ePolicy Orchestrator Architecture and Concepts Indrajit Majumder

Post on 13-Nov-2014
Page 1: National Insurance Company-MCAFEE

ePolicy Orchestrator Architecture and Concepts

Indrajit Majumder

Page 2: National Insurance Company-MCAFEE

Agenda

Define ePolicy Orchestrator.

McAfee Architecture for NIC.

Repository.

Rogue Sensor System.

Installation, Update and Uninstallation.

User Awareness.

Page 3: National Insurance Company-MCAFEE

What is ePolicy Orchestrator?

ePolicy Orchestrator is a management tool from McAfee that provides centralized anti-virus management, security policy management and policy enforcement.

Usage of ePolicy Orchestrator:

1. Deploy McAfee products.

2. Update the products.

3. Enforce and manage policies.

Page 4: National Insurance Company-MCAFEE

Components

The ePolicy Orchestrator software contains the following components:

1. The ePolicy Orchestrator Server: the management server and the repository for all data collected from the distributed ePolicy Orchestrator agents.

2. The ePolicy Orchestrator Console: a clear, understandable view of all virus activity and status, with the ability to manage and deploy agents and products.

3. The ePolicy Orchestrator Agent: an intelligent link between the ePolicy Orchestrator Server and the anti-virus and security products; it enforces policies and tasks on client computers.

Page 5: National Insurance Company-MCAFEE

Communication Port

The different communication ports used in ePolicy Orchestrator:

Agent-to-server communication port: 80

Console-to-server communication port: 81

Agent wake-up communication port: 8081

Agent broadcast communication port: 8082

Sensor-to-server communication port: 8444

Security Threats HTTP port: 8801

Page 6: National Insurance Company-MCAFEE

MCAFEE ARCHITECTURE FOR NIC

Page 7: National Insurance Company-MCAFEE

REPOSITORY

What is a Repository?

A Repository is a place or folder which contains all virus updates, SuperDAT, patches for all McAfee products, signatures, McAfee default policies, etc.

Components of the Repository:

Source Repository (McAfee Updates.ini sites).

Master Repository (NIC-800000-EPO1, placed in the Head Office).

Distributed Repositories (in the 24 Regional Offices).

Client machines (in all Operating Offices).

Page 8: National Insurance Company-MCAFEE

Source Repository

A Source Repository is the location from which the Master Repository retrieves updates.

Scheduled from 8:00 PM onwards.

http://update.nai.com/Products/CommonUpdater

ftp://ftp.nai.com/CommonUpdater

Page 9: National Insurance Company-MCAFEE

Master Repository

The Master Repository maintains the original copy of the Source Repository.

The Master Repository distributes (PUSHes) all the packages to the Distributed Repositories (scheduled from 5:00 AM to 9:00 AM).

The Master Repository is placed in the Head Office; it is NIC-800000-EPO1.

Page 10: National Insurance Company-MCAFEE

Distributed Repository

The Distributed Repository maintains a duplicate copy of the Master Repository.

The DR PULLs all the packages from the Master Repository.

Client computers retrieve updates from the Distributed Repository.

Page 11: National Insurance Company-MCAFEE

Clients

Clients in the Operating Offices running McAfee Antivirus retrieve updates from their respective Regional Offices.

Scheduled from 11:00 AM to 11:45 AM.

Normally clients download new policies from the ePO Server (NIC-800000-EPO1), and the SDAT from the Distributed Repository.

Page 12: National Insurance Company-MCAFEE

Repository Flow Chart

Page 13: National Insurance Company-MCAFEE

Rogue Sensor System

Rogue system detection means finding unmanaged computers in your network or subnet.

Rogue means "computers which do not have the ePolicy Orchestrator Agent", or a computer that is not managed by an ePO agent but should be.

The Rogue System Detection system helps you to monitor all the systems on your network: not only the ones ePO manages already, but also the rogue systems (systems without an agent).

Rogue System Detection integrates with your ePO Server to provide real-time detection of rogue systems.

A Rogue sensor is placed on each network broadcast segment.

Page 14: National Insurance Company-MCAFEE

Rogue Sensor System (cont.)

In NIC, Rogue Sensors are placed on the Genisys Server of each Operating Office. The sensor detects all the rogue machines in its network and sends a report to the ePO Server (NIC-800000-EPO1) placed in HO.

HOW IT WORKS?

The Sensor is a small Win32 native executable application. We deploy at least one sensor to each broadcast segment. The sensor runs on any NT-based Windows operating system.

To detect systems on the network, the sensor utilizes WinPcap, an open source packet capture library. Using WinPcap, the rogue system detection sensor captures network layer-two broadcast packets sent by computers connected to the same network broadcast segment.

Page 15: National Insurance Company-MCAFEE

Rogue Sensor System (cont.)

The sensor listens for Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), and IP traffic.

The sensor is able to "listen" to the broadcast traffic of that whole part of the network, including rogue computers, printers, routers, switches and all other devices.

The Rogue sensor system gathers information including the DNS name, IP address, MAC address, NetBIOS name, operating system version, and the list of currently logged-in users, and then sends all that information to the ePO Server, NIC-800000-EPO1, placed in HO.

The sensor-to-server communication port is 8444.
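As an added illustration of the sensor's method (this is not code from the slides or from McAfee's sensor), the Python below parses the ARP broadcasts a sensor on one segment would capture and flags any sender MAC that is missing from a list of agent-managed hosts; the frames, MAC addresses and the managed inventory are all constructed. Only the MAC and IP come from the frame itself; the DNS name, NetBIOS name, OS version and logged-in users the slide lists require further queries that are out of scope here.

```python
import struct

ETHERTYPE_ARP = 0x0806

# Constructed inventory: MAC addresses the ePO server already manages (hosts with an agent).
MANAGED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(src_mac: bytes, src_ip: bytes, target_ip: bytes) -> bytes:
    """Construct an Ethernet II broadcast frame carrying an ARP request (test input only)."""
    ether = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, hlen 6, plen 4, request
    return ether + arp + src_mac + src_ip + b"\x00" * 6 + target_ip


def parse_arp_sender(frame: bytes):
    """Return (sender MAC, sender IP) for an Ethernet frame carrying IPv4 ARP, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(frame[22:28]), ".".join(str(b) for b in frame[28:32])


def find_rogues(frames, managed):
    """Map each unmanaged sender MAC seen in the captured frames to its last sender IP."""
    seen = {}
    for frame in frames:
        parsed = parse_arp_sender(frame)
        if parsed is not None:
            seen[parsed[0]] = parsed[1]
    return {mac: ip for mac, ip in seen.items() if mac not in managed}


# Constructed capture: two managed hosts, one unknown host, and one non-ARP (IPv4) frame.
SAMPLE_FRAMES = [
    build_arp_request(bytes.fromhex("001122334455"), bytes([10, 80, 1, 10]), bytes([10, 80, 1, 1])),
    build_arp_request(bytes.fromhex("001122334466"), bytes([10, 80, 1, 11]), bytes([10, 80, 1, 1])),
    build_arp_request(bytes.fromhex("0a1b2c3d4e5f"), bytes([10, 80, 1, 77]), bytes([10, 80, 1, 1])),
    b"\xff" * 6 + bytes.fromhex("0a1b2c3d4e5f") + b"\x08\x00" + b"\x00" * 28,  # ignored
]


def sample_rogues():
    return find_rogues(SAMPLE_FRAMES, MANAGED_MACS)


if __name__ == "__main__":
    for mac, ip in sample_rogues().items():
        print(f"rogue candidate {mac} at {ip}: no ePO agent in inventory")
```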

Page 16: National Insurance Company-MCAFEE

Rogue Sensor System (cont.)

Page 17: National Insurance Company-MCAFEE

Rogue Sensor System (cont.)

Page 18: National Insurance Company-MCAFEE

Rogue Sensor System (cont.)

Page 19: National Insurance Company-MCAFEE

Rogue Sensor System (cont.)

Page 20: National Insurance Company-MCAFEE

INSTALLATION

Installation of the ePO Agent (FramePkg.exe).

Installation of VirusScan Enterprise (setupvse.exe).

Update of the ePO Agent and VirusScan Enterprise.

Distributed Repository selection.

Uninstallation.

Page 21: National Insurance Company-MCAFEE

ePO Agent Installation

All these files are available in the McAfee package. First we have to install the ePO agent, then we will install McAfee VirusScan Enterprise.

The McAfee Package is present at ftp://10.80.0.25/domainjoin/McAfee Package.

For installation of the ePO agent, double click on "FramePkg.exe".

Page 22: National Insurance Company-MCAFEE

ePO Agent Installation

It will start the installation.

After the ePO agent installation is complete it shows the message "Setup completed successfully". Press OK.

Page 23: National Insurance Company-MCAFEE

VirusScan Enterprise Installation

Double click on "Setupvse.exe".

The first screen that comes up is the McAfee VirusScan Enterprise Setup.

Click "NEXT".

Page 24: National Insurance Company-MCAFEE

VirusScan Enterprise Installation

In the License expiry type, we need to select "Perpetual".

Then select the country where it was purchased and is used. We need to select "United States {default for use in US}".

Select "I accept the terms in the License agreement". Click OK.

Page 25: National Insurance Company-MCAFEE

VirusScan Enterprise Installation

Select "Typical". Click NEXT.

Click "Install". Then it starts the installation.

Page 26: National Insurance Company-MCAFEE

VirusScan Enterprise Installation

Deselect "Update Now" and "Run On-Demand Scan".

The installation is complete now. Press YES.

Page 27: National Insurance Company-MCAFEE

VirusScan Enterprise Installation

After we restart the machine the following logo will come up.

First check for the VirusScan Enterprise symbol in the right-hand corner of the Desktop. That means VirusScan is installed successfully.

Page 28: National Insurance Company-MCAFEE

Update of ePO Agent

If the ePO agent symbol does not appear in the right-hand corner of the Desktop, do the following steps.

Go to: Start > Run > cmd.

Type the complete path to enforce policies: C:\Program Files\Network Associates\Common Framework> cmdagent /P /E /C

Page 29: National Insurance Company-MCAFEE

Distributed Repository selection.

Right click on the VirusScan Enterprise symbol and select "VirusScan Console".

Go to: Tools > Edit AutoUpdate Repository List.

Page 30: National Insurance Company-MCAFEE

Distributed Repository selection.

If we are installing this package for the CRO-1 Operating Office, then select CRO-1 and deselect all other repositories.

Then click Move Up.

Click OK.

Page 31: National Insurance Company-MCAFEE

Update of VirusScan Enterprise

Right click on the VirusScan Enterprise symbol.

Click Update Now.

Then you can see VirusScan Enterprise take its update from CRO-1.

Page 32: National Insurance Company-MCAFEE

Update of ePO Agent

Again, right click on the ePO agent symbol.

Click Update Now.

Then you can see the ePO agent take its update from CRO-1.

Page 33: National Insurance Company-MCAFEE

Update of ePO Agent

Right click on the ePO agent symbol.

Click Status Monitor.

Finally click on Collect and Send Properties.

Then the client collects all updates automatically from the server.

Page 34: National Insurance Company-MCAFEE

Uninstallation of ePO agent

Go to: Start > Run > cmd.

Type the complete path to uninstall the ePO agent: C:\Program Files\Network Associates\Common Framework> frminst.exe /remove=agent

Page 35: National Insurance Company-MCAFEE

Uninstallation of ePO agent

Click OK. Uninstallation is complete.

To uninstall VirusScan Enterprise, click Remove in Control Panel > Add/Remove Programs.

Page 36: National Insurance Company-MCAFEE

USER AWARENESS

The ePO Agent and VirusScan Enterprise symbols must be shown in the Task bar.

On-Access Scan must be enabled.

The SuperDAT of McAfee VirusScan Enterprise must be updated. Users can check the latest version of the SuperDAT from ftp://10.80.0.25/domain join/McAfee-Package or http://10.X.0.3/epo/Current/VSCANDAT1000/DAT/0000/dat (where X = Regional Office code).

The ePO Agent on client machines must communicate with NIC-800000-EPO1 (the main server) properly. At least once a day, click on "Collect and Send Properties" in the ePO Agent.

The ePO Agent and VirusScan Enterprise must be taking updates from their respective Regional Office only.

Users should scan their computer completely at least once a week.