Managed Endpoint Protection Service: guide for institutions

Domain preparation

Typically we talk about domains in the context of a Microsoft Active Directory domain but the principles can be applied to any managed environment.

Firewall exceptions

You need to prepare your systems to allow the main ePO server (128.232.131.41), an additional agent handler (128.232.131.42) and the Threat Intelligence Exchange server (128.232.131.44) to connect to and configure your computers, and to allow return traffic through any institutional border firewall or port blocking that you may have in place.

Ports used

Agent to server communication is via port 443 by default, so typically should not be impeded. For Admin access you will need to be able to access the following URL: https://epo.uis.cam.ac.uk:8443

ePO servers:

epo.uis.cam.ac.uk 128.232.131.41

handler.epo.uis.cam.ac.uk 128.232.131.42

sql.epo.uis.cam.ac.uk 128.232.131.43

uis-epotie.blue.cam.ac.uk 128.232.131.44

Service ports table

Bidirectional - A connection is initiated from either direction.
Inbound (to ePO servers) - Connection initiated by a remote system.
Outbound (from ePO servers) - Connection initiated by the local system.

Port   TCP/UDP   Service
80     TCP       Bidirectional connection to and from the ePO server and agent handler.
389    TCP       Outbound connection from the ePO server and agent handler.
443    TCP       Bidirectional connection to and from the ePO server and agent handler.
8081   TCP       Agent wake-up communication port opened by agents to receive agent wake-up requests from the ePO server.
8082   UDP       UDP port that the SuperAgents use to forward messages from the ePO server/agent handler.
8443   TCP       TCP port that the ePO Application Server service uses to allow web browser UI access; also the console-to-application server communication port (inbound connection to the ePO server from the ePO console).
8444   TCP       TCP port that the agent handler uses to communicate with the McAfee ePO server.
8801   TCP       Security threats communication port.
8883   TCP       DXL/TIE communication.

The ports in the table above are required for the service to function. Traffic to and from epo.uis.cam.ac.uk should be allowed into your network on these ports.
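An added check, not part of the UIS guide, that a client can reach the ePO servers on the TCP ports listed above before any agents are pushed. It assumes Windows 8.1 or later (for Test-NetConnection and Resolve-DnsName); which port is probed against which host is an assumption drawn from the table, and the UDP SuperAgent port (8082) cannot be probed this way.

```powershell
# Added example (not from the UIS guide): verify reachability of the ePO servers
# through any institutional border firewall, and that DNS returns the documented addresses.
# Host/port pairing below is an assumption based on the service ports table.
$Checks = @(
    @{ Host = 'epo.uis.cam.ac.uk';         Ip = '128.232.131.41'; Ports = 80, 443, 8443 },
    @{ Host = 'handler.epo.uis.cam.ac.uk'; Ip = '128.232.131.42'; Ports = 80, 443 },
    @{ Host = 'uis-epotie.blue.cam.ac.uk'; Ip = '128.232.131.44'; Ports = 8883 }
)

$Results = foreach ($c in $Checks) {
    # A name resolving to something other than the documented address points at a
    # split-horizon DNS or hosts-file problem rather than a firewall one.
    $resolved = (Resolve-DnsName -Name $c.Host -Type A -ErrorAction SilentlyContinue).IPAddress

    foreach ($p in $c.Ports) {
        # Test-NetConnection only probes TCP, so 8082/UDP is not covered here.
        $tcp = Test-NetConnection -ComputerName $c.Host -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host     = $c.Host
            Expected = $c.Ip
            Resolved = ($resolved -join ',')
            Port     = $p
            TcpOpen  = $tcp.TcpTestSucceeded
        }
    }
}

$Results | Format-Table -AutoSize

# Anything listed here needs a firewall exception (or a DNS fix) before deployment.
$Failed = $Results | Where-Object { -not $_.TcpOpen -or $_.Resolved -ne $_.Expected }
if ($Failed) {
    Write-Warning 'Some ePO reachability checks failed:'
    $Failed | Format-Table -AutoSize
}
```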

Client configuration

Depending on your deployment method for the Agent you may need to enable certain features to allow the ePO server to remotely install an Agent and products onto your systems.

Windows example

Using Group Policy add the following exceptions to your client firewalls.
Computer Configuration - Policies - Administrative Templates - Network/NetworkConnections/Windows Firewall/Domain Profile

  • Windows Firewall:  Define inbound program exceptions
    • FramePkg.exe

NOTE:  By installing the Agent (by whatever means) the Framework Service will be added as an exception to the firewall.

Windows user account control (UAC) group policy setting

If you have UAC enabled on your Windows desktops you will need to enable the policy outlined below. This allows the Agent and McAfee products to be installed on client systems with UAC enabled, without UAC blocking the installation by requiring a local administrator to respond to an elevation prompt.
Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Security Options/ User Account Control
User Account Control:  Behaviour of the elevation prompt for administrators in Admin approval mode - Elevate without prompting

The ePO server

The ePolicy Orchestrator server is epo.uis.cam.ac.uk (128.232.131.41).  You can connect to the ePO console with the login provided at https://epo.uis.cam.ac.uk:8443/

Browser support

To connect to ePO via the web you need to use a supported browser. ePO 5.10 supports web access using IE 11+, Firefox 45+, Chrome 51+ and Safari 10+. Other browsers/versions will receive some warning text at log-in.

Opera

To use Opera enter “about:config” into Opera's address bar. The resulting screen is the background settings section of Opera. Type "Spoof UserAgent ID" into the search text area to locate the correct setting. There are only five values you can enter:

  1. Opera (this is the default user agent string used by Opera)
  2. Mozilla
  3. Internet Explorer
  4. Mozilla, without mentioning Opera (in other words, without saying that this is actually Opera but being spoofed as Mozilla)
  5. Internet Explorer, without mentioning Opera (in other words, without saying that this is actually Opera but being spoofed as IE)
Enter 2, 3, 4 or 5 and click Save.

System tree access

You have been given access to a portion of the System Tree based on the name of your institution. Systems will be tagged and sorted into your areas based on agreed criteria (See the Service outline and configuration section for details). You can add systems to the system tree using one or more of the methods outlined below. Please make sure that you use the correct McAfee Agent for the hosted ePO service when not deploying directly from the ePO console. 

Agents are available to download here.

Adding Systems to the system tree and the agent

The McAfee Agent provides three levels of functionality in an ePO environment:

  • Communication to the ePO server
  • Application of Policies to a workstation
  • Cleaning instructions

So to manage your systems you need to install the Agent from an ePO onto your workstations. This Agent holds the IP address and host name of the ePO server to define its communication paths; it tries the IP address first, then the FQDN and then the NetBIOS name.

A note on IPv6

ePO 5.10.0 (the current version) is IPv6 aware and capable. The current ePO server uses a mixed-mode IP configuration, which means it uses IPv4 first and by preference, but systems which are IPv6 capable can still communicate with ePO.

Deploying the agent

There are several ways you can deploy the Agent to systems. We outline the most common methods of deployment below and will advise each institution on the best way to proceed. Please make sure that you have prepared your systems (if necessary) as per the Domain preparation section.

It is possible to create an Agent installer package with embedded credentials if required.

Agents

Only install these agents on managed systems within institutions that have joined the service.

New ePO Server

For use with new ePO server

  • Windows - agent 5.6.2.209
  • Mac - agent 5.6.2.209
  • Linux - agent 5.6.2.209


Agent deployment URL

An agent deployment URL can be made for each branch (or sub-branch) that can then be used on any machine to download and install the agent. This automatically puts the machine into the branch the agent deployment URL was created in.

Smart installer

Download and run the McAfeeSmartInstall.exe

Deploying the agent using ePO

ePO can push the agent to systems provided you have administrative access to the systems and have created a firewall rule to allow Framepkg.exe to be deployed from the ePO server.

To do this you add systems to the system tree. You should do this by IP address.

  • Click the System Tree tab
  • Make sure My Organisation is open and your institution is selected
  • Click on System Tree Actions - New Systems
  • Select the top option – Push agents and add systems to the current group
  • Enter your systems' IP addresses in the Target Systems box.
  • Un-tick “Disable system tree sorting on these systems”
  • NOTE:  This is very important.  In order to minimise manual management of systems we are using tags to identify and sort systems in the system tree automatically.
  • Enter in your Domain/Administrative credentials.
  • Click OK to add the systems.

Deploying the agent using scripts

The FramePkg.exe file can be installed via a start-up script or similar if desired.  Typically a computer start-up script is the best way to do this, as it ensures that the Agent will be installed the next time the system is booted.

Deploying the agent using group policy

You can deploy the agent via group policy using an MSI. This requires you to create an MSI from the .exe file.

The instructions on McAfee's pages don't work well, so use these instead:

  • Before you start, you need to have a share, on your local domain, that all your machines have at least read access to. This is usually a deployment share on a domain server. Once you create the files, this is where you'll put them. In this example, this share is YourServer\share\FramePkg, but in your domain it may be MedDent\files\Mcafee
  • Download FramePkg_x_x.exe to an empty folder on your desktop and run the following command after modifying it. Running the command will produce all the files you need, including SiteList.xml and the MSI.
  • You will need to modify the command to suit your environment. Change YourServer\share\FramePkg to reflect a shared filespace in your domain where you will be putting the files produced by the command, and change FramePkg_x_x.exe to reflect the agent exe version:
  • FramePkg_x_x.exe /GenGPOmsi /SiteInfo=\\YourServer\share\FramePkg\SiteList.xml /FrmInstLogLoc=c:\temp\mcafeeagent_install
  • Once you have edited it, run the command and it will produce the files you need to put into the folder on your share
  • Then create and apply a gpo for software install in the usual way:
    • Create a new Group Policy Object
    • Click Computer Configuration, Policies, Software Settings
    • Right-click Software installation and select New, Package
    • When prompted for a package, enter the network location of the MFEAgent_x64.msi file in the FramePkg folder
    • Select Assigned for the deployment method
  • Assign this GPO to all Organizational Units (OUs) that require the MA deployment
  • Restart all computers in these OUs

Deploying the agent to OS X

The agent install package (install.sh) needs to be run on all OS X systems that you wish to install the ePO Agent to.

The package installer will write out a log file (/Library/Logs/ePO_install). You can check the Activity Monitor from /Applications/Utilities and search for the cma process to check that the agent process is running.

Uninstall any existing agent first.

Download this package and run the installer within.

After uninstalling, restart your computer.

Then install the latest ePO agent:

  1. Log on as an administrator or with root account privileges.
  2. Copy the install.sh file to the desktop of the Macintosh.
  3. Open the Terminal.
  4. Navigate to the desktop.
  5. To begin the installation, type sudo ./install.sh -i and press Enter.
  6. Type the password when prompted. You are notified in the terminal window when the installation is complete.
  7. Reboot the Mac.

This should give you a clean install, which should then (after a period of time) get the Mac AV client.

Additional Configuration for High Sierra (and later)

Due to the increased security in High Sierra, there are some additional configuration steps required once the product has installed.

  1. Restart the Mac.
  2. Wait for the McAfee shield to appear (this can take some time as it won't appear until Endpoint Security for Mac has installed).
  3. Click the McAfee shield and select Preferences.
  4. Choose the General pane and click the padlock.
  5. When prompted enter a username and password for an administrator level account.
  6. Set Threat Prevention to On.
  7. When prompted to approve the System Extension signed by McAfee click OK.
  8. Open System Preferences from the Applications folder and choose the Security & Privacy pane.
  9. Click Allow if the Mac reports "System software from developer McAfee, Inc was blocked from loading".

Deploying the agent to Linux (Ubuntu)

  1. Extract the install package.
  2. Open Terminal, then switch to the location where you copied the installdeb.sh file.
  3. $ chmod +x ./installdeb.sh
  4. $ sudo ./installdeb.sh -i

Policies

Every product has a number of settings which can be set using policies in ePO.  We have set up a basic set of policies and settings (See Default policy settings).  You can have these applied to your systems or you can customize the settings yourself for one or more of the available policies.

Customising policies

To configure policies click the Assigned Policies tab in System Tree.

  • Select a product from the drop-down list and click on Edit Assignment for the category you want to configure.
  • Select “Break inheritance and assign the policy and settings below” and click on “New Policy”. Select My Default from the “Create a policy based on the existing policy” drop-down.
  • Enter a name for the new policy (it’s best to enter a name based on your organisation name and the category name e.g. “Maths On-Access General Policies”) and click OK twice.
  • Edit the policy to your requirements and click Save twice.
  • Repeat for all the other categories you wish to edit.

Automatic responses

You can create your own automatic responses to send emails to individuals or groups whenever an event occurs.

All automatic responses can be viewed but users only have permission to edit ones they have created.

  • Go to Menu > Automation > Automatic Responses > New Response button
  • Enter a name (preferably with your domain name included), select an event group and event type and set the status to “Enabled”.
  • To set up a response for “Malware detected but not handled” set Event group to “EPO Notification Events” and Event type to “Threat”.
  • Click “Next”
  • Select required properties from the list on the left hand side.
  • To set up a response for “Malware detected but not handled”: select “Threat category”, leave “Belongs to” set and select “Malware detected” from the drop-down list; then select “Threat handled”, leave “equals” set and select “False”.
  • Click “Next”
  • Choose required aggregation options. Decide if you want to be notified for every event or if multiple events occur within a set period of time. Decide if you want to group events on criteria such as Agent GUID or Threat category and set throttling to prevent multiple emails.
  • Click “Next”
  • Select “Send Email” from the drop down (at the top left of the screen that currently says “Run System Command”)
  • Enter an email address to send the response to.
  • Leave Importance set to “High”
  • Enter a subject and body text along with any variables selected from the drop down lists e.g.:
  • Value “Threat Category”, “Source Host Name”
  • Click “Next”
  • Review all settings and click “Save”

The dashboard

Dashboards are graphical information displays which can be customised by users of the ePO service. You will have had a basic new Dashboard for your institution created for you and you can add new private (or public) dashboards for yourself which can contain various graphs and charts of information.

Default dashboard

Each institution has a dashboard created for it which contains the following charts:

  • McAfee Labs Threat Advisory which displays the status of the repository and versions available in the ePO
  • Basic systems total for your Group
  • Systems Compliance chart (systems up to date and with the latest product installed)
  • Malware detection History

Creating your own dashboard

You may want to create your own dashboards. You can create custom queries on which the dashboard can be based.

  • Log in to the ePO server
  • Your default Dashboard will be displayed by default.
  • In the Dashboard Actions drop down select New.
  • Name your new dashboard and click OK
  • Click Add Monitor and drag required monitors to the dashboard area
  • Click Save then Close

Creating a new query

  • Log in to the ePO server
  • Click on the Queries & Reports tab
  • Ensure the Query tab is selected and click ‘New’
  • Select required Feature Group & Result Type
  • For this example use Events and Threat Events and click ‘Next’
  • Select required display and configure appropriately
  • For this example use Pie Chart and configure the slice values as Number of Threat Events, the labels as Threat Name and Sort by Value, click ‘Next’
  • Choose required columns (Unless you selected "Table" on the previous screen, this is a table accessed by clicking on the summary chart).
  • For this example leave the defaults and click ‘Next’
  • Select the criteria you want to use to narrow down the results
  • For this example select  Event Generated Time and choose ‘Is within the last’ ‘2’ and ‘Weeks’
  • Click ‘Save’
  • Enter a query name
  • For this example use ‘Threats in last 2 weeks’
  • Enter a group name if required
  • Click ‘Save’

Create the dashboard based on the query

  • Click on the Dashboards tab
  • Select ‘New’ from the Dashboard Actions drop-down menu
  • Enter a name for the dashboard and click ’OK’
  • Click ‘Add Monitor’
  • Drag ‘Queries’ into the dashboard area (if queries is not visible, click the right pointing arrow)
  • Select the required Monitor Content (your new query is usually selected by default, but if not, select it from the drop-down list)
  • Set the Refresh Interval and click ‘OK’
  • Add additional monitors as required, then click ‘Save’
  • Click ‘Close’
  • Your new dashboard is now available from the Dashboards drop-down menu

Product removal

OS X

To uninstall McAfee, download this package and run the installer within.

NOTE: You may have to set the eXecute bit on the file before you can run the scripts.

Windows

ePO will usually manage the removal of the Agent and product. However, in cases where it doesn't or where a system was in ePO but the ePO server no longer exists you may need to do a manual removal.

As a last resort, and not recommended (by McAfee) for use on a regular basis, a removal tool is available, along with the usual help and advice via

Please note, this removal tool expires so you are forced to update it once a quarter to ensure you are using the latest removal tool, which contains new bug fixes or new functionality.

A removal tool user guide is available here.

To manually remove the agent from a managed PC open a command line and enter: 
C:\Program Files\McAfee\Agent\x86\frminst.exe /forceuninstall 

To manually remove Enterprise 8.8 use: C:\Windows\System32\msiexec /x {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} REMOVE=ALL REBOOT=R /q 
see https://kc.mcafee.com/corporate/index?page=content&id=KB71179 
and 
https://kc.mcafee.com/corporate/index?page=content&id=KB52648.

Ubuntu

Send removal task from ePO to remove ENS for Linux then remove the agent using:

sudo dpkg --remove MFEcma

MER Tool

Use this tool to provide logs when requested for problem escalation to McAfee.

MER tool - extract and run
