Installation Guide Revision B McAfee Active Response 2.2.0



COPYRIGHT

Copyright © 2017 McAfee, LLC

TRADEMARK ATTRIBUTIONS

McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

1 Pre-Installation 5
    System requirements for Active Response 5
    Active Response network ports 7

2 Installing Active Response 9
    Install Active Response 2.2 9
        Install the Active Response extensions 10
        Install the Active Response server 10
        Install aggregators (optional) 14
        Install the Active Response clients 14
    Uninstall Active Response clients 15
    Installation error messages 16
    Viewing the Active Response Health status 17

3 Upgrading Active Response 21
    Upgrade Active Response 21
        Upgrade the Active Response server 21
        Upgrade the Active Response extensions 22
        Upgrade clients 22
        Upgrade content packages 23
        Upgrade Trace rules content package 24

4 Getting started 25
    Managing access 25
    Recommendations for configuring clients 26
        Create an Active Response policy 27
        Performance recommendations for Windows servers 27
    Configuring Active Response Service 28
    Changing the cloud storage geolocation 29
    Configuring multiple McAfee ePO servers 30
    Bridged and non-bridged McAfee ePO server configuration examples 30

5 Troubleshooting Active Response 33
    Roll back content rules 33

Index 35


1 Pre-Installation

Contents
System requirements for Active Response
Active Response network ports

System requirements for Active Response

Make sure that your system environment meets these requirements and that you have administrator rights.

For a complete list of supported platforms, environments, and operating systems for McAfee® Active Response, see KB84473.

Minimum requirements for McAfee Data Exchange Layer components

Use the following table to determine your minimum McAfee® Data Exchange Layer (DXL) components based on your McAfee® ePolicy Orchestrator® (McAfee® ePO™) server environment.

| Component | Single McAfee ePO server environment | Multiple McAfee ePO server environment |
|---|---|---|
| DXL extensions | 4.0.0 | 4.0.0 |
| DXL endpoint clients | 3.0.0 + HF3 (< RS2, Linux, macOS); 3.1.0 (RS2/RS3) | 4.0.0 |
| DXL brokers | 3.1.x* | 4.0.0 (at least one DXL 4.0.0 broker must be online) |

* With version 3.1.x broker, the Health Status page reports an out-of-date broker. This alert can be disregarded.

Minimum requirements for the Active Response server

The server can be installed on a physical server or a virtual machine.

• 1 CPU with 4 cores

• 8 GB RAM

• 140-GB solid-state disk


Supported web browsers for the user interface

• Internet Explorer 11 or later

• Microsoft Edge on Windows 10.0

• Chrome 53.0 or later

• Firefox 46.0 or later

• Safari 8.0 or later (on Macintosh operating systems only)

Supported operating systems for the Active Response endpoint client

| Operating system | Version | Architecture | Processor | RAM | Minimum free hard disk space |
|---|---|---|---|---|---|
| Windows 10 (Redstone 3) | Base | 32-bit and 64-bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 10 (Redstone 2) | Base | 32-bit and 64-bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 10 Enterprise, Anniversary Update | Base | 32-bit and 64-bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 8.1 Enterprise | Base, U1 | 32-bit and 64-bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 8.0 | Base | 32-bit and 64-bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 7 Enterprise | Up to SP1 | 32-bit and 64-bit | 1.4 GHz or higher | 2 GB | 1 GB |
| Windows 7 Professional | Up to SP1 | 32-bit and 64-bit | 1.4 GHz or higher | 2 GB | 1 GB |
| Windows Server 2016 | Base | 64-bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 2012 Server | Base, R2, U1 | 64-bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 2008 R2 Enterprise | SP1 | 64-bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 2008 R2 Standard | SP1 | 64-bit | 2 GHz or higher | 3 GB | 1 GB |
| CentOS* | 6.5 - 6.9 | 64-bit only | 2 GHz or higher | 2 GB | 1 GB |
| Red Hat* | 6.5 - 6.9 | 64-bit only | 2 GHz or higher | 2 GB | 1 GB |
| macOS* | High Sierra (10.13), Sierra (10.12), El Capitan (10.11) | 64-bit | 2 GHz or higher | 2 GB | 1 GB |

* Does not support the Trace functionality or displaying data on the Threat Workspace.

On Linux 64-bit systems, compatible 32-bit libraries must be installed on endpoints for Active Response to work properly. See KB89991 for instructions.

Minimum requirements for the Active Response endpoint client

| Product | Windows | Linux | macOS |
|---|---|---|---|
| McAfee ePO | 5.3.1 | 5.3.1 | 5.3.1 |
| McAfee® Agent | 5.0.3 (< RS2); 5.0.5 (RS2/RS3) | 5.0.5.658 | 5.0.5.658 (El Capitan and Sierra); 5.0.6.347 (High Sierra) |
| Data Exchange Layer | 3.0.0 + HF3 (< RS2); 3.1.0 (RS2/RS3) | 3.0.0 + HF3 | 3.0.0 + HF3 |
| Endpoint Security Threat Prevention with Threat Intelligence module | 10.2.0 (< RS2); 10.2.2 (RS2); 10.2.3 (RS3)* | 10.2.2** | 10.2.3*** |
| Endpoint Security with Advanced Threat Protection | 10.5.1 (< RS2); 10.5.2 (RS2); 10.5.3 (RS3) | | |

Microsoft Windows 10 (version 1607) - Anniversary Update (Redstone 1 [RS1])

Microsoft Windows 10 (version 1703) - Creators Update (Redstone 2 [RS2])

Microsoft Windows 10 (version 1709) - Fall Creators Update (Redstone 3 [RS3])

* If you have Redstone 3 endpoints, McAfee® Endpoint Security 10.2.2 or 10.5.3 must be checked in to the Master Repository before installing the Active Response client bundle.

** Install McAfee Endpoint Security 10.2.2 on Linux endpoints before installing Active Response 2.2.

*** Install Endpoint Security 10.2.3 for macOS before installing Active Response 2.2.

If an endpoint does not currently have a version of Endpoint Security or McAfee VirusScan Enterprise, the appropriate version of the Endpoint Security modules is installed automatically with the Active Response installation. If an endpoint currently has an unsupported version of Endpoint Security, upgrade the modules on the endpoint to a supported version.

See also
Install Active Response 2.2 on page 9
Install the Active Response clients on page 14
Installation error messages on page 16
Viewing the Active Response Health status on page 17
Configuring multiple McAfee ePO servers on page 30
Upgrade clients on page 22

Active Response network ports

Active Response uses these ports for network connectivity.

Make sure your network settings are not blocking access to the Active Response server and clients through these ports.

Table 1-1 Server ports

| Port number | Open to | Incoming connections | Outgoing connections |
|---|---|---|---|
| 443 | Connect to extensions on the McAfee ePO server. | Yes | Yes |
| 8883 | Connect the DXL broker to the DXL client on the McAfee ePO server. | Yes | Yes |
| 8081 | Connect McAfee Agent to the McAfee ePO server. | Yes | Yes |
| 22 | Connect remotely through ssh to perform maintenance tasks. | Yes | Yes |
| 123 UDP | Network Time Protocol | Yes | Yes |

Table 1-2 Client ports

| Port number | Open to | Incoming connections | Outgoing connections |
|---|---|---|---|
| 8081 | Connect McAfee Agent to a McAfee ePO server. | Yes | Yes |
| 8883 | Connect the DXL client to a DXL broker. | Yes | Yes |
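A pre-deployment connectivity check that covers the ports in Tables 1-1 and 1-2 is the practical companion to the "make sure your network settings are not blocking" sentence above. The script below is an added example, not part of this guide and not McAfee tooling. It probes each TCP port with a plain connect and reports which ones are blocked. The host name `epo.example.invalid` and the `timeout` value are placeholders; replace the host with your McAfee ePO server, DXL broker or Active Response server address. Port 123 is UDP (NTP) and cannot be verified with a TCP connect, so it is only reported.

```python
"""Pre-flight check of the Active Response TCP ports (added example).

Assumptions: target host names are placeholders supplied by the operator;
a successful connect only proves the port is reachable, not that the
expected McAfee service is the one answering.
"""
import socket

# TCP ports from Table 1-1 (server side) with the purpose the guide gives.
SERVER_TCP_PORTS = {
    443: "extensions on the McAfee ePO server",
    8883: "DXL broker <-> DXL client on the McAfee ePO server",
    8081: "McAfee Agent to the McAfee ePO server",
    22: "ssh for maintenance tasks",
}
# TCP ports from Table 1-2 (client side).
CLIENT_TCP_PORTS = {
    8081: "McAfee Agent to a McAfee ePO server",
    8883: "DXL client to a DXL broker",
}
# UDP port from Table 1-1; listed for completeness, not probed.
UDP_PORTS = {123: "Network Time Protocol"}


def check_tcp_port(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout.

    Any socket error (refused, unreachable, timeout, DNS failure) counts as
    blocked, which is the conservative answer for a firewall check.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports, timeout=3.0):
    """Probe every port in `ports` on `host`; return {port: reachable}."""
    return {port: check_tcp_port(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Sorted list of ports whose probe failed, for the firewall change request."""
    return sorted(port for port, reachable in results.items() if not reachable)


if __name__ == "__main__":
    # Placeholder target (assumption): replace with the real McAfee ePO host.
    EPO_HOST = "epo.example.invalid"
    results = check_ports(EPO_HOST, SERVER_TCP_PORTS)
    for port, reachable in sorted(results.items()):
        state = "open" if reachable else "BLOCKED"
        print(f"{port:>5}/tcp  {state:<8} {SERVER_TCP_PORTS[port]}")
    for port, purpose in UDP_PORTS.items():
        print(f"{port:>5}/udp  (not probed; verify with your NTP client) {purpose}")
    if blocked_ports(results):
        print("Blocked:", blocked_ports(results))
```

Run it from the system that will host the Active Response server against the McAfee ePO server for the server-side ports, and from a representative endpoint against the DXL broker and ePO server with `CLIENT_TCP_PORTS`. A reachable port does not prove the right service is listening; it only rules out the network path as the cause of a later deployment failure.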


2 Installing Active Response

Contents
Install Active Response 2.2
Uninstall Active Response clients
Installation error messages
Viewing the Active Response Health status

Install Active Response 2.2

The installation of Active Response includes several components and clients.

Before you begin

• You have reviewed the system requirements for Active Response.

• Before installing Active Response, make sure you have installed Endpoint Security, Data Exchange Layer, and Threat Intelligence Exchange. See the installation guides for these products.

Follow these tasks if you are installing Active Response for the first time.

1 Install and check in the Active Response extensions bundle

2 Mount and configure the ISO file

3 Install and check in the Active Response Aggregator file (optional)

4 Deploy the endpoints

Tasks

• Install the Active Response extensions on page 10. You must install the Active Response extensions on the McAfee ePO server so it can be managed by Software Manager.

• Install the Active Response server on page 10. Install and configure the Active Response server. The Active Response server communicates with the Active Response clients running on endpoints to collect data and remediate actions.

• Install aggregators (optional) on page 14. You are not required to install an aggregator to use Active Response. But, aggregators reduce the amount of DXL bandwidth required, and increase the number of managed endpoints supported.

• Install the Active Response clients on page 14. Active Response clients are ready to function immediately after installation and configuration.

See also System requirements for Active Response on page 5


Install the Active Response extensions

You must install the Active Response extensions on the McAfee ePO server so it can be managed by Software Manager.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager.

3 Locate and select the Active Response extensions bundle.

4 Click Check in.

5 Accept the License Agreement and click OK.

Install the Active Response server

Install and configure the Active Response server. The Active Response server communicates with the Active Response clients running on endpoints to collect data and remediate actions.

Active Response server is provided as an ISO image, packaging a McAfee® Linux Operating System (MLOS) instance.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and download the Active Response server ISO file.

3 Mount the ISO in a supported Virtual Infrastructure System. For supported systems, see KB84473.

4 Start the system where the Active Response server will be installed, making sure that it boots from the Active Response server ISO image. MLOS and all needed packages are installed automatically after the system starts.

5 When the installation finishes, restart the system. Make sure that it starts from the installed system, not from the ISO image.

6 Configure the Active Response server.

a Read the License Agreement and enter Y to accept its terms.

b Set a root password and confirm it.

c Create an operational account. You can use this account to connect through ssh to the system, and use su to obtain root permissions.

d Select the main network interface for the system. This interface connects the Active Response server to McAfee ePO and the Data Exchange Layer.

e Configure the network interface.

• Enter D for DHCP configuration.

• Enter M to manually set the network addresses.

f Set a host name and domain name for the system.

g Set the time server for the system.


h (Optional) Set proxy variables.

http_proxy and https_proxy definitions are comma-separated lists of host names or IP addresses. no_proxy definition is a comma-separated list of host names, domains, or IP addresses.

Proxy settings are for operating system administration only. Active Response does not use proxies tocommunicate with McAfee ePO or network endpoints.

i Configure McAfee Agent to set up the connection to McAfee ePO.

j Select which services must run on the system.

• DXL Broker — Installs a Data Exchange Layer broker. If your environment already has at least one DXL broker version 3.0.0 or later, you can choose not to install a new instance of the broker.

• AR Server — Installs the Active Response server.

k Set the DXL broker communication port.

7 Log on to McAfee ePO as an administrator and verify that an Active Response server is listed in the System Tree.

Tasks

• Configure the DXL broker extension on page 11. Broker extensions are additional features that can be enabled on a Data Exchange Layer broker to add new functionality created by other managed products. Enable the Trace broker extension used by Active Response.

• Create a McAfee Cloud account on page 12. Create a McAfee Cloud account and link it to McAfee ePO server.

• Link an existing cloud account on page 13. Link an existing cloud account to McAfee ePO server.

• Configure McAfee ePO proxy server settings (optional) on page 13. If your company uses proxy addresses, enter the IP address for the Active Response server in the McAfee ePO proxy settings.

• Best Practices for the Threat Intelligence Exchange server on page 14. Follow this recommendation if you are installing TIE and Active Response servers for the first time.

See also Configuring Active Response Service on page 28

Configure the DXL broker extension

Broker extensions are additional features that can be enabled on a Data Exchange Layer broker to add new functionality created by other managed products. Enable the Trace broker extension used by Active Response.

Active Response 2.1 or later requires at least one DXL broker version 3.0.0 or later. The Trace extension is not available on previous broker versions.

Task

1 Select Menu | Configuration | Server Settings | DXL Topology.

2 Click Edit.

3 Select a broker and next to Broker Extension, select Provides trace data to the cloud for MAR Workspace.

4 Click Save.


Create a McAfee Cloud account

Create a McAfee Cloud account and link it to McAfee ePO server. McAfee ePO Cloud Bridge is an extension that you install on your local McAfee ePO server, allowing you to link your McAfee ePO server to your McAfee Cloud account where you store threat data.

You can register a new cloud account or configure your cloud account through the Workspace Configuration link.

From the Workspace bar, click Configuration to view the status of your McAfee Cloud account.

• If your McAfee Cloud account is not configured, select a cloud data location or geolocation from the drop-down list. If you are upgrading to Active Response 2.2, the previous geolocation (US west coast) from Active Response 2.1 remains the default selection.

• If you have a McAfee Cloud Account, click the link to log on to your account.

• If you do not have a McAfee Cloud Account, click the link to create one.

1 Create a cloud account from the Configuration pane or register for a cloud account at https://login.mcafee.com/v1/SignUp/en-US/epo/CloudTenantSignup.

2 Complete the company and contact information.

The email address you provide is the email address used to create the McAfee Cloud account for your company.

3 Read and accept the license agreement to complete the registration and click Submit.

4 After submitting the form, you will receive an email to activate the McAfee Cloud account and set the password.


After the McAfee Cloud account is successfully activated, you must link it to the McAfee ePO server.

1 Log on to McAfee ePO as administrator.

2 Select Menu | Configuration | Server Settings | McAfee ePO Cloud Bridge.

3 Click Edit.

4 Type in the account credentials and click Save.

Switching between different geolocations is not supported or recommended, because of a high risk of losing data. This setting is meant to be permanent.

See also
Link an existing cloud account on page 13
Changing the cloud storage geolocation on page 29

Link an existing cloud account

Link an existing cloud account to McAfee ePO server.

Before you begin

You need the McAfee Cloud account email and password.

To link an existing McAfee Cloud account to McAfee ePO server, you must enable McAfee Cloud Threat Detection. Enter the email address used to create your McAfee Cloud account.

If you have forgotten your password, click Configuration on the Workspace and click Reset password. Enter the email address used to create your Cloud account and click Submit.

1 Log on to McAfee ePO as administrator.

2 Select Menu | Configuration | Server Settings | McAfee® ePO™ Cloud Bridge.

3 Click Edit.

4 Type in the account credentials and click Save.

If you unlink an existing McAfee Cloud account from the McAfee ePO Cloud Bridge settings, and link to a different McAfee Cloud account, you lose access to the threat data in the previous McAfee Cloud account.

See also Create a McAfee Cloud account on page 12

Configure McAfee ePO proxy server settings (optional)

If your company uses proxy addresses, enter the IP address for the Active Response server in the McAfee ePO proxy settings.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Configuration | Server Settings | Proxy Settings.

3 Click Edit.


4 Enter the proxy information.

5 Click Save.

Best Practices for the Threat Intelligence Exchange server

Follow this recommendation if you are installing TIE and Active Response servers for the first time.

If you are installing the TIE and Active Response servers for the first time, install the TIE server first. Run the TIE server in your environment for a few days before enabling tracing on endpoints.

• Files that do not show suspicious activity and have high prevalence because they are executed on a majority of endpoints, are automatically set to Might be Trusted reputation. This means you do not need to manually change occurrences of these reputations in the Active Response Workspace later.

• You can fine-tune the TIE Reputations database and decide on the reputations for your corporate-owned files and certificates before Active Response starts inspecting running processes, looking for potential threats.

Install aggregators (optional)

You are not required to install an aggregator to use Active Response. But, aggregators reduce the amount of DXL bandwidth required, and increase the number of managed endpoints supported.

Install Active Response aggregators on DXL broker systems in your fabric. We recommend that you install an aggregator on each system in your fabric that runs only a DXL broker. Aggregators can't be installed on Active Response or TIE server systems.

Do not pre-install the DXL client or install a DXL client upgrade package from McAfee ePO on the DXL broker. Always use the Active Response Aggregator package to install the DXL client on the DXL broker. You can install the aggregator package from the Master Repository.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and check in the Active Response Aggregator package.

3 Select Menu | Software | Product Deployment, then click New Deployment.

4 In the Package drop-down list, select the Active Response aggregator.

5 Click Select Systems and choose the DXL broker where to install the aggregator.

6 Select Run Immediately and click Save to start deployment.

Install the Active Response clients

Active Response clients are ready to function immediately after installation and configuration.

Before you begin

• Look at the Health Status page before and after installing to view any endpoint incompatibilities or deployment errors.

• Make sure your Windows endpoints are running McAfee Agent 5.0.3 or later.

• Make sure your Linux endpoints are running McAfee Agent 5.0.3 or later and Endpoint Security for Linux 10.2.2.


• Make sure your macOS endpoints are running

• McAfee Agent 5.0.6.347 and Endpoint Security 10.2.3 for Mac on High Sierra

• McAfee Agent 5.0.5.658 and Endpoint Security 10.2.3 for Mac on El Capitan and Sierra

• If you have Redstone 3 endpoints, Endpoint Security 10.2.2 or 10.5.3 must be checked in to the Master Repository before installing the Active Response client bundle.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Product Deployment, then click New Deployment.

During deployment on Windows systems, Active Response disables Microsoft Protection Service momentarily to complete the installation. Endpoint users might see a warning that this service has been disabled. When the installation is complete, Microsoft Protection Service is restored and the warning can be ignored.

3 Select the Active Response client software package, McAfee Active Response 2.2.0 for Windows, Linux, and macOS.

On Linux 64-bit systems, compatible 32-bit libraries must be installed on endpoints for Active Response to work properly. See KB89991 for instructions.

4 Click Select Systems to select which endpoints to manage with Active Response.

5 Select Run Immediately and click Save to start deployment.

6 Deploy the Active Response clients. All needed clients are installed.

If an older version is already installed, the Active Response client is updated with the newer version. Also, if deploying on an older system that takes longer for a new deployment, create a client task and increase the timeout setting to greater than 20 minutes (the default setting). This ensures the deployment does not time out before it completes.

After deploying the Active Response clients, make sure to configure the appropriate McAfee ePO policies.

See also
System requirements for Active Response on page 5
Installation error messages on page 16
Upgrade clients on page 22
Recommendations for configuring clients on page 26

Uninstall Active Response clients

Remove Active Response clients from endpoints.

This procedure does not remove Endpoint Security Threat Intelligence module, Endpoint Security Adaptive Threat Protection or Data Exchange Layer.


Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Product Deployment | New Deployment.

3 Complete and save the new deployment information for the uninstall.

4 In the Product Deployment page, from the Action drop-down, select Uninstall. Then start the deployment to uninstall Active Response.

Installation error messages

Detailed endpoint installation errors are described in the Threat Event Log to inform you of missing or invalid dependencies.

If an installation fails, the error messages listed in the Server Task Log are generic and non-specific. Select Menu | Reporting | Threat Event Log to display detailed error messages caused by various deployment issues.

A package is missing on McAfee ePO

• McAfee® Endpoint Security

• Endpoint Security Threat Prevention

• Threat Intelligence Exchange

• Endpoint Security Adaptive Threat Protection

• Data Exchange Layer 3.0

Deployed version is below minimum requirement

• VirusScan Enterprise < 8.8.0

• McAfee Agent < 5.0.3

• McAfee Agent < 5.0.5 for Microsoft Windows 10 (version 1703) - Creators Update (Redstone 2)

• Endpoint Security < 10.2 or Threat Intelligence module < 10.2

• Endpoint Security < 10.2.1 or Endpoint Security < 10.5.1 for Microsoft Windows 10 (version 1703) - CreatorsUpdate (Redstone 2)

• McAfee® Host Intrusion Prevention < 8.0.0.7364

Client installer failed

• Endpoint Security

• Endpoint Security Threat Prevention

• Threat Intelligence Exchange

• Endpoint Security Adaptive Threat Protection

• Data Exchange Layer

• Active Response


Table 2-1 Error messages

| Error code | Error Message | Description |
|---|---|---|
| 0 | UNKNOWN | Unknown error |
| 1 | ESP_MISSING_PACKAGE_ON_EPO | ESP missing package on ePO |
| 2 | TP_MISSING_PACKAGE_ON_EPO | TP missing package on ePO |
| 3 | TIE_MISSING_PACKAGE_ON_EPO | TIE missing package on ePO |
| 4 | ATP_MISSING_PACKAGE_ON_EPO | ATP missing package on ePO |
| 5 | DXL_MISSING_PACKAGE_ON_EPO | DXL missing package on ePO |
| 6 | VSE_INSTALLED | VSE installed |
| 7 | MA_INCOMPATIBLE_VERSION | MA incompatible version installed |
| 8 | ESP_INCOMPATIBLE_VERSION | ESP incompatible version installed |
| 9 | TP_INCOMPATIBLE_VERSION | TP incompatible version installed |
| 10 | HIP_INCOMPATIBLE_VERSION | HIP incompatible version installed |
| 11 | ESP_INSTALLATION_FAILED | ESP installation failed |
| 12 | TP_INSTALLATION_FAILED | TP installation failed |
| 13 | TIE_INSTALLATION_FAILED | TIE installation failed |
| 14 | ATP_INSTALLATION_FAILED | ATP installation failed |
| 15 | DXL_INSTALLATION_FAILED | DXL installation failed |
| 16 | MAR_INSTALLATION_FAILED | MAR installation failed |

The error codes are stored in the MarCustomEvent table on McAfee ePO server. The events are sent from the McAfee Agent based on its configuration. If you are using a McAfee Agent version equal to or greater than 5.0.6, you can see the Error code number in the Running Task view output if an installation failure occurs.
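When a mass deployment partly fails, the useful view is not the per-event list but the set of hosts grouped by the three failure families the guide uses above (package missing on McAfee ePO, deployed version below minimum, client installer failed). The script below is an added example, not part of this guide and not McAfee code. It maps the codes from Table 2-1 to those families and groups hosts from an export. The export format (a `hostname,error_code` CSV) is an assumption for the example; the real column layout of the MarCustomEvent table is not documented on this page. Placing `VSE_INSTALLED` in the version family is also an assumption, made because the guide lists "VirusScan Enterprise < 8.8.0" under that heading.

```python
"""Triage of Active Response client installation failures (added example).

Assumptions: the input is a CSV export with columns `hostname,error_code`
(the MarCustomEvent table's real layout is not given on this page), and
VSE_INSTALLED is grouped with the version errors.
"""
import csv
import io
from collections import defaultdict

# Error codes and names exactly as listed in Table 2-1.
ERROR_CODES = {
    0: "UNKNOWN",
    1: "ESP_MISSING_PACKAGE_ON_EPO",
    2: "TP_MISSING_PACKAGE_ON_EPO",
    3: "TIE_MISSING_PACKAGE_ON_EPO",
    4: "ATP_MISSING_PACKAGE_ON_EPO",
    5: "DXL_MISSING_PACKAGE_ON_EPO",
    6: "VSE_INSTALLED",
    7: "MA_INCOMPATIBLE_VERSION",
    8: "ESP_INCOMPATIBLE_VERSION",
    9: "TP_INCOMPATIBLE_VERSION",
    10: "HIP_INCOMPATIBLE_VERSION",
    11: "ESP_INSTALLATION_FAILED",
    12: "TP_INSTALLATION_FAILED",
    13: "TIE_INSTALLATION_FAILED",
    14: "ATP_INSTALLATION_FAILED",
    15: "DXL_INSTALLATION_FAILED",
    16: "MAR_INSTALLATION_FAILED",
}

# The three failure families the guide uses for installation errors.
CAT_MISSING = "package missing on McAfee ePO"
CAT_VERSION = "deployed version below minimum requirement"
CAT_INSTALL = "client installer failed"
CAT_UNKNOWN = "unknown"


def categorize(code):
    """Map a numeric error code to one of the guide's failure families."""
    name = ERROR_CODES.get(code, "UNKNOWN")
    if name.endswith("_MISSING_PACKAGE_ON_EPO"):
        return CAT_MISSING
    # VSE_INSTALLED grouped with version errors (assumption, see lead-in).
    if name.endswith("_INCOMPATIBLE_VERSION") or name == "VSE_INSTALLED":
        return CAT_VERSION
    if name.endswith("_INSTALLATION_FAILED"):
        return CAT_INSTALL
    return CAT_UNKNOWN


# Constructed sample export; host names and codes are made up for the example.
SAMPLE_EXPORT = """hostname,error_code
ws-001,5
ws-002,7
ws-003,7
srv-010,16
ws-004,42
ws-005,not-a-number
"""


def triage(export_text):
    """Group hosts as {family: {code_name: [hosts]}}.

    Rows whose error_code is missing or not an integer are filed under
    UNKNOWN rather than silently dropped, so no failed host disappears.
    """
    grouped = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            code = int(row["error_code"])
        except (ValueError, TypeError):
            code = 0
        name = ERROR_CODES.get(code, "UNKNOWN")
        grouped[categorize(code)][name].append(row["hostname"].strip())
    return {family: dict(codes) for family, codes in grouped.items()}


def summarize(export_text):
    """Number of affected hosts per family, for a quick deployment status read."""
    return {family: sum(len(hosts) for hosts in codes.values())
            for family, codes in triage(export_text).items()}


if __name__ == "__main__":
    for family, codes in triage(SAMPLE_EXPORT).items():
        print(family)
        for name, hosts in codes.items():
            print(f"  {name}: {', '.join(hosts)}")
    print(summarize(SAMPLE_EXPORT))
```

The family tells you which remediation path applies: a missing package means a check-in on the McAfee ePO Master Repository, a version error means the endpoint needs an upgrade before redeployment, and an installer failure is the case where the Threat Event Log detail for that host is worth reading before retrying.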

See also
System requirements for Active Response on page 5
Install the Active Response clients on page 14
Viewing the Active Response Health status on page 17

Viewing the Active Response Health status

The Active Response Health Status page displays the number of endpoints, status of endpoint deployments, incompatible and unsupported versions, and connection issues with servers and services.

The Active Response Health Status page is a central location to check the status of endpoints and servers before installing upgrades or troubleshooting issues. To view the Active Response Health Status page, select Menu | Systems | Active Response Health Status or click the link in the Health Status Alert window if it appears when you open the Workspace. The Health Status Alert window appears if the endpoints, servers, or cloud services need attention due to critical issues.

Total endpoints

The total number of endpoints in the environment where Active Response is deployed, awaiting deployment, incompatible, or deployment failed.


Active Response deployed

The number of endpoints currently running Active Response, and the Trace status of the endpoints managed by McAfee ePO. If the Trace plug-in is disabled, a warning message appears and the status displays the number of endpoints affected. Click the link to see the list of hosts affected.

Ready for Active Response deployment

An installation or deployment task is pending, but has not yet run. The number of new endpoints (macOS, Windows, Linux) needing deployment and the number of endpoints needing updates are displayed.

Incompatible with Active Response

There is an Active Response requirement on the endpoint that is not met. The status lists:

• Unsupported versions of an endpoint client such as Endpoint Security or McAfee Agent and the number of endpoints affected.

• Unsupported clients such as VirusScan Enterprise on the endpoint and the number of endpoints affected.

• Endpoints with unsupported OS versions and the number of endpoints affected. The Active Response installer fails to install on endpoints with an unsupported OS version, so you know which endpoints need upgrading.

Active Response deployment failed

An installation or deployment task ran but failed to complete. The status displays the installations that failed and the number of endpoints affected.

Active Response Server

Displays the version and status of the Active Response server and a link to its configuration page. The status displays if the server is unreachable or needs to be updated. Click the link to troubleshoot the issue.

DXL Brokers

Displays the version and connection status (successful or failed) of the DXL brokers. If a broker is not available, click the link to troubleshoot the issue.

Threat Intelligence Exchange Servers

Displays the version and status of the TIE servers and a link to its configuration page. If a server is not available, click the link to troubleshoot the issue.

Cloud Storage and Services

There are connection or configuration requirements that have not been met.

• The cloud account is not set up.

• The Cloud Bridge connection is disrupted.

• A cloud connection time-out occurred.


• Bridged McAfee ePO servers are configured with different geolocations. You can select only one geolocation for each DXL fabric.

Switching between different geolocations is not supported or recommended, because of a high risk of losing data. This setting is meant to be permanent.

• Bridged McAfee ePO servers are linked to different cloud accounts. You can configure only one cloud account to bridged McAfee ePO servers.

Switching between multiple cloud accounts is not supported or recommended, because of a high risk of losing data. We recommend using one cloud account for managing your cloud geolocation and bridged McAfee ePO servers.

See also
• System requirements for Active Response on page 5
• Upgrade clients on page 22
• Installation error messages on page 16


3 Upgrading Active Response

Upgrade Active Response

A complete upgrade installs a new Active Response server, extensions, and client packages.

To minimize downtime during the upgrade process, install components in this order:

1 Active Response server: MAR-Server-Bundle_{version}.zip

2 Active Response extensions: Active_Response_MAR_{version}.zip

3 Active Response aggregator (optional)

4 Active Response clients on managed systems

Do not upgrade the DXL client with a standard DXL client package on a DXL broker with an Active Response aggregator installed. The Active Response aggregator is incompatible with the standard DXL client. For a DXL broker with Active Response aggregator installed, all DXL client updates will be included in a new Active Response aggregator package.

Tasks

• Upgrade the Active Response server on page 21
Install Active Response server update packages from the McAfee ePO Software Manager.

• Upgrade the Active Response extensions on page 22
Upgrade the Active Response extensions on McAfee ePO server.

• Upgrade clients on page 22
Install a newer version of the Active Response client on managed systems to upgrade clients.

• Upgrade content packages on page 23
Install content packages to get new collectors and reactions, or new versions of existing built-in collectors and reactions.

• Upgrade Trace rules content package on page 24
The Active Response rules content package adds, updates, and removes old Trace rules. You can automatically deploy Trace rules content updates to endpoints when a new update is available in Software Manager.

Upgrade the Active Response server

Install Active Response server update packages from the McAfee ePO Software Manager.


Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and check in the Active Response Server package.

3 To deploy the update package:

a Select Menu | Software | Product Deployment, then click New Deployment.

b In the Package drop-down list, select the server update package.

c Click the + sign to add an additional package.

d In the Package drop-down list, select the server platform update package.

e Click Select Systems to select the Active Response server in your network.

f Select Run Immediately and click Save to start deployment.

See also Configuring Active Response Service on page 28

Upgrade the Active Response extensions

Upgrade the Active Response extensions on McAfee ePO server.

Before you begin

Active Response server of the same or later version must be installed.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager.

3 Select Software Not Checked In | Licensed.

4 Locate and select the Active Response extensions bundle.

5 Click Check in.

6 Accept the License Agreement, then click OK.

After the extensions are installed, upgrade the Active Response client.

Upgrade clients

Install a newer version of the Active Response client on managed systems to upgrade clients.

Before you begin

• Look at the Health Status page before and after installing to view any endpoint incompatibilities or deployment errors.

• Make sure your Windows endpoints are running McAfee Agent 5.0.3 or later.

• Make sure your Linux endpoints are running McAfee Agent 5.0.3 or later and Endpoint Security for Linux 10.2.2.


• Make sure your macOS endpoints are running

• McAfee Agent 5.0.6.347 and Endpoint Security 10.2.3 for Mac on High Sierra

• McAfee Agent 5.0.5.658 and Endpoint Security 10.2.3 for Mac on El Capitan and Sierra

• If you have Redstone 3 endpoints, Endpoint Security 10.2.2 or 10.5.3 must be checked in to the Master Repository before installing the Active Response client bundle.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Product Deployment, then click New Deployment.

During deployment on Windows systems, Active Response disables Microsoft Protection Service momentarily to complete the installation. Endpoint users might see a warning that this service has been disabled. When the installation is complete, Microsoft Protection Service is restored and the warning can be ignored.

3 Select the Active Response client software package, McAfee Active Response 2.2.0 for Windows and Linux.

On Linux 64-bit systems, compatible 32-bit libraries must be installed on endpoints for Active Response to work properly. See KB89991 for instructions.

4 Click Select Systems to select which endpoints to manage with Active Response.

5 Select Run Immediately and click Save to start deployment.

6 Deploy the Active Response clients. All needed clients are installed.

If an older version is already installed, the Active Response client is updated with the newer version. Also, if you are deploying to an older system where a new deployment takes longer, create a client task and increase the timeout setting to more than 20 minutes (the default setting). This ensures the deployment does not time out before it completes.

You can upgrade Active Response clients while they are online. As soon as the new version is installed, clients respond to the Active Response server.

See also
• System requirements for Active Response on page 5
• Install the Active Response clients on page 14
• Viewing the Active Response Health status on page 17
• Recommendations for configuring clients on page 26
• Configuring multiple McAfee ePO servers on page 30

Upgrade content packages

Install content packages to get new collectors and reactions, or new versions of existing built-in collectors and reactions.

New versions of collectors and reactions in the content package might make some of your saved searches and triggers unusable. This only happens if the update changes a built-in collector output field, or if the update changes built-in reaction arguments. Check the McAfee Active Response Content Update Release Notes for information about changes to collectors and reactions introduced by a content package.


Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and check in the Active Response content package.

Content packages have this naming convention: BaseActiveResponseContent-MajorVersion.MinorVersion.PatchVersion-BuildVersion.zip

If you have Auto Update enabled for deployments, after the package checks in to the Master Repository it is installed automatically. If you do not have Auto Update enabled, create an update deployment task.

Upgrade Trace rules content package

The Active Response rules content package adds, updates, and removes old Trace rules. You can automatically deploy Trace rules content updates to endpoints when a new update is available in Software Manager.

Trace rules determine a potential threat and its severity, and display it in the Trace Timeline. The mechanism to automatically update Trace rules content is enabled by default, with update tasks scheduled every 240 minutes (4 hours). This is an unattended task that is enabled in McAfee ePO.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then click My Default.

3 On the General tab, select Enable Unattended Content Updates to disable or enable this feature.

If you disable this feature, you can update the rules manually.

4 To change the default time for Unattended Content Updates Timeout (minutes), edit the numeric value in the field.

Updates are checked every cycle, and if there is a new update, it is deployed to the endpoints to update their Trace rules.

See also Roll back content rules on page 33


4 Getting started

Contents
• Managing access
• Recommendations for configuring clients
• Configuring Active Response Service
• Changing the cloud storage geolocation
• Configuring multiple McAfee ePO servers
• Bridged and non-bridged McAfee ePO server configuration examples

Managing access

After installation, Active Response creates permission sets to manage access to its resources.

• Group Active Response Editor — Allows access to all features and resources. Most importantly, this permission set allows users to create, edit, and delete collectors, triggers, and reactions. Set this permission set for users that need to:

• Create custom content.

• Set triggers to automatically catch events on endpoints and execute reactions.

• Back up or share custom content with other McAfee ePO instances.

• Group Active Response Responder — Allows access to Active Response Search. It also allows users to see the content and configuration of collectors, triggers, and reactions, but not to edit or delete them. Set this permission set for users that need to:

• Actively monitor endpoints for indicators of compromise.

• Quickly execute reactions from Active Response Search results.

• Group Active Response Responder Workspace Monitor — Allows access to the Threat Workspace and Active Response Search functions. It allows users to see threat behavior activity, and to execute searches to investigate a potential threat but not take remediation actions. Set this permission for users that need to:

• Actively monitor endpoints for indicators of compromise.

• Inform incident responders who can remediate a possible threat.

• Group Active Response Workspace Responder — Allows full access to the Threat Workspace and Active Response Search functions. It allows users to see threat behavior activity, execute searches to investigate a potential threat and take immediate action through the Threat Workspace, or automate tasks on endpoints through triggers and reactions. Set this permission for users that need to:

• Actively monitor endpoints for indicators of compromise.

• Take immediate action on endpoints using the Threat Workspace.


• Quickly execute reactions from search results.

• Create custom content.

• Set triggers to automatically catch events on endpoints and execute reactions.

• Back up or share custom content with other McAfee ePO instances.

You can also customize access management by creating your own permission sets.

Privacy information and Active Response

Active Response collects information from managed endpoints, such as user names, system names, and IP addresses. It also includes process activity such as modified registry entries, files created, and established network connections. Access to this information is available in Active Response pages in McAfee ePO. Make sure that access to these pages is authorized and appropriately managed.

McAfee ePO restrictions to the System Tree through access management configuration do not prevent Active Response users from receiving information from systems outside their authorized segment of the System Tree. Make sure that Active Response users are qualified and trained to appropriately handle private information from your users' systems.

McAfee also collects data that is not personally identifiable to further enhance threat intelligence, but cannot search the data or trace it back to a specific organization. For more information, review the License Agreement.

Recommendations for configuring clients

Use McAfee ePO policies to configure Active Response clients.

Using policies, you can:

• Set the maximum number of results returned by search expressions.

• Enable endpoints to execute triggers.

• Enable Network Flow and File Hashing collectors and triggers.

• Enable the Trace plug-in on the endpoint. This is required to see potential threat activity in the Threat Workspace.

• Set database limits and maximum number of results returned by the Network Flow collector. For Network Flow in Windows, traffic can be excluded for specific processes. This is done using the complete process path.

• Set database limits, maximum number of results returned, and files excluded by the File Hashing collector.

• You can also exclude entire paths and extensions by policy.

• File Hashing "Hash Strategy" determines how many endpoint resources are dedicated for hashing. For example, setting the default to Low reduces performance impact (resource consumption), but makes the hashing period longer.

• Set database and data limits for the Trace collector.

• Enable system logging on managed endpoints.

• Enable data folder protection. When selected, you cannot read the files in C:\ProgramData\McAfee\MAR\data. Deselect it to read the logs and config files.

Preset McAfee ePO policies

After installing Active Response, the following McAfee ePO policies are available in the Policy Catalog:


• McAfee Default — This is the policy enforced by default after installation. When this policy is enforced, Network Flow and Trace collectors are enabled. Triggers and File Hashing are disabled.

• Full Visibility — When this policy is enforced, Network Flow, File Hashing, and Trace collectors are enabled. Triggers are disabled.

• Full Monitoring — When this policy is enforced, all collectors and triggers are enabled.

See also
• Install the Active Response clients on page 14
• Upgrade clients on page 22

Create an Active Response policy

Create an Active Response policy with custom settings.

Task

1 Select Menu | Policy | Policy catalog.

2 From the Product list, select Active Response.

3 Select New Policy, or select an existing policy and select Duplicate.

4 Enter a name and a brief description for the new policy, then click OK.

5 Complete the fields on the Policy Catalog page for the options you want to apply to the policy.

After you create a policy, assign it to managed systems to configure the Active Response clients on those systems. See the McAfee ePO documentation for information about assigning policies.

Performance recommendations for Windows servers

Use the following recommendations to configure Active Response running on Windows servers.

Active Response network flow

• From Menu | Policy | Policy Control, select the Network Flow tab and deselect Collect TCP/UDP System process information (Windows only).

• Prevent Active Response from tracking and keeping a history of all connections, to save disk and CPU usage. To do this, ignore the network traffic from the binary that serves network requests. Configure this behavior through the Active Response endpoint policy in McAfee ePO by using the full path of the binary. For example:

• Apache server — C:\Apache24\bin\httpd.exe

• IIS web server — C:\Windows\System32\inetsrv\w3wp.exe

Active Response file hashing

• Set the Hash Strategy to Low.

• Ignore the folders where the server logs and data are saved, where the server databases are located, and where the server data backup folders are located. This prevents Active Response from tracking and keeping a history of all files created, deleted, and changed, avoiding demands on disk and CPU usage. For example:

• Apache server — C:\Apache24\logs; C:\Apache24\htdocs

• IIS web server — C:\inetpub\wwwroot; C:\inetpub\logs


Active Response file hashing for SQL Server

• In the policy, ignore these SQL Server file extensions: ldf, mdf, adf, bak

• Ignore FOLDERID_ProgramFiles\Microsoft SQL Server and the backup folder.

Threat Intelligence Exchange reputations

Make sure the reputation for the entire binary set that runs your server is set to Known Trusted.

Configuring Active Response Service

Configure how the Active Response service works. Use the Active Response option in the McAfee ePO Server Settings page.

Search execution time-to-live

Active Response search expressions execute collectors on managed endpoints. Because endpoints might come online or offline during the execution of a collector, Active Response can't know when all endpoints that could answer have already answered. This configuration tells Active Response to stop expecting search results after a certain time has passed.

Table 4-1 Active Response Server options

Option — Definition

Search time-to-live — The timeout (in milliseconds) that Active Response waits after the last endpoint replied to a search expression. If another endpoint replies during this wait, the time count is restarted; otherwise, the search stops. Default: 15,000 ms

Search time-to-live at 50% — Defines a percentage of the value in Search time-to-live that applies as the new timeout wait after 50% of available endpoints have replied. Default: 33%

Search time-to-live at 90% — Defines a percentage of the value in Search time-to-live that applies as the new timeout wait after 90% of available endpoints have replied. Default: 7%

Compatibility with Active Response 1.0 clients — When enabled, Active Response endpoint clients reply to searches, reactions, and triggers executed by an Active Response server.

Authentication — The Active Response service relies on McAfee ePO certificates to authenticate access, so that only Active Response extensions can make service requests. This configuration is set up after the installation of the Active Response service. If you change the certificates used by McAfee ePO, use this configuration option to reset the certificates in the Active Response server.
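The time-to-live rules in Table 4-1 can be replayed to see exactly when a search stops waiting and which late replies are lost. This is an added example, not McAfee code; it assumes "available endpoints" means the number of endpoints expected to answer when the search is issued, and the reply timestamps are constructed sample data.

```python
"""Simulation of the Active Response search time-to-live (TTL) rules.

Added example, not McAfee code. Assumption: "available endpoints" is the
number of endpoints expected to answer when the search starts, and the
50% / 90% thresholds apply to the fraction of those that have replied.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SearchTtlConfig:
    """Server options from Table 4-1 with their documented defaults."""
    ttl_ms: int = 15_000       # Search time-to-live: 15,000 ms
    at_50_pct: float = 0.33    # Search time-to-live at 50%: 33%
    at_90_pct: float = 0.07    # Search time-to-live at 90%: 7%


def effective_ttl_ms(cfg: SearchTtlConfig, replied: int, available: int) -> int:
    """TTL the server waits for the next reply, given how many replied so far.

    Once 50% of the available endpoints have replied the wait shrinks to 33%
    of the base TTL; once 90% have replied it shrinks to 7%.
    """
    if available <= 0:
        return cfg.ttl_ms
    fraction = replied / available
    if fraction >= 0.90:
        return round(cfg.ttl_ms * cfg.at_90_pct)
    if fraction >= 0.50:
        return round(cfg.ttl_ms * cfg.at_50_pct)
    return cfg.ttl_ms


def simulate_search(cfg: SearchTtlConfig, available: int,
                    reply_times_ms: List[int]) -> Tuple[int, int]:
    """Replay endpoint replies given as milliseconds since the search started.

    The wait restarts on every reply that arrives before the current deadline;
    a reply after the deadline is lost because the search has already stopped.
    Returns (time at which the search stops, replies counted).
    """
    last_reply_ms = 0      # the first wait starts when the search is issued
    counted = 0
    for t in sorted(reply_times_ms):
        deadline = last_reply_ms + effective_ttl_ms(cfg, counted, available)
        if t > deadline:
            break          # search already closed; this reply is dropped
        counted += 1
        last_reply_ms = t
    return last_reply_ms + effective_ttl_ms(cfg, counted, available), counted


if __name__ == "__main__":
    cfg = SearchTtlConfig()
    # Constructed sample: 10 endpoints, 9 reply one second apart, one is slow.
    # After the 9th reply the wait is only 7% of 15 s (1,050 ms), so the reply
    # at 10,100 ms arrives after the search stopped at 10,050 ms.
    stop, got = simulate_search(cfg, 10, [1000 * i for i in range(1, 10)] + [10_100])
    print(f"search stopped at {stop} ms with {got}/10 replies")
```

Raising Search time-to-live at 90% above 7% in the same simulation shows the trade-off the table describes: slow endpoints are counted, at the cost of every search waiting longer to close.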

Active Response Workspace configuration

These Workspace configuration settings control what you see on the Threat Workspace. The Process instances setting controls the number of potential threat instances that display on the trace chart. The Events per instance setting controls the number of potential threat events that display on the trace chart.

Server and aggregator tags

After installation, the Active Response server and aggregator systems are automatically applied with these tags:


• MARSERVER — Identifies the Active Response server.

• MARAGG — Identifies an Active Response aggregator system.

• DXLBROKER — Identifies both the Active Response server and the aggregators.

You can review and edit the tags applied to your systems in the McAfee ePO System Tree.

See also
• Install the Active Response server on page 10
• Upgrade the Active Response server on page 21

Changing the cloud storage geolocation

Change the cloud storage location for your threat data.

From the Workspace, click Configuration to select a different geolocation from the Cloud Account drop-down list.Here are guidelines for selecting different geolocations.

Switching between different geolocations is not supported or recommended, because of a high risk of losing data. This setting is meant to be permanent.

• The selected geolocation from Active Response 2.1 remains the default selection after upgrading to Active Response 2.2.

• If you have bridged McAfee ePO servers, you must select one geolocation and one McAfee Cloud account. You cannot point bridged McAfee ePO servers to different geolocations. Check the Health Status page for alerts. If you have multiple McAfee ePO servers that are not linked, you can select different geolocations, but you must use the same McAfee Cloud bridge account.

• You are allowed one geolocation per DXL fabric.

• You must use the same McAfee Cloud bridge account for all linked McAfee ePO servers.

Switching between multiple cloud accounts is not supported or recommended, because of a high risk of losing data. We recommend using one cloud account for managing your cloud geolocation and bridged McAfee ePO servers.

• Endpoint roaming is not supported.

• Data between the cloud geolocations can't be shared.

• New geolocations are added to the selection menu as they become available, without reinstalling or upgrading Active Response.

Only one geolocation is accessible at a time for trace information. For example, if you change from geolocation X to geolocation Y, all existing threat data that was available on geolocation X is no longer accessible. If you switch back to geolocation X, old trace information is accessible, but the new traces on geolocation Y are not accessible. You risk losing data by switching back and forth between geolocations.

See also
• Create a McAfee Cloud account on page 12
• Bridged and non-bridged McAfee ePO server configuration examples on page 30


Configuring multiple McAfee ePO servers

In a multiple McAfee ePO server environment, there is more than one McAfee ePO server connected to DXL brokers on bridged DXL fabrics. Bridging fabrics allows DXL brokers that are managed by different McAfee ePO servers to communicate with each other.

Requirements for a multiple McAfee ePO server environment

If you upgrade from Active Response 2.1 to 2.2 and bridge multiple McAfee ePO servers, you must upgrade the DXL extensions, client, and at least one broker (which must be online) to version 4.0. See KB84473 for additional details.

• Install DXL 4.0 broker, extensions, and client. See KB84473 for DXL requirements for multiple McAfee ePO servers.

• The Active Response 2.2 client must be deployed on all endpoints managed by the different McAfee ePO servers.

• The DXL broker fabrics between McAfee ePO servers must be bridged. Bridging DXL fabrics is covered in the DXL product guide.

Using a multiple McAfee ePO server environment

To expand your remediation and upgrade capabilities:

• Deploy Active Response client packages from one McAfee ePO server to upgrade another bridged McAfee ePO server's endpoints.

• Share saved and custom searches using collectors and reactions across bridged McAfee ePO servers.

• Manage potential threats across bridged McAfee ePO servers and store threat data in the cloud, using a single cloud storage location.

Switching between multiple cloud accounts is not supported or recommended, because of a high risk of losing data. We recommend using one cloud account for managing your cloud geolocation and bridged McAfee ePO servers.

• View and investigate potential threats on McAfee ePO servers that you manage.

Active Response 2.1 and earlier do not support environments where two or more McAfee ePO servers have bridged DXL hubs.

See also
• System requirements for Active Response on page 5
• Upgrade clients on page 22
• Bridged and non-bridged McAfee ePO server configuration examples on page 30

Bridged and non-bridged McAfee ePO server configuration examples

Examples of bridged and non-bridged multiple McAfee ePO server environments.

McAfee ePO servers are bridged — A company bridges their USA and Germany McAfee ePO servers on a single DXL fabric to use their TIE database worldwide for consistent hash reputations. In this scenario, they use a single cloud account and single cloud storage geolocation. A warning appears on the Health Status page and Health Status Alert window if they link their bridged McAfee ePO servers to a different cloud account or change their cloud storage geolocation.


McAfee ePO servers are not bridged — A company has not yet bridged their USA and Germany McAfee ePO servers on a single DXL fabric. They want parallel deployments for each geography because of a possible restriction where certain data cannot be shared between countries. The USA and Germany sites each have separate McAfee ePO servers with separate TIE and Active Response servers. They each have different geolocations and use different cloud accounts.

Endpoint roaming is not supported — A company has two non-bridged McAfee ePO servers assigned to different geolocations (USA and Germany). An employee travels to a different company site with her laptop managed by McAfee ePO server A and geolocation USA. When she connects to McAfee ePO server B in Germany, potential threats on her laptop will not appear in the Workspace managed by McAfee ePO server B.
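The constraint behind the Health Status warning in these examples and in the geolocation guidelines above (one geolocation and one cloud account per DXL fabric; non-bridged servers may differ) can be checked before a change is made. This is an added example, not McAfee code; the server records, fabric ids and account names are constructed sample data that mirror the two scenarios.

```python
"""Health Status style check for bridged McAfee ePO servers.

Added example, not McAfee code. Rule encoded: servers bridged on the same
DXL fabric must share one cloud storage geolocation and one cloud account.
A server alone on its fabric is not bridged and is unconstrained.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class EpoServer:
    name: str
    dxl_fabric: str        # servers with the same fabric id are bridged
    geolocation: str       # cloud storage geolocation chosen in the Workspace
    cloud_account: str     # McAfee Cloud bridge account


def bridged_fabric_alerts(servers: List[EpoServer]) -> List[str]:
    """Return one alert per violated constraint; empty when the setup is valid."""
    by_fabric: Dict[str, List[EpoServer]] = defaultdict(list)
    for s in servers:
        by_fabric[s.dxl_fabric].append(s)

    alerts: List[str] = []
    for fabric, members in sorted(by_fabric.items()):
        if len(members) < 2:
            continue   # lone server: not bridged, no constraint applies
        names = ", ".join(sorted(m.name for m in members))
        geos = sorted({m.geolocation for m in members})
        if len(geos) > 1:
            alerts.append(f"fabric {fabric} ({names}): bridged servers use "
                          f"different geolocations {geos}; only one per fabric")
        accounts = sorted({m.cloud_account for m in members})
        if len(accounts) > 1:
            alerts.append(f"fabric {fabric} ({names}): bridged servers are "
                          f"linked to different cloud accounts {accounts}")
    return alerts


# Constructed scenarios mirroring the chapter's examples (hypothetical names).
BRIDGED_OK = [
    EpoServer("epo-usa", "fabric-1", "USA", "acct-corp"),
    EpoServer("epo-de", "fabric-1", "USA", "acct-corp"),
]
BRIDGED_INCONSISTENT = [
    EpoServer("epo-usa", "fabric-1", "USA", "acct-corp"),
    EpoServer("epo-de", "fabric-1", "Germany", "acct-de"),
]
NOT_BRIDGED = [
    EpoServer("epo-usa", "fabric-usa", "USA", "acct-usa"),
    EpoServer("epo-de", "fabric-de", "Germany", "acct-de"),
]

if __name__ == "__main__":
    for label, setup in (("bridged, consistent", BRIDGED_OK),
                         ("bridged, inconsistent", BRIDGED_INCONSISTENT),
                         ("not bridged", NOT_BRIDGED)):
        found = bridged_fabric_alerts(setup)
        print(f"{label}: {'OK' if not found else ''}")
        for line in found:
            print("  ALERT:", line)
```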

See also
• Changing the cloud storage geolocation on page 29
• Configuring multiple McAfee ePO servers on page 30


5 Troubleshooting Active Response

Roll back content rules

The last update of Trace rules can be rolled back to a previous version by creating a client task.

Two product properties are associated with the endpoint rules content rollback.

• Blacklisted Rules Version — The version that is not applied when upgraded.

• Rules Version — The current version of the client.

View the properties, then create a task to roll back the rule.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Client Task Catalog.

3 Under Client Task Types, locate and select Active Response 2.2.0.

4 Select Roll Back Dat Rules.

5 Click New Task and click OK.

6 Type in a name for the task.

7 In the Roll Back Rules text box, enter the version number of the rules you want to remove or block. When you run this task, a new blocked version is sent to the client and if one of them is already applied, the version automatically rolls back to the previously installed update.

You can only roll back one rules version.

8 Click Save.

9 Select Menu | Policy | Client Task Assignments to assign this new task to all applicable endpoints.

10 Verify the completion of the rollback in the Threat Events logs to see the status.

Reuse this client task to roll back subsequent rules updates. In the Roll Back Rules text box, comma-separate the previous version number from the new version number to blacklist.

See also Upgrade Trace rules content package on page 24
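The task itself is created in the ePO console as described in the steps above; what can be automated is the part that follows: locating the rollback task and running it against the affected systems through the ePO web API. The script below is an added example and is not McAfee's code. It assumes, since the guide does not say so, that the web API is reachable under https://<epo>:8443/remote/ with HTTP Basic authentication, that clienttask.find and clienttask.run are called with ':output=json', and that the JSON field names objectName, productId and objectId match your ePO version (check with core.help if they do not). The sample responses, product ID and object IDs are constructed placeholders, not captured from a real server.

```python
"""Run an existing Active Response rules-rollback client task via the ePO web API.

Added example, not McAfee's code.  The 'Roll Back Dat Rules' task is still
created in the ePO console; this script only finds it by name and runs it on
named systems, refusing to act if the task name is ambiguous.
"""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlencode


def decode_epo_response(body):
    """ePO prefixes a successful remote call with 'OK:' followed by the payload;
    anything else (typically 'Error ...') is treated as a failure."""
    if body.startswith("OK:"):
        return json.loads(body[3:].strip())
    raise RuntimeError("ePO call failed: " + body.strip())


def https_transport(base_url, user, password, cafile=None):
    """Return call(command, params) -> raw response body, over TLS with Basic auth.
    Certificate verification stays on: pass cafile for a private CA instead of
    disabling checks, because the admin credentials travel in every request."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

    def call(command, params):
        # ':output=json' is an assumed ePO option; the remote path is assumed too.
        data = urlencode(dict(params, **{":output": "json"})).encode()
        req = urllib.request.Request(base_url.rstrip("/") + "/remote/" + command, data=data)
        req.add_header("Authorization", "Basic " + token)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read().decode("utf-8")
    return call


def find_task(call, task_name):
    """Locate a client task by exact name; returns (productId, objectId).
    Exactly one match is required so the rollback is never sent via the wrong task."""
    tasks = decode_epo_response(call("clienttask.find", {"searchText": task_name}))
    hits = [t for t in tasks if t.get("objectName") == task_name]
    if len(hits) != 1:
        raise LookupError("expected exactly one task named %r, found %d" % (task_name, len(hits)))
    return hits[0]["productId"], hits[0]["objectId"]


def run_rollback(call, task_name, system_names):
    """Run the rollback task now on the given System Tree names
    (clienttask.run takes them as one comma-separated 'names' parameter)."""
    product_id, task_id = find_task(call, task_name)
    body = call("clienttask.run", {"names": ",".join(system_names),
                                   "productId": product_id, "taskId": task_id})
    return decode_epo_response(body)


# Constructed sample responses (not captured from a real ePO server); the
# product ID 'MAR_META' and the object IDs are placeholders.
SAMPLE_RESPONSES = {
    "clienttask.find": 'OK:\n[{"objectName": "MAR rules rollback", "typeName": "Roll Back Dat Rules", '
                       '"productId": "MAR_META", "objectId": 42}, '
                       '{"objectName": "MAR rules rollback (old)", "typeName": "Roll Back Dat Rules", '
                       '"productId": "MAR_META", "objectId": 7}]',
    "clienttask.run": "OK:\ntrue",
}


def sample_call(command, params):
    """Offline stand-in for https_transport() that replays the constructed samples."""
    return SAMPLE_RESPONSES[command]


def demo():
    """Run the sample rollback against two constructed host names."""
    return run_rollback(sample_call, "MAR rules rollback", ["host-a", "host-b"])


if __name__ == "__main__":
    # Against a live server, replace sample_call with
    # https_transport("https://epo.example:8443", "admin", "secret", cafile="epo-ca.pem").
    print(demo())
```

After the run, still confirm the outcome in the Threat Events log as in step 10; a queued task is not a completed rollback, and the Rules Version and Blacklisted Rules Version properties on the endpoint are the final word.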


Index

A
access management, Active Response
    editor role 25
    responder role 25
Active Response
    installation status 17
    policy configuration 26
    upgrade 21
aggregator tags, configuring 28
aggregators, installing 14
authentication, configuring 28

C
client, Active Response 26
cloud bridge
    creating accounts 12
    registering Active Response 12
common core extensions, installing 10
configuration
    access management 25
    client 26
    network ports 7
    services 28
create an Active Response policy 27

D
Data Exchange Layer
    cloud bridge 12
    install the extension 10

E
Endpoint Security extensions
    installation status 17
error messages, Active Response 16

F
File Hashing, enabling 26

H
health status information 17

I
installation requirements, Active Response 5
installation, Active Response 10
    client deployment 14
    common core extensions 10
    content update 23
    enable automatic update 24
    error messages 16
    McAfee ePO Cloud Bridge 12
    proxy server settings 13
    requirements 5
    status on servers and endpoints 17
    TIE server 14
    trace rules update 24
    uninstall clients 15

L
Log files, enabling 26

M
McAfee ePO Cloud Bridge 12

P
permission sets, Active Response, See access management
policy configuration 26
policy, creating 27
ports, Active Response 7
proxy server settings 13

R
roll back version, Active Response
    trace rules rollback 33

S
server, Active Response 21, 28

T
Threat Intelligence Exchange
    install the extension 10
    install the TIE server 14
Threat Workspace
    configuring 28


Trace
    enabling 26

U
upgrade, Active Response 21
    client deployment 22
    extensions 22
    server 21


0-B00