ePolicy Orchestrator Architecture and Concepts
Indrajit Majumder
Agenda
Define ePolicy Orchestrator.
McAfee Architecture for NIC.
Repository.
Rogue Sensor System.
Installation, Update and Uninstallation.
User Awareness.
What is ePolicy Orchestrator?
ePolicy Orchestrator (ePO) is a management tool from McAfee that provides centralized anti-virus management, security policy management and policy enforcement.
Usage of ePolicy Orchestrator:
1. Deploy McAfee products.
2. Update the products.
3. Enforce and manage policies.
Components
The ePolicy Orchestrator software contains the following components:
The ePolicy Orchestrator Server: the management server and the repository for all data collected from the distributed ePolicy Orchestrator agents.
The ePolicy Orchestrator Console: a clear, understandable view of all virus activity and status, with the ability to manage and deploy agents and products.
The ePolicy Orchestrator Agent: an intelligent link between the ePolicy Orchestrator Server and the anti-virus and security products, which enforces policies and tasks on client computers.
Communication Ports
Ports used for communication in ePolicy Orchestrator:
Agent to Server communication port: 80
Console to Server communication port: 81
Agent Wake-Up communication port: 8081
Agent Broadcast communication port: 8082
Sensor to Server communication port: 8444
Security Threats HTTP port: 8801
MCAFEE ARCHITECTURE FOR NIC
REPOSITORY
What is a Repository?
A repository is a location (folder) that contains all virus updates, SuperDATs, patches for all McAfee products, signatures, McAfee default policies, etc.
Components of the Repository
Source Repository (the McAfee sites listed in Updates.ini).
Master Repository (NIC-800000-EPO1, placed in the Head Office).
Distributed Repositories (in the 24 Regional Offices).
Client machines (in all Operating Offices).
Source Repository
A Source Repository is the location from which the Master Repository retrieves updates.
Scheduled from 8:00 PM onwards.
Sources: http://update.nai.com/Products/CommonUpdater and ftp://ftp.nai.com/CommonUpdater.
Master Repository
The Master Repository maintains a copy of the Source Repository.
The Master Repository distributes (PUSH) all the packages to the Distributed Repositories (scheduled from 5:00 AM to 9:00 AM).
The Master Repository is placed in the Head Office, on NIC-800000-EPO1.
Distributed Repository
The Distributed Repository maintains a duplicate copy of the Master Repository.
The Distributed Repository (DR) PULLs all the packages from the Master Repository.
Client computers retrieve updates from the Distributed Repository.
Clients
Clients in the Operating Offices running McAfee Antivirus retrieve updates from their respective Regional Offices.
Scheduled from 11:00 AM to 11:45 AM.
Normally clients download new policies from the ePO Server (NIC-800000-EPO1), and the SDAT from the Distributed Repository.
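As an added illustration (not from this deck and not McAfee tooling), the check below applies the sync windows above to a snapshot of DAT versions per tier, separating lag that is simply waiting for its window from lag that points at a broken replication link; tier names, DAT versions and clock times are constructed.

```python
"""Added example: flag DAT replication lag in the Source -> Master ->
Distributed -> Clients chain against the deck's sync windows.
Tier names, DAT versions and clock times below are constructed."""
from datetime import time

# Sync windows from the deck: tier -> (upstream tier, window start, window end).
# The Source pull is "8:00 PM onwards" with no stated end; it is assumed here to
# finish by end of day, so a Master behind Source reads as pending, not stale.
WINDOWS = {
    "master":      ("source",      time(20, 0), time(23, 59, 59)),
    "distributed": ("master",      time(5, 0),  time(9, 0)),
    "client":      ("distributed", time(11, 0), time(11, 45)),
}

def _clock(hhmm):
    hours, minutes = (int(part) for part in hhmm.split(":"))
    return time(hours, minutes)

def lag_report(dat_versions, now_hhmm):
    """dat_versions: {tier: DAT version number}; now_hhmm: local time "HH:MM".
    Returns (tier, upstream, status) per tier, where status is 'ok' (at or
    ahead of upstream), 'pending' (behind, but today's window has not closed
    yet) or 'stale' (still behind after the window closed: check the link)."""
    now, findings = _clock(now_hhmm), []
    for tier, (upstream, _start, end) in WINDOWS.items():
        mine, theirs = dat_versions[tier], dat_versions[upstream]
        if mine >= theirs:
            status = "ok"
        elif now <= end:
            status = "pending"
        else:
            status = "stale"
        findings.append((tier, upstream, status))
    return findings

def stale_tiers(dat_versions, now_hhmm):
    """Only the tiers an operator needs to act on."""
    return [t for t, _u, s in lag_report(dat_versions, now_hhmm) if s == "stale"]

if __name__ == "__main__":
    # Constructed snapshot: HO is current, one regional DR missed the 5-9 AM push.
    snapshot = {"source": 5600, "master": 5600, "distributed": 5599, "client": 5598}
    for when in ("07:00", "12:00"):
        print(when, lag_report(snapshot, when), "stale:", stale_tiers(snapshot, when))
```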
Repository Flow Chart
Rogue Sensor System
Rogue System Detection means finding unmanaged computers in your network or subnet.
Rogue means "computers which do not have an ePolicy Orchestrator Agent", that is, a computer that is not managed by an ePO agent but should be.
The Rogue System Detection system helps you monitor all the systems on your network: not only the ones ePO already manages, but also the rogue systems (systems without an agent).
Rogue System Detection integrates with your ePO Server to provide real-time detection of rogue systems.
A Rogue sensor is placed on each network broadcast segment.
Rogue Sensor System (cont...)
In NIC, Rogue Sensors are placed on the Genisys Server of each Operating Office. They detect all the rogue machines in their network and send a report to the ePO Server (NIC-800000-EPO1) placed in HO.
HOW IT WORKS?
The sensor is a small Win32 native executable application. We deploy at least one sensor to each broadcast segment. The sensor runs on any NT-based Windows operating system.
To detect systems on the network, the sensor uses WinPcap, an open source packet capture library. Using WinPcap, the Rogue System Detection sensor captures layer-two network broadcast packets sent by computers connected to the same network broadcast segment.
Rogue Sensor System (cont...)
The sensor listens for Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), and IP traffic.
The sensor is able to "listen" to the broadcast traffic of that whole part of the network, from rogue computers, printers, routers, switches and all other devices.
The Rogue sensor gathers information including the DNS name, IP, MAC address, NetBIOS name, operating system version, and the list of currently logged-in users, and then sends all of it to the ePO Server (NIC-800000-EPO1) placed in HO.
The Sensor-to-Server communication port is 8444.
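Added example of the detection logic just described, written here rather than taken from the McAfee sensor: it parses constructed ARP/RARP and IPv4 broadcast frames for the sender MAC and IP and compares them with a managed-host list that stands in for the ePO agent inventory (keying that inventory by MAC is an assumption; the DNS, NetBIOS, OS and user fields the real sensor adds are not modelled).

```python
"""Added example, not the McAfee sensor's code: identify rogue senders on a
broadcast segment from constructed layer-2 frames (no WinPcap capture)."""
import struct

ETH_IPV4, ETH_ARP, ETH_RARP = 0x0800, 0x0806, 0x8035
BCAST = b"\xff" * 6

def build_arp_request(src_mac, src_ip, target_ip):
    """Constructed Ethernet II frame carrying an ARP 'who-has' broadcast."""
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1)  # Ethernet/IPv4, opcode 1
    return BCAST + src_mac + struct.pack("!H", ETH_ARP) + arp + src_mac + src_ip + bytes(6) + target_ip

def build_ipv4_bcast(src_mac, src_ip, dst_ip):
    """Constructed Ethernet II frame with a minimal IPv4 header (UDP, zero checksum)."""
    ip_hdr = bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 17, 0) + src_ip + dst_ip
    return BCAST + src_mac + struct.pack("!H", ETH_IPV4) + ip_hdr

def parse_sender(frame):
    """Return (mac, ip) of the sender for ARP/RARP and IPv4 frames, else None."""
    if len(frame) < 14:
        return None
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype in (ETH_ARP, ETH_RARP) and len(frame) >= 42 and frame[18:20] == b"\x06\x04":
        mac, ip = frame[22:28], frame[28:32]   # ARP sender hardware / protocol address
    elif etype == ETH_IPV4 and len(frame) >= 34 and frame[14] >> 4 == 4:
        mac, ip = frame[6:12], frame[26:30]    # Ethernet source MAC, IPv4 source address
    else:
        return None
    return (":".join(f"{b:02x}" for b in mac), ".".join(str(b) for b in ip))

def find_rogues(frames, managed_macs):
    """Distinct senders whose MAC is not in the managed inventory, as (mac, ip)."""
    seen = {}
    for frame in frames:
        sender = parse_sender(frame)
        if sender and sender[0] not in managed_macs:
            seen[sender[0]] = sender[1]
    return sorted(seen.items())

# Constructed sample: one host already reporting to ePO, two that are not.
MANAGED = {"00:11:22:33:44:55"}
FRAMES = [
    build_arp_request(bytes.fromhex("001122334455"), bytes([10, 80, 1, 10]), bytes([10, 80, 1, 1])),
    build_arp_request(bytes.fromhex("aabbccddeeff"), bytes([10, 80, 1, 77]), bytes([10, 80, 1, 1])),
    build_ipv4_bcast(bytes.fromhex("deadbeef0001"), bytes([10, 80, 1, 200]), bytes([10, 80, 1, 255])),
    BCAST + bytes.fromhex("deadbeef0001") + struct.pack("!H", 0x86DD),  # IPv6, not parsed here
]

if __name__ == "__main__":
    for mac, ip in find_rogues(FRAMES, MANAGED):
        print(f"rogue: {mac} {ip}")
```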
INSTALLATION
Installation of ePO Agent. (FramePkg.exe)
Installation of VirusScan Enterprise (setupvse.exe)
Update of ePO Agent and VirusScan Enterprise.
Distributed Repository selection.
Uninstallation.
ePO Agent Installation
All of these files are available in the McAfee package. First we install the ePO agent, then we install McAfee VirusScan Enterprise.
The McAfee package is present at ftp://10.80.0.25/domainjoin/McAfee Package.
To install the ePO agent, double-click "FramePkg.exe".
ePO Agent Installation
It will start the installation.
After the ePO agent installation is complete it shows the message "Setup completed successfully". Press OK.
VirusScan Enterprise Installation
Double-click "Setupvse.exe".
The first screen is the McAfee VirusScan Enterprise Setup. Click "NEXT".
VirusScan Enterprise Installation
In License expiry type, select "Perpetual", and select the country where the product was purchased and is used: "United States {default for use in US}".
Select "I accept the terms in the License agreement". Click OK.
VirusScan Enterprise Installation
Select "Typical". Click NEXT.
Click "Install". The installation then starts.
VirusScan Enterprise Installation
Deselect "Update Now" and "Run On-Demand Scan".
Installation is now complete. Press YES.
VirusScan Enterprise Installation
After the machine is restarted the following logo will appear.
First check for the VirusScan Enterprise icon in the right-hand corner of the Desktop (the system tray). Its presence means VirusScan was installed successfully.
Update of ePO Agent
If the ePO agent icon does not appear in the right-hand corner of the Desktop, do the following steps.
Go to: Start > Run > cmd.
Type the complete path and the command that enforces policies: C:\Program Files\Network Associates\Common Framework> cmdagent /P /E /C
Distributed Repository selection.
Right-click on the VirusScan Enterprise icon and select "VirusScan Console".
Go to: Tools > Edit AutoUpdate Repository List.
Distributed Repository selection.
If we are installing this package for the CRO-1 Operating Office, then select CRO-1 and deselect all other repositories.
Then click Move up.
Click OK.
Update of VirusScan Enterprise
Right click on VirusScan Enterprise symbol.
Click Update Now.
Then you can see VirusScan Enterprise take its update from CRO-1.
Update of ePO Agent
Again, right-click on the ePO agent icon.
Click Update Now.
Then you can see the ePO agent take its update from CRO-1.
Update of ePO Agent
Right-click on the ePO agent icon.
Click Status Monitor.
Finally click Collect and Send Properties.
The client then collects all updates automatically from the server.
Uninstallation of ePO agent
Go to: Start Run cmd.
Type the complete path and the command that uninstalls the ePO agent: C:\Program Files\Network Associates\Common Framework> frminst.exe /remove=agent
Uninstallation of ePO agent
Click OK. Uninstallation is complete.
To uninstall VirusScan Enterprise, click Remove in Control Panel > Add/Remove Programs.
USER AWARENESS
The ePO Agent and VirusScan Enterprise icons must be shown in the Task bar.
On-Access Scan must be enabled.
The SuperDAT of McAfee VirusScan Enterprise must be up to date. Users can check the latest version of the SuperDAT at ftp://10.80.0.25/domainjoin/McAfee Package or http://10.X.0.3/epo/Current/VSCANDAT1000/DAT/0000/dat (where X = Regional Office code).
The ePO Agent on client machines must communicate properly with NIC-800000-EPO1 (the main server). At least once a day, click "Collect and Send Properties" on the ePO Agent.
The ePO Agent and VirusScan Enterprise must take updates from their respective Regional Office only.
Users should scan their computer completely at least once a week.