creating policies for the McAfee Agent


When evaluating McAfee ePolicy Orchestrator, it is useful to change the McAfee Agent policy
to display the system tray icon on client systems. This allows you to view the Agent Status
Monitor.
Another reason to change the McAfee Agent policy might be slow WAN connections to remote
offices, or a very large number of managed nodes.
For example, you might determine that systems communicating over slower links should contact
ePolicy Orchestrator every 180 minutes, which is eight times a day rather than the default of
24. For this case, you might create a policy called "Low bandwidth" or "3 hour polling" and
change the Agent to Server Connection Interval option to 180 minutes from the default
of 60.
NOTE: This functionality is enabled by the latest McAfee Agent 4.0 patch, which is included in the
ePolicy Orchestrator 4.5 evaluation software.
Use this task to create a policy that displays the McAfee Agent on client systems:
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select McAfee Agent.
3 On the line that lists McAfee Default, click Duplicate.
4 For Name, type Show Agent Icon, then click OK.
5 On the line that lists your new policy, click Edit.
6 Select the box next to Show the McAfee system tray icon, and click Save.
ePolicy Orchestrator provides you with the option to access the McAfee Agent log on each
system remotely. See the ePolicy Orchestrator Product Guide for details on this useful
troubleshooting tool.

Creating policies for VirusScan Enterprise


This section covers three examples of VirusScan Enterprise policies. The first is designed to
prevent users from making changes to VirusScan settings on their managed systems. The
second establishes database exclusions on servers. The third temporarily modifies the Unwanted
Programs Policy.
Tasks
Locking the local VirusScan console
Creating file exclusions on a server
Creating policies for the AntiSpyware Enterprise module

Locking the local VirusScan console


Use this task to modify the default VirusScan Enterprise User Interface Policy to prevent users
from tampering with the local VirusScan interface. VirusScan Enterprise runs on both workstations
and servers; therefore, the VirusScan policies have separate settings for each platform. In this
case, you want to make changes only to the workstation settings.
Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 From the Category drop-down menu, select User Interface Policies.
4 On the line that lists McAfee Default, click Duplicate.
5 For Name, type Lock VSE Console, then click OK.

6 On the line that lists your new Lock VSE Console policy, click Edit.
7 On the menu bar, click Password Options.
8 Make sure the Settings for option is set to Workstation.
9 For User interface password, select Password protection for all items listed.
10 Type a password in the boxes provided, then click Save.

Creating file exclusions on a server


Use this task to create a VirusScan policy that excludes two hypothetical database files on a
server. Creating these types of scanning exclusions is a typical practice on many database and
email servers.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then click Assigned Policies on the menu bar.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 Expand Test Group, then click your Servers group. This policy can be configured prior to adding systems to this group.
4 To the right of On-Access Default Processes Policies, click Edit Assignment.
5 For Inherit from, select Break inheritance and assign the policy and settings below.
6 For Assigned policy, click New Policy.
7 In the Create a new policy dialog box, for Policy Name, type Database AV Exclusions, then click OK. This opens the policy editor.
8 From the Settings for drop-down menu, select Server.
9 On the menu bar, click Exclusions.
10 For What not to scan, click Add.
11 In the dialog box, select By pattern and type data.mdf, then click OK. Click Add again, and type data.ldf as another exclusion, then click OK.
NOTE: Only the file name is specified in this task. In a real environment, you might want to specify a full path to narrow your exclusions.
12 Once both exclusions are listed, click Save.
13 From the Assigned policy drop-down menu, select Database AV Exclusions, then click Save.
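
The note in step 11 about narrowing exclusions, as an added example (not from the McAfee guide): a Python review helper that lists which files on a server a name-only exclusion would cover outside the intended data folder, compared with full-path entries. The file inventory and the D:\SQLData folder are constructed, and the matching rule (a name-only entry matches that file name in any folder, ignoring case) is an assumption of this example, not a description of VirusScan's matching engine.

```python
from pathlib import PureWindowsPath

# Constructed file inventory for one server; every path here is made up.
INVENTORY = [
    r"D:\SQLData\data.mdf",
    r"D:\SQLData\data.ldf",
    r"C:\Users\Public\Downloads\data.mdf",
    r"C:\Windows\Temp\DATA.LDF",
    r"D:\SQLData\archive\data.mdf.bak",
]


def is_name_only(exclusion):
    """True when the exclusion has no drive or folder part."""
    p = PureWindowsPath(exclusion)
    return not p.anchor and len(p.parts) == 1


def covered(exclusion, inventory):
    """Files an exclusion covers under this example's assumed matching:
    name-only entries match that file name in any folder, full paths match
    one location. Comparisons ignore case, as Windows paths do."""
    if is_name_only(exclusion):
        wanted = exclusion.lower()
        return [f for f in inventory if PureWindowsPath(f).name.lower() == wanted]
    return [f for f in inventory if PureWindowsPath(f) == PureWindowsPath(exclusion)]


def review(exclusions, inventory, data_dir):
    """Map each exclusion to the covered files that sit outside data_dir."""
    expected = PureWindowsPath(data_dir)
    return {
        e: [f for f in covered(e, inventory) if PureWindowsPath(f).parent != expected]
        for e in exclusions
    }


if __name__ == "__main__":
    for label, rules in (
        ("name only", ["data.mdf", "data.ldf"]),
        ("full path", [r"D:\SQLData\data.mdf", r"D:\SQLData\data.ldf"]),
    ):
        for rule, extra in review(rules, INVENTORY, r"D:\SQLData").items():
            print(f"{label}: {rule} also skips {extra or 'nothing else'}")
```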

Creating policies for the AntiSpyware Enterprise module


When the AntiSpyware module is installed, it is immediately active and cleans or deletes any
potentially unwanted programs (PUPs) it finds. While it detects and cleans spyware and adware,
there are other PUPs that you might not want it to clean, such as your IT department's
administrative tools. For example, you might have remote administrative tools, port scanners,
or password cracking utilities that your IT staff uses. Many of these tools have legitimate uses
on the network by administrators.

This section presents a methodology for handling PUPs on your network: detect them to discover
what exists, create exclusions for any with legitimate purposes, then configure the scanner to
block the remainder.
The task modifies the VirusScan On-Access Scan settings to log PUPs that it finds, but not delete
them. VirusScan continues to detect and clean viruses, worms, Trojan horses, and other threats.
The intent is to check for PUPs in "audit mode" for a few days or a week, check the PUP detection
reports in ePolicy Orchestrator, and identify your required exclusions. Later, you will change
the policy assignment so it once again cleans PUPs.
Use this task to modify the default VirusScan On-Access Scan policy so that PUPs are audited
on your managed systems.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 In the Category column, select On-Access Default Processes Policies.
4 On the line that lists McAfee Default, click Duplicate.
5 For Name, type Audit for PUPs, then click OK.
6 On the line that lists your new policy, click Edit.
7 From the Settings for drop-down menu, select Workstation.
8 On the menu bar, click Actions.
9 For When an unwanted program is found, select Allow access to files from the drop-down menu for the first action to perform. This disables the secondary action.
10 Click Save.

Assigning policies
Use these tasks to assign policies from the System Tree interface and assign the VirusScan
Enterprise policies.
Tasks
Assigning McAfee Agent policy
Assigning VirusScan Enterprise policies

Assigning McAfee Agent policy


You now have several policies to assign to the systems in your System Tree. For this part, you
will assign all the policies from the System Tree interface.
Task
For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then click Assigned Policies on the menu bar.
2 Highlight Test Group.
3 From the Product drop-down menu, select McAfee Agent.

4 On the line that lists My Default, click Edit Assignment.
5 For Inherit from, select Break inheritance and assign the policy and settings below.
6 From the Assigned Policy drop-down menu, select Show Agent Icon.
7 Click Save.

Assigning VirusScan Enterprise policies


Use this task to assign the VirusScan Enterprise policies.
NOTE: When you created the Database AV Exclusions policy, you also assigned it to the Servers
group.
Task
For option definitions, click ? in the interface.
1 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
2 On the line that lists User Interface Policies, click Edit Assignment.
3 For Inherit from, select Break inheritance and assign the policy and settings below.
4 From the Assigned Policy drop-down menu, select Lock VSE Console.
5 Click Save.
6 Click Save. When you return to the Policies page, you will see that On-Access Default Processes Policies has an entry in the Broken Inheritance column. This is because you already assigned the Database AV Exclusions policy to the Servers group.

Using Dashboards and Queries


Dashboards and queries provide various types of status information about your environment.
You can also create custom dashboards and queries.
By default, the only active dashboard after installation is the ePO Summary for 4.5 dashboard.
In this section, you will activate a second dashboard, change one of the monitors, run a
predefined query, and create a custom query.
NOTE: Default dashboards and queries are displayed only for the user that installs ePolicy
Orchestrator and ePO managed products. Before other users will be able to view these default
dashboards and queries, the installing user must make them public or shared.
Contents
Activating a dashboard
Changing a dashboard monitor

Activating a dashboard
To make a dashboard part of your active set on the tab bar of the Dashboards page, you
need to activate it.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Dashboards, click Options, then select Manage Dashboards. The Manage Dashboards page appears.
2 From the Dashboards list, highlight VSE: Current Detections, then click Make Active. The Make Active dialog box appears.
3 Click OK, then Close.
The VSE: Current Detections dashboard now appears on the tab bar. Take a moment to examine this dashboard and the information it provides.
NOTE: When first installed, VirusScan Enterprise will not have any detections to report on. As a result, the VSE: Current Detections dashboard will display a message stating that Query did not return any results. Over time, VirusScan Enterprise will make detections (based on your policy configuration) and display them in this dashboard.

Changing a dashboard monitor


Most default dashboards contain six monitors. If the default monitors do not give you the
information you want, you can change the set of monitors rather than create a new dashboard.

To view some information about VirusScan Enterprise and Potentially Unwanted Programs, you
will duplicate, then modify the VSE: Current Detections dashboard.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Dashboards, click Options, then select Manage Dashboards. The Manage Dashboards page appears.
2 From the Dashboards list, highlight VSE: Current Detections, then click Duplicate.
3 For Name, type VSE: Detections (custom), and click OK.
4 Click Edit.
5 Find the monitor named VSE: Threats Detected in the Last 24 Hours and click Delete.
6 Click New Monitor.
7 From the Category list, select Queries.
8 From the Monitor list, select VSE: DAT Deployment, then click OK.
9 Find the monitor named VSE: Threats Detected in the Last 7 Days and click Delete.
10 Click New Monitor.
11 From the Category list, select Queries.
12 From the Monitor list, select VSE: Top 10 Access Protection Rules Broken, then click OK.
13 Click Save.
14 Click Make Active, then when prompted, click OK.
15 Click Close.
16 On the Dashboards tab bar, click VSE: Detections (custom).
The two monitors you added display a pie chart (DAT Deployment), and a summary table
(Top 10 Access Protection Rules Broken). When creating your own queries, consider the
type of data you want to view, and how to display it.

Summary
Congratulations. By completing this guide, you have performed many of the common tasks
used in creating and maintaining a secure network environment.
Here is what you have accomplished:
1 Installed the McAfee ePolicy Orchestrator 4.5 software.
2 Enabled and run a task that updates the ePO master repository from the McAfee site.
3 Created a System Tree structure, and added test systems into groups.
4 Created and applied a new McAfee Agent policy that displays the system tray icon on managed systems.
5 Created and applied new policies for endpoint products, consisting of several VirusScan policies, including a policy to audit PUPs.
6 Created a deployment task to install VirusScan Enterprise on the client systems.
7 Created a client update task to keep the clients current.
8 Deployed the McAfee Agent.
9 Verified agent-server communication, and sent agent wake-up calls to ensure that your managed systems retrieved the new policies.
10 Modified the PUP audit policy with exclusions.
11 Reapplied the default on-access scan policy, and reset the on-demand scan task to clean PUPs.
12 Activated a dashboard and changed monitors on a dashboard.

References
Use the links in this section to access more information.
Support by Reading
Search McAfee's award-winning KnowledgeBase to find answers to questions.
Search the Knowledge base
For more information on ePolicy Orchestrator 4.5, refer to the following product documentation:
ePolicy Orchestrator 4.5
ePolicy Orchestrator 4.5 Product Guide
ePolicy Orchestrator 4.5 Installation Guide
License Management in ePolicy Orchestrator 4.5 FAQ
ePolicy Orchestrator 4.5 - Master list of release Support articles
VirusScan Enterprise 8.7i
VirusScan Enterprise 8.7i Installation Guide
VirusScan Enterprise 8.7i Product Guide
Access Protection in McAfee VirusScan Enterprise and Host Intrusion Prevention - Whitepaper
Support by Seeing
View tutorials
View video tutorials that address common issues and questions.
Support by Doing
Download Software Updates
Obtain the latest anti-virus definitions, product security updates and product versions. To get
product patches and maintenance releases you must be logged on to the ServicePortal.
Global Support Lab
Configure and walk through common issues in a live test environment.
