
Post on 20-May-2020


McAfee Endpoint Security 10.0 Test Scenario Feedback

Participant Information

Full Name

Title

E-Mail

Work Phone

Overview

Thank you for participating in our McAfee Endpoint Security Beta program. Please perform the following tasks and note and report any questions, comments, suggestions, or complaints on this form.

Goals

The McAfee Engineering team would also like to make sure that the key features of the system are discoverable, so for some tasks we will not give you complete instructions. Please record any confusion or discoverability problems that you have with any of the tasks.

Exploration

After completing a set of scenarios, we encourage you to explore the feature more fully. Several blank scenario forms are provided throughout this evaluation document. These forms are for you to capture additional scenarios users might perform with the new product.

Confidential Page 1 of 48


Task / Use Case

#1 Product Deployment using McAfee ePO On-Premise EASI Package

Task Goal

Deploy McAfee Endpoint Security from McAfee ePO and confirm that the deployment is successful.

Scenario

You have just registered for the Beta program and want to install McAfee Endpoint Security Beta in your test environment.

Prerequisites:

1. Unzip the McAfee_Endpoint_Security_v10_EASI_BETA2.zip.

2. Double-click the EASI.exe file and follow the on-screen directions.

3. After the installation is complete, follow these steps to ensure that your McAfee ePO server is pulling AMCore Content Updates from betaupdate.mcafee.com (required for Beta):
   a. Double-click the Launch McAfee ePolicy Orchestrator 5.1.1. Console icon on your desktop.
   b. Log on using the credentials provided in step 2, then select Menu | Configuration | Server Settings.
   c. Select Source Sites, then click Edit | Add Source Site.
   d. Enter AMCore Content as the Repository Name, then Type: | HTTP and click Next.
   e. In the Server name (URL:) field, ensure that DNS Name is selected as the default and enter betaupdate.mcafee.com, with default port 80, and click Next.
   f. Continue clicking Next until the last screen, then click Save.
   g. Click Enable Fallback, and click Save.
   h. Select Menu | Automation | Server Tasks.
   i. Select Update Master Repository task and click Edit.
   j. Click Next to navigate to the Action tab, then click the + button.
   k. In the New Action section, select Repository Pull.
   l. Select the Source site as AMCoreContent.
   m. Click on Select Packages and select “AMCore Content Package” and “Endpoint Security Exploit Prevention Content”, then click on OK and Save.
   n. Select Update Master Repository task and click Run.

Task Detailed Steps

Start time: __________

1. Log in to the newly installed ePO 5.1.1 server and navigate to the “Getting Started with ePolicy Orchestrator” dashboard.

2. In the Product Deployment monitor, click Start Deployment, select all modules, then click Deploy to create an installation URL.

3. Copy the installation URL and transfer it to the specific client machine where you would like to deploy the McAfee Endpoint Security Client. On that client machine, open the URL in a browser window. Note: There is a known issue with the IE 8 browser wherein the URL installation will fail.


4. When the installation starts on the client machine, note that the McAfee Agent is installed first, followed by the McAfee Endpoint Security Client with all the modules. Once the McAfee Agent installation completes, you should see a McAfee shield icon in the system tray. Right-click this icon and select McAfee Agent Status Monitor. This brings up the McAfee Agent Monitor, where you can see additional details on what is being downloaded and installed on the client machine.

5. Verify modules installed successfully. You can do this by opening the Windows Control Panel and checking for the module names in the Uninstall programs listing.

6. Verify content is updated. Open the McAfee Endpoint Security user interface, click the options pull-down menu in the upper right corner, and select About. Note the AMCore content version. If the version is 0.5, then the content has not been updated.

7. From McAfee ePO, view Dashboards, then select Endpoint Security: Installation Status.

8. View the content status in ePO by selecting Dashboards | Endpoint Security: Content Status dashboard.

Finish time: __________

Questions

1. Was the deployment successful? If not, why?

2. How would you rate the ease of deployment?

☐ Excellent ☐ Very good ☐ Good ☐ Fair ☐ Poor

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


#2 Upgrade from VSE using McAfee ePO On-Premise

Task Goal

Deploy the McAfee Endpoint Security Beta Refresh build from McAfee ePO on a client where McAfee Virus Scan Enterprise is already installed and confirm that the deployment is successful.

Scenario

Upgrade McAfee Virus Scan Enterprise to the McAfee Endpoint Security Beta Refresh build.

Prerequisites:

Before proceeding with the upgrade from McAfee Virus Scan Enterprise to the McAfee Endpoint Security Beta Refresh build, please make sure that McAfee Agent 5.0 has been deployed to the client.

Task Detailed Steps

Start time: __________

1. Copy the installation URL that was created in Task 1 (above) and transfer it to the specific client machine that is running VSE. On that client machine, open the URL in a browser window. Note: There is a known issue with the IE 8 browser wherein the URL installation will fail.

2. When the installation starts on the client machine, note that the McAfee Agent is installed first, followed by the McAfee Endpoint Security Client with all the modules. Once the McAfee Agent installation completes, you should see a McAfee shield icon in the system tray. Right-click this icon and select McAfee Agent Status Monitor. This brings up the McAfee Agent Monitor, where you can see additional details on what is being downloaded and installed on the client machine.

3. VSE will be uninstalled and McAfee Endpoint Security will be installed.

4. Verify modules installed successfully. You can do this by opening the Windows Control Panel and checking for the module names in the Uninstall programs listing.

5. Verify content is updated. Open the McAfee Endpoint Security user interface, click the options pull-down menu in the upper right corner, and select About. Note the AMCore content version. If the version is 0.5, then the content has not been updated.

6. From McAfee ePO, view Dashboards, then select Endpoint Security: Installation Status.

7. View the content status in ePO by selecting Dashboards | Endpoint Security: Content Status dashboard.

Finish time: __________

Questions

1. Was the deployment successful? If not, why?

2. How would you rate the ease of deployment?

☐ Excellent ☐ Very good ☐ Good ☐ Fair ☐ Poor


Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments

#3 Upgrade from SAE using McAfee ePO On-Premise

Task Goal

Deploy the McAfee Endpoint Security Beta Refresh build from McAfee ePO on a client where McAfee Site Advisor Enterprise is already installed and confirm that the deployment is successful.

Scenario

Upgrade McAfee Site Advisor Enterprise to the McAfee Endpoint Security Beta Refresh build.

Prerequisites:

Before proceeding with the upgrade from McAfee Site Advisor to the McAfee Endpoint Security Beta Refresh build, please make sure that McAfee Agent 5.0 has been deployed to the client.

Task Detailed Steps

Start time: __________

1. Copy the installation URL that was created in Task 1 (above) and transfer it to the specific client machine that is running SAE. On that client machine, open the URL in a browser window. Note: There is a known issue with the IE 8 browser wherein the URL installation will fail.

2. When the installation starts on the client machine, note that the McAfee Agent is installed first, followed by the McAfee Endpoint Security Client with all the modules. Once the McAfee Agent installation completes, you should see a McAfee shield icon in the system tray. Right-click this icon and select McAfee Agent Status Monitor. This brings up the McAfee Agent Monitor, where you can see additional details on what is being downloaded and installed on the client machine.

3. SAE will be uninstalled and McAfee Endpoint Security will be installed.

4. Verify modules installed successfully. You can do this by opening the Windows Control Panel and checking for the module names in the Uninstall programs listing.

5. Verify content is updated. Open the McAfee Endpoint Security user interface, click the options pull-down menu in the upper right corner, and select About. Note the AMCore content version. If the version is 0.5, then the content has not been updated.

6. From McAfee ePO, view Dashboards, then select Endpoint Security: Installation Status.


7. View the content status in ePO by selecting Dashboards | Endpoint Security: Content Status dashboard.

Finish time: __________

Questions

1. Was the deployment successful? If not, why?

2. How would you rate the ease of deployment?

☐ Excellent ☐ Very good ☐ Good ☐ Fair ☐ Poor

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments

#4 Upgrade from HIPS using McAfee ePO On-Premise

Task Goal

Deploy the McAfee Endpoint Security Beta Refresh build from McAfee ePO on a client where Host Intrusion Prevention is already installed.

Scenario

Installation of McAfee Endpoint Security will bail out on a system where the Host Intrusion Prevention product is installed.

Prerequisites:

Before proceeding with the upgrade from McAfee Host Intrusion Prevention to the McAfee Endpoint Security Beta Refresh build, please make sure that McAfee Agent 5.0 has been deployed to the client.

Task Detailed Steps

Start time: __________

1. Copy the installation URL that was created in Task 1 (above) and transfer it to the specific client machine that is running HIPS. On that client machine, open the URL in a browser window. Note: There is a known issue with the IE 8 browser wherein the URL installation will fail.


2. Installation of McAfee Endpoint Security will bail out as HIPS is installed on the system

Finish time: __________

Questions

1. Was the scenario successful as expected? If not, why?

2. How would you rate the ease of deployment?

☐ Excellent ☐ Very good ☐ Good ☐ Fair ☐ Poor

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments

#5 McAfee Endpoint Security installation on Competitor product using ePO On Prem

Task Goal

Deploy the McAfee Endpoint Security Beta Refresh build from McAfee ePO on a client where a Competitor Product is installed.

Scenario

Installation of McAfee Endpoint Security removes the Competitor product and proceeds with the installation of McAfee Endpoint Security.

Task Detailed Steps

Start time: __________

1. Copy the installation URL that was created in Task 1 (above) and transfer it to the specific client machine that is running the competitor product. On that client machine, open the URL in a browser window. Note: There is a known issue with the IE 8 browser wherein the URL installation will fail.

2. When the installation starts on the client machine, note that the McAfee Agent is installed first, followed by the McAfee Endpoint Security Client with all the modules. Once the McAfee Agent installation completes, you should see a McAfee shield icon in the system tray. Right-click this icon and select McAfee Agent Status Monitor. This brings up the McAfee Agent Monitor, where you can see additional details on what is being downloaded and installed on the client machine.

3. The Competitor Product will be uninstalled and a Reboot prompt will be displayed.

4. Click Reboot now and the system will be restarted.

5. After the system restart, the deployment task will be started automatically and McAfee Endpoint Security will be installed.

6. Verify modules installed successfully. You can do this by opening the Windows Control Panel and checking for the module names in the Uninstall programs listing.

7. Verify content is updated. Open the McAfee Endpoint Security user interface, click the options pull-down menu in the upper right corner, and select About. Note the AMCore content version. If the version is 0.5, then the content has not been updated.

8. From McAfee ePO, view Dashboards, then select Endpoint Security: Installation Status.

9. View the content status in ePO by selecting Dashboards | Endpoint Security: Content Status dashboard.

Finish time: __________

Questions

1. Was the deployment successful? If not, why?

2. How would you rate the ease of deployment?

☐ Excellent ☐ Very good ☐ Good ☐ Fair ☐ Poor

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Task / Use Case

#6 Change Client Interface Mode from McAfee ePO

Task Goal

Modify the default client interface mode using McAfee ePO.

Task Detailed Steps

Start time: __________

1. From McAfee ePO, configure and assign the Common policy.
   a. From the Policy Catalog, view the Common product.
   b. Create a copy of the McAfee Default instance of the Options policy named “My Options” and open it.
   c. Change the Client Interface Mode to Lock Client Interface, set the password to “McAfee”, then save the policy.
   d. From the System Tree, click the Assigned Policies tab. Click Edit Assignment for Common and select My Options for Assigned policy, then click Save.

2. On the client system, verify the interface mode:
   a. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies. Installation tasks should start.
   b. From the Start menu, select McAfee Endpoint Security.
   c. At the prompt, enter the password set in the My Options policy and click Log On to open Endpoint Security Client. Close the client.

3. From McAfee ePO, modify the My Options policy to change the Client Interface Mode to Full Access, then save the policy.

4. On the client system, verify the interface mode:
   a. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies. Installation tasks should start.
   b. From the Start menu, select McAfee Endpoint Security. The Endpoint Security Client opens without requiring a password.

Finish time: __________

Questions

1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. Do you have any suggestions to improve the client interface mode dialog?
4. Any suggestions to improve the client interface mode workflow?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments

Task / Use Case

#7 Right-Click Scan

Task Goal

The client user can initiate an On-Demand Scan by right-clicking one or more folders or files. The administrator can define the behavior of this scan.

Scenario

A user is suspicious of a file and wants to run a scan immediately.

Task Detailed Steps

Start time: __________

1. In McAfee ePO, configure and assign the policy for Right-Click Scan:


   a. From the Policy Catalog, view the Threat Prevention product and display all categories.
   b. Create a copy of the McAfee Default instance of the On-Demand Scan policy named “Custom ODS” and open it.
   c. Click the Right-Click Scan tab, customize the settings, and then save the policy.
   d. From the System Tree, click the Assigned Policies tab.
   e. Click Edit Assignment for On-Demand Scan and select Custom ODS for Assigned policy, then click Save.
   f. Schedule an Update task from McAfee ePO (or select Update Now from the client interface).
   g. From the McAfee Agent Monitor on the client, click Collect and Send Props.
   h. From McAfee ePO, view the content status by selecting Dashboards | Endpoint Security: Content Status dashboard.

2. On the client system:
   a. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies.
   b. Open the Endpoint Security Client, select Settings from the drop-down menu, and disable the On-Access Scan feature of Threat Prevention.
   c. Copy a test sample into a folder.
   d. Right-click the folder and select Scan for threats from the context menu.
   e. In the McAfee Agent Monitor, click Send Events.

3. From McAfee ePO:
   a. View the threat events by selecting Dashboards | Endpoint Security: Threat Events Origins dashboard.
   b. Drill down into the chart to view details.

Finish time: __________

Questions

1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of policy creation (scale of 1-5)?
4. How would you rate the clarity and communication of the sample detection?
5. After the detection, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#8 Defer an On-Demand Scan

Task Goal

The user is able to defer an on-demand scan.

Scenario

A user is working on a system when an on-demand scan starts and wants to defer it.

Task Detailed Steps

Start time: __________

1. In McAfee ePO:
   a. From the Client Task Catalog, under Endpoint Security Threat Prevention, click Custom On-Demand Scan.
   b. Click New Task, then OK.
   c. In the Performance section:
      i. Select Scan Anytime.
      ii. Check User can defer scans.
      iii. Enter a custom user message.
   d. Save the task, click Assign, select the group containing your systems, then click OK.
   e. Confirm the Product is Threat Prevention, the task type is Custom On-Demand Scan, and your custom task is selected, then click Next.
   f. On the Schedule page, select Schedule Type “Run Immediately”, then click Save.

2. On the client system:
   a. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies.
   b. When the prompt appears, select Defer.

Finish time: __________

Questions

1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of policy creation (scale of 1-5)?
4. How would you rate the clarity and communication of the Client interface?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#9 Scan when a system is idle (Zero Impact On-Demand Scanning)

Task Goal

On-Demand Scans pause automatically when a user is using the system.

Scenario

An administrator wants a system to be scanned but does not want to impact the end user.

Task Detailed Steps

Start time: __________

1. At ePO, in the assigned On-Demand Scan policy, under Quick Scan, Scheduled Scan Options, select "Scan only when the user is idle", make sure "User can resume paused scans" is enabled, and save the policy.

2. On the client test system, open the McAfee Agent Status Monitor and click “Check new policies”

3. On the client test system, open the client UI and click Scan System (but do not click Scan Now)

4. In the ePO System Tree, select the client test system, then click Actions > Agent > Run Client Task Now

5. On the Run Client Task Now screen, select Endpoint Security Threat Prevention 10.0 > Policy Based On-Demand Scan > On-Demand Scan - Quick Scan, and then click Run Task Now

6. On the test system, make some mouse clicks and access a file, and note in the Client UI scan window that the Quick Scan gets auto-paused, since the test system is not idle.

7. Click View Scan, and then click Resume Scan. The scan is now no longer considered to be a "scan on idle", since it was explicitly resumed by the user; it will run to completion regardless of the idle state.

8. Click the “Pause” button. The scan is now considered a scan on idle again. Note that the scan again becomes auto-paused, since the user is not idle.

9. Examine \Programdata\McAfee\Endpoint Security\Logs\OnDemandScan_Activity.log and note that clicking Pause resulted in an auto-pause.

10. Leave the system idle, and wait for the Quick Scan to complete

11. Note any questions, issues or comments you have about the scan on idle, auto-pause and resume features.

Finish time: __________

Questions


1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of policy creation (scale of 1-5)?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#10 Run an On-Access Scan with exclusions

Task Goal

Successfully detect an EICAR test sample in one folder and not in another.

Scenario

Some users need to exclude certain types of files or certain locations from scanning.

Task Detailed Steps

Start time: __________

1. In McAfee ePO, configure and assign the policy for On-Access Scan:
   a. From the Policy Catalog, view the Threat Prevention product and display all categories.
   b. Create a copy of the McAfee Default instance of the On-Access Scan policy named “Custom OAS” and open it.
   c. Click the Show Advanced button.
   d. Add an exclusion for c:\unprotected and save the policy.
   e. From the System Tree, select the group, then click the Assigned Policies tab.
   f. Select the Threat Prevention product. Click Edit Assignment for On-Access Scan and select “Custom OAS” for Assigned policy, then click Save.
   g. From the McAfee Agent Monitor on the client, click Collect and Send Props.

2. On the client system:
   a. Create two folders on a test client: C:\protected and C:\unprotected.
   b. Disable OAS. You might also need to disable your browser’s security features.
   c. Download an EICAR sample from http://www.amtso.org/feature-settings-check-download-of-malware.html.
   d. Make a copy of the file in the two test folders.
   e. Enable OAS.
   f. Double click the file in each test folder.
   g. Verify that Endpoint Security displays the detection for the protected folder, but not the unprotected one.
   h. Open the Endpoint Security Client.
   i. Click on Event Log to see detailed information about the detection. Use the Event Log Search or Filter functionality to narrow down to the specific event if needed.
   j. From the McAfee Agent Monitor on the client, click Send Events.

3. From McAfee ePO, view the threat events by selecting the Dashboards | Endpoint Security: Threat Events Origins dashboard.

Finish time: __________

Questions

1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of policy creation (scale of 1-5)?
4. How would you rate the clarity and communication of the sample detection?
5. After the detection, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments
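The client-side check in step 2 of Task #10, scripted as an added example that is not part of the McAfee document. It assumes the Custom OAS policy with the c:\unprotected exclusion has already reached the client, that On-Access Scan is enabled when the script runs, and that a detection denies or removes the file within a few seconds; the function name, file name and wait time are hypothetical.

```powershell
# Added example (not from the original document): writes the standard EICAR
# test string into the protected and the excluded folder and reports whether
# On-Access Scan reacted in each one.
# Assumptions: OAS is enabled, the exclusion for c:\unprotected is in effect,
# and a detection blocks or removes the file within $WaitSeconds.

function Test-OasExclusion {
    [CmdletBinding()]
    param(
        [string]$ProtectedDir   = 'C:\protected',
        [string]$UnprotectedDir = 'C:\unprotected',
        [int]$WaitSeconds       = 5
    )

    # Standard 68-byte EICAR test string, kept in two halves so that this
    # script file is not itself flagged when it is saved to disk.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' +
             'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    $cases = @(
        @{ Dir = $ProtectedDir;   Expected = 'Detected' },
        @{ Dir = $UnprotectedDir; Expected = 'Allowed'  }
    )

    foreach ($case in $cases) {
        # Folder creation is outside the try block: a failure here is a setup
        # problem, not a detection, and should stop the run.
        New-Item -ItemType Directory -Path $case.Dir -Force -ErrorAction Stop | Out-Null
        $path     = Join-Path $case.Dir 'eicar_test.com'
        $observed = 'Allowed'
        $detail   = 'file written and read back intact'

        try {
            [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
            Start-Sleep -Seconds $WaitSeconds

            if (-not (Test-Path -LiteralPath $path)) {
                $observed = 'Detected'
                $detail   = 'file removed after write'
            }
            else {
                # Reading the file triggers an on-access check on read.
                $bytes = [System.IO.File]::ReadAllBytes($path)
                if ($bytes.Length -ne $eicar.Length) {
                    $observed = 'Detected'
                    $detail   = "content altered ($($bytes.Length) bytes)"
                }
            }
        }
        catch {
            # Any I/O denial is treated as a detection here; confirm it against
            # the Event Log in the Endpoint Security Client (step 2i).
            $observed = 'Detected'
            $detail   = $_.Exception.Message
        }

        [pscustomobject]@{
            Folder   = $case.Dir
            Expected = $case.Expected
            Observed = $observed
            Pass     = ($observed -eq $case.Expected)
            Detail   = $detail
        }

        # Remove the sample if it survived, so it is not left on the client.
        Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    }
}

Test-OasExclusion | Format-Table -AutoSize -Wrap
```

A row with Pass = False for C:\unprotected means the exclusion has not taken effect; Pass = False for C:\protected means On-Access Scan did not react to the sample.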


Task / Use Case

#11 Access Protection

Task Goal

Report on modification of system files, and globally disable and enable Access Protection.

Scenario

Using Access Protection.

Task Detailed Steps

Start time: __________

Note: You might need to disable the Endpoint Security Firewall or Windows Firewall to accomplish this task.

1. On the ePO server, edit the assigned Access Protection policy:
   a. Click ‘Show Advanced’.
   b. Enable Report (but not Block) for the rule named ‘Remotely accessing local files or folders’.
   c. Save the policy.
   d. From the McAfee Agent Status Monitor on the client test system, click ‘check new policies’.

2. Using Windows Explorer on a remote system, access the system drive of the test system with UNC (\\<test system's IP address>\c$).

3. Create a text file on the system drive of the client system using this remote connection.

4. Open the Endpoint Security Client.

5. Click on Event Log to locate the newly generated Access Protection (AP) event, with event ID 1095 and Threat name ‘Remotely accessing local files or folders’. Use the Event Log Search or Filter functionality to narrow down to the specific event if needed. Examine the event details and note any issues or questions.

6. Navigate to \ProgramData\McAfee\Endpoint\Logs\, and open AccessProtection_Activity.log. Examine the activity log entries and note any issues or questions.

7. From the McAfee Agent Monitor on the client, click Send Events.

8. From McAfee ePO, view detection information:
   a. Select Dashboards | Endpoint Security: Threat Events Origins and Endpoint Security: Threat Behavior. Drill into the monitors.
   b. View the Threat Event Log. Find the newly generated Access Protection (AP) event, with event ID 1095 and Threat name ‘Remotely accessing local files or folders’. Examine the event details and note any issues or questions.

Disable Access Protection globally:

1. From McAfee ePO, configure and assign the Access Protection policy.
   a. From the Policy Catalog, view the Threat Prevention product.
   b. Create a copy of the McAfee Default instance of the Access Protection policy named “Custom Access Protection” and open it.
   c. Deselect Enable Access Protection, then save the policy.
   d. From the System Tree, click the Assigned Policies tab.
   e. Click Edit Assignment for Access Protection and select Custom Access Protection for Assigned policy, then click Save.

2. On the client system:
   a. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies.
   b. Create a text file on the system drive of the client system using the remote connection. Note that no new Access Protection violation is reported in Endpoint Security Client, activity log, or McAfee ePO.
   c. Re-enable Access Protection, and make sure the ‘Remotely accessing local files or folders’ rule is set to Report.
   d. Create a text file on the system drive of the client system using the remote connection. Note: A new Access Protection violation is now reported.

Finish time: __________

Questions

1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of policy creation (scale of 1-5)?
4. How would you rate the clarity and communication of the sample detection?
5. After the detection, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#12 Policy based On-Demand Scan

Task Goal

Configure and run a policy-based On-Demand Quick Scan using McAfee ePO.

Scenario

Configuring and running a policy based On-Demand Quick Scan.

Task Detailed Steps

Start time: __________

1. From McAfee ePO, in the assigned On-Access Scan policy, create an exclusion for the pattern C:\quick_ods

2. In the assigned On-Demand Scan policy, navigate to the Quick Scan tab.
3. Set one Scan Location - File or Folder from the drop-down menu, then specify C:\quick_ods.
4. On the client system:

a. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies.

b. Create the folder C:\quick_ods.
c. Place an eicar test virus sample in c:\quick_ods.

Note: This sample should not be detected, because c:\quick_ods was added as an exclusion in the On-Access Scan policy.

5. From McAfee ePO:
a. In the System Tree, select the client system, select Actions | Agent | Modify Tasks on a Single System, then choose Actions | New Client Task Assignment.
b. In Tasks to Schedule, select the following, then click Next:
Product: Endpoint Security Threat Prevention 10.0
Task Type: Policy Based On-Demand Scan
Task Name: On-Demand Scan - Quick Scan for Task
c. In Schedule, for Schedule type, select Run immediately.
d. On the client system, open the McAfee Agent Monitor from the Windows system tray and click Check New Policies.
Note that the eicar is deleted shortly afterward.

6. On the client system:
a. Open the Endpoint Security Client.
b. Click on Event Log to locate the newly generated On-Demand Scan (ODS) event, with event ID 1278 and Task name “Quick Scan”. Use the Event Log Search or Filter functionality to narrow down to the specific event if needed. Examine the event details and note any issues or questions.

c. Navigate to \ProgramData\McAfee\Endpoint\Logs\, and open OnDemandScan_Activity.log. Examine the activity log entries and note any issues or questions.

d. From the McAfee Agent Monitor on the client, click Send Events.


7. From McAfee ePO, view the Threat Event Log. Find the newly generated On-Demand Scan (ODS) event, with event ID 1278 and Task name “Quick Scan”. Examine the event details and note any issues or questions.

Finish time: __________

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of policy creation (scale of 1-5)?
4. How would you rate the clarity and communication of the sample detection?
5. After the detection, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#13 – Exploit Prevention

Task Goal

Leverage Windows Data Execution Prevention (DEP), and configure process-level exclusions using McAfee ePO.

Scenario

Tune Exploit Prevention

Task Detailed Steps

Start time: __________

1. From McAfee ePO, in the assigned Exploit Prevention policy, enable Use Windows Data Execution Prevention.

2. On the client system:
a. Place the sample buffer overflow test tool, ftp.exe, onto the system drive (unzip the tool from the attached ftp.zip file).
b. At the command prompt, type ftp.exe H 5 0 1
Note the test tool crashes. This is expected.
c. Open the Endpoint Security Client.
d. Click on Event Log to locate the newly generated Exploit Prevention event, with event ID 18056 and Threat name “ExP: DEP Heap”. Use the Event Log Search or Filter functionality to narrow down to the specific event if needed. Examine the event details and note any issues or questions.

e. Navigate to \ProgramData\McAfee\Endpoint\Logs\, and open ExploitPrevention_Activity.log. Examine the activity log entries and note any issues or questions.

f. From the McAfee Agent Monitor on the client, click Send Events.

3. From McAfee ePO:

a. View the Threat Event Log. Find the newly generated Exploit Prevention event, with event ID 18056 and Threat name “ExP: DEP Heap”. Examine the event details and note any issues or questions.

b. In the assigned Exploit Prevention policy, add an exclusion for ftp.exe.

4. Run the sample buffer overflow test tool again.
Note that the tool reports FAIL, and that no new Exploit Prevention violation is reported in the client, activity log, or McAfee ePO, because ftp.exe has been excluded from protection.

5. From McAfee ePO, edit the Exploit Prevention policy, remove the exclusion for ftp.exe, and disable Use Windows Data Execution Prevention.

6. Run the test tool again. Type ftp.exe H 5 0 1 at the command prompt.
Note that the test tool reports PASS. This is expected, because Exploit Prevention is enabled, but DEP is not being used.


7. On the client system:
a. Open the Endpoint Security Client.
b. Click on Event Log to locate the newly generated Exploit Prevention event, with event ID 18052 and Threat name “ExP: Heap”. Use the Event Log Search or Filter functionality to narrow down to the specific event if needed. Examine the event details and note any issues or questions.

c. Navigate to \ProgramData\McAfee\Endpoint\Logs\, and open ExploitPrevention_Activity.log. Examine the activity log entries and note any issues or questions.

d. From the McAfee Agent Monitor on the client, click Send Events.

8. From McAfee ePO, view detection information:

a. Select Dashboards | Endpoint Security: Threat Events Origins and Endpoint Security: Threat Behavior. Drill into the monitors.

b. View the Threat Event Log. Find the newly generated Exploit Prevention event, with event ID 18052 and Threat name “ExP: Heap”. Examine the event details and note any issues or questions.

Finish time: __________

Note that if you are testing on a server-based OS, Endpoint Security might report a DEP violation even if the DEP integration feature has been disabled, because the default OS setting is “DEP always on” and Endpoint never explicitly disables DEP for a process.

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#14 Firewall - Location Awareness

Task Goal

Create firewall rules to apply different rules and policies based on the location of the client system.

Scenario

Allowing traffic when network adapter settings match.

Task Detailed Steps

Start time: __________

1. In McAfee ePO, create a copy of the McAfee Default instance of the Firewall Rules policy named “Custom Firewall Rules”, and assign it to the client system.

2. Edit the policy.
3. Click New Group, enter a name for the group, then click Next.
4. Select Enabled for Location status and specify a name for the location.
5. Enter one or more valid location criteria (DNS suffix, Default gateway, DHCP server, DNS server, Primary WINS, Secondary WINS) for the client system.
6. Click Summary in the Firewall Group Builder, then click Save.
7. Click New Rule to create a firewall intrusion rule to block port 80.
8. Add the new rule to the newly created group using the following actions:
a. Bring the rule right below the group.
b. Click the ‘>’ control in the group so that it points down (‘V’).
c. Click the rule.
d. Click the Move Up button.
e. The rule should now be in the group.
9. Move the created group above the Allow all outgoing traffic rule.
10. In the System Tree, click Wake Up Agents to enforce the policy on the client system.
11. On the client system, open a browser and try to browse.

Browsing is blocked and intrusion alerts are displayed.

Finish time: __________

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)


Feedback / Comments


Task / Use Case

#15 Firewall – McAfee GTI network reputation

Task Goal

Protect outgoing traffic from malicious networks using McAfee GTI network reputation.

Scenario

Blocking a connection to a high-risk IP address.

Task Detailed Steps

Start time: __________

1. In McAfee ePO, create a copy of the McAfee Default instance of the Firewall Options policy named “Custom Firewall Options”, and assign it to the client system.

2. Edit the policy.
3. Click Show Advanced.
4. Select Send GTI events to ePolicy Orchestrator.
5. Set the Outgoing GTI network-reputation block threshold to High.
6. In the System Tree, click Wake Up Agents to enforce the policy on the client system.
7. On the client system, open a browser and browse to a high-risk IP address or site, such as 46.166.145.113
8. Attempts to browse to sites with a high-risk reputation in the McAfee GTI database should be blocked. An event will be generated.
9. Open the Endpoint Security Client.
10. Click on Event Log to locate the newly generated event with event ID 35002, Threat name ‘GTI Rule – TCP - Out’ and Remote port 80.

Finish time: __________

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#16 Firewall - Adaptive Mode

Task Goal

Allowing traffic not matching any rule and automatic client rule generation for that traffic.

Scenario

Allowing browsing and automatic client rule creation.

Task Detailed Steps

Start time: __________

1. In McAfee ePO, create a copy of the McAfee Default instance of the Firewall Rules policy named “Custom Firewall Rules”, and assign it to the client system.

2. Edit the policy.
3. Disable the ‘Allow all outgoing traffic’ rule.
4. Save the rule and policy.
5. In the System Tree, click Wake Up Agents to enforce the policy on the client system.
6. On the client system, open a browser and browse to http://www.gmail.com. The Gmail site is blocked in the browser.
7. In McAfee ePO, create a copy of the McAfee Default instance of the Firewall Options policy named “Custom Firewall Options”, and assign it to the client system.
8. Edit the policy.
9. Click Show Advanced.
10. Under Tuning Options select Enable Adaptive mode.
11. Click Save.
12. In the System Tree, click Wake Up Agents to enforce the policy on the client system.
13. Open a browser and browse to http://www.gmail.com. The Gmail site opens in the browser.
14. Open McAfee Endpoint Security Client and click the Firewall link.
15. In the Settings page, Rules section, click the icon to expand Adaptive.
16. New Adaptive Rules have been added to the list.

Finish time: __________

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success


☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#17 Firewall - Startup Protection

Task Goal

Protecting the system during startup by allowing only outgoing services until firewall client service has started.

Scenario

Blocking incoming ping when firewall client service has not started.

Task Detailed Steps

Start time: __________

1. In McAfee ePO, create a copy of the McAfee Default instance of the Firewall Rules policy named “Custom Firewall Rules”, and assign it to the client system.

2. Edit the policy.
3. Click New Rule to create a new Allow rule for Either direction.
4. Move the created rule above the “Ping and ICMP” group.
5. Save the policy.
6. Create a copy of the McAfee Default instance of the Common Options policy named “Custom Common Options”, and assign it to the client system.
7. Edit the policy.
8. Deselect Enable Self-Protection.
9. Save the policy.
10. In the System Tree, click Wake Up Agents to enforce the policies on the client system.
11. On the client system, open services.msc and change the mfefwc startup type to Disabled.
12. Initiate a continuous ping from a remote machine to the client machine: ping -t <IP address of client>
13. Observe that the ping from the remote machine is successful.
14. Reboot the system.
After rebooting, the ping request from the remote system times out because mfefwc is not started.

15. Open services.msc and change the startup type of mfefwc service to Automatic and start the service. The ping request from the remote system is successful.

Finish time: __________

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#18 Firewall – DNS Blocking

Task Goal

Blocking IP addresses of domain name servers.

Scenario

Blocking all domains of a web portal.

Task Detailed Steps

Start time: __________

17. In McAfee ePO, create a copy of the McAfee Default instance of the Firewall Options policy named “Custom Firewall Options”, and assign it to the client system.

18. Edit the policy.
19. In the DNS Blocking section click on Add button.
20. Add **pcmag.com** as the domain in dialog pop up and click on Ok button.
21. Save the rule and policy.
22. In the System Tree, click Wake Up Agents to enforce the policy on the client system.
23. On the client system, open a browser and browse to pcmag.com. The site is blocked in the browser.
24. Open the Endpoint Security Client.
25. Click on Event Log to locate the newly generated Blocked Domains event, with event ID 35002 and Threat name ‘Blocked Domains’.

Finish time: __________

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)


Feedback / Comments


Task / Use Case

#19 Firewall – Port blocking

Task Goal

Blocking specific local and remote ports.

Scenario

Blocking port 80.

Task Detailed Steps

Start time: __________

12. In McAfee ePO, create a copy of the McAfee Default instance of the Firewall Rules policy named “Custom Firewall Rules”, and assign it to the client system.

13. Edit the policy.
14. Click New Rule, enter a name ‘TestPort80’ for rule.
15. Change the action to Block.
16. Check the log matching traffic option.
17. In the Transport protocol drop down box, select TCP.
18. In the Remote port drop down box select other and add Port 80 in the edit box below and click on Add button.
19. Save the rule.
20. Move the rule above ‘Allow all outgoing traffic’ rule.
21. Save the policy.
22. In the System Tree, click Wake Up Agents to enforce the policy on the client system.
23. On the client system, open a browser and browse to www.gmail.com. The site is blocked in the browser.
24. Open the Endpoint Security Client.
25. Click on Event Log to locate the newly generated event with event ID 35002, Threat name ‘TestPort80’ and Remote port 80 or 443.
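Why the ‘TestPort80’ rule has to be moved above ‘Allow all outgoing traffic’, and what Adaptive mode changes in scenario #16, can be seen in a small model. This is an added illustration, not McAfee code: it assumes top-down, first-match evaluation with unmatched traffic blocked, and the Rule and Firewall classes and the learned-rule naming are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule; None in a match field means 'any' (assumed model)."""
    name: str
    action: str                       # "allow" or "block"
    direction: str = "out"
    protocol: Optional[str] = None
    remote_port: Optional[int] = None
    enabled: bool = True

    def matches(self, direction: str, protocol: str, remote_port: int) -> bool:
        return (self.enabled
                and self.direction == direction
                and self.protocol in (None, protocol)
                and self.remote_port in (None, remote_port))


@dataclass
class Firewall:
    """Ordered rule list; the first matching rule decides (assumption)."""
    rules: List[Rule]
    adaptive_mode: bool = False
    adaptive_rules: List[Rule] = field(default_factory=list)

    def evaluate(self, direction: str, protocol: str,
                 remote_port: int) -> Tuple[str, str]:
        # Policy rules are consulted first, then any learned client rules.
        for rule in self.rules + self.adaptive_rules:
            if rule.matches(direction, protocol, remote_port):
                return rule.action, rule.name
        if self.adaptive_mode:
            # Nothing matched: allow the traffic and record a client rule for it.
            learned = Rule(f"Adaptive {protocol}/{remote_port}", "allow",
                           direction, protocol, remote_port)
            self.adaptive_rules.append(learned)
            return "allow", learned.name
        return "block", "(no matching rule)"


ALLOW_ALL_OUT = Rule("Allow all outgoing traffic", "allow")
TEST_PORT_80 = Rule("TestPort80", "block", protocol="TCP", remote_port=80)


def port_block_scenario():
    """Scenario #19: the same two rules in both orders."""
    below = Firewall([ALLOW_ALL_OUT, TEST_PORT_80])   # block rule never reached
    above = Firewall([TEST_PORT_80, ALLOW_ALL_OUT])   # block rule wins for TCP/80
    return (below.evaluate("out", "TCP", 80),
            above.evaluate("out", "TCP", 80),
            above.evaluate("out", "UDP", 53))


def adaptive_scenario():
    """Scenario #16: allow-all disabled, then Adaptive mode switched on."""
    fw = Firewall([Rule("Allow all outgoing traffic", "allow", enabled=False)])
    before = fw.evaluate("out", "TCP", 80)
    fw.adaptive_mode = True
    first = fw.evaluate("out", "TCP", 80)    # creates the learned rule
    second = fw.evaluate("out", "TCP", 80)   # now matches the learned rule
    return before, first, second, [r.name for r in fw.adaptive_rules]


if __name__ == "__main__":
    print(port_block_scenario())
    print(adaptive_scenario())
```

In the model, a block rule placed below a broader allow rule never generates an event, which is the symptom to look for if step 25 finds nothing in the Event Log.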

Finish time: __________

Questions
5. How long did it take you to complete this task?
6. Did you deviate from the steps provided? If so, how and why?
7. How would you rate the ease of modifying settings (scale of 1-5)?
8. After the event, do you have the forensic information you need?


Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#20 Web Control - Secure Search

Task Goal

Verify that malicious links are grayed out in Secure Search.

Scenario

Perform a search for a keyword that leads to search results with malicious links and see how Web Control prevents access to those URLs by graying out the links.

Task Detailed Steps

Start time: __________

In McAfee ePO:

1. Navigate to the Policy Catalog, select Endpoint Security Web Control 10.0 as the product.
2. Open the assigned Options policy.
3. Select Enable Secure Search, then click Save.

On the client system:

1. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies.
4. Open a browser (Internet Explorer 7, 8, 9, 10 or Firefox 26, 27).
5. Select Change to McAfee Secure Search (search.yahoo.com) in the popup dialog box (asking for confirmation on a new default search provider) and click OK.
6. Restart the browser. The search box in the browser converts to McAfee Secure Search.
7. Type “screensavers” in the McAfee Secure Search box.
8. Verify that the URLs rated as malicious (red balloon) are grayed out.

Depending on the browser, clicking the link either does not open the page or leads to Web Control block page.

Finish time: __________

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#21 Web Control - File download starting an On-Demand Scan

Task Goal

Web Control initiates an On-Demand Scan when a file is downloaded. The ODS scan alerts and deletes the downloaded file if it is infected.

Scenario

Try to download a test eicar file from eicar website and see how Web Control initiates an ODS scan to detect and delete the infected test eicar file.

Task Detailed Steps

Start time: __________

In McAfee ePO:

1. Navigate to the Policy Catalog, Select “Endpoint Security Threat Prevention 10.0” as the product.

2. Open the assigned On-Demand Scan policy.
3. In the Policy Catalog, select “Endpoint Security Web Control 10.0” as the product.
4. Open the assigned Options policy.
5. In the Action Enforcement section, ensure that Enable file scanning for file downloads is selected.

On the client system:

1. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies.

2. Download eicar.com from the http://www.eicar.org/85-0-Download.html website.

3. Click Save in the file download dialog box. On-Demand Scan sees the downloaded file as infected and deletes it.

4. Click on Event Log to locate the newly generated Threat Prevention: On-Demand Scan event and Task name “Web Control download scanner”. Use the Event Log Search or Filter functionality to narrow down to the specific event if needed. Examine the event details and note any issues or questions.

5. Go to the Downloads folder and verify that the file was deleted.

Finish time: __________

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?


Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#22 Web Control - Links in Outlook emails

Task Goal

Web Control displays email annotations pointing out the malicious links present in Outlook emails.

Scenario

Try to send an email to Outlook containing malicious URLs so that Web Control displays the malicious link present in the email in the annotation.

Task Detailed Steps

Start time: __________

In McAfee ePO:

1. Navigate to the Policy Catalog and select Endpoint Security Web Control 10.0 as the product.

2. Open the assigned Options policy.
3. Click Show Advanced.
4. Ensure that Enable annotations in non browser based email is selected.
5. Click Save to save any policy changes.

On the client system:

1. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies

6. Ensure that Outlook is configured with an email account.
7. Open a browser and send an email to the account configured in Outlook using html format containing the following links in the email body:
www.screensavers.com
http://free-windows-games.com/
http://argeniss.com/research/Churrasco.zip
www.google.com
www.mcafee.com

8. In Outlook, open the email containing the links.
Outlook displays the email annotation: “McAfee Web Control Warning” indicating that the email contains links to malicious sites.
Blocked site: Red cross icon
Warn site: Yellow exclamation icon
File download block: Red icon
Safe URLs (www.google.com and www.mcafee.com) don’t appear in the email annotation.

Finish time: __________

Questions
1. How long did it take you to complete this task?


2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#23 Web Control - Browser Control policy-Block supported browser

Task Goal

Web Control blocks supported browsers when enabled in policy.

Scenario

Try to launch a browser supported by Web Control but configured to block in the policy.

Task Detailed Steps

Start time: __________

In McAfee ePO:

1. Navigate to the Policy Catalog and select Endpoint Security Web Control 10.0 as the product.

2. Open the assigned Browser Control policy.
3. Enable Firefox in ‘Block use of following supported browser’ section.
4. Click Save to save any policy changes.

On the client system:

1. Ensure Firefox is installed on the system.
2. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies.
3. Open the Firefox browser.

The Firefox browser is blocked from launching. Windows returns an error dialog as below:

Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item.

Finish time: __________

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#24 Web Control - Browser Control policy-Block unsupported browser

Task Goal

Web Control blocks browsers enabled in unsupported browsers category.

Scenario

Try to launch a browser not supported by Web Control.

Task Detailed Steps

Start time: __________

In McAfee ePO:

1. Navigate to the Policy Catalog and select Endpoint Security Web Control 10.0 as the product.

2. Open the assigned Browser Control policy.
3. By default, all the unsupported browsers are enabled. Take a note of any unsupported browser you wish to test (e.g. Flock).
4. Quit the policy page.

On the client system:

1. Ensure Flock is installed on the system.
2. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies.
4. Open the Flock browser.

The Flock browser is blocked from launching. Windows returns an error dialog as below:

Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item.

Finish time: __________

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#25 Web Control – Enable or Disable Web Control via policy

Task Goal

Disable Web Control via policy

Scenario

Try to disable Web Control

Task Detailed Steps

Start time: __________

In McAfee ePO:

1. Navigate to the Policy Catalog and select Endpoint Security Web Control 10.0 as the product.

2. Open the assigned Options policy.
3. Uncheck Enable Web Control.
4. Click Save to save any policy changes.

On the client system:

1. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies

2. Open web browser & navigate to http://red.test.csm-testcenter.org
Web Control toolbar color turns silver indicating that Web Control is disabled. The toolbar annotation displays Web Control is disabled message.
Navigation to http://red.test.csm-testcenter.org is allowed.

Note: Re-enable Web Control to continue with further tests.

Finish time: __________

Questions
1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#26 Web Control – Enable Observe mode

Task Goal

Enable Observe mode

Scenario

Try to enable observe mode so that Web Control neither blocks nor warns but monitors the Web Activity.

Task Detailed Steps

Start time: __________

In McAfee ePO:

1. Navigate to the Policy Catalog and select Endpoint Security Web Control 10.0 as the product.

2. Open the assigned Options policy.
3. Select Enable Observe mode in Action Enforcement section.
4. Click Save to save any policy changes.

On the client system:

1. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies

2. Open web browser & navigate to http://red.test.csm-testcenter.org
Web Control toolbar color turns red and the toolbar annotation displays a message “Observe mode is on. Web Control would have blocked this site”.
Navigation to http://red.test.csm-testcenter.org is allowed and no block page is seen.
Endpoint console event log displays an event with action as ‘Observed’.

Finish time: __________

Questions

1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#27 Web Control – Block and Allow list

Task Goal

Configure Block and Allow list

Scenario

Configure a few websites in the Block and Allow list and verify the behavior of Web Control.

Task Detailed Steps

Start time: __________

In McAfee ePO:

1. Navigate to the Policy Catalog and select Endpoint Security Web Control 10.0 as the product.

2. Open the assigned Block and Allow list policy.
3. Add the following URLs to the policy:
   - http://red.test.csm-testcenter.org – set to “Allow”
   - www.twitter.com – set to “Block”
4. Click Save to save any policy changes.

On the client system:

1. Open the McAfee Agent Monitor from the Windows system tray and click Check New Policies.
2. Open a web browser and navigate to http://red.test.csm-testcenter.org
   - The Web Control toolbar color turns white and the toolbar annotation displays the message “Access to this page has been authorized.”
   - Navigation to http://red.test.csm-testcenter.org is allowed and no block page is seen.
   - The Endpoint console event log displays an event with the action ‘Allowed’.
3. Open a web browser and navigate to http://twitter.com
   - The Web Control toolbar color turns black and the toolbar annotation displays the message “Access to this page is prohibited.”
   - Navigation to http://twitter.com is blocked.

Finish time: __________

Questions

1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?


Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#28 Import\Export utility

Task Goal

Configure a standalone client with the same settings as on ePO server

Scenario

Use the ESConfigTool utility to export the configuration from an ePO managed client and use the exported settings file on a standalone client at the time of install.

Task Detailed Steps

Start time: __________

1. To replicate your ePO policy settings for Threat Prevention, Firewall and Web Control on a self-managed client, export the settings from the client using these steps:
   - Open a command prompt and navigate to the product install directory on an ePO managed system.
   - Navigate into the Endpoint Security Platform folder.
   - Run the command “ESConfigTool.exe /export C:\ePOConfig.xml /unlock <Client UI password>”
   - The file C:\ePOConfig.xml now holds the configuration of the ePO managed client system, which can be imported at install time on a Self-Managed system.
2. On a Self-Managed system, run this command at the time of install: EPSetup.exe /Import C:\ePOConfig.xml
3. Now compare the Self-Managed system’s configuration to the configuration of the ePO managed client and verify that they are the same.
4. Also verify that the About Box information contains a “Policy Import” field, which displays the date and time at which the policy import was completed.

Finish time: __________

Questions

1. How long did it take you to complete this task?
2. Did you deviate from the steps provided? If so, how and why?
3. How would you rate the ease of modifying settings (scale of 1-5)?
4. After the event, do you have the forensic information you need?

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)


Feedback / Comments


Task / Use Case

#29 Password Protect Uninstall – using McAfee ePO

Task Goal

The ePO Admin should be exempt from the uninstall password.

Scenario

You have installed McAfee Endpoint Security and need to uninstall it in your test environment.

Task Detailed Steps

Start time: __________

In McAfee ePO:

1. Navigate to the Policy Catalog and select Endpoint Security Common as the product.

2. Open the assigned Options policy.
3. Click Show Advanced.
4. Check the “Require password to uninstall the client” checkbox and provide the uninstall password.
5. Click Save to save any policy changes.

On the client system: the user should not be able to uninstall without providing the uninstall password.

1. Uninstall a module from Control Panel | Add/Remove Programs.
2. The uninstall password prompt should be displayed.

From McAfee ePO: the user should be able to uninstall without providing the uninstall password.

1. From the McAfee ePO System Tree, select the client, then select Assigned Client Tasks, then select Actions | New Client Task Assignment.

2. Select McAfee Agent from Product, and then select Product Deployment.
3. Click Create New Task.
4. Enter the Task Name.
5. Select Endpoint Security Threat Prevention from Product and components, and select Remove from Action.
6. Click + and select Endpoint Security Firewall.
7. Click + and select Endpoint Security Web Control.
8. Click Save, then click Next.
9. For Schedule type, select Run immediately.
10. Click Next, then click Save.
11. Verify the task has been deployed successfully to the client system.
12. From the Control Panel on the client system, verify that the modules were removed successfully.

Finish time: __________

Questions

1. Was the uninstallation successful? If not, why?


2. How would you rate the ease of uninstallation?

☐ Excellent ☐ Very good ☐ Good ☐ Fair ☐ Poor

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments


Task / Use Case

#30 Product Removal – using McAfee ePO

Task Goal

Successfully uninstall Endpoint Security on client systems using a McAfee ePO deployment task.

Scenario

You have installed McAfee Endpoint Security and need to uninstall it in your test environment.

Task Detailed Steps

Start time: __________

1. From the McAfee ePO System Tree, select the client, then select Assigned Client Tasks, then select Actions | New Client Task Assignment.
2. Select McAfee Agent from Product, then select Product Deployment.
3. Click Create New Task.
4. Enter the Task Name.
5. Select Endpoint Security Threat Prevention from Product and components, and select Remove from Action.
6. Click + and select Endpoint Security Firewall.
7. Click + and select Endpoint Security Web Control.
8. Click Save, then click Next.
9. For Schedule type, select Run immediately.
10. Click Next, then click Save.
11. Verify the task has been deployed successfully to the client system.
12. From the Control Panel on the client system, verify that the modules were removed successfully.

Finish time: __________

Questions

1. Was the uninstallation successful? If not, why?

2. How would you rate the ease of uninstallation?

☐ Excellent ☐ Very good ☐ Good ☐ Fair ☐ Poor

Goal Success

☐ Could Not Complete ☐ Completed ☐ Completed with issue (list below)

Feedback / Comments
