McAfee Endpoint Security 10.5: Upgrade Project Planning Guide Page 2
Document Management

Document Revision History

Version   Date           Author(s)                      Version Details
1.0       May 23, 2017   Aaron Yarnal, Bradley Gable    Initial release
Contents

Document Management ... 2
Introduction ... 7
  Audience ... 7
  Methodology ... 7
Plan ... 8
  Identify business applications, administrators and application owners ... 9
  Discuss project and business objectives ... 10
  Discuss security requirements ... 10
  Discuss end user communications ... 10
  Discuss additional planning topics ... 11
  Discuss product features ... 11
  Discuss product feature parity ... 12
    Threat prevention ... 13
    Adaptive Threat Protection ... 13
    Firewall ... 14
    Web Control ... 15
  Discuss supported platforms ... 18
  Discuss supported McAfee agents ... 18
  Discuss integration with other McAfee solutions ... 18
  Discuss conflicts with existing products ... 18
  Discuss the implementation process ... 19
  Identify systems for the initial pilot deployment ... 20
  Discuss McAfee application validation testing ... 21
  Discuss business application testing procedures ... 22
  Discuss performance testing and baseline metrics ... 23
  Discuss current security management practices ... 23
  Discuss change control processes ... 24
  Discuss back out and recovery plans ... 24
  Discuss software updates ... 24
  Discuss signature content testing ... 25
  Discuss GetClean ... 26
  Discuss reporting requirements ... 26
  Review corporate security policies and supporting documentation ... 27
Design ... 29
  Discuss the McAfee solution architecture overview ... 29
  Discuss the system architecture ... 30
  Discuss the network infrastructure services ... 31
  Discuss McAfee network services ... 31
  Discuss registered servers ... 31
  Discuss roles and responsibilities ... 32
  Discuss users and groups ... 32
  Review release notes ... 33
  Review known issues Knowledge Base articles ... 33
  Review the product compatibility matrix ... 33
  Verify that the installation environment meets specifications ... 34
  Verify accounts and permissions ... 37
  Verify prerequisite software is installed ... 37
  Verify pilot systems configuration ... 37
Assess ... 38
  Prepare for installation ... 38
  Backup the ePO application server and database ... 39
  Obtain the installation software ... 39
  Install required management extensions ... 39
  Run Endpoint Upgrade Assistant ... 39
  Analyze Endpoint Upgrade Assistant results ... 39
  Review dashboards and queries ... 39
  Perform McAfee VirusScan Enterprise policy review(s) ... 40
  Perform McAfee Host Intrusion Prevention policy review(s) ... 42
  Perform SiteAdvisor Enterprise policy review(s) ... 46
  Export production policies ... 47
  Export production tasks ... 48
Test ... 49
  Prepare for installation ... 50
  Backup the ePO application server and database ... 50
  Check in required packages ... 50
  Install required management extensions ... 51
  Validate distributed repository replication ... 52
  Run Endpoint Upgrade Assistant ... 52
  Import production policies ... 52
  Import production tasks ... 52
  Configure users and permission sets ... 52
  Perform initial validation testing ... 53
  Run the Endpoint Migration Assistant ... 53
  Migrate policies ... 54
  Migrate tasks ... 54
  Configure the baseline policy ... 54
  Assign the migrated policies to systems ... 54
  Assign the migrated tasks to systems ... 54
  Configure a deployment dashboard ... 54
  Configure product deployment tasks ... 55
  Deploy McAfee Agents to pilot systems, as needed ... 57
  Deploy McAfee Endpoint Security to pilot systems ... 57
  Monitor McAfee Agent and Endpoint Security deployments ... 57
  Perform post-upgrade validation testing ... 57
  Export the baseline policy ... 63
Implement ... 64
  Prepare for installation ... 65
  Backup the ePO application server and database ... 65
  Check in required packages ... 65
  Install required management extensions ... 66
  Validate distributed repository replication ... 67
  Import the baseline policies ... 67
  Import the baseline tasks ... 67
  Configure users and permission sets ... 67
  Configure a deployment dashboard ... 68
  Run the Endpoint Upgrade Assistant ... 68
  Analyze Endpoint Upgrade Assistant results ... 68
  Configure the baseline policy ... 69
  Assign the migrated policies to systems ... 69
  Assign the migrated tasks to systems ... 69
  Configure product deployment tasks ... 69
  Deploy McAfee Agents to systems, as needed ... 69
  Deploy McAfee Endpoint Security to systems ... 69
  Monitor McAfee Agent and Endpoint Security deployments ... 69
  Perform validation testing ... 69
Appendix ... 71
  Upgrade Project Planning Checklist ... 71

List of Tables

Table 1: Planning Checklist ... 8
Table 2: Example Application Owners Sheet ... 9
Table 3: Questions regarding Project and Business Objectives ... 10
Table 4: Pilot System Plan ... 20
Table 5: Design Checklist ... 29
Table 6: System Requirements ... 34
Table 7: Assessment Checklist ... 38
Table 8: Example Future State Dashboard for Endpoint Security Products ... 40
Table 9: VirusScan Policies - Consolidation Tracking Sheet ... 41
Table 10: VirusScan Tasks - Consolidation Tracking Sheet ... 42
Table 11: The Migration of Exception Rules in the HIPS 8.0 IPS Rules policy ... 43
Table 12: HIPS IPS Rules Policies - Consolidation Tracking Sheet ... 44
Table 13: Host IPS Firewall Rules Policies - Consolidation Tracking Sheet ... 45
Table 14: Test checklist ... 49
Table 15: ENS 10.5 Packages ... 51
Table 16: Management Extensions ... 51
Table 17: Help Extensions ... 51
Table 18: Additional Extensions ... 52
Table 19: Exploit Prevention - Viewing Aggregated Events ... 61
Table 20: Threat Intelligence Exchange - Manually changing a file's reputation to "most likely malicious" ... 62
Table 21: Example ENS Validation Results ... 63
Table 22: ENS 10.5 Packages ... 66
Table 23: Management Extensions ... 66
Table 24: Help Extensions ... 66
Table 25: Additional Extensions ... 67
Table 26: Upgrade Project Planning Checklist ... 71

Table of Figures

Figure 1: High Level DAC Tuning Workflow ... 14
Figure 2: Web Control - Policy Recommendations ... 15
Figure 3: Web Control - Secure Search ... 16
Figure 4: Web Control Examining File Downloads ... 17
Figure 5: Workflow to Identify and Remediate other security Products ... 19
Figure 6: Example Format for a Validation Test ... 21
Figure 7: Tracking Test Results ... 22
Figure 8: GetClean Workflow ... 26
Figure 9: How McAfee Endpoint Threat Protection defenses work together ... 30
Figure 10: McAfee Endpoint Security platform ... 30
Figure 11: McAfee Agent Port Reference ... 31
Figure 12: EUA Workflow ... 33
Figure 13: EUA - Deployment Prerequisites ... 34
Figure 14: VSE OAS - Example Policy Consolidation Workflow ... 41
Figure 15: Firewall Consolidation Workflow ... 45
Figure 16: Website Review Process ... 47
Figure 17: ENS Permissions Categories ... 53
Figure 18: ENS Installation Status Report - Stacked Bar Chart ... 55
Figure 19: ENS Installation Status Report - Stacked Bar Chart Details ... 55
Figure 20: Deploying EUA Package ... 56
Figure 21: Example Task with all ENS Modules ... 56
Figure 22: On Access Scanning - EICAR Test ... 58
Figure 23: Viewing the Quarantine Folder ... 58
Figure 24: Exploit Prevention - Blocking Hidden PowerShell ... 59
Figure 25: Web Control - Blocking Navigation to a malicious website ... 59
Figure 26: Web Control - Blocking Navigation to a Phishing page ... 60
Figure 27: ENS Permissions Categories ... 68
Introduction

This document serves as a recommended summary outline for planning and executing an upgrade from McAfee legacy endpoint security products to McAfee Endpoint Security 10.5.

This outline is derived from McAfee Solution Services and is based on the current methodology used in field engagements for endpoint software upgrades from any or all of the following McAfee legacy endpoint products: McAfee VirusScan Enterprise 8.8, McAfee Host Intrusion Prevention 8.0, and McAfee SiteAdvisor Enterprise 3.5. This planning outline can also serve as a general guide for planning new deployments of McAfee Endpoint Security 10.5.
Audience

This outline is intended for administrators who are experienced with McAfee endpoint security products. It is not a comprehensive solution document and does not contain detailed supporting information. McAfee recommends that project participants treat this document as a supplement to their own guidelines and requirements for software deployment within their environment.

Questions or requests for detailed information relating to the steps outlined in this summary should be directed to the McAfee subject matter experts within your organization. Additional information is available from the McAfee Knowledge Center and McAfee Communities. For further assistance, contact your McAfee support representative.
Methodology

The methodology for this software upgrade project follows the McAfee Way and includes the following phases:

- Plan
- Design
- Assess
- Test
- Implement
Plan

Successful software deployment projects involve thorough planning before an upgrade of your production environments. Upgrade project plans will differ widely, depending on the size and complexity of your environment.

To ensure overall project success, it is essential that key stakeholders are identified and provide active input during the project. Project teams should be comprised of cross-functional members representing the various interests across your organization: infrastructure, essential business applications, systems and application administration, management, and end users (by group or location).

Project success can and should be determined by quantifiable metrics that measure the benefits, or the impediments, to the organization. It is critical that initial planning determines and documents the business objectives and the intended security requirements for the organization.
Technology upgrade planning confirms an understanding of the product solution, and should include information on product features, design, implementation, and integration with other software currently installed within the organization.
Solution validation should be assessed initially in non-production testing environments, and again in production environments using small, manageable pilot groups that are representative of the production environment, to ensure that critical business operations are not impacted.
The planning checklist identifies a set of initial considerations to assist you with upgrade planning. The decisions you make should be documented for use during the subsequent design, assess, test, and implement phases.
Table 1: Planning Checklist

Prepare for...               By addressing these considerations...

Project Success              Quantifiable business benefits are mandatory.
                             Identify business applications, administrators, and application owners.
                             Discuss:
                               - project and business objectives
                               - security requirements
                               - end user communications
                               - additional planning topics

Technology Implementation    Confirm an understanding of the solution's capabilities.
                             Discuss:
                               - product features
                               - product feature parity
                               - supported platforms
                               - supported McAfee agents
                               - integration with other McAfee solutions
                               - conflicts with existing products
                               - the implementation process
                             Identify systems for the initial pilot deployment.

Solution Validation          Confirm validation processes.
                             Discuss:
                               1. McAfee application validation testing
                               2. business application testing procedures

Ongoing Operations           Continued product deployment. Identify and respond to risk.
                             Discuss:
                               - current security management practices
                               - change control processes
                               - back out and recovery plans
                               - software updates
                               - signature content testing
                               - McAfee GetClean
                               - reporting requirements
                             Review corporate security policies and supporting documentation.
Identify business applications, administrators and application owners

Project planning discussions should include business critical application administrators and application owners to determine how the McAfee security solution might affect these key stakeholders.
The project manager should identify enterprise applications and their owners, and maintain a stakeholder register as necessary.
Table 2: Example Application Owners Sheet

Application Owners

Application Name           Purpose                                       Owner/Administrator
Example: Meditech          Pharmacy Workflow, Laboratory Diagnostics
Example: Invoice Supreme   Accounts Receivable, Recurring Billing
NOTE: The Application Owners Sheet is important for ENS-based exclusions, exceptions, and other policies. Business owners may require a new or different policy based on the application vendor's list of recommended exclusions, or on other configurations.

Discuss project and business objectives

Project participants should use this opportunity to clearly identify the project and business objectives. A common business objective is "Improved security by applying technical safeguards that enforce policies." Ensure that the project's objectives align with your company's information security strategy.
You can get the conversation started by asking the project participants the following questions:
Table 3: Questions regarding Project and Business Objectives

Question                                                                  Response
What is our success criteria for the ENS Upgrade Project?
Have we identified any business risks concerning the project?
How can the results of this project make our organization more effective?
Discuss security requirements

Review specific use cases and core product capabilities as needed to ensure that the policy configurations will meet the organization's defined security requirements, for example:

- different policy configurations for workstations and servers
- different policy configurations based on server role or function
- different policy configurations for functional user groups
- different policy configurations for specific enterprise applications
- different policy configurations for LAN or remote VPN users
Discuss end user communications

Users, administrators, and internal support personnel (including the help desk) will need to understand the potential impact of the ENS modules. New security functionality will likely be introduced that was previously not present in the organization.

- Determine if the organization has identified end users for testing as part of the pilot deployment
- Determine if end users have been notified about the project and the deployment timeline
- Determine if end users have been informed of how to report any suspected problems
Discuss additional planning topics

Review and identify any additional planning topics which may be unique to the environment.
These topics should focus on project success and related business outcomes. Implementation, solution validation and operational topics will follow.
Identify additional topics that may be required:

- change control process and lead time to establish change control windows
- training requirements and kick-off call for the pilot user group
- collecting network traffic diagrams for critical applications
- identifying critical infrastructure servers (examples include Active Directory, SQL and DHCP servers)
- collecting a list of vendor recommended exclusions
  NOTE: Review McAfee KB66909 "Consolidated list of Endpoint Security/VirusScan Enterprise exclusion articles."
- other topics as specified
Discuss product features

Review product features, capabilities, and operational functionality:

- Review McAfee KB86704 "FAQs for Endpoint Security"
- Review McAfee KB82761 "Supported platforms, environments, and operating systems for Endpoint Security"
- Review the ENS product guides and release notes for further information

Determine which modules or core features will be implemented for Endpoint Security: Threat Prevention, Adaptive Threat Protection, Firewall, and Web Control, and whether the optional McAfee Client Proxy will be used.
Endpoint Migration Assistant
The Endpoint Migration Assistant walks you through the migration process. You can let the Migration Assistant migrate all your settings and assignments automatically, based on your current settings and new product defaults, or you can select and configure them manually.
Use the Endpoint Migration Assistant to migrate product settings where a supported legacy version of a product module is installed.
The Endpoint Migration Assistant ensures that the settings in your legacy policies are moved to the correct policies in Endpoint Security. In some cases, they are merged with other Endpoint Security settings, and in others, new default settings are applied to support updated technologies.
Refer to the ENS 10.5 Migration Guide and review the following information:

- Installing the Endpoint Migration Assistant extension to ePO
- Migrating policies automatically
- Migrating policies manually
- Maps of migrated policies (old solution to ENS 10.5)
Endpoint Upgrade Assistant (EUA)
The McAfee® Endpoint Upgrade Assistant is a McAfee® ePolicy Orchestrator® (McAfee® ePO™) extension that simplifies and automates the tasks required to upgrade the McAfee products on your managed endpoint. The Endpoint Upgrade Assistant features minimize the number of upgrade tasks and ensure product interoperability.
Refer to McAfee KB88141 and the EUA Product Guide for the following information:

- Installing the Endpoint Upgrade Assistant extension to ePO
- Understanding the Analyze tab, to assess the current endpoints in the environment
- Understanding the Prepare tab, to verify that the correct prerequisites have been met
- Understanding the Plan tab, to view and create the required upgrade tasks
- Understanding the Deploy tab, to configure and deploy upgrade tasks
Discuss product feature parity

Review the relationship between the ENS 10.5 modules and the legacy endpoint security solutions.
Threat prevention
The Endpoint Security Threat Prevention module replaces McAfee VirusScan® Enterprise 8.8 and the IPS protections of Host Intrusion Prevention®. Threat Prevention detects threats in real time, leveraging McAfee Global Threat Intelligence (GTI) and AMCore security content files. Updates are delivered automatically to target vulnerabilities and block emerging threats from executing.

Layered protection includes anti-malware scanning, script scanning, Access Protection, and Exploit Prevention. Threat Prevention automatically checks files for viruses, spyware, unwanted programs, and other threats whenever users access them.
Adaptive Threat Protection
Endpoint Security Adaptive Threat Protection (ATP) analyzes content from your enterprise and decides what to do based on file reputation, rules, and reputation thresholds.
The Adaptive Threat Protection module is supported on Microsoft Windows only, and is an optional Endpoint Security module.
Real Protect
McAfee Real Protect is a real-time behavior detection technology which monitors suspicious activity on an endpoint. Real Protect leverages system learning and automated behavioral-
•Replaces Host Intrusion Prevention IPS and VirusScan Enterprise
Threat Prevention
• Includes Dynamic Application Containment and Real Protect and the Threat Intelligence Exchange Module. Replaces the Threat Intelligence module for VSE
Adaptive Threat Protection
•Replaces Host Intrusion Prevention Firewall
Firewall
•Replaces Site Advisor
Web Control
•An optional component that integrates with McAfee Web Gateway
McAfee Client Proxy
McAfee Endpoint Security 10.5: Upgrade Project Planning Guide Page 14
based classification on the local system, and in the cloud to detect zero-day malware in real time
Dynamic Application Containment (DAC)
DAC allows unknown/untrusted applications to run inside a container. Several containment rules limit what an application is allowed to do.
Review McAfee KB87843 – “List of and best practices for Endpoint Security Dynamic Application Containment rules”. Identify DAC rules that align with use cases and/or security concerns, to define an appropriate workflow for tuning DAC.
Figure 1: High Level DAC Tuning Workflow
• Set rules to Report only
• Monitor logs/reports
• Set reputations or DAC exclusions for trusted applications
Firewall
Endpoint Security Firewall updates and replaces the McAfee Host Intrusion Prevention® Firewall. The integrated, stateful firewall dynamically inspects traffic on the network, blocking malicious or undesired traffic.
Policy configuration features include: trusted networks, trusted/untrusted executables, Location Aware Groups, connection isolation, and timed firewall groups for end-user VPN connections.
ENS Firewall rule policies are similar to legacy Host IPS, and the migration of existing rules/policies typically completes without issue.
Web Control
Endpoint Security Web Control improves on McAfee SiteAdvisor Enterprise with updated Web Control browser toolbars to improve the user experience. Integration of Web Control with Threat Prevention, using Global Threat Intelligence™, ensures users safe, reputable web browsing and secure browser file downloads. Web Control notifies users of threats while they search or browse websites.
Security administrators can prevent disabling of browser plug-ins, and control access to sites, pages, and downloads based on safety rating or type of content. Sites can be identified as blocked or allowed based on URLs and domains. Notifications that appear when users attempt to access a blocked website can be customized, and detailed reports of website usage created. Endpoint Security Web Control supports user-based policies, making it easy to configure customized security policies and user controls.
Figure 2: Web Control – Policy Recommendations
• Block links to risky sites in search results
• Block the use of unsupported browsers
• Allow Web Control to analyze downloaded files
• Allow Web Control to “stand down” if an on-premise appliance is present
Figure 3: Web Control - Secure Search
Enable Secure Search to block links to risky sites in search results. Websites that McAfee has tested have a risk rating attached to them. Unsafe websites have a red X. Left-clicking on the malicious link will not open the unsafe website.
Figure 4: Web Control Examining File Downloads
Allow Web Control to examine files that are downloaded from the web. Web Control will perform a GTI lookup on files prior to their download. Web Control works in conjunction with Threat Prevention to provide an additional level of scanning for file downloads.
Web Control enforcement can be disabled while connected to the corporate network and protected by perimeter security appliances such as a McAfee Web Gateway, Blue Coat Proxy Server or a Palo Alto Firewall. For additional information on integrating with McAfee Web Gateway solutions, refer to the McAfee Client Proxy 2.3 product guide or to configuring McAfee Client Proxy with McAfee Web Gateway.
For more information on any of the Endpoint Security components, refer to the product guide.
Discuss supported platforms
Review the existing infrastructure and identify systems being considered for the project.
Review McAfee KB82761 – “Supported platforms, environments, and operating systems for Endpoint Security”
*NOTE: This knowledge base article is updated frequently as new operating systems, browsers and virtualization technologies are released.
Identify which operating systems, virtualization technologies, and internet browsers are in use within the environment.
Discuss supported McAfee agents
Supported McAfee Agents include McAfee Agent 5.0.2 and later. Determine if the McAfee Agent will need to be upgraded. It is always recommended to deploy the most recent patch version. McAfee Agent versions are listed at McAfee KB82105.
Discuss integration with other McAfee solutions
ENS integrates with McAfee Threat Intelligence Exchange (TIE), Data Exchange Layer (DXL), and McAfee Active Response (MAR) to provide a comprehensive security solution.
TIE, DXL and MAR all directly integrate with ENS.
When installed and configured, TIE reputations are leveraged by all Endpoint Security modules to assist in verifying security threats throughout the entire infrastructure.
TIE reputations are also leveraged directly by ENS Adaptive Threat Protection/Dynamic Application Containment to determine whether containment rules should be triggered.
If McAfee Threat Intelligence Exchange is already deployed for legacy products, the TIE integration on the upgraded endpoints is upgraded when the ENS 10.5 Adaptive Threat Protection module is installed.
Discuss conflicts with existing products
McAfee KB85522 provides a detailed list of 3rd-party security products which can be removed by the Endpoint Security installer when ENS is installed.
Identify other security products within the environment and determine if there are any known uninstall or interoperability issues.
Figure 5: Workflow to Identify and Remediate other Security Products
• Identify if ENS security product removal is supported
• In a test environment, attempt to install ENS
• Verify whether or not the other security product was cleanly uninstalled
• If remnants of a supported product are present, contact McAfee support
*NOTE: The ENS 10.5 installer is not able to successfully remove all security products.
Discuss any known operating system incompatibilities and review McAfee KB82450 “Endpoint Security 10.x Known Issues”.
Discuss the implementation process
Components within the infrastructure will change during the Endpoint Security implementation. Review processes to successfully recover or revert components to their prior condition should any implementation failures occur.
Determine how software will be deployed to managed clients:
• Deployment through ePO
• Deployment through a 3rd party application (e.g. Microsoft SCCM, KACE, Altiris, etc.)
• Use of ENS Package Designer (if desired). For information about installing and using Package Designer, see KB86438.
Repository Considerations
Review the ePolicy Orchestrator Distributed Repositories and the methods used to populate repositories (i.e. lazy caching, replication tasks).
Peer to Peer (P2P) Updating Considerations
Review the Peer-to-Peer updating ability of the McAfee Agent. In nearly all circumstances, Peer-to-Peer updating reduces the load on the distributed repositories, and enables software and content to be distributed faster. The steps below can be used to gradually implement P2P Agent communications for the environment.
1) Consider enabling P2P on laptops, physical workstations and servers.
2) Systems that are not good candidates for P2P are:
• Laptops that spend the majority of the time connected via VPN
• Fixed function machines that have extremely limited spare processing cycles
3) Systems that may be good candidates for P2P are:
• Physical or Virtual Machines in the datacenter
o These machines typically have an extremely high bandwidth connection to a repository, so bandwidth costs are very low
4) Review performance metrics, both before and after P2P is enabled, to establish a baseline and the actual load of the P2P process (work with the network admin and monitor traffic via Wireshark or a similar trace program).
5) If network performance is acceptable, enable P2P on a subset of workstations. Document how many nodes are in these specific broadcast domains.
6) Review performance metrics.
7) If network performance is acceptable, expand the number of workstations that have P2P enabled.
8) Review performance metrics.
9) Continue repeating this process.
Identify systems for the initial pilot deployment
Identify systems that will be part of the initial pilot deployment. It is recommended to use a variety of systems representative of the overall environment.
• Determine the operating system platforms to be managed (e.g. Windows, Mac, Solaris, etc., as supported by the product).
• Determine groups by type of system: workstations or servers, remote users or VPN, etc. The scope of your project may be limited to only workstations, only servers, or both.
• Verify that McAfee Agent deployment credentials for each platform are available.
• Record the list of hostnames on a pilot system planning sheet.
Table 4: Pilot System Plan
Application(s) | OS | App Owner Contact | # Pilot Devices
EMC Backup Server | Win Server 2012 | [email protected] | 2
DHCP Server | Win Server 2016 | [email protected] | 2
Common Desktop Applications | Win 7 and 10 (x86 and 64bit) | |
[Critical App 1] | Win Server 2016 | [email protected] | 3
Mac Desktop | MacOS 10.12 | [email protected] | 1
Discuss McAfee application validation testing
Application validation testing should be planned for the McAfee solution being installed. Discuss and review the high-level activities which will be performed for your ENS deployment.
These activities are designed to validate that the solution is working as designed, and are not intended to fulfill or replace existing requirements for the validation of critical business applications.
Endpoint Security validation tests
Validation tests ensure the ENS product is capable of blocking/monitoring activity and producing logs/events that are viewable on the client system and from the ePolicy Orchestrator console.
Validation tests should be created for the ENS modules and features planned for deployment.
Tests may include, but are not limited to:
• On Access Scanning – EICAR test
• Viewing the Quarantine folder
• Exploit Prevention – Hidden PowerShell Detected
• Dynamic Application Containment
• Firewall policy block/allow
• Web Control
Figure 6: Example Format for a Validation Test
Test Name: | Test ID#:
Validation Steps: Step 1) / Step 2) / Step 3)
Expected Results:
Actual Results:
*NOTE: The results of validation testing should provide discussion points for additional policy configurations as required.
Figure 7: Tracking Test Results
Test ID | Test Name | Results
Test-01 | On Access Scanning Test | Pass
Test-02 | Exploit Prevention - Hidden PowerShell Detected | Fail
Discuss business application testing procedures
Prior to installation, determine the application testing practices for the organization. Understand any existing business application testing which needs to be performed and may require additional support (e.g. Exchange, SharePoint, database applications, VPN, etc.).
Best Practice: Perform the initial installation in a Lab, Development, or other non-production environment.
Best Practice: IT Application Administrators and Business Application Users should perform any existing application tests prior to the full production rollout.
If the organization doesn’t have current functional application testing practices defined, it is recommended to create a basic set of practices, based on current industry standards.
A basic functional application testing process should include:
• Discuss organization-specific testing procedures (what testing is done for other applications being rolled out to users?)
• Determine basic tests that should be performed (e.g. Windows Updates, enterprise application use, etc.)
• Establish a methodology, or testing scripts, to produce repeatable tests
• Prepare the test environment
• Perform the installation
• Conduct testing and analyze the results
• Resolve application issues, should any arise
Discuss performance testing and baseline metrics
Prior to installation of ENS, determine whether application performance testing baseline metrics exist for legacy security products within the organization. Understand existing performance issues which may be a concern and should be baselined prior to installation of ENS. Identify the performance testing benchmarks to be measured before and after the upgrade to ENS. The tests and benchmark indicators need to be consistent for both testing environments.
McAfee Endpoint Security Scan Avoidance is the most efficient way to ensure optimal performance on the endpoint. This feature, only available in ENS, leverages the AMCore Trust Model to help recognize when a scan is not necessary. This mechanism provides the greatest performance increase because it not only indicates early in the scan workflow whether a scan is necessary, but also has longer-term relevance: cached Trusted + Clean results survive an AMCore content update, whereas Clean results alone do not.
Endpoint Security 10.2 and later includes a policy setting to allow the administrator to trust certain third-party certificates. These certificates are from third-party software that client systems have identified and reported back to ePolicy Orchestrator. Once trusted, file accesses by trusted processes and of trusted files will benefit from the performance optimization provided through Scan Avoidance. McAfee recommends that you review your legacy policies to decide whether they are relevant to the new Endpoint Security scan optimization architecture. Endpoint Security includes, by default, an optimized “Let McAfee Decide” option for On-Access Scanning. See KB88205 - How to improve performance with Endpoint Security 10.
Discuss current security management practices
It is recommended to identify existing processes for the following areas:
• Event or change management
• Incident Response: Identification of existing processes and procedures associated with Incident Response.
• Operations: What portion of the business will be responsible for the day-to-day operations of the ePO application and/or any of the applications that the ePO solution will be managing? This will tie into the users and permissions discussion.
• Maintenance: Maintenance windows, coordination, regular scheduled basis or any other potentially impacting processes.
• Governance and Compliance: Which organizations are currently addressing compliance within the environment?
Discuss change control processes
Review and verify the applicable change control procedures.
Discuss options and impacts as needed to address existing change control processes and procedures within the environment.
It is assumed that all changes to non-production environments do not need a change control.
It is assumed that all changes to the production environment will need a change control. A list of changes that will need to take place is shown below:
1) Installation of ENS related extensions in the ePO server
2) Installation of ENS related packages in the ePO server
3) Creation/Modification of policies on the ePO server
4) Deployment of software to nodes in the production environment.
Change control approval
Discuss back out and recovery plans
Develop a back out and recovery plan in the event of unforeseen issues, or installation failures.
• This is particularly important when installing on shared file, application, or database servers
• Verify access to the original installation software for operating system, database, and/or other applications
• Verify and create Virtual Machine (VM) snapshots or backups of any existing application server and SQL databases
Discuss software updates
The McAfee Support Notification Service (SNS) can be leveraged to provide alerts regarding hotfixes, patches and other notifications relating to ENS 10.5.
The Support Notification Service (SNS) delivers valuable product news, alerts, and best practices to help you increase the functionality and protection capabilities of your McAfee products.
*NOTE: It is recommended to review the release notes for the current patch for ENS 10.5 and for the current version of McAfee Agent.
Discuss signature content testing
Discuss and review ENS content updates to understand the importance of testing updates prior to a full production deployment. Refer to the ENS 10.5 Product Guide, “How content files work” section, to review the types of content ENS uses.
AMCore content package
McAfee Labs releases AMCore content packages daily by 7:00 p.m. (GMT/UTC). To receive alerts regarding delays or important notifications, subscribe to the Support Notification Service (SNS). See KB67828.
The AMCore content package includes these components:
• AMCore — Engine and content
o Contains updates to the Threat Prevention scan engine and signatures based on results of ongoing threat research.
• Adaptive Threat Protection — Scanner and rules
o Contains rules to dynamically compute the reputation of files and processes on the endpoints. McAfee releases new Adaptive Threat Protection content files every two months.
• Real Protect — Engine and content
o Contains updates to the Real Protect scan engine and signatures based on results of ongoing threat research. Real Protect is a component of the optional Adaptive Threat Protection module.
Exploit Prevention content package
McAfee Labs releases Endpoint Security Exploit Prevention signature content on the 2nd Tuesday of every month. Monthly Exploit Prevention content release notes can be found here.
The Exploit Prevention content package includes:
• Memory protection signatures — Generic Buffer Overflow Protection (GBOP), caller validation, Generic Privilege Escalation Prevention (GPEP), and Targeted API Monitoring.
• Application Protection List — Processes that Exploit Prevention protects. Exploit Prevention content is similar to the McAfee Host IPS content files.
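The release cadences above (AMCore daily by 7:00 p.m. UTC, Exploit Prevention on the second Tuesday of each month) are what an administrator compares endpoint content dates against when deciding whether a pilot group is actually receiving updates. The script below is an added example, not McAfee code: it computes the most recent expected release of each content type and flags endpoints that are behind. The inventory record layout (host name plus the two content dates, as one might export from an ePO query), the host names, and the one-day grace period for repository replication are assumptions made for this example.

```python
"""Content-currency check for ENS endpoints (added example, not McAfee code).

Uses the release cadence stated in the guide: AMCore content daily by
7:00 p.m. GMT/UTC, Exploit Prevention content on the 2nd Tuesday of every
month. The inventory format (host name plus the content dates an admin
would pull from an ePO query) is an assumption made for this example.
"""
from datetime import date, datetime, time, timedelta, timezone
from typing import Dict, List

AMCORE_DAILY_RELEASE_UTC = time(19, 0)   # "daily by 7:00 p.m. (GMT/UTC)"


def second_tuesday(year: int, month: int) -> date:
    """Date of the second Tuesday of the month (Exploit Prevention release day)."""
    first = date(year, month, 1)
    # weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def latest_exploit_prevention_release(today: date) -> date:
    """Most recent 2nd-Tuesday release on or before `today`."""
    this_month = second_tuesday(today.year, today.month)
    if today >= this_month:
        return this_month
    year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
    return second_tuesday(year, month)


def latest_amcore_release(now: datetime) -> date:
    """Date of the most recent daily AMCore package that should exist at `now`."""
    now_utc = now.astimezone(timezone.utc)
    if now_utc.time() >= AMCORE_DAILY_RELEASE_UTC:
        return now_utc.date()
    return now_utc.date() - timedelta(days=1)


def check_endpoint(now: datetime, amcore: date, exploit_prevention: date,
                   amcore_grace_days: int = 1) -> List[str]:
    """Return findings for one endpoint; an empty list means content is current.

    The grace period (assumption) allows for replication to distributed
    repositories and the agent's own update task schedule.
    """
    findings = []
    amcore_lag = (latest_amcore_release(now) - amcore).days
    if amcore_lag > amcore_grace_days:
        findings.append(f"AMCore content {amcore_lag} days behind the latest daily release")
    ep_expected = latest_exploit_prevention_release(now.astimezone(timezone.utc).date())
    if exploit_prevention < ep_expected:
        findings.append(f"Exploit Prevention content predates the {ep_expected} monthly release")
    return findings


def stale_endpoints(now: datetime, inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map host -> findings for every endpoint that is behind on content."""
    result = {}
    for entry in inventory:
        findings = check_endpoint(now, entry["amcore"], entry["exploit_prevention"])
        if findings:
            result[entry["host"]] = findings
    return result


# Constructed sample inventory, as if exported from an ePO query on the guide's
# release date (23 May 2017, 20:00 UTC). Host names are placeholders.
SAMPLE_NOW = datetime(2017, 5, 23, 20, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"host": "ws-pilot-01", "amcore": date(2017, 5, 23), "exploit_prevention": date(2017, 5, 9)},
    {"host": "ws-pilot-02", "amcore": date(2017, 5, 20), "exploit_prevention": date(2017, 5, 9)},
    {"host": "srv-pilot-01", "amcore": date(2017, 5, 23), "exploit_prevention": date(2017, 4, 11)},
]

if __name__ == "__main__":
    for host, findings in stale_endpoints(SAMPLE_NOW, SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(findings))
```

Run against the constructed inventory, ws-pilot-02 is reported for AMCore content three days behind and srv-pilot-01 for Exploit Prevention content still at the April release; ws-pilot-01 is current. Endpoints that stay on the list across several agent update cycles are the ones whose repository or update task configuration needs a closer look before production rollout.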
Discuss GetClean
Consider using McAfee GetClean on representative systems, or enterprise images running in the Common Operating Environment (COE).
Use of this utility can help optimize scanning performance of unknown files and utilities within the system environment. The tool provides scanning-related information to McAfee that is used to update McAfee cloud intelligence with information on known good files present in your environment.
GetClean is a McAfee Labs initiative to minimize false-positive detections in the field. McAfee KB73044 provides an introduction to GetClean.
*NOTE: Refer to KB88288 - Endpoint Security Quick Start Tasks for summarized deployment information using GetClean.
Figure 8: GetClean Workflow
• Download GetClean
• Identify a machine with a “gold image”
• Scan directories and submit clean files
• Track results
Note: McAfee will send an email acknowledgement and a confirmation that the submitted files were added to McAfee Labs test systems.
Discuss reporting requirements
During this step the project participants and stakeholders should document an understanding of all required reporting requirements.
Clearly identify and document the reporting requirements of the various business units. The individual business units should be held to fully documenting their reporting requirements. These requirements should identify:
• Purpose of the report
• Permissions to run reports
• Access to related data
• Scheduling requirements
o What frequency is required for the individual reports?
• Report distribution requirements
Determine if there is an established process for requesting reports. This process should include a review of the requirement, approval, creation of the report(s), and acceptance from the requesting party that the report(s) will satisfy the requirement.
Discussions should address the basics to demonstrate the solution is:
• Reporting on the status of the security solution within the environment
o i.e. identifying the versions of McAfee security software that are installed, identifying the latest policy being enforced, etc.
• Reporting on compliance of the enterprise with your security standards as identified
• Reporting on Risk and Risk Mitigation within the enterprise
• Reporting on Incidents: i.e. violations of rules, malware, etc.
• Reporting on Incident Response: i.e. information on how the applications reacted to incidents (e.g. quarantined, blocked, would have been prevented, etc.)
Review corporate security policies and supporting documentation
Corporate security policies and supporting documentation – Policies, standards, guidelines and related practices and procedures. These documents communicate management’s direction for reducing risk and establish the control framework.
Electronic copies of documents related to:
• Acceptable use of assets
• Access controls
• Malware prevention, detection, and correction
• Information and system backup
• Security logging and monitoring
• Change control
• Management of technical vulnerabilities
o System patch management
o Patch testing procedures
• Secure system engineering principles and requirements
o System hardening and configuration standards
o Firewall policy documentation
• System acceptance testing
• Information security continuity
• Data retention and disposal policies
As built documentation – For the security solutions and platforms related to the implementation:
• System hardening and configuration standards
• Network segmentation and configuration standards
• Database server hardening and configuration standards
• Network diagrams
• End user computing configuration standards, for example, gold disk images
Design
Project participants should discuss the current network and systems architecture to facilitate design and implementation of the McAfee security solution.
Table 5: Design Checklist
Prepare for… | By addressing these considerations…
Solution Integration | Explain and confirm the high-level design
 | Discuss: McAfee solution architecture overview; system architecture; network infrastructure services; McAfee network services; registered servers
 | Design Principles: least privilege, segregation of duties, access control
 | Discuss: roles and responsibilities; users and groups
Validate Design | Confirm readiness prior to implementation
 | Review: release notes; known issues Knowledge Base articles; product compatibility
 | Verify: the installation environment meets specifications; accounts and permissions; prerequisite software is installed; pilot systems configuration
Discuss the McAfee solution architecture overview
Project participants and stakeholders should possess a high-level understanding of the ENS Security Platform. Stakeholders should discuss how the total solution addresses their security use cases.
Figure 9: How McAfee Endpoint Threat Protection defenses work together
Project participants should review the Endpoint Threat Protection whitepaper located at https://www.mcafee.com/us/resources/data-sheets/ds-endpoint-threat-protection.pdf. This whitepaper will provide participants with a high-level understanding of ENS and its related components.
Discuss the system architecture
Each ENS module is centrally administered via McAfee ePO. An active McAfee Agent must be installed on each system in order for a device to receive the policy and task configurations that were configured in ePO.
Figure 10: McAfee Endpoint Security platform
Discuss the network infrastructure services
Discuss the current infrastructure services which are needed to facilitate deployment of the McAfee security solution.
• DNS
• DHCP
• NTP
• SMTP
Discuss McAfee network services
ENS 10.5 leverages the existing ports that have been configured in your ePO environment.
Figure 11: McAfee Agent Port Reference
Default Port | Protocol | Traffic Direction
80 | TCP | Outbound connection to the ePO server/Agent Handler
443 | TCP | Outbound connection to the ePO server/Agent Handler
8081 | TCP | Inbound connection from the ePO server/Agent Handler. If the agent is a SuperAgent repository, inbound connection from other McAfee Agents.
8082 | UDP | Inbound connection to agents. Inbound/outbound connection from/to SuperAgents.
8083 | UDP | Relay server discovery for the McAfee Agent
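A common pilot failure is a host firewall profile (ENS Firewall itself, the Windows firewall, or a network ACL) that was hardened without the agent's inbound ports in mind, so policy enforcement still works over the outbound 80/443 channel but wake-up calls and SuperAgent broadcasts silently fail. The following is an added example, not McAfee code, that checks an ordered, first-match rule list against the flows in the port reference above. The rule model, the sample rule set, and the outbound direction assumed for 8083 relay discovery (the table does not state a direction) are constructed for this example; endpoints acting as SuperAgent repositories or relays would additionally need the inbound flows the table describes for those roles.

```python
"""Check a host firewall rule set against the McAfee Agent port reference.

Added example, not McAfee code. The flows come from the guide's port table
(Figure 11, default ports). The rule representation is a simplified,
constructed model (ordered first-match rules, as most host firewalls
evaluate them); the direction of 8083 relay discovery is not given in the
table and is assumed outbound for a plain managed endpoint.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    port: int
    proto: str       # "TCP" or "UDP"
    direction: str   # "in" or "out", relative to the managed endpoint
    purpose: str


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out"
    proto: str              # "TCP", "UDP" or "ANY"
    ports: Tuple[int, int]  # inclusive port range; (0, 65535) matches any port
    action: str             # "allow" or "deny"


# Default flows a managed endpoint needs, per the guide's port reference.
AGENT_FLOWS = [
    Flow(80, "TCP", "out", "outbound connection to the ePO server/Agent Handler"),
    Flow(443, "TCP", "out", "outbound connection to the ePO server/Agent Handler"),
    Flow(8081, "TCP", "in", "inbound connection from the ePO server/Agent Handler"),
    Flow(8082, "UDP", "in", "inbound connection to agents (from SuperAgents)"),
    Flow(8083, "UDP", "out", "relay server discovery (direction assumed for this example)"),
]


def evaluate(rules: List[Rule], flow: Flow, default_action: str = "deny") -> str:
    """First matching rule wins; `default_action` applies when nothing matches."""
    for rule in rules:
        if rule.direction != flow.direction:
            continue
        if rule.proto not in ("ANY", flow.proto):
            continue
        low, high = rule.ports
        if low <= flow.port <= high:
            return rule.action
    return default_action


def blocked_agent_flows(rules: List[Rule], default_action: str = "deny") -> List[Flow]:
    """Agent flows the rule set would not allow; empty means the endpoint can be managed."""
    return [f for f in AGENT_FLOWS if evaluate(rules, f, default_action) != "allow"]


def report(rules: List[Rule]) -> List[str]:
    """Human-readable lines, one per blocked flow."""
    return [f"{f.direction:>3} {f.proto} {f.port}: blocked ({f.purpose})"
            for f in blocked_agent_flows(rules)]


# Constructed sample: a hardened workstation profile that allows the agent's
# outbound HTTP/HTTPS and the inbound TCP connection on 8081, but drops all
# inbound UDP, which also drops the 8082 SuperAgent traffic.
SAMPLE_RULES = [
    Rule("out", "TCP", (80, 80), "allow"),
    Rule("out", "TCP", (443, 443), "allow"),
    Rule("in", "TCP", (8081, 8081), "allow"),
    Rule("in", "UDP", (0, 65535), "deny"),
    Rule("out", "ANY", (0, 65535), "allow"),
]

if __name__ == "__main__":
    for line in report(SAMPLE_RULES):
        print(line)
```

With the sample profile only UDP 8082 inbound is reported, which matches the symptom described: agents still collect policy on their regular interval, but SuperAgent wake-up broadcasts never reach them. Changing the default action to "allow" models a profile with no implicit deny, in which case nothing is reported.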
Discuss registered servers
Registered servers allow for the integration of ePO software with other, external servers. For example, register your LDAP server to connect with the Active Directory server. Registering a server can increase the effectiveness of ENS.
Each type of registered server supports or supplements the functionality of ENS with other McAfee solutions. For example, if you have TIE/DXL deployed in your environment and ENS ATP is enabled, you can leverage reputation information from TIE to block applications from executing. ePO users are then able to view TIE server information in ePO reports and dashboards.
Discuss roles and responsibilities
Discuss roles and responsibilities, segregation of duties, and requirements for access to ePO and other applications. Discuss with the project participants and identify which types of users require access to the system. Spend time understanding their unique roles and responsibilities. This information can then be used to describe and create permission sets which allow them to perform their job successfully.
Users should be assigned privileges based upon their operational role for the solution. Operational roles might include:
• ePO Global Administration
• Product Administration
• Global Reviewer
• Product level reviewer
In the production ePO environment, consider providing global administrators with two accounts:
1) A global administrator account
2) A “day-to-day” operations type of account that has more restrictive permissions than the global admin account.
Typical user permissions
• Read-access to events in ePO
• Read-access to policies in ePO
• Read-access to system tree objects in ePO
Typical “administrative” permissions (only to be used in a change control window)
• Full access to policies
• Full access to system tree
Discuss users and groups
Users
There are two types of users: global administrators and users with limited permissions.
Discuss Global Admin users, mapping the Global Admin users to AD accounts. Identify users requiring access to ePO and other applications.
Groups
To facilitate management of the solution, McAfee recommends developing a group structure linked to an existing Active Directory or LDAP directory.
For installation and ongoing operation of the solution, consider creating the following Active Directory groups (Global/Universal Groups):
Group | Description
ENS_Administrators | ePO Permissions: Users requiring full access to ENS Policies, Queries and Dashboards.
ENS_Reviewers | ePO Permissions: Users requiring review permissions to ENS Policies, Queries and Dashboards.
Review release notes
McAfee products operate on a broad range of platforms and operating systems. McAfee quality assurance activities attempt to identify incompatibilities prior to product release. A current list of known issues is provided with the product release notes and is maintained online.
Review known issues Knowledge Base articles
The list of known product incompatibilities can be located through the McAfee Service Portal and will be reviewed with you as part of your McAfee Professional Services engagement. Please reference McAfee KB82450 for Endpoint Security 10.x Known Issues.
Review the product compatibility matrix
The Endpoint Upgrade Assistant (EUA) can provide you with compatibility information that is specific to your ePO environment. The EUA examines the software packages in your repository and compares that information against the list of ENS-compatible software. The “Analyze” tab and “Prepare” tab in the Endpoint Upgrade Assistant provide a visual representation of the minimum software versions supported by McAfee Endpoint Security 10.5.
Figure 12: EUA Workflow
Analyze → Prepare → Plan → Deploy
Figure 13: EUA - Deployment Prerequisites.
Verify that the installation environment meets specifications
Compare the systems in your environments against KB82761 - “Supported platforms, environments, and operating systems for Endpoint Security”.
*Note: This KB article is updated frequently as new operating systems are released.
There will likely be a mix of operating system versions and hardware configurations in your environment. The table below was taken from KB82761 and provides an “at a glance” view of the system requirements for ENS 10.5. Pay special attention to operating systems that are not supported with ENS 10.5.
Table 6: System Requirements
Operating System | Service Pack | 32-bit / 64-bit | Processor | RAM | Minimum Free Hard Disk Space
Windows 10 | - | X / X | 2 GHz or higher | 3 GB | 1 GB
Windows 10 with November update | - | X / X | 2 GHz or higher | 3 GB | 1 GB
Windows 8.1 Update 1 | - | X / X | 2 GHz or higher | 3 GB | 1 GB
Windows 8.1 | - | X / X | 2 GHz or higher | 3 GB | 1 GB
Windows 8 (except RT) | - | X / X | 2 GHz or higher | 3 GB | 1 GB
Windows 7 | SP1 | X / X | 1.4 GHz or higher | 2 GB | 1 GB
Windows Embedded Standard 7 | - | X | 1 GHz or higher | 1 GB | 1 GB
Windows Vista (not supported with ENS 10.5) | SP2 | X / X | 1.4 GHz or higher | 2 GB | 1 GB
Windows XP Pro (no longer supported by Microsoft; not supported with ENS 10.5) | SP3 | X | 1 GHz or higher | 1 GB | 1 GB
Windows Embedded for POS (WEPOS) | - | X | 1 GHz or higher | 1 GB | 1 GB
Windows Embedded 8 (Pro, Standard, and Industry) | - | X | 1 GHz or higher | 1 GB | 1 GB
Windows Server 2016 | - | X | 2 GHz or higher | 3 GB | 1 GB
Windows Server 2012 R2 Update 1 | - | X | 2 GHz or higher | 3 GB | 1 GB
Windows Server 2012 R2 Essentials, Standard, and Datacenter (including Server Core mode) | - | X | 2 GHz or higher | 3 GB | 1 GB
Windows Server 2012 Essentials, Standard, and Datacenter (including Server Core mode) | - | X | 2 GHz or higher | 3 GB | 1 GB
Windows Server 2008 Essentials, Standard, Datacenter, and Enterprise Web (including Server Core mode) (not supported with ENS 10.5) | SP2 | X / X | 1.4 GHz or greater | 2 GB | 1 GB
Windows Server 2008 R2 Essentials, Standard, Datacenter, and Enterprise Web (including Server Core mode) | SP2 | X / X | 1.4 GHz or greater | 2 GB | 1 GB
Windows Storage Server 2008 (not supported with ENS 10.5) | - | X / X | 1.4 GHz or higher | 2 GB | 1 GB
Windows Storage Server 2008 R2 | - | X / X | 1.4 GHz or higher | 2 GB | 1 GB
Windows Server 2003, 2003 R2 - all (no longer supported by Microsoft) | - | X | 1.4 GHz or higher | 2 GB | 1 GB
Windows Small Business Server 2008 (not supported with ENS 10.5) | - | X | 1.4 GHz or higher | 2 GB | 1 GB
Windows Small Business Server 2011 | - | X | 1.4 GHz or higher | 2 GB | 1 GB
Windows Embedded Standard 2009 | - | X | 1 GHz or higher | 1 GB | 1 GB
Windows Point of Service 1.1 | - | X | 1 GHz or higher | 1 GB | 1 GB
Windows Point of Service Ready 2009 | - | X | 1 GHz or higher | 1 GB | 1 GB
A single X in the 32-bit / 64-bit column means KB82761 lists only one architecture for that operating system; confirm which one in the KB article before scoping those systems.
Verify accounts and permissions
Verify that the account(s) have the correct permissions. The same account may be used to upgrade software and deploy solution components on endpoints as needed:
• ePO administrative account
• McAfee Agent deployment
• ENS deployment (as needed to perform upgrades)
Verify prerequisite software is installed
Verify that prerequisite software is installed by using the Endpoint Upgrade Assistant and reviewing the product release notes.
Verify pilot systems configuration
Verify that pilot systems have supported versions of the McAfee Agent software installed. Also ensure that pilot systems meet the system requirements listed in KB82761 - “Supported platforms, environments, and operating systems for Endpoint Security”.
Assess
During this phase, project participants will perform an assessment of the current production environment configuration to provide guidance and recommendations for the upgrade.
Activities performed during the assessment will result in changes to the production environment, specifically checking in the extension for the Endpoint Upgrade Assistant (EUA). Prior to checking in the EUA extension, McAfee recommends following your organization’s practices for submitting change requests, performing system backups and developing a back-out plan.
Table 7: Assessment Checklist
Prepare for… | By performing these activities…
Recovery (in the event of a failure) | Prepare for installation: Backup the ePO application server and database
Installation (of assessment tools for the production environment) | Obtain the installation software; Check in required packages; Install required management extensions
Technical review | Run Endpoint Upgrade Assistant; Analyze Endpoint Upgrade Assistant results; Review dashboards and queries; Perform McAfee VirusScan Enterprise policy review(s); Perform McAfee Host Intrusion Prevention policy review(s); Perform SiteAdvisor Enterprise policy review(s); Export production policies; Export production tasks
Prepare for installation
Implementation begins by preparing your production environment for recovery in the unlikely event of an installation or upgrade failure. Back-out and recovery plans should be verified with project participants and stakeholders.
Backup the ePO application server and database
Verify that snapshots or backups of the production ePO server completed successfully, and that the ePO database was also backed up. If backups of both were taken, their integrity should be verified prior to installing the management extensions.
Obtain the installation software
The Endpoint Upgrade Assistant can be obtained from the following locations:
• The McAfee Download Page, in the section named Utilities & Connectors (requires a valid Grant#)
• Within the ePO console, by navigating to Software > Software Manager > Utilities & Connectors > Endpoint Upgrade Assistant 1.3 (or perform a search for the latest version)
Install required management extensions
Install the latest version of the Endpoint Upgrade Assistant. Once installed, the Endpoint Upgrade Assistant can be accessed from Menu > Software > Endpoint Upgrade Assistant.
Run Endpoint Upgrade Assistant
In this phase (Assess), you will run the Endpoint Upgrade Assistant (EUA) to identify which machines in your production environment are currently ready for migration to ENS 10.5.
Refer to the Introduction to Endpoint Upgrade Assistant for an explanation of the tool, a video overview, and links to product documentation.
Analyze Endpoint Upgrade Assistant results
Carefully analyze the results of the Endpoint Upgrade Assistant and prepare to implement the recommended upgrade scenarios (after you have completed testing; see the Test phase). The objective of this initial analysis is to understand the “Upgrade Readiness” of your environment.
Review dashboards and queries
Review the ePolicy Orchestrator dashboards and queries for the following products:
• VirusScan
• Host IPS
• Site Advisor
These dashboards and queries will likely need to be ported to their ENS 10.5 equivalents.
Identify whether automated queries and reports are configured for endpoint security products. Document this information and create an “action plan” to ensure the existing level of operational effectiveness is maintained. This review can provide an opportunity to introduce additional monitoring insights into the existing operational processes. Refer to the ePolicy Orchestrator product guide for additional information on monitoring and reporting configuration.
Table 8: Example Future State Dashboard for Endpoint Security Products
Operational Dashboard Monitor Name | Description | Action Plan
Antivirus Installed/Missing | This Boolean chart shows machines that have AV installed as well as machines that are missing AV. The approved antivirus software is VirusScan. | Update the query to include criteria for ENS 10.5 Threat Prevention.
HIPS Content Compliance | Shows devices running up-to-date HIPS content (signatures). | Add a new monitor that also shows content compliance for Exploit Prevention.
VirusScan Current DAT Adoption | Displays the number of workstations which have recent VirusScan DATs (within 2 versions of the master repository). | Add a new monitor that shows AMCore content (Threat Prevention) within 2 versions of the master repository.
Perform McAfee VirusScan Enterprise policy review(s)
The Endpoint Migration Assistant can be used to migrate VirusScan policies and tasks to ENS 10.5. To streamline the migration activities, consider reducing the number of On Access Scanning (OAS) VirusScan policies present in the environment. Identify the business purpose for each VirusScan policy, paying special attention to On Access Scanning policies.
Identify a policy consolidation workflow that works for your environment. The example workflow shown in the figure below can be used as a starting point.
Figure 14: VSE OAS – Example Policy Consolidation Workflow
Track policy consolidation decisions, as this provides traceability for why new ENS OAS policies were created.
Table 9: VirusScan Policies - Consolidation Tracking Sheet
VSE Policy Name | Description | Action Plan
Finance.Corp-OAS Policy | This policy includes exclusions for legacy financial applications that have known performance issues. The exclusions are recommended by the vendor. | The list of exclusions for these applications will be placed into a new policy named “Finance-OAS-G1”.
Revenue Cycle-OAS Policy | This policy includes exclusions for the app named Revenue Cycle. The exclusions are recommended by the vendor. | (Same as above: consolidated into “Finance-OAS-G1”.)
Note: Repeat the above methodology for all configured VirusScan tasks. Task consolidation decisions need to determine whether new or additional ENS product tasks will need to be created.
Steps of the example policy consolidation workflow (Figure 14, VSE OAS):
1) Review existing On Access Scanning policies.
2) Identify policies that are very similar.
3) Consolidate exclusions into new On Access Scanning policy(s).
4) Document the consolidated policies and their exclusion lists.
5) Present the consolidated policies and exclusion lists to the Information Security Office and receive sign-off.
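Steps 2 through 4 of the workflow (finding similar OAS policies, merging their exclusions, and documenting the result in the Table 9 layout) can be supported with a small script. The following Python is an added example, not the guide's or the Endpoint Migration Assistant's own logic; it assumes policies have already been exported as name-to-exclusion-list mappings, and the policy names and exclusion paths are constructed.

```python
"""Group VSE On-Access Scan policies with overlapping exclusion lists and
draft a consolidation tracking sheet in the Table 9 layout.

Added example, not from the McAfee guide or the Endpoint Migration Assistant.
Policy names and exclusion paths below are constructed sample data.
"""
from itertools import combinations
from typing import Dict, List, Set


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap of two exclusion lists: 1.0 = identical, 0.0 = nothing shared."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def find_consolidation_groups(policies: Dict[str, Set[str]],
                              threshold: float = 0.5) -> List[List[str]]:
    """Return groups of policies whose exclusion lists are similar enough
    (pairwise Jaccard >= threshold) to be merged into one new OAS policy.
    Similarity is treated as transitive: if A~B and B~C, all three are grouped."""
    parent = {name: name for name in policies}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for a, b in combinations(sorted(policies), 2):
        if jaccard(policies[a], policies[b]) >= threshold:
            parent[find(a)] = find(b)

    groups: Dict[str, List[str]] = {}
    for name in policies:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def consolidated_exclusions(policies: Dict[str, Set[str]], group: List[str]) -> Set[str]:
    """The new policy carries the union of its members' exclusions, so no
    vendor-recommended exclusion is dropped by the merge."""
    merged: Set[str] = set()
    for name in group:
        merged |= policies[name]
    return merged


def build_tracking_sheet(policies: Dict[str, Set[str]],
                         groups: List[List[str]],
                         new_names: List[str]) -> List[Dict[str, str]]:
    """One row per source policy with the Table 9 columns. Policies in a
    consolidation group point at their new policy; the rest migrate as-is."""
    target = {}
    for group, new_name in zip(groups, new_names):
        for name in group:
            target[name] = new_name
    rows = []
    for name in sorted(policies):
        if name in target:
            plan = (f"{len(policies[name])} exclusion(s) to be placed into the "
                    f"new policy named \"{target[name]}\"")
        else:
            plan = "Migrate as-is (no similar policy found)"
        rows.append({"VSE Policy Name": name,
                     "Description": f"{len(policies[name])} exclusion(s)",
                     "Action Plan": plan})
    return rows


# Constructed sample policies (paths are illustrative, not vendor lists).
SAMPLE_POLICIES = {
    "Finance.Corp-OAS Policy": {r"C:\LegacyFin\*.exe", r"C:\LegacyFin\data\**",
                                r"C:\Shared\reports\**"},
    "Revenue Cycle-OAS Policy": {r"C:\LegacyFin\*.exe", r"C:\LegacyFin\data\**",
                                 r"C:\RevCycle\rc.exe"},
    "Engineering-OAS Policy": {r"C:\Build\**", r"C:\Git\**"},
}

if __name__ == "__main__":
    groups = find_consolidation_groups(SAMPLE_POLICIES)
    for row in build_tracking_sheet(SAMPLE_POLICIES, groups, ["Finance-OAS-G1"]):
        print(row)
```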
Table 10: VirusScan Tasks - Consolidation Tracking Sheet
VSE Task Name | Description | Action Plan
Update All | Updates DAT files for VSE | None; this task will be used for ENS content updates
Weekly ODS | Performs a full system scan on a weekly basis | Schedule a new scan task for ENS 10.5
Perform McAfee Host Intrusion Prevention policy review(s)
The Endpoint Migration Assistant can be used to migrate Host IPS policies and tasks to ENS 10.5.
Project participants and stakeholders will review and consolidate Host IPS policies, exclusions and firewall rules.
*NOTE: Host Intrusion Prevention IPS Protection and IPS Rules policies may contain exceptions and/or changes to the severity of a specific signature. Capture policy settings that deviate from the McAfee default and attempt to consolidate the IPS Rules policies. *Refer to the ENS Migration Guide for further information on ‘Exception Rules’.
Exception Rules
Exception Rules from the IPS Rules policy migrate to the Access Protection and Exploit Prevention policies as executables under Exclusions.
Table 11: The Migration of Exception Rules in the HIPS 8.0 IPS Rules policy
Exception Rules with signatures
IPS Exceptions can include custom signatures. The executables and parameters from exceptions are appended to the Endpoint Security Access Protection rule created during signature migration.
If all McAfee-defined signatures are added to a subrule exception, the exception migrates as a global exclusion in the Access Protection and Exploit Prevention policies.
Source exception | Signature Type | Target Endpoint Security Policy | Target Setting
Executables, Caller module, and API | All McAfee-defined signatures supported in the Threat Prevention Exploit Prevention policy (for example, Buffer Overflow and Illegal API Usage signatures) | Exploit Prevention | Exclusions
Executables and Parameters | FILE/REGISTRY/PROGRAM/SERVICE signatures | Access Protection | Executables and subrule parameters
Executables | No signature | Access Protection, Exploit Prevention | Global Exclusions
GPEP (General Privilege Escalation Prevention) signature | Severity/reaction signature (ID 6052) | Exploit Prevention | Enable General Privilege Escalation Prevention
Table 12: HIPS IPS Rules Policies - Consolidation Tracking Sheet
HIPS IPS Rules Policy | Description | Action Plan
IPS Rules-Marketing | Contains exceptions for an app used by Marketing. | The list of exclusions pertaining to these applications will be consolidated into a new policy named IPS Rules-General-Apps.
IPS Rules Publishing | Contains exceptions for an app used by Marketing. | (Same as above: consolidated into IPS Rules-General-Apps.)
*NOTE: The environment may have many firewall policies containing rules that are not currently linked to the Host IPS Firewall Catalog.
You can reduce the complexity of firewall rules by leveraging the Host IPS Catalog. The Host IPS Catalog contains reusable items that can be imported into firewall policies.
Consider maintaining a baseline firewall policy which satisfies most of the security requirements of the organization. Create additional catalog and policy items for specific types of users/groups as required.
The workflow shown in the figure below can act as a springboard for consolidating firewall policies and rules.
Figure 15: Firewall Consolidation Workflow
Understand planning decision points regarding firewall policy consolidation.
Table 13: Host IPS Firewall Rules Policies - Consolidation Tracking Sheet
HIPS Firewall Rules Policy | Description | Action Plan
FW Rules-Coders | Firewall rules used by software coders | The firewall rules for these applications will be placed into a new firewall policy named FW-Rules-Developers.
FW Rules-Programmers | Firewall rules used by Python programmers | (Same as above: consolidated into FW-Rules-Developers.)
Steps of the firewall consolidation workflow (Figure 15):
1) Understand the network topology and computing environment. This provides the ability to create a strong baseline policy that satisfies most business cases.
2) Analyze firewall rules. Firewall rules should have descriptive names, and the notes field should be used to identify the purpose behind the rule.
3) Identify possible areas for consolidation. Review network traffic diagrams for common and critical applications.
4) Optimize firewall rule sets. Firewall policies should be checked for redundant, shadowed or blocked rules, and for unused rules that can be eliminated or changed to reduce the size and complexity of the firewall catalog.
5) Repeat. Applications change frequently, so the administrator should repeat this process to ensure that only relevant firewall policies are present in the environment.
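Step 4 (finding redundant, shadowed and unused rules) is the part of the workflow that benefits most from tooling. The following Python script is an added example, not the guide's or Host IPS's own logic; it assumes a simplified rule model (direction, protocol, remote CIDR, port range and a hit count from the review period) evaluated first-match in list order, and the rule set is constructed.

```python
"""Flag redundant, shadowed and unused rules in an ordered firewall rule set.

Added example, not from the McAfee guide or the Host IPS Catalog; the rule
model and the sample rules are constructed. Rules are evaluated first-match
in list order, so an earlier rule matching a superset of a later rule's
traffic makes the later rule redundant (same action) or shadowed (different
action). Rules with zero hits over the review period are reported as unused.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "block"
    direction: str           # "in" or "out"
    protocol: str            # "tcp", "udp" or "any"
    remote_net: str          # remote address range in CIDR notation
    ports: Tuple[int, int]   # inclusive remote port range
    hits: int = 0            # matches seen in the review period (constructed)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that inner would match is also matched by outer."""
    if outer.direction != inner.direction:
        return False
    if outer.protocol != "any" and outer.protocol != inner.protocol:
        return False
    o_net = ipaddress.ip_network(outer.remote_net, strict=False)
    i_net = ipaddress.ip_network(inner.remote_net, strict=False)
    if o_net.version != i_net.version or not i_net.subnet_of(o_net):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def analyze(rules: List[Rule]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (rule name, finding, covering rule name or None) tuples.

    A rule can get two findings: a shadowed rule never matches, so it will
    also show zero hits and be listed as unused."""
    findings: List[Tuple[str, str, Optional[str]]] = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break   # report only the first earlier rule that hides this one
        if rule.hits == 0:
            findings.append((rule.name, "unused", None))
    return findings


# Constructed sample rule set, in evaluation order.
SAMPLE_RULES = [
    Rule("Allow-HTTPS-Corp", "allow", "out", "tcp", "10.0.0.0/8", (443, 443), hits=1200),
    Rule("Block-All-Out", "block", "out", "any", "0.0.0.0/0", (1, 65535), hits=30),
    Rule("Allow-HTTP", "allow", "out", "tcp", "10.0.0.0/8", (80, 80), hits=0),
    Rule("Allow-HTTPS-Finance", "allow", "out", "tcp", "10.0.1.0/24", (443, 443), hits=95),
    Rule("Allow-DNS-In", "allow", "in", "udp", "192.168.0.0/16", (53, 53), hits=0),
]

if __name__ == "__main__":
    for name, kind, by in analyze(SAMPLE_RULES):
        print(f"{name}: {kind}" + (f" (covered by {by})" if by else ""))
```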
Review any configured Host IPS product-specific tasks. Task consolidation decisions need to determine whether new or additional ENS product tasks will need to be created to mirror specific task goals.
Perform SiteAdvisor Enterprise policy review(s)
There are over 100 web categories that Site Advisor and Web Control can take action on. Identify whether the environment has an acceptable internet usage policy, and block web categories which violate that usage policy.
If numerous Site Advisor policies contain similar or identical settings (for example, blocking the same web categories), use the policy comparison tool or an Excel sheet to find identical settings which can possibly be consolidated across the policies.
Identify which web browsers are approved for use in the environment; both Site Advisor and Endpoint Security Web Control can be configured to block unsupported internet browsers.
Identify whether an established workflow is in place for unblocking websites that are incorrectly categorized. Website categorization and reputation are linked to McAfee’s TrustedSource.org. The workflow diagram below provides an example workflow for safely reviewing websites that have been blocked by Site Advisor or ENS Web Control (zoom in to see the text clearly).
Figure 16: Website Review Process
Nodes recovered from the flowchart (the figure itself shows how they connect):
Start: an end user opens a ticket for a blocked site.
Decision points:
• Was a screen shot of the block page and a business justification provided by the user? (If no: ask the user to provide a screen shot of the block page.)
• Is this a legitimate website that is free of malicious content? (The website is reviewed on a “non-production” PC that is not on the corporate network.)
• Was the correct website identified? (After performing a Google search using words from the business justification to try to identify the correct website.)
• Is the website mis-categorized?
• Is the site blocked because of Risk Reputation?
Actions:
• Submit a re-categorization request to TrustedSource.org and await the response.
• Add the web domain or website to the “Allowed list”.
• Inform the user that you were unable to determine which website they are attempting to access and ask them to contact the vendor.
Outcomes:
• Outcome 1: Notify the user that the website is now accessible.
• Outcome 2: Escalate to the ePO Admin so that the end user’s web surfing policy can be reviewed.
• Outcome 3: Provide the user with the correct website.
Review any configured Site Advisor Enterprise product-specific tasks. Task consolidation decisions need to determine whether new or additional ENS product tasks need to be created to mirror specific task goals.
Export production policies
Export the recently reviewed/consolidated production policies for VirusScan, Host IPS, and Site Advisor. These policies will be referenced in the next phase (Test), specifically when the Endpoint Migration Assistant is used for policy/task conversion to ENS 10.5.
Export production tasks
Export the recently reviewed/consolidated production tasks for VirusScan, Host IPS, and Site Advisor. These tasks will be referenced in the next phase (Test), specifically when the Endpoint Migration Assistant is used for policy/task conversion to ENS 10.5.
Test
During this phase, project participants will install, configure, upgrade and validate the McAfee solution in a non-production environment.
Table 14: Test checklist
Prepare for… | By performing these activities…
Recovery (in the event of a failure) | Prepare for installation: Backup the ePO application server and database
Installation | Check in required packages; Install required management extensions; Validate distributed repository replication; Run Endpoint Upgrade Assistant; Analyze Endpoint Upgrade Assistant results; Import production policies; Import production tasks
Configuration | Configure users and permission sets; Perform initial validation testing; Run the Endpoint Migration Assistant (migrate policies, migrate tasks); Configure the baseline policy; Assign the migrated policies to systems; Assign the migrated tasks to systems; Configure a deployment dashboard; Configure product deployment tasks
Upgrade | Deploy McAfee Agents to pilot systems, as needed; Deploy McAfee Endpoint Security to pilot systems
Validation (verify the technical implementation meets the security objectives discussed in the Plan and Design phases) | Monitor McAfee Agent and Endpoint Security deployments; Perform post-upgrade validation testing; Export the baseline policy
Prepare for installation
Implementation begins by preparing your test environment for recovery in the unlikely event of an installation or upgrade failure. Back-out and recovery plans should be verified with project participants and stakeholders.
Successful installation of the solution requires following a phased approach which takes into account several activities.
Best Practice: McAfee recommends that you perform the initial installation or upgrade in a lab, development, or other non-production environment that is representative of the production environment.
Best Practice: During the technical implementation, McAfee recommends that you use a phased deployment approach. This typically begins with a series of pilot deployments that bring IT and business units together.
Best Practice: McAfee recommends that your environment’s Service Desk personnel be involved as early as possible to gain valuable experience needed to provide support for the organization.
Backup the ePO application server and database
Verify that snapshots or backups of the test ePO server completed successfully, and that the ePO database was also backed up. If backups of both were taken, their integrity should be verified prior to installing the management extensions.
Check in required packages
The installation software can be obtained directly from the ePolicy Orchestrator Software Manager or via the McAfee Products download page (https://secure.mcafee.com/apps/downloads/my-products/login.aspx).
• TIP: The easiest way to obtain all required extensions and packages for ENS 10.5 is to download the McAfee Endpoint Security 10.5.x bundle from the ePO Software Manager. The McAfee Client Proxy package/extension is included in the bundle.
• The Endpoint Migration Assistant and the Endpoint Upgrade Assistant are available for download via the software manager separate from the bundle.
*NOTE: The Adaptive Threat Protection software is optional and is not in the ENS bundle. A valid grant # for ATP is required to download it separately.
The packages for ENS 10.5 are listed in the following table:
Table 15: ENS 10.5 Packages
Component | Type | Version
Endpoint Security Web Control | Package | 10.5.x
Endpoint Security Threat Prevention | Package | 10.5.x
Endpoint Security Platform | Package | 10.5.x
Endpoint Security Firewall | Package | 10.5.x
McAfee Client Proxy | Package | 2.3
Endpoint Security Adaptive Threat Protection (if purchased) | Package | 10.5.x
Install required management extensions
Management extensions allow the point products to be managed via ePO using policies.
Table 16: Management Extensions
Component | Type | Version
Endpoint Security Web Control | Extension | 10.5.x
Endpoint Security Threat Prevention | Extension | 10.5.x
Endpoint Security Platform | Extension | 10.5.x
Endpoint Security Firewall | Extension | 10.5.x
Endpoint Security Adaptive Threat Protection (if purchased) | Extension | 10.5.x
McAfee Client Proxy | Extension | 2.3.x
McAfee Common Catalog Framework | Extension | 2.0.0.190
McAfee Common Catalog | Extension | 2.0.0.190
Each module also has a corresponding “help” extension. The help extensions enable “context sensitive help” for each of the specific products.
Table 17: Help Extensions
Component | Type | Version
Endpoint Security Web Control help | Extension | 10.5.x
Endpoint Security Threat Prevention help | Extension | 10.5.x
Endpoint Security Platform help | Extension | 10.5.x
Endpoint Security Firewall help | Extension | 10.5.x
Endpoint Security Adaptive Threat Protection help (if purchased) | Extension | 10.5.x
McAfee Client Proxy | Extension | 2.3.x
Additional extensions that will aid in the policy migration and upgrade effort are listed in the table below:
Table 18: Additional Extensions
Component | Type | Version
Endpoint Migration Assistant | Extension | Latest
Endpoint Upgrade Assistant | Extension | Latest
Validate distributed repository replication
Prior to deploying the software, ensure that distributed repositories are working as expected. If lazy caching is used, perform a deployment task on a single machine that is pointed to a repository to ensure that the ENS packages/content are available.
Run Endpoint Upgrade Assistant
Analyze Endpoint Upgrade Assistant results
Import production policies
Import the consolidated policies for VirusScan, Host IPS and Site Advisor. These policies will undergo a conversion to their ENS 10.5 counterparts as the Endpoint Migration Assistant tool is utilized.
Import production tasks
Import the consolidated tasks for VirusScan, Host IPS and Site Advisor. These tasks will undergo a conversion to their ENS 10.5 counterparts as the Endpoint Migration Assistant tool is utilized.
Configure users and permission sets
Upon checking in the ENS 10.5 extensions, new permissions for Endpoint Security 10.5 will become available. Update existing permission sets to include these new products and/or create new permission sets that focus on ENS 10.5.
Existing ePO users that are responsible for endpoint security should have their assigned permission sets updated to reflect the additional ENS 10.5 products. Existing permission sets will have “no permissions” for ENS-specific products until they are manually added.
Figure 17: ENS Permissions Categories
Perform initial validation testing
On your test machines, collect basic performance information prior to installing ENS. This will provide you with a simple baseline to measure against once ENS has been installed.
Run the Endpoint Migration Assistant
Refer to the Endpoint Security Migration Guide for the specific steps required to migrate policies before ENS installation.
The Endpoint Migration Assistant can be accessed from Menu > Policy > Endpoint Migration Assistant.
The migration assistant performs a policy and task conversion of your current VSE/HIPS/SAE settings and migrates them to their corresponding ENS counterparts. Two migration modes are available:
1) Manual Migration – Recommended for environments that have unnecessary policies/tasks that should be consolidated for easier administration. This may need to be run multiple times as different policies are migrated.
2) Automatic Migration – Not recommended, as unnecessary policies may be needlessly migrated.
*IMPORTANT: Configure and assign policies to systems and groups prior to deploying ENS 10.5.
Migrate policies
When you use the manual migration option, you have an opportunity to selectively migrate policies and make policy adjustments on the fly.
Migrate tasks
Ensure that you migrate the relevant “On-Demand Scan” tasks.
Configure the baseline policy
Configure and assign the baseline policy to system groups or individual systems.
Assign the migrated policies to systems
Assign migrated policies to devices in your test environment.
Assign the migrated tasks to systems
Assign migrated tasks to devices in your test environment.
Configure a deployment dashboard
The deployment dashboard will show systems which are in scope for ENS 10.5.
Consider creating a Boolean pie chart query that contains matching criteria for the ENS 10.5 security modules. Systems which lack the matching criteria will appear as “non-compliant”.
A default query named “Endpoint Security: Installation Status Report” displays the total number of systems which have ENS 10.5 installed.
Consider adding the query to the deployment dashboard.
Figure 18: ENS Installation Status Report - Stacked Bar Chart
Figure 19: ENS Installation Status Report - Stacked Bar Chart Details
Configure product deployment tasks
Review and identify the deployment task method(s) to be used for controlling the scope of the software deployments. Several methods exist for deploying ENS 10.5 and its associated modules.
This guide presents the following two methods:
• Method 1: Deploy Upgrade Automation Task utilizing the Endpoint Upgrade Assistant
• Method 2: Selectively Deploy ENS Modules via the Client Task Catalog and system tree assignment
Method 1: Deploy Upgrade Automation Task
The package named ENS Upgrade Assistant 1.0.x can be used to upgrade devices to ENS 10.5. All ENS 10.5 packages/extensions must be checked into ePO prior to deploying this package.
The ENS upgrade assistant package will attempt to deploy three ENS modules (TP, WC, and FW). If you do not wish to deploy all modules, you can create a task in the Client Task Catalog that explicitly specifies the modules to be deployed, or remove that package from that branch of the repository. Refer to the Endpoint Upgrade Assistant product guide for further information.
*IMPORTANT: Perform extensive testing prior to using the Deploy Upgrade Automation Task.
The workflow for the Deploy Upgrade Automation task is shown in the figure below:
Figure 20: Deploying EUA Package
Method 2: Selectively Deploy ENS Modules via the Client Task Catalog and system tree assignment.
Create a task in the task catalog that includes all or some of the ENS Modules.
Figure 21: Example Task with all ENS Modules
*NOTE: You might be more familiar with leveraging Method 2 as it is the legacy method.
Deploy McAfee Agents to pilot systems, as needed
If the required version of McAfee Agent is not currently installed, deploy the required McAfee Agent version for the test environment to pilot systems before deploying ENS 10.5.
Deploy McAfee Endpoint Security to pilot systems
Deploy ENS 10.5 using the planned deployment method.
Monitor McAfee Agent and Endpoint Security deployments
The overwhelming majority of your ENS deployments should be successful. Capture any reported issues and document the solutions for those issues. Engage McAfee Support when necessary.
Perform post-upgrade validation testing
Verify the technical implementation meets the security objectives discussed in the Plan and Design phases.
These activities will validate the newly created ENS 10.5 policies configured for the environment. Validate any additional testing criteria which may have been defined in the Plan and Design phases for specific use case(s).
*NOTE: Verify any additional performance and functional testing requirements planned for your critical enterprise applications. Ensure the application performs the required business tasks that were discussed as requirements with business owners in the planning phase.
ENS Validation Tests
Validation tests verify that your McAfee products are functional: blocking/monitoring activity and producing logs/events which are viewable on client systems and from the ePolicy Orchestrator console.
Example validation tests for ENS-specific features are shown in the following figures/tables:
Figure 22: On Access Scanning - EICAR Test
On Access Scanning – EICAR Test (TC-ENS-001)
Validation Steps:
1) Create a new text file
2) Within the text file, enter the following string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
3) Save and close the text file
4) Attempt to copy the text file
Expected Results:
The test file will be deleted and a popup message similar to the one shown below will be produced.
Actual Results:
Figure 23: Viewing the Quarantine Folder
Options – Viewing the Quarantine Folder (TC-ENS-002)
Validation Steps:
1) Navigate to C:\quarantine
2) Verify that files appear in the quarantine folder
Expected Results:
Files that have been quarantined will be in compressed zip format.
Actual Results:
Figure 24: Exploit Prevention - Blocking Hidden PowerShell
Exploit Prevention - Hidden PowerShell Detected (TC-ENS-003)
Test Setup:
1) Create a TEMP policy in the category Endpoint Security Threat Prevention > Exploit Prevention
2) Name the policy TEMP-6070_Hidden_Powershell
3) Set signature ID 6070 to Block + Report
4) Save the policy
5) Assign the policy to a single test device
Validation Steps:
1) Open Microsoft PowerShell and attempt to execute a command in hidden mode by pasting in the following command:
PowerShell.exe -windowstyle hidden {Invoke-Item c:\windows\system32\calc.exe}
2) Open the Endpoint Security console and view the Event Log. Verify that a detection event was generated for Exploit Prevention
Expected Results:
The Event Log will show a recent Exploit Prevention event (see example screen shot)
Actual Results:
Figure 25: Web Control - Blocking Navigation to a malicious website
Web Control – Blocking Navigation to a Malicious Site (TC-ENS-004)
Test Setup:
1) Ensure that the browser plugin for McAfee Endpoint Security Web Control is running
Validation Steps:
1) Open the Google Chrome browser
2) Navigate to http://red.test.csm-testcenter.org/
Expected Results:
The site is blocked because it has a “red rating” (see screen shot)
Actual Results:
Attachments: How to test SiteAdvisor Enterprise 3.x category ratings, https://kc.mcafee.com/corporate/index?page=content&id=KB72563
Figure 26: Web Control – Blocking Navigation to a Phishing page
Web Control – Blocking Navigation to a Phishing Page (TC-ENS-005)
Test Setup:
1) Ensure that the browser plugin for McAfee Endpoint Security Web Control is running
Validation Steps:
1) Open the Google Chrome browser
2) Navigate to http://www.testingmcafeesites.com/testcat_ph.html
Expected Results:
The phishing web page is blocked because phishing is a category on the block list (see screen shot)
Actual Results:
Attachments: How to test SiteAdvisor Enterprise 3.x category ratings, https://kc.mcafee.com/corporate/index?page=content&id=KB72563
Table 19: Exploit Prevention – Viewing Aggregated Events
Exploit Prevention – Viewing Aggregated Events TC-ENS-006
Validation Steps
1) Open the ePO console
2) Navigate to Reporting > Exploit Prevention Events
3) Aggregate on “Analyzer Rule ID + Threat Target File Path + Action Taken”
4) Drill into an event with Analyzer ID 6070
5) On the page named “Aggregated Exploit Prevention Events Details”, click Actions > “Add Exclusion”
6) In the “Select a destination policy” page, click the policy named “TEMP-6070_Hidden_Powershell” and select ok
7) Navigate to the policy named “TEMP-6070_Hidden_Powershell” (it can be found at “Endpoint Security Threat Prevention : Policy Category > Exploit Prevention > TEMP-6070_Hidden_Powershell”)
8) Select “Show Advanced”
Expected Results
An exclusion for the process “POWERSHELL.EXE” was created in the policy (See screen shot)
Actual Results
*Optional TIE/DXL Validation Tests
Table 20: Threat Intelligence Exchange – Manually changing a file’s reputation to “most likely malicious”
Threat Intelligence Exchange – Manually changing a file’s reputation to “most likely malicious” TC-ENS-007
Test Setup
1) The TIE and DXL Infrastructure must be up and running in your environment.
2) ATP must be enabled
3) The action enforcement setting to Block when reputation threshold reaches “Most Likely Malicious” must be enabled.
4) Download and install the software named “Putty”. It can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
Note: If you are currently using Putty for business purposes please select a different .exe to test.
Validation Steps
1) Navigate to Menu > Systems > Reputation > Tie Reputations
2) Using the Quick Find, search for “putty”
3) Select Putty.exe and click Actions > Most Likely Malicious
4) Attempt to launch putty from your test computer
Expected Results
A McAfee Endpoint Security Alert is produced on your test computer (see screen shot)
The file is blocked on execute.
Note: Revert Putty’s reputation by setting the Reputation for Putty to “known trusted”
Actual Results
Example ENS Validation Results
The results of the Application Validation testing should be captured and shared with the project participants.
Table 21: Example ENS Validation Results
Test ID | Test Name | Results
TC-ENS-001 | On Access Scanning – EICAR Test | Pass
TC-ENS-002 | Options – Viewing the Quarantine Folder | Pass
TC-ENS-003 | Exploit Prevention - Hidden PowerShell Detected | Pass
TC-ENS-004 | Web Control – Blocking Navigation to a Malicious Site | Pass
TC-ENS-005 | Web Control – Blocking Navigation to a Phishing page | Pass
TC-ENS-006 | Exploit Prevention – Viewing Aggregated events | Pass
TC-ENS-007 | Threat Intelligence Exchange – Manually changing a file’s reputation to “most likely malicious” | Pass
Export the baseline policy
The migration assistant was used to convert policies to their ENS 10.5 equivalents. These newly converted policies are now ready to be exported from the test environment and imported into the production environment.
*IMPORTANT: Ensure you are exporting all of the policies which were validated in your test environment.
Implement
During this phase, project participants will install, configure, upgrade and validate the McAfee solution in a production environment.
The activities listed in this phase will closely mirror the activities completed in the “Test” phase.
Activities performed during this phase will result in changes to the production environment. McAfee recommends following your organization’s practices for submitting change requests, performing system backups and developing a recovery plan.
Implement
Prepare for… | By performing these activities…
Recovery in the event of a failure | Prepare for installation; Backup the ePO application server and database
Install | Check in the required client packages; Install required management extensions; Validate distributed repository replication; Import the baseline policies; Import the baseline tasks; Configure users and permission sets; Configure a deployment dashboard
Deploy | Run the Endpoint Upgrade Assistant; Analyze Endpoint Upgrade Assistant results; Configure the baseline policy; Assign the migrated policies to systems; Assign the migrated tasks to systems; Configure product deployment tasks; Deploy McAfee Agents to systems, as needed; Deploy McAfee Endpoint Security to systems
Validation: verify the technical implementation meets the security objectives discussed in the plan and design phases | Monitor McAfee Agent and Endpoint Security deployments; Perform validation testing
Prepare for installation
Production implementation begins by preparing the environment for recovery in the unlikely event of an installation or upgrade failure. Discuss your back out and recovery plans with the project participants.
Best Practice: Refer to any lessons learned that were discovered when upgrading devices to ENS 10.5 in the test environment.
Backup the ePO application server and database
Verify that snapshots or backups of the Production ePO server completed successfully, and that the ePO database was also backed up. If backups of both were taken, their integrity should be verified prior to installing the management extensions.
Check in required packages
Ensure that software versions in the production environment are the same as those in the test environment.
The installation software can be obtained directly from the ePolicy Orchestrator Software Manager or via the McAfee Products download page (https://secure.mcafee.com/apps/downloads/my-products/login.aspx).
Tip: The easiest way to obtain all required extensions and packages for ENS 10.5 is to download the McAfee Endpoint Security 10.5.x bundle from the ePO Software Manager. The McAfee Client Proxy package/extension is included in the bundle.
The Endpoint Migration Assistant and the Endpoint Upgrade Assistant are available for download via the software manager separate from the bundle.
*NOTE: The Adaptive Threat Protection Software is optional and not in the ENS bundle. A valid grant # for ATP is required for separate download availability.
The packages for ENS 10.5 are listed in the following table:
Table 22: ENS 10.5 Packages
Component | Type | Version
Endpoint Security Web Control | Package | 10.5.x
Endpoint Security Threat Prevention | Package | 10.5.x
Endpoint Security Platform | Package | 10.5.x
Endpoint Security Firewall | Package | 10.5.x
McAfee Client Proxy | Package | 2.3
Endpoint Security Adaptive Threat Protection (If purchased) | Package | 10.5.x
Install required management extensions
Ensure that the same extensions that were checked into test are also checked into production.
Management extensions allow the point products to be managed via ePO using policies.
Table 23: Management Extensions
Component | Type | Version
Endpoint Security Web Control | Extension | 10.5.x
Endpoint Security Threat Prevention | Extension | 10.5.x
Endpoint Security Platform | Extension | 10.5.x
Endpoint Security Firewall | Extension | 10.5.x
Endpoint Security Adaptive Threat Protection (if purchased) | Extension | 10.5.x
McAfee Client Proxy | Extension | 2.3.x
McAfee Common Catalog Framework | Extension | 2.0.0.190
McAfee Common Catalog | Extension | 2.0.0.190
Each module also has a corresponding “help” extension. The help extensions enable “context sensitive help” for each of the specific products.
Table 24: Help Extensions
Component | Type | Version
Endpoint Security Web Control help | Extension | 10.5.x
Endpoint Security Threat Prevention help | Extension | 10.5.x
Endpoint Security Platform help | Extension | 10.5.x
Endpoint Security Firewall help | Extension | 10.5.x
Endpoint Security Adaptive Threat Protection help (if purchased) | Extension | 10.5.x
McAfee Client Proxy | Extension | 2.3.x
Additional extensions that will aid in the policy migration and upgrade effort are listed in the table below:
Table 25: Additional Extensions
Component | Type | Version
Endpoint Migration Assistant | Extension | Latest
Endpoint Upgrade Assistant | Extension | Latest
Validate distributed repository replication
Prior to deploying the software, ensure that distributed repositories are working as expected. If lazy caching is used, perform a deployment task on a single machine that is pointed to a repository to ensure that the ENS packages/content are available. Refer to the ePolicy Orchestrator Best Practices Guide for additional information.
Import the baseline policies
Import the policies that you worked with in the test environment. These policies were from the production environment and have undergone a migration to ENS 10.5 via the Endpoint Migration Assistant.
Ensure that policies have been tested and tailored for critical applications.
Import the baseline tasks
Import the baseline tasks so that your devices can run the necessary tasks to stay protected.
Configure users and permission sets
Upon checking in the ENS 10.5 extensions, new permissions for Endpoint Security 10.5 will become available. Update existing permission sets to include these new products and/or create new permission sets that focus on ENS 10.5.
Existing ePO Users that are responsible for endpoint security should have their assigned permission sets updated to reflect the additional ENS 10.5 products. Existing permission sets will have “no permissions” for ENS specific products until they are manually added.
Figure 27: ENS Permissions Categories
Configure a deployment dashboard
Ensure that the dashboard is viewable by those tracking the deployment.
The deployment dashboard will show systems which are in scope for ENS 10.5.
Consider creating a Boolean pie chart query that contains matching criteria for ENS 10.5 security modules. Systems which lack the matching criteria will appear as “non-compliant”.
A default query named “Endpoint Security: Installation Status Report” displays the total number of systems which have ENS 10.5 installed.
Consider adding the query to the deployment dashboard (repeat the steps that you performed in the “Test” phase).
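Two checks from this section, the test-versus-production extension parity called for under Tables 22 to 25 and the compliant/non-compliant split behind the Boolean pie chart query, worked through as an added example. This is not McAfee code and does not call the ePO query API; the required extension versions are transcribed from Table 23, the set of modules a system must report to count as compliant is an assumption (adjust it to the modules you actually deploy), and the two inventories and their build numbers are constructed for the example.

```python
"""Extension parity and endpoint compliance checks for an ENS 10.5 rollout.

Added example for the planning guide; not McAfee code and not an ePO query.
Required versions follow Table 23; sample inventories are constructed.
"""

# Management extensions required in production (Table 23). A trailing "x"
# means any build of that release. ATP is only required when purchased.
REQUIRED_EXTENSIONS = {
    "Endpoint Security Web Control": "10.5.x",
    "Endpoint Security Threat Prevention": "10.5.x",
    "Endpoint Security Platform": "10.5.x",
    "Endpoint Security Firewall": "10.5.x",
    "McAfee Client Proxy": "2.3.x",
    "McAfee Common Catalog Framework": "2.0.0.190",
    "McAfee Common Catalog": "2.0.0.190",
}
OPTIONAL_EXTENSIONS = {"Endpoint Security Adaptive Threat Protection": "10.5.x"}

# Modules an endpoint must report before the dashboard counts it as compliant.
# Assumption: the guide does not fix this set; match it to what you deploy
# (for example, servers that do not receive Web Control need a smaller set).
REQUIRED_MODULES = (
    "Endpoint Security Platform",
    "Endpoint Security Threat Prevention",
    "Endpoint Security Firewall",
    "Endpoint Security Web Control",
)


def version_matches(spec: str, actual: str) -> bool:
    """True if `actual` satisfies `spec`; a trailing 'x' in `spec` is a wildcard."""
    if not actual:
        return False
    spec_parts, actual_parts = spec.split("."), actual.split(".")
    if spec_parts[-1] == "x":
        prefix = spec_parts[:-1]
        return actual_parts[:len(prefix)] == prefix
    return actual_parts == spec_parts


def extension_parity(test_inv, prod_inv, atp_purchased=False):
    """Report extensions that production lacks, that miss the guide's version,
    or that differ from the version validated in test. Returns (name, reason)."""
    required = dict(REQUIRED_EXTENSIONS)
    if atp_purchased:
        required.update(OPTIONAL_EXTENSIONS)
    findings = []
    for name, spec in required.items():
        prod_ver = prod_inv.get(name)
        if prod_ver is None:
            findings.append((name, "not checked in to production"))
        elif not version_matches(spec, prod_ver):
            findings.append((name, f"production has {prod_ver}, guide requires {spec}"))
        elif prod_ver != test_inv.get(name):
            findings.append((name, f"test validated {test_inv.get(name)}, production has {prod_ver}"))
    return findings


def classify_systems(inventory, required_modules=REQUIRED_MODULES, spec="10.5.x"):
    """Mimic the Boolean pie chart: a system is compliant only when every
    required module is present at a version matching `spec`."""
    compliant, non_compliant = [], {}
    for host, modules in sorted(inventory.items()):
        missing = [m for m in required_modules if not version_matches(spec, modules.get(m, ""))]
        if missing:
            non_compliant[host] = missing
        else:
            compliant.append(host)
    return {"compliant": compliant, "non-compliant": non_compliant}


# Constructed sample data (build numbers are invented, not real releases).
TEST_EXTENSIONS = {
    "Endpoint Security Web Control": "10.5.0.4",
    "Endpoint Security Threat Prevention": "10.5.0.4",
    "Endpoint Security Platform": "10.5.0.4",
    "Endpoint Security Firewall": "10.5.0.4",
    "McAfee Client Proxy": "2.3.0.1",
    "McAfee Common Catalog Framework": "2.0.0.190",
    "McAfee Common Catalog": "2.0.0.190",
}
# Production is missing the Firewall extension and has an older Client Proxy.
PROD_EXTENSIONS = {k: v for k, v in TEST_EXTENSIONS.items() if k != "Endpoint Security Firewall"}
PROD_EXTENSIONS["McAfee Client Proxy"] = "2.2.0.5"

SYSTEM_INVENTORY = {
    "ws-01": {m: "10.5.0.4" for m in REQUIRED_MODULES},  # fully upgraded
    "srv-02": {"Endpoint Security Platform": "10.5.0.4",  # partial upgrade, old TP
               "Endpoint Security Threat Prevention": "10.2.0.1"},
    "ws-03": {},  # legacy products only, no ENS modules reported
}

if __name__ == "__main__":
    for name, reason in extension_parity(TEST_EXTENSIONS, PROD_EXTENSIONS):
        print(f"[extension] {name}: {reason}")
    print(classify_systems(SYSTEM_INVENTORY))
```

Run as a script it lists the two extension findings (Firewall absent, Client Proxy below 2.3.x) and classifies ws-01 as compliant with srv-02 and ws-03 non-compliant together with the modules each lacks, which is the breakdown the pie chart query should reproduce once the matching criteria are set.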
Run the Endpoint Upgrade Assistant
Ensure that you have set the tool to focus on an ENS 10.5.x Upgrade.
Analyze Endpoint Upgrade Assistant results
The upgrade scenarios that are displayed in the production environment might be different than those in the test environment. Perform additional testing where necessary to ensure a smooth ENS upgrade.
Configure the baseline policy
Configure and assign the baseline policy to system groups, or individual systems.
Assign the migrated policies to systems
Assign migrated policies to devices in your production environment.
Assign the migrated tasks to systems
Assign migrated tasks to devices in your test environment.
Configure product deployment tasks
Ensure that the tasks are set to execute in accordance with the information listed in the change request. Please see the section in the “Test” phase named Configure product deployment tasks.
Deploy McAfee Agents to systems, as needed
Machines that have a broken McAfee Agent will need to be remediated prior to deploying ENS 10.5 through ePO.
Deploy McAfee Endpoint Security to systems
Use a phased implementation approach and tightly control the number of devices that receive ENS 10.5.
Monitor McAfee Agent and Endpoint Security deployments
The overwhelming majority of ENS deployments should be successful. Closely monitor any failed deployments and identify common scenarios that result in failure. Engage McAfee Support when necessary.
Perform validation testing
Ensure that stakeholders (specifically, application owners) are aware of the implementation timeline. Encourage stakeholders to validate system performance once ENS 10.5 modules are installed on critical servers. Application owners should perform a regression test against their application to ensure that ENS 10.5 has not introduced a new issue into your environment.
Note: Please see the section in the “Test” phase regarding “Post-upgrade validation testing”
Appendix
Upgrade Project Planning Checklist
Table 26: Upgrade Project Planning Checklist
Plan
[ ] Identify business applications, administrators and application owners
[ ] Discuss project and business objectives
[ ] Discuss security requirements
[ ] Discuss end user communications
[ ] Discuss additional planning topics
[ ] Discuss product features
[ ] Discuss product feature parity
[ ] Discuss supported platforms
[ ] Discuss supported McAfee agents
[ ] Discuss integration with other McAfee solutions
[ ] Discuss conflicts with existing products
[ ] Discuss the implementation process
[ ] Identify systems for the initial pilot deployment
[ ] Discuss McAfee application validation testing
[ ] Discuss performance testing and baseline metrics
[ ] Discuss business application testing procedures
[ ] Discuss current security management practices
[ ] Discuss change control processes
[ ] Discuss back out and recovery plans
[ ] Discuss software updates
[ ] Discuss signature content testing
[ ] Discuss McAfee GetClean
[ ] Discuss reporting requirements
[ ] Review corporate security policies and supporting documentation
Design
[ ] Discuss the McAfee solution architecture overview
[ ] Discuss the system architecture
[ ] Discuss the network infrastructure services
[ ] Discuss McAfee network services
[ ] Discuss registered servers
[ ] Discuss roles and responsibilities
[ ] Discuss users and groups
[ ] Review release notes
[ ] Review known issues Knowledge Base articles
[ ] Review the product compatibility matrix
[ ] Verify that the installation environment meets specifications
[ ] Verify accounts and permissions
[ ] Verify prerequisite software is installed
[ ] Verify pilot systems configuration
Assess
[ ] Prepare for installation
[ ] Backup the ePO application server and database
[ ] Obtain the installation software
[ ] Install required management extensions
[ ] Run Endpoint Upgrade Assistant
[ ] Analyze Endpoint Upgrade Assistant results
[ ] Review dashboards and queries
[ ] Perform McAfee VirusScan Enterprise policy review(s)
[ ] Perform McAfee Host Intrusion Prevention policy review(s)
[ ] Perform SiteAdvisor Enterprise policy review(s)
[ ] Export production policies
[ ] Export production tasks
Test
[ ] Prepare for installation
[ ] Backup the ePO application server and database
[ ] Check in required packages
[ ] Install required management extensions
[ ] Validate distributed repository replication
[ ] Run Endpoint Upgrade Assistant
[ ] Analyze Endpoint Upgrade Assistant results
[ ] Import production policies
[ ] Import production tasks
[ ] Configure users and permission sets
[ ] Perform initial validation testing
[ ] Run the Endpoint Migration Assistant
[ ] Migrate policies
[ ] Migrate tasks
[ ] Configure the baseline policy
[ ] Assign the migrated policies to systems
[ ] Assign the migrated tasks to systems
[ ] Configure a deployment dashboard
[ ] Configure product deployment tasks
[ ] Deploy McAfee Agents to pilot systems, as needed
[ ] Deploy McAfee Endpoint Security to pilot systems
[ ] Monitor McAfee Agent and Endpoint Security deployments
[ ] Perform post-upgrade validation testing
[ ] Export the baseline policy
Implement
[ ] Prepare for installation
[ ] Backup the ePO application server and database
[ ] Check in required packages
[ ] Install required management extensions
[ ] Validate distributed repository replication
[ ] Import the baseline policies
[ ] Import the baseline tasks
[ ] Configure users and permission sets
[ ] Configure a deployment dashboard
[ ] Run the Endpoint Upgrade Assistant
[ ] Analyze Endpoint Upgrade Assistant results
[ ] Configure the baseline policy
[ ] Assign the migrated policies to systems
[ ] Assign the migrated tasks to systems
[ ] Configure product deployment tasks
[ ] Deploy McAfee Agents to systems, as needed
[ ] Deploy McAfee Endpoint Security to systems
[ ] Monitor McAfee Agent and Endpoint Security deployments
[ ] Perform validation testing