IT Help and Support

University Information Services

Domain preparation

Typically we talk about domains in the context of a Microsoft Active Directory domain but the principles can be applied to any managed environment.

Firewall exceptions

You need to prepare your systems to allow the main ePO server (128.232.131.41), additional agent handlers (128.232.131.42 & 128.232.132.77) and the Threat Intelligence Exchange servers (128.232.131.44 & 128.232.131.73), to connect and configure your computers and to allow traffic to return through any institutional border firewall or port blocking that you may have in place.

Ports used

Agent to server communication is via port 443 by default, so typically should not be impeded. For Admin access you will need to be able to access the following URL: https://epo.uis.cam.ac.uk:8443

ePO servers:

epo.uis.cam.ac.uk 128.232.131.41

handler.epo.uis.cam.ac.uk 128.232.131.42

handler-ext.epo.uis.cam.ac.uk 128.232.132.77

sql.epo.uis.cam.ac.uk 128.232.131.43

uis-epotie2 128.232.131.73

Service ports table

Bidirectional - A connection is initiated from either direction.
Inbound (to ePO servers) - Connection initiated by a remote system.
Outbound (from ePO servers) - Connection initiated by the local system.

Port   TCP/UDP   Service
80     TCP       Bidirectional connection to and from the ePO server and agent handler.
389    TCP       Outbound connection from the ePO server and agent handler.
443    TCP       Bidirectional connection to and from the ePO server and agent handler.
8081   TCP       Agent wake-up communication port opened by agents on endpoints to receive agent wake-up requests from the ePO server.
8082   UDP       UDP port that the SuperAgents use to forward messages from the ePO server/Agent Handler - not used as we don't use SuperAgents.
8443   TCP       TCP port that the ePO Application Server service uses to allow web browser UI access (console-to-application server communication port). Inbound connection to the ePO server from the ePO Console on any endpoint.
8444   TCP       TCP port that the Agent Handler uses to communicate with the ePO server - internal server-to-server communication.
8801   TCP       Security threats communication port.
8883   TCP       DXL/TIE communication from endpoints and TIE servers to DXL brokers.

These ports from the table above are required to allow functionality. Traffic to and from epo.uis.cam.ac.uk should be allowed into your network on these ports.
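The following script is an added example (not code from the original page or from Trellix) that turns the port table and server addresses above into a pre-check you can run from an endpoint inside your network before rolling the agent out. It encodes each port's stated direction, derives the host/port pairs an endpoint must be able to open outbound, and attempts a TCP connect to each one; ports that are listeners on the endpoint itself (8081) or ePO-internal (8444) are reported rather than probed. It assumes the DXL brokers for port 8883 are the two TIE servers, which the page does not state explicitly.

```python
"""Connectivity pre-check against the ePO addresses and service-port table above.

Added example, not from the original page. The hosts and port directions come
from the page; the assumption that the TIE servers are the DXL brokers does not.
"""
import socket
from dataclasses import dataclass

# Addresses listed on the page (128.232.131.44 has no hostname on the page).
EPO_SERVER = "128.232.131.41"
AGENT_HANDLERS = ["128.232.131.42", "128.232.132.77"]
TIE_SERVERS = ["128.232.131.44", "128.232.131.73"]  # assumed to host the DXL brokers


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str
    direction: str  # who opens the connection, taken from the page's wording
    service: str


# The service-port table from the page, with the stated direction made explicit.
PORT_TABLE = [
    PortRule(80, "TCP", "bidirectional", "ePO server / agent handler"),
    PortRule(389, "TCP", "outbound-from-epo", "LDAP from the ePO server / agent handler"),
    PortRule(443, "TCP", "bidirectional", "ePO server / agent handler (agent-to-server default)"),
    PortRule(8081, "TCP", "inbound-to-endpoint", "agent wake-up listener opened by the agent"),
    PortRule(8082, "UDP", "unused", "SuperAgent relay (not used by this service)"),
    PortRule(8443, "TCP", "inbound-to-epo", "ePO console (web UI) from admin workstations"),
    PortRule(8444, "TCP", "epo-internal", "agent handler to ePO server"),
    PortRule(8801, "TCP", "unspecified", "security threats communication port"),
    PortRule(8883, "TCP", "outbound-to-brokers", "DXL/TIE from endpoints and TIE servers to DXL brokers"),
]


def endpoint_outbound_targets(include_console=False):
    """(host, port) pairs an endpoint must be able to open, derived from the table."""
    targets = []
    for rule in PORT_TABLE:
        if rule.direction == "bidirectional":
            targets += [(host, rule.port) for host in [EPO_SERVER, *AGENT_HANDLERS]]
        elif rule.direction == "outbound-to-brokers":
            targets += [(host, rule.port) for host in TIE_SERVERS]
        elif rule.direction == "inbound-to-epo" and include_console:
            targets.append((EPO_SERVER, rule.port))  # only admin workstations need this
    return targets


def tcp_probe(host, port, timeout):
    """True if a TCP handshake completes; a filtered port normally times out instead."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_reachable(targets, timeout=3.0, probe=tcp_probe):
    """Map each target to True/False. `probe` is injectable so the logic runs offline."""
    return {(host, port): probe(host, port, timeout) for host, port in targets}


def blocked(results):
    """Targets that failed, sorted: the border-firewall exceptions still missing."""
    return sorted(target for target, ok in results.items() if not ok)


def endpoint_inbound_rules():
    """Host-firewall rules an endpoint needs so the ePO addresses can reach it."""
    return [(rule.port, rule.proto) for rule in PORT_TABLE if rule.direction == "inbound-to-endpoint"]


if __name__ == "__main__":
    results = check_reachable(endpoint_outbound_targets(include_console=True))
    for (host, port), ok in results.items():
        print(f"{host}:{port}\t{'open' if ok else 'BLOCKED'}")
    print("still blocked:", blocked(results))
    print("inbound rules needed on the endpoint:", endpoint_inbound_rules())
```

Run it from a representative client in each subnet you intend to manage; anything listed as blocked is a border-firewall exception still to be added, and the inbound rule list is what the client host firewall must accept from the ePO addresses for wake-up calls to work.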

Client configuration

Depending on your deployment method for the Agent you may need to enable certain features to allow the ePO server to remotely install an Agent and products onto your systems.

Windows example

Using Group Policy, add the following exception to your client firewalls:
Computer Configuration - Policies - Administrative Templates - Network/NetworkConnections/Windows Firewall/Domain Profile

  • Windows Firewall:  Define inbound program exceptions
    • FramePkg.exe

NOTE: Installing the Agent (by whatever means) adds the Framework Service as an exception to the firewall.

Windows user account control (UAC) group policy setting

If you have UAC enabled on your Windows desktops you will need to enable the policy outlined below. This allows the Agent and McAfee/Trellix products to be installed on client systems with UAC enabled, without UAC blocking the installation by requiring someone to answer a local administrator elevation prompt.
Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Security Options/User Account Control
User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode - Elevate without prompting

The ePO server

The ePolicy Orchestrator server is epo.uis.cam.ac.uk (128.232.131.41).  You can connect to the ePO console with the login provided at https://epo.uis.cam.ac.uk:8443/

Browser support

To connect to the ePO via the web you need to use a supported browser. ePO 5.10 supports web access using Edge, Firefox, Chrome and Safari. Other browsers/versions may receive some warning text at log-in.

Opera

To use Opera enter “about:config” into Opera's address bar. The resulting screen is the background settings section of Opera. Type "Spoof UserAgent ID" into the search text area to locate the correct setting:
There are only five values you can enter:

  1. Opera (this is the default user agent string used by Opera)
  2. Mozilla
  3. Internet Explorer
  4. Mozilla, without mentioning Opera (in other words, without saying that this is actually Opera but being spoofed as Mozilla)
  5. Internet Explorer, without mentioning Opera (in other words, without saying that this is actually Opera but being spoofed as IE)
  • Enter 2, 3, 4 or 5 and click save

System tree access

You have been given access to a portion of the System Tree based on the name of your institution. Systems will be tagged and sorted into your areas based on agreed criteria (See the Service outline and configuration section for details). You can add systems to the system tree using one or more of the methods outlined below. Please make sure that you use the correct McAfee/Trellix Agent for the hosted ePO service when not deploying directly from the ePO console. 

Agents are available to download here.

Adding Systems to the system tree and the agent

The McAfee/Trellix Agent provides three levels of functionality in an ePO environment:

  • Communication to the ePO server
  • Application of Policies to a workstation
  • Cleaning instructions

So to manage your systems you need to install the Agent from an ePO onto your workstations. This Agent carries the IP address and host name of the ePO server to define its communication paths; it tries the IP address first, then the FQDN and then the NetBIOS name.

A note on IPv6

ePO 5.10.0 (the current version) is IPv6 aware and capable. The current ePO server is using a mixed mode method of IP which means it will use IPv4 first and by preference but systems which are IPv6 capable can communicate with ePO.

Deploying the agent

There are several ways you can deploy the Agent to systems, we will outline the most common methods of deployment and advise each institution on the best way to proceed. Please make sure that you have prepared your systems (if necessary) as per the Domain preparation section.

It is possible to create an Agent installer package with embedded credentials if required.

Agents

Only install these agents on managed systems within institutions that have joined the service.

For use with Managed Endpoint Protection Service (updated 10/01/2024)

  • Windows - agent 5.8.1.313
  • Mac - agent 5.8.1.313
  • Linux - agent 5.8.1.313

Note: Some browsers may try to block the download because, due to the way it's produced and because it's regularly changed, it does not have a certificate. Please ignore the warnings and accept the download. The McAfee/Trellix Agent installation files are unsigned by design. The files are unique to each ePO environment, and while the package contains signed binaries that it installs, the wrapper executable itself can't be signed.

Agent deployment URL

An agent deployment URL can be made for each branch (or sub-branch) that can then be used on any machine to download and install the agent. This automatically puts the machine into the branch the agent deployment URL was created in.

Smart installer

Download and run the SmartInstall.exe

Deploying the agent using ePO

ePO can push the agent to systems provided you have administrative access to the systems and have created a firewall rule to allow Framepkg.exe to be deployed from the ePO server.

To do this you add systems to the system tree. You should do this by IP address.

  • Click the System Tree tab
  • Make sure My Organisation is open and your institution is selected
  • Click on System Tree Actions - New Systems
  • Select the top option – Push agents and add systems to the current group
  • Enter your systems' IP addresses in the Target Systems box.
  • Un-tick “Disable system tree sorting on these systems”
  • NOTE: This is very important. In order to minimise manual management of systems we are using tags to identify and sort systems in the system tree automatically.
  • Enter in your Domain/Administrative credentials.
  • Click OK to add the systems.

Deploying the agent using scripts

The FramePkg.exe file can be installed via a start-up script or similar if desired.  Typically a Computer start up script is the best way to do this as it ensures that the next time the system is booted the Agent will be installed.

Deploying the agent using group policy

You can deploy the agent via group policy using an MSI. This requires you to create an MSI from the .exe file.

The instructions on McAfee's pages don't work well, so use these instead:

  • Before you start, you need to have a share, on your local domain, that all your machines have at least read access to. This is usually a deployment share on a domain server. Once you create the files, this is where you'll put them. In this example, this share is YourServer\share\FramePkg, but in your domain it may be MedDent\files\Mcafee (or anything else you want it to be, as long as it's an accessible share for software installation)
  • Download FramePkg_x_x.exe to an empty folder on your desktop, and run the following command, after modifying it. Running the command will produce all the files you need, including SiteList.xml and the msi. The command must be run in the same directory as the frame package.
  • You will need to modify the command, to suit your environment. Modify YourServer\share\FramePkg, to reflect a shared filespace in your domain, where you will be putting the files produced after you run the command, and also modify FramePkg_x_x.exe to reflect the agent exe version
  • FramePkg_x_x.exe /GenGPOmsi /SiteInfo=\\YourServer\share\FramePkg\SiteList.xml /FrmInstLogLoc=c:\temp\mcafeeagent_install
  • Once you have edited it, run the command and it will produce the files you need to put into the folder on your share. The command writes the location of the SiteList.xml file into the msi files that are produced. You must make sure the SiteList.xml file is where you've said it will be, or the agent will install but not find the SiteList, and will run in unmanaged mode (not seeing the ePO server or downloading the ENS software)
  • Then create and apply a gpo for software install in the usual way:
    • Create a new Group Policy Object
    • Click Computer Configuration, Policies, Software Settings
    • Right-click Software installation and select New, Package
    • When prompted for a package, enter the network location of the MFEAgent_x64.msi file in the FramePkg folder
    • Select Assigned for the deployment method
  • Assign this GPO to all Organizational Units (OUs) that require the MA deployment
  • Restart all computers in these OUs
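The procedure above fails quietly if SiteList.xml is not at the UNC path baked into the MSI: the agent installs but runs unmanaged. The following is an added example (not code from the original page or from Trellix) of a pre-flight script that builds the /GenGPOmsi command line from the share path you chose and, before the GPO is assigned, confirms that SiteList.xml and the generated MFEAgent_x64.msi are actually present at that path. The share path, FramePkg_x_x.exe name and log directory are the page's own placeholders and must be changed for your environment.

```python
"""Pre-flight check for the GPO/MSI agent deployment described above.

Added example, not from the original page. Paths below are the placeholders
the page uses; replace them with your own share, agent exe and log location.
"""
import ntpath
import os
import subprocess
import sys

SHARE = r"\\YourServer\share\FramePkg"        # placeholder deployment share from the page
FRAMEPKG_EXE = "FramePkg_x_x.exe"             # placeholder; use the real agent exe name
LOG_DIR = r"c:\temp\mcafeeagent_install"      # log location used in the page's command
MSI_NAME = "MFEAgent_x64.msi"                 # MSI name the page tells you to assign via GPO


def gen_gpo_msi_command(share=SHARE, exe=FRAMEPKG_EXE, log_dir=LOG_DIR):
    """Argument list for the page's command, with SiteList.xml placed on the share.

    The /SiteInfo path is written into the MSI, so it must be the path clients
    will see, not a local folder on the machine where you run this.
    """
    return [
        exe,
        "/GenGPOmsi",
        f"/SiteInfo={ntpath.join(share, 'SiteList.xml')}",
        f"/FrmInstLogLoc={log_dir}",
    ]


def preflight(share=SHARE, exists=os.path.exists):
    """Return a list of problems; an empty list means the share is ready for the GPO.

    `exists` is injectable so the checks can be exercised without the share.
    """
    problems = []
    if not share.startswith("\\\\"):
        problems.append(f"share {share!r} is not a UNC path; clients resolve it over the network")
    for name in ("SiteList.xml", MSI_NAME):
        path = ntpath.join(share, name)
        if not exists(path):
            problems.append(f"missing {path}")
    return problems


if __name__ == "__main__":
    # Generate the package (Windows only, run from the folder holding FramePkg_x_x.exe),
    # copy the produced files to the share, then run the pre-flight before assigning the GPO.
    if sys.platform.startswith("win") and "--generate" in sys.argv:
        subprocess.run(gen_gpo_msi_command(), check=True)
    for problem in preflight() or ["share looks ready: SiteList.xml and MSI present"]:
        print(problem)
```

Run the pre-flight from a domain-joined machine that has only the read access your clients will have; that catches permission problems on the share as well as missing files.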

Deploying the agent via an image

To ensure that agent GUIDs are not duplicated, run the following command on the master system image where the McAfee/Trellix agent is installed for deployment on client systems:

  • maconfig -enforce -noguid

On non-Windows operating systems, the command is case sensitive and you must run the command with root permission using sudo. For example:

  • sudo /Library/McAfee/agent/bin/maconfig -enforce -noguid

The GUID is regenerated the next time the agent is started. So, it is important to run this command immediately before creating your system image, otherwise a new GUID might be assigned before the system image is created.

maconfig is a command-line tool provided with the agent for Windows and non-Windows operating systems. Its default location is:

  • Windows: Depending on whether the agent was upgraded from MA version 4.x or is a fresh installation, the agent can be found in one of the following directories:
    • C:\Program Files\McAfee\Agent\
    • C:\Program Files\McAfee\Common Framework\
    • C:\Program Files (x86)\McAfee\Common Framework
  • Linux: /opt/McAfee/agent/bin/
  • Apple OS X: /Library/McAfee/agent/bin/
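As an added example (not code from the original page or from Trellix), the following script performs the GUID-reset step above on whichever platform the master image runs: it looks for maconfig in the default directories listed on this page, runs `maconfig -enforce -noguid`, and prefixes the command with sudo on non-Windows systems as the page requires. The file name maconfig.exe on Windows is an assumption.

```python
"""Reset the agent GUID on a master image, immediately before capturing it.

Added example, not from the original page. Search paths are the page's default
agent locations; `maconfig.exe` as the Windows file name is an assumption.
"""
import os
import subprocess
import sys

# Default maconfig locations from the page, keyed by platform family.
CANDIDATES = {
    "win32": [
        r"C:\Program Files\McAfee\Agent\maconfig.exe",
        r"C:\Program Files\McAfee\Common Framework\maconfig.exe",
        r"C:\Program Files (x86)\McAfee\Common Framework\maconfig.exe",
    ],
    "linux": ["/opt/McAfee/agent/bin/maconfig"],
    "darwin": ["/Library/McAfee/agent/bin/maconfig"],
}


def platform_key(platform=sys.platform):
    if platform.startswith("win"):
        return "win32"
    return "darwin" if platform == "darwin" else "linux"


def find_maconfig(platform=sys.platform, exists=os.path.exists):
    """First candidate path that exists, or None if the agent is not installed."""
    for path in CANDIDATES[platform_key(platform)]:
        if exists(path):
            return path
    return None


def build_command(path, platform=sys.platform):
    """The page's command; root via sudo is required on non-Windows systems."""
    cmd = [path, "-enforce", "-noguid"]
    return cmd if platform_key(platform) == "win32" else ["sudo", *cmd]


def reset_guid_before_imaging(platform=sys.platform):
    """Run maconfig so the GUID is regenerated on the agent's next start.

    Capture the image straight after this returns; if the agent service restarts
    first, a new GUID is assigned before the image is taken and clones will share it.
    """
    path = find_maconfig(platform)
    if path is None:
        raise FileNotFoundError("maconfig not found in the default agent directories")
    subprocess.run(build_command(path, platform), check=True)
    return path


if __name__ == "__main__":
    print("ran maconfig from", reset_guid_before_imaging())
```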

Deploying the agent to OS X

Apple is releasing a new M1 silicon chip. The hardware runs x86_64 instructions using Apple's Rosetta 2 emulation layer.
The versions of McAfee Agent 5.6.x and earlier do not support this chip.
Support is provided with McAfee/Trellix Agent 5.7.0 and later.

The agent install package (install.sh) needs to be run on all OS X systems that you wish to install the ePO Agent to.

The package installer will write out a log file (/Library/Logs/ePO_install). You can check the Activity Monitor from /Applications/Utilities and search for the cma process to check that the agent process is running.

Uninstall any existing agent first.

Download this package and run the installer within.

After uninstalling, restart your computer.

Then install the latest ePO agent:

  1. Log on as an administrator or with root account privileges.
  2. Copy the install.sh file to the desktop of the Macintosh
  3. Open the Terminal.
  4. Navigate to the desktop.
  5. To begin the installation, type sudo ./install.sh -i and press Enter.
  6. Type the password when prompted. You are notified in the terminal window when the installation is complete.
  7. Reboot the Mac.

This should give you a clean install which should then (after a period of time) get the Mac AV client.

Additional Configuration for High Sierra (and later)

Due to the increased security in High Sierra, there are some additional configuration steps required once the product has installed.

  1. Restart the Mac.
  2. Wait for the McAfee/Trellix logo to appear (this can take some time as it won't appear until Endpoint Security for Mac has installed).
  3. Click the McAfee/Trellix logo and select Preferences.
  4. Choose the General pane and click the padlock.
  5. When prompted enter a username and password for an administrator level account.
  6. Set Threat Prevention to On.
  7. When prompted to approve the System Extension signed by McAfee click OK.
  8. Open System Preferences from the Applications folder and choose the Security & Privacy pane.
  9. Click Allow if the Mac reports "System software from developer McAfee, Inc was blocked from loading".

Deploying the agent to Linux (Ubuntu)

  1. Extract the install package
  2. Open Terminal, then switch to the location where you copied the installdeb.sh file
  3. chmod +x ./installdeb.sh
  4. sudo ./installdeb.sh -i

Agent Communication

To check communication (Windows):

  • Right click the McAfee/Trellix logo
  • Select Trellix Agent Status Monitor...
  • Click Collect and Send Props
  • Click Send Events
  • Click Check New Policies

If agent is failing to communicate

  • Navigate to C:\ProgramData\McAfee\Agent
  • Run Agent_x64.msi
  • Repeat steps in Check communication section

If agent is still failing to communicate (and communication previously worked/works on other machines on same network/range etc.) 

  • Download the Trellix removal tool
  • Tick Remove all Supported Products
  • After restart, install a new agent
  • Repeat steps in Check communication section
  • Check other McAfee products have reinstalled after 1 hour

Policies

Every product has a number of settings which can be set using policies in ePO. We have set up a basic set of policies and settings (See Default policy settings). You can have these applied to your systems or you can customise the settings yourself for one or more of the available policies.

Customising policies

To configure policies click the Assigned Policies tab in System Tree.

  • Select a product from the drop-down list and click on Edit Assignment for the category you want to configure.
  • Select “Break inheritance and assign the policy and settings below” and click on “New Policy”. Select My Default from the “Create a policy based on the existing policy” drop-down.
  • Enter a name for the new policy (it’s best to enter a name based on your organisation name and the category name e.g. “Maths On-Access General Policies”) and click OK twice.
  • Edit the policy to your requirements and click Save twice.
  • Repeat for all the other categories you wish to edit.

Automatic responses

You can create your own automatic responses to send emails to individuals or groups whenever an event occurs.

All automatic responses can be viewed but users only have permission to edit ones they have created.

  • Go to Menu > Automation > Automatic Responses > New Response button
  • Enter a name (preferably with your domain name included), select an event group and event type and set the status to “Enabled”.
  • To set up a response for “Malware detected but not handled” set Event group to “EPO Notification Events” and Event type to “Threat”.
  • Click “Next”
  • Select required properties from the list on the left hand side.
  • To set up a response for “Malware detected but not handled” select “Threat category”, leave “Belongs to” set and select “Malware detected” from the drop down list; then select “Threat handled”, leave “equals” set and select “False”.
  • Click “Next”
  • Choose required aggregation options. Decide if you want to be notified for every event or if multiple events occur within a set period of time. Decide if you want to group events on criteria such as Agent GUID or Threat category and set throttling to prevent multiple emails.
  • Click “Next”
  • Select “Send Email” from the drop down (at the top left of the screen that currently says “Run System Command”)
  • Enter an email address to send the response to.
  • Leave Importance set to “High”
  • Enter a subject and body text along with any variables selected from the drop down lists e.g.:
  • Value “Threat Category”, “Source Host Name”
  • Click “Next”
  • Review all settings and click “Save”

The dashboard

Dashboards are graphical information displays which can be customised by users of the ePO service. You will have had a basic new Dashboard for your institution created for you and you can add new private (or public) dashboards for yourself which can contain various graphs and charts of information.

Default dashboard

Each institution has a dashboard created for it which contains the following charts:

  • McAfee Labs Threat Advisory which displays the status of the repository and versions available in the ePO
  • Basic systems total for your Group
  • Systems Compliance chart (systems up to date and with the latest product installed)
  • Malware detection History

Creating your own dashboard

You may want to create your own dashboards. You can create custom queries on which the dashboard can be based.

  • Log in to the ePO server
  • Your default Dashboard will be displayed by default.
  • In the Dashboard Actions drop down select New.
  • Name your new dashboard and click OK
  • Click Add Monitor and drag required monitors to the dashboard area
  • Click Save then Close

Creating a new query

  • Log in to the ePO server
  • Click on the Queries & Reports tab
  • Ensure the Query tab is selected and click ‘New’
  • Select required Feature Group & Result Type
  • For this example use Events and Threat Events and click ‘Next’
  • Select required display and configure appropriately
  • For this example use Pie Chart and configure the slice values as Number of Threat Events, the labels as Threat Name and Sort by Value, click ‘Next’
  • Choose required columns (Unless you selected "Table" on the previous screen, this is a table accessed by clicking on the summary chart).
  • For this example leave the defaults and click ‘Next’
  • Select the criteria you want to use to narrow down the results
  • For this example select  Event Generated Time and choose ‘Is within the last’ ‘2’ and ‘Weeks’
  • Click ‘Save’
  • Enter a query name
  • For this example use ‘Threats in last 2 weeks’
  • Enter a group name if required
  • Click ‘Save’

Create the dashboard based on the query

  • Click on the Dashboards tab
  • Select ‘New’ from the Dashboard Actions drop-down menu
  • Enter a name for the dashboard and click ’OK’
  • Click ‘Add Monitor’
  • Drag ‘Queries’ into the dashboard area (if queries is not visible, click the right pointing arrow)
  • Select the required Monitor Content (your new query is usually selected by default but if not, select it from the drop-down list)
  • Set the Refresh Interval and click ‘OK’
  • Add additional monitors as required then click ‘Save’
  • Click ‘Close’
  • Your new dashboard is now available from the Dashboards drop-down menu

Running an On-Demand scan

To run an On-Demand scan, you must first make sure the machine(s) you wish to scan will receive the task:

  • Navigate to the ePO system tree
  • Select the required machine using the checkbox
  • Click Actions > Agent > Single System Troubleshooting.
    • If connection to the machine can be established, you will see either the agent log or an option to download it
    • If you don’t see either of these, you will not be able to send tasks manually to it
    • The most common reason for not being able to send tasks, even when you know a machine is on, is that the required communication ports are not open

Note: You can also use the above method to determine if machines will respond to an agent wake-up call

 Once you have established the machine will receive the task, follow these steps:

  • Navigate to the ePO system tree
  • Select the required machine
  • Click Actions > Agent > Run Client Task Now
  • Important step: Select the Options tab
  • Edit Stop Task on the Client After: to allow time for the scan to complete (3 hours or more is often required for a full system scan)
  • In the Product column, select Endpoint Security Threat Prevention
  • In the Task Type column, select the Policy-based On-Demand scan
  • In the Task Name column, select the required Full or Quick scan
  • Click Run Task Now

For the default Policy-based on-demand scans, users can pause or cancel the scan if required.

Scans will not run when a machine is on battery power or in presentation mode.

To pause or cancel a scan

  • Click the Trellix logo in the system tray
  • Select Trellix Endpoint Security
  • Click the Scan System button
  • View the active scan and pause or cancel as required 

Custom scans can be created, or custom On-Demand scan policies for the Policy-based On-Demand Scan can be applied to the required branch or sub-branch.

Contact anti-malware@uis.cam.ac.uk for more details 

Product removal

OS X

To uninstall McAfee/Trellix, users should refer to the Trellix documentation here.

Windows

ePO will usually manage the removal of the Agent and product. However, in cases where it doesn't or where a system was in ePO but the ePO server no longer exists you may need to do a manual removal.

As a last resort, and not recommended (by McAfee/Trellix) for use on a regular basis, a removal tool (expires 31/05/2024) is available, along with the usual help and advice via

Please note, this removal tool expires so you are forced to update it once a quarter to ensure you are using the latest removal tool, which contains new bug fixes or new functionality.

A removal tool user guide is available here.

To manually remove the agent from a managed PC open a command line and enter:
"C:\Program Files\McAfee\Agent\x86\frminst.exe" /forceuninstall

To manually remove Enterprise 8.8 use:
C:\Windows\System32\msiexec /x {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} REMOVE=ALL REBOOT=R /q

See https://kcm.trellix.com/corporate/index?page=content&id=KB52648

Ubuntu

Send removal task from ePO to remove ENS for Linux then remove the agent using:

sudo dpkg --remove MFEcma

MER Tool

Use this tool to provide logs when requested for problem escalation to McAfee/Trellix

MER tool - extract and run

McAfee GetClean

Use GetClean to submit known clean files that are being detected by McAfee/Trellix, so that they can be whitelisted.

Download the zip file, extract all files and run the exe. Choose the folder(s) you wish to scan. McAfee/Trellix will be sent details for analysis and should whitelist the files if they are clean.

A report will be sent to anti-malware@uis.cam.ac.uk (although this can be changed in the program settings) so please let me know if you run this program and wish to see the report.