
Upgrade Project Planning Guide

Endpoint Security 10.5 Revision Date: May 23rd, 2017

McAfee Endpoint Security 10.5: Upgrade Project Planning Guide Page 2

Document Management

Document Revision History

| Version | Date | Author(s) | Version Details |
| 1.0 | May 23, 2017 | Aaron Yarnal, Bradley Gable | Initial release |

McAfee Endpoint Security 10.5: Upgrade Project Planning Guide Page 3

Contents

Document Management ... 2
Introduction ... 7
  Audience ... 7
  Methodology ... 7
Plan ... 8
  Identify business applications, administrators and application owners ... 9
  Discuss project and business objectives ... 10
  Discuss security requirements ... 10
  Discuss end user communications ... 10
  Discuss additional planning topics ... 11
  Discuss product features ... 11
  Discuss product feature parity ... 12
    Threat prevention ... 13
    Adaptive Threat Protection ... 13
    Firewall ... 14
    Web Control ... 15
  Discuss supported platforms ... 18
  Discuss supported McAfee agents ... 18
  Discuss integration with other McAfee solutions ... 18
  Discuss conflicts with existing products ... 18
  Discuss the implementation process ... 19
  Identify systems for the initial pilot deployment ... 20
  Discuss McAfee application validation testing ... 21
  Discuss business application testing procedures ... 22
  Discuss performance testing and baseline metrics ... 23
  Discuss current security management practices ... 23
  Discuss change control processes ... 24
  Discuss back out and recovery plans ... 24
  Discuss software updates ... 24
  Discuss signature content testing ... 25
  Discuss GetClean ... 26
  Discuss reporting requirements ... 26
  Review corporate security policies and supporting documentation ... 27
Design ... 29
  Discuss the McAfee solution architecture overview ... 29
  Discuss the system architecture ... 30
  Discuss the network infrastructure services ... 31
  Discuss McAfee network services ... 31
  Discuss registered servers ... 31
  Discuss roles and responsibilities ... 32
  Discuss users and groups ... 32
  Review release notes ... 33
  Review known issues Knowledge Base articles ... 33
  Review the product compatibility matrix ... 33
  Verify that the installation environment meets specifications ... 34
  Verify accounts and permissions ... 37
  Verify prerequisite software is installed ... 37
  Verify pilot systems configuration ... 37
Assess ... 38
  Prepare for installation ... 38
  Backup the ePO application server and database ... 39
  Obtain the installation software ... 39
  Install required management extensions ... 39
  Run Endpoint Upgrade Assistant ... 39
  Analyze Endpoint Upgrade Assistant results ... 39
  Review dashboards and queries ... 39
  Perform McAfee VirusScan Enterprise policy review(s) ... 40
  Perform McAfee Host Intrusion Prevention policy review(s) ... 42
  Perform SiteAdvisor Enterprise policy review(s) ... 46
  Export production policies ... 47
  Export production tasks ... 48
Test ... 49
  Prepare for installation ... 50
  Backup the ePO application server and database ... 50
  Check in required packages ... 50
  Install required management extensions ... 51
  Validate distributed repository replication ... 52
  Run Endpoint Upgrade Assistant ... 52
  Import production policies ... 52
  Import production tasks ... 52
  Configure users and permission sets ... 52
  Perform initial validation testing ... 53
  Run the Endpoint Migration Assistant ... 53
  Migrate policies ... 54
  Migrate tasks ... 54
  Configure the baseline policy ... 54
  Assign the migrated policies to systems ... 54
  Assign the migrated tasks to systems ... 54
  Configure a deployment dashboard ... 54
  Configure product deployment tasks ... 55
  Deploy McAfee Agents to pilot systems, as needed ... 57
  Deploy McAfee Endpoint Security to pilot systems ... 57
  Monitor McAfee Agent and Endpoint Security deployments ... 57
  Perform post-upgrade validation testing ... 57
  Export the baseline policy ... 63
Implement ... 64
  Prepare for installation ... 65
  Backup the ePO application server and database ... 65
  Check in required packages ... 65
  Install required management extensions ... 66
  Validate distributed repository replication ... 67
  Import the baseline policies ... 67
  Import the baseline tasks ... 67
  Configure users and permission sets ... 67
  Configure a deployment dashboard ... 68
  Run the Endpoint Upgrade Assistant ... 68
  Analyze Endpoint Upgrade Assistant results ... 68
  Configure the baseline policy ... 69
  Assign the migrated policies to systems ... 69
  Assign the migrated tasks to systems ... 69
  Configure product deployment tasks ... 69
  Deploy McAfee Agents to systems, as needed ... 69
  Deploy McAfee Endpoint Security to systems ... 69
  Monitor McAfee Agent and Endpoint Security deployments ... 69
  Perform validation testing ... 69
Appendix ... 71
  Upgrade Project Planning Checklist ... 71

List of Tables

Table 1: Planning Checklist ... 8
Table 2: Example Application Owners Sheet ... 9
Table 3: Questions regarding Project and Business Objectives ... 10
Table 4: Pilot System Plan ... 20
Table 5: Design Checklist ... 29
Table 6: System Requirements ... 34
Table 7: Assessment Checklist ... 38
Table 8: Example Future State Dashboard for Endpoint Security Products ... 40
Table 9: VirusScan Policies - Consolidation Tracking Sheet ... 41
Table 10: VirusScan Tasks - Consolidation Tracking Sheet ... 42
Table 11: The Migration of Exception Rules in the HIPS 8.0 IPS Rules policy ... 43
Table 12: HIPS IPS Rules Policies - Consolidation Tracking Sheet ... 44
Table 13: Host IPS Firewall Rules Policies - Consolidation Tracking Sheet ... 45
Table 14: Test checklist ... 49
Table 15: ENS 10.5 Packages ... 51
Table 16: Management Extensions ... 51
Table 17: Help Extensions ... 51
Table 18: Additional Extensions ... 52
Table 19: Exploit Prevention - Viewing Aggregated Events ... 61
Table 20: Threat Intelligence Exchange - Manually changing a file's reputation to "most likely malicious" ... 62
Table 21: Example ENS Validation Results ... 63
Table 22: ENS 10.5 Packages ... 66
Table 23: Management Extensions ... 66
Table 24: Help Extensions ... 66
Table 25: Additional Extensions ... 67
Table 26: Upgrade Project Planning Checklist ... 71

Table of Figures

Figure 1: High Level DAC Tuning Workflow ... 14
Figure 2: Web Control - Policy Recommendations ... 15
Figure 3: Web Control - Secure Search ... 16
Figure 4: Web Control Examining File Downloads ... 17
Figure 5: Workflow to Identify and Remediate other security Products ... 19
Figure 6: Example Format for a Validation Test ... 21
Figure 7: Tracking Test Results ... 22
Figure 8: GetClean Workflow ... 26
Figure 9: How McAfee Endpoint Threat Protection defenses work together ... 30
Figure 10: McAfee Endpoint Security platform ... 30
Figure 11: McAfee Agent Port Reference ... 31
Figure 12: EUA Workflow ... 33
Figure 13: EUA - Deployment Prerequisites ... 34
Figure 14: VSE OAS - Example Policy Consolidation Workflow ... 41
Figure 15: Firewall Consolidation Workflow ... 45
Figure 16: Website Review Process ... 47
Figure 17: ENS Permissions Categories ... 53
Figure 18: ENS Installation Status Report - Stacked Bar Chart ... 55
Figure 19: ENS Installation Status Report - Stacked Bar Chart Details ... 55
Figure 20: Deploying EUA Package ... 56
Figure 21: Example Task with all ENS Modules ... 56
Figure 22: On Access Scanning - EICAR Test ... 58
Figure 23: Viewing the Quarantine Folder ... 58
Figure 24: Exploit Prevention - Blocking Hidden PowerShell ... 59
Figure 25: Web Control - Blocking Navigation to a malicious website ... 59
Figure 26: Web Control - Blocking Navigation to a Phishing page ... 60
Figure 27: ENS Permissions Categories ... 68


Introduction

This document serves as a recommended summary outline for planning and executing an upgrade from McAfee legacy endpoint security products to McAfee Endpoint Security 10.5.

This outline is derived from McAfee Solution Services, based on the current methodology used in field engagements for endpoint software upgrades from any or all of the following legacy McAfee endpoint products: McAfee VirusScan Enterprise 8.8, McAfee Host Intrusion Prevention 8.0, and McAfee SiteAdvisor Enterprise 3.5. This planning outline can also serve as a general guide for planning new deployments of McAfee Endpoint Security 10.5.

Audience

The intended audience for this outline is administrators who are experienced with McAfee endpoint security products. It is not intended to be a comprehensive solution document containing detailed supporting information. McAfee recommends that project participants treat this document as a supplement to their own guidelines and requirements for software deployment within their environment.

Questions or requests for detailed information relating to the steps outlined in this summary should be directed to the McAfee subject matter experts within your organization. Additional information can be obtained from the McAfee Knowledge Center and McAfee Communities. Further assistance can be obtained by contacting your McAfee support representative.

Methodology

The methodology for this software upgrade project follows the McAfee Way and includes the following phases:

1. Plan
2. Design
3. Assess
4. Test
5. Implement


Plan

Successful software deployment projects involve thorough planning before an upgrade of your production environments. Upgrade project plans will differ widely depending on the size and complexity of your environment.

To ensure overall project success, it is essential that key stakeholders are identified and provide active input during the project. Project teams should be comprised of cross-functional members representing the various interests across your organization: infrastructure, essential business applications, systems and application administration, management, and end users (by group or location).

Project success can and should be determined by quantifiable metrics, measuring benefits, or impediments, to the organization. It is critical that initial planning determines and outlines the business objectives and intended security requirements for the organization.

Technology upgrade planning confirms an understanding of the product solution, and should include information on product features, design, implementation, and integration with other software currently installed within the organization.

Solution validation should be assessed initially in non-production test environments, and again in production using small, manageable pilot groups that are representative of the production environment, so that critical business operations are not impacted.

The planning checklist identifies a set of initial considerations to assist you with upgrade planning. The decisions you make should be documented for use during the subsequent design, assess, test, and implement phases.

Table 1: Planning Checklist

| Plan: prepare for… | By addressing these considerations… |
| Project Success (quantifiable business benefits are mandatory) | Identify business applications, administrators, and application owners. Discuss: project and business objectives; security requirements; end user communications; additional planning topics. |
| Technology Implementation (confirm an understanding of the solution's capabilities) | Discuss: product features; product feature parity; supported platforms; supported McAfee agents; integration with other McAfee solutions; conflicts with existing products; the implementation process. Identify systems for the initial pilot deployment. |
| Solution Validation (confirm validation processes) | Discuss: 1. McAfee application validation testing; 2. business application testing procedures. |
| Ongoing Operations (continued product deployment; identify and respond to risk) | Discuss: current security management practices; change control processes; back out and recovery plans; software updates; signature content testing; McAfee GetClean; reporting requirements. Review corporate security policies and supporting documentation. |

Identify business applications, administrators and application owners

Project planning discussions should include business critical application administrators and application owners to determine how the McAfee security solution might affect these key stakeholders.

The project manager should identify enterprise applications and their owners, and maintain a stakeholder register as necessary.

Table 2: Example Application Owners Sheet

| Application Name | Purpose | Owner/Administrator |
| Example: Meditech | Pharmacy Workflow, Laboratory Diagnostics | [email protected] |
| Example: Invoice Supreme | Accounts Receivable, Recurring Billing | [email protected] |

NOTE: The Application Owners Sheet is important for ENS-based exclusions, exceptions, and other policies. Business owners may require a new or different policy based on the application vendor's list of recommended exclusions or other configurations.

Discuss project and business objectives

Project participants should use this opportunity to clearly identify the project and business objectives. A common business objective is "Improved security by applying technical safeguards that enforce policies." Ensure that your company's information security strategy aligns with these objectives.

You can get the conversation started by asking the project participants the following questions:

Table 3: Questions regarding Project and Business Objectives

| Question | Response |
| What is our success criteria for the ENS Upgrade Project? | |
| Have we identified any business risks concerning the project? | |
| How can the results of this project make our organization more effective? | |

Discuss security requirements

Review specific use cases and core product capabilities as needed to ensure that policy configurations will meet the organization's defined security requirements, for example:

- Different policy configurations for workstations and servers
- Different policy configurations based on server role / function
- Different policy configurations for functional user groups
- Different policy configurations for specific enterprise applications
- Different policy configurations for LAN or remote VPN users

Discuss end user communications

Users, administrators, and internal support personnel (including the help desk) will need to understand the potential impact of the ENS modules. New security functionality that was previously not present in the organization will likely be introduced.

- Determine if the organization has identified end users for testing as part of the pilot deployment
- Determine if end users have been notified about the project and the deployment timeline
- Determine if end users have been informed of how to report any suspected problems

Discuss additional planning topics

Review and identify any additional planning topics which may be unique to the environment.

These topics should focus on project success and related business outcomes. Implementation, solution validation and operational topics will follow.

Identify additional topics that may be required:

- change control process and lead time to establish change control windows
- training requirements and kick-off call for the pilot user group
- collecting network traffic diagrams for critical applications
- identifying critical infrastructure servers (examples include Active Directory, SQL and DHCP servers)
- collecting a list of vendor recommended exclusions
  - NOTE: Review McAfee KB66909 "Consolidated list of Endpoint Security/VirusScan Enterprise exclusion articles."
- other topics as specified
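The application owners sheet (Table 2) and the vendor exclusion list collected above feed the same decision: which exclusions actually go into the ENS policy. Exclusions are the part of an AV policy that silently removes coverage, so the list deserves a review pass before migration rather than a copy-and-paste. The script below is an added example written for this guide, not a McAfee tool and not derived from KB66909; the application names, owner addresses and exclusion strings are constructed sample data. It merges the exclusions each owner hands over, notes which ones more than one application shares (candidates for a single shared policy), and tags the entries a reviewer should send back: a whole drive, a top-level folder such as Program Files, an extension-only wildcard, or a process name with no path.

```python
"""Consolidate vendor-recommended exclusions gathered from application owners
and flag entries that are too broad to carry into an ENS policy as given.

Added example for this planning guide. It is not a McAfee tool; the
application names, owner addresses and exclusion strings below are
constructed sample data, not any vendor's published exclusion list."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample sheet: one row per (application, owner, exclusion),
# mirroring the columns of the application owners sheet plus the
# exclusions each owner handed over. Backslashes are doubled for Python.
SAMPLE_SHEET = """application,owner,exclusion
Meditech,pharmacy-admin@example.com,C:\\Meditech\\Data\\*.dat
Meditech,pharmacy-admin@example.com,C:\\Meditech\\Bin\\mt.exe
Invoice Supreme,billing-admin@example.com,D:\\
Invoice Supreme,billing-admin@example.com,*.log
Invoice Supreme,billing-admin@example.com,C:\\Program Files\\
Reporting Tool,reports@example.com,C:\\Meditech\\Data\\*.dat
Reporting Tool,reports@example.com,rpt.exe
"""

# Shapes a reviewer would question before accepting them into a policy.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")              # "D:\" excludes a whole volume
TOP_LEVEL = re.compile(r"^[A-Za-z]:\\[^\\*]+\\?$")      # one folder below the root
EXT_ONLY = re.compile(r"^\*\.[A-Za-z0-9]+$")            # "*.log" anywhere on disk
BARE_PROCESS = re.compile(r"^[^\\*]+\.exe$", re.IGNORECASE)  # name only, no path


def classify(exclusion):
    """Return the review tags for one exclusion string; an empty list means
    it is scoped narrowly enough to accept as given."""
    e = exclusion.strip()
    tags = []
    if DRIVE_ROOT.match(e):
        tags.append("drive-root")
    elif TOP_LEVEL.match(e):
        tags.append("top-level-folder")
    if EXT_ONLY.match(e):
        tags.append("extension-wildcard")
    if BARE_PROCESS.match(e):
        tags.append("unqualified-process")
    return tags


def consolidate(sheet_text):
    """Merge duplicate exclusions across applications. Returns a dict keyed by
    the lower-cased exclusion, holding the owners and applications that asked
    for it and the review tags from classify()."""
    merged = defaultdict(lambda: {"owners": set(), "applications": set(), "tags": []})
    for row in csv.DictReader(io.StringIO(sheet_text)):
        raw = row["exclusion"].strip()
        entry = merged[raw.lower()]
        entry["owners"].add(row["owner"].strip())
        entry["applications"].add(row["application"].strip())
        entry["tags"] = classify(raw)
    return dict(merged)


def needs_review(sheet_text):
    """Exclusions to send back to their owners, with the reason tags."""
    return {k: v["tags"] for k, v in consolidate(sheet_text).items() if v["tags"]}


def shared_exclusions(sheet_text):
    """Exclusions requested by more than one application: candidates for one
    shared policy rather than a copy per application."""
    return {k: sorted(v["applications"])
            for k, v in consolidate(sheet_text).items()
            if len(v["applications"]) > 1}


if __name__ == "__main__":
    for excl, tags in needs_review(SAMPLE_SHEET).items():
        print(f"REVIEW  {excl:<24} {', '.join(tags)}")
    for excl, apps in shared_exclusions(SAMPLE_SHEET).items():
        print(f"SHARED  {excl:<24} {', '.join(apps)}")
```

Run as-is it reports `D:\`, `C:\Program Files\`, `*.log` and `rpt.exe` for review and shows that the Meditech data wildcard is requested by two applications. The tags are deliberately coarse: the point of the pass is to hand a short, named list back to the owners in Table 2 so the conversation about narrowing an exclusion happens before the policy is migrated, not after an incident.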

Discuss product features

Review product features, capabilities, and operational functionality:

- Review McAfee KB86704 "FAQs for Endpoint Security"
- Review McAfee KB82761 "Supported platforms, environments, and operating systems for Endpoint Security"
- Review the ENS product guides and release notes for further information

Determine which modules or core features will be implemented for Endpoint Security: Threat Prevention, Adaptive Threat Protection, Firewall, and Web Control, or McAfee Client Proxy.

Endpoint Migration Assistant

The Endpoint Migration Assistant walks you through the migration process. You can let the Migration Assistant migrate all your settings and assignments automatically, based on your current settings and new product defaults, or you can select and configure them manually.

Use the Endpoint Migration Assistant to migrate product settings where a supported legacy version of a product module is installed.


The Endpoint Migration Assistant ensures that the settings in your legacy policies are moved to the correct policies in Endpoint Security. In some cases, they are merged with other Endpoint Security settings, and in others, new default settings are applied to support updated technologies.

Refer to the ENS 10.5 Migration Guide and review the following information:

- Installing the Endpoint Migration Assistant extension to ePO
- Migrating policies automatically
- Migrating policies manually
- Maps of migrated policies (old solution to ENS 10.5)

Endpoint Upgrade Assistant (EUA)

The McAfee® Endpoint Upgrade Assistant is a McAfee® ePolicy Orchestrator® (McAfee® ePO™) extension that simplifies and automates the tasks required to upgrade the McAfee products on your managed endpoint. The Endpoint Upgrade Assistant features minimize the number of upgrade tasks and ensure product interoperability.

Refer to McAfee KB88141 and the EUA Product Guide for the following information:

- Installing the Endpoint Upgrade Assistant extension to ePO
- Understand the Analyze tab, to assess current endpoints in the environment
- Understand the Prepare tab, to verify correct prerequisites have been met
- Understand the Plan tab, to view and create required upgrade tasks
- Understand the Deploy tab, to configure and deploy upgrade tasks

Discuss product feature parity

Review the relationship between the ENS 10.5 modules and legacy endpoint security solutions.

Module feature parity:

• Threat Prevention – Replaces Host Intrusion Prevention IPS and VirusScan Enterprise
• Adaptive Threat Protection – Includes Dynamic Application Containment, Real Protect and the Threat Intelligence Exchange module. Replaces the Threat Intelligence module for VSE
• Firewall – Replaces Host Intrusion Prevention Firewall
• Web Control – Replaces Site Advisor
• McAfee Client Proxy – An optional component that integrates with McAfee Web Gateway

Threat prevention

The Endpoint Security Threat Prevention module replaces McAfee VirusScan® Enterprise 8.8 and the Host Intrusion Prevention® IPS security protections. Threat Prevention detects threats in real time, leveraging McAfee Global Threat Intelligence (GTI) and AMCore security content files. Updates are delivered automatically to target vulnerabilities and block emerging threats from executing.

Layered protection includes anti-malware scanning, script scanning, Access Protection and Exploit Prevention. Threat Prevention automatically checks files for viruses, spyware, unwanted programs, and other threats whenever users access them.

Adaptive Threat Protection

Endpoint Security Adaptive Threat Protection (ATP) analyzes content from your enterprise and decides what to do based on file reputation, rules, and reputation thresholds.

The Adaptive Threat Protection module is supported on Microsoft Windows only, and is an optional Endpoint Security module.

Real Protect

McAfee Real Protect is a real-time behavior detection technology which monitors suspicious activity on an endpoint. Real Protect leverages machine learning and automated behavioral-based classification on the local system and in the cloud to detect zero-day malware in real time.

Dynamic Application Containment (DAC)

DAC allows unknown/untrusted applications to run inside a container. Several containment rules limit what an application is allowed to do.

Review McAfee KB87843 – "List of and best practices for Endpoint Security Dynamic Application Containment rules". Identify DAC rules that align with use cases and/or security concerns, to define an appropriate workflow for tuning DAC.

Figure 1: High Level DAC Tuning Workflow

Set rules to Report only → Monitor logs/reports → Set reputations or DAC exclusions for trusted applications

Firewall

Endpoint Security Firewall updates and replaces the McAfee Host Intrusion Prevention® Firewall. The integrated, stateful firewall dynamically inspects traffic on the network, blocking malicious or undesired traffic.

Policy configuration features include: trusted networks, trusted/untrusted executables, Location Aware Groups, Connection isolation, and Timed firewall groups for end-user VPN connections.

ENS Firewall rule policies are similar to legacy Host IPS, and the migration of existing rules/policies typically completes without issue.

Web Control

Endpoint Security Web Control improves on McAfee Site Advisor Enterprise with updated Web Control browser toolbars that improve the user experience. Integration of Web Control with Threat Prevention, using Global Threat Intelligence™, helps ensure safe, reputable web browsing and secure browser file downloads. Web Control notifies users of threats while they search or browse websites.

Security administrators can prevent the disabling of browser plug-ins and control access to sites, pages, and downloads based on safety rating or type of content. Sites can be identified as blocked or allowed based on URLs and domains. Notifications that appear when users attempt to access a blocked website can be customized, and detailed reports of website usage created. Endpoint Security Web Control supports user-based policies, making it easy to configure customized security policies and user controls.

Figure 2: Web Control – Policy Recommendations

• Block links to risky sites in search results (enable Secure Search)
• Block the use of unsupported browsers
• Allow Web Control to analyze downloaded files
• Allow Web Control to "stand down" if an on-premise appliance is present

Figure 3: Web Control - Secure Search

Enable Secure Search to block links to risky sites in search results. Websites that McAfee has tested have a risk rating attached to them; unsafe websites have a red X. Left-clicking on the malicious link will not open the unsafe website.

Figure 4: Web Control Examining File Downloads

Allow Web Control to examine files that are downloaded from the Web. Web Control will perform a GTI lookup on files prior to their download. Web Control works in conjunction with Threat Prevention to provide an additional level of scanning for file downloads.

Web Control enforcement can be disabled while connected to the corporate network and protected by perimeter security appliances such as a McAfee Web Gateway, Blue Coat Proxy Server or a Palo Alto Firewall. For additional information on integrating with McAfee Web Gateway solutions, refer to the McAfee Client Proxy 2.3 product guide, Configuring McAfee Client Proxy with McAfee Web Gateway.

For more information on any of Endpoint Security components, refer to the product guide.


Discuss supported platforms

Review the existing infrastructure and identify systems being considered for the project.

Review McAfee KB82761 – “Supported platforms, environments, and operating systems for Endpoint Security”

*NOTE: This knowledge base article is updated frequently as new Operating Systems, Browsers and Virtualization technologies are released.

Identify which Operating Systems, virtualization technologies, and internet browsers are in use within the environment.

Discuss supported McAfee agents

Supported McAfee Agent versions are McAfee Agent 5.0.2 and later. Determine if the McAfee Agent will need to be upgraded. It is always recommended to deploy the most recent patch version. McAfee Agent versions are listed in McAfee KB82105.

Discuss integration with other McAfee solutions

ENS integrates with McAfee Threat Intelligence Exchange (TIE), Data Exchange Layer (DXL), and McAfee Active Response (MAR) to provide a comprehensive security solution.

TIE, DXL and MAR all directly integrate with ENS.

When installed and configured, TIE reputations are leveraged by all Endpoint Security modules to assist in verifying security threats throughout the entire infrastructure.

TIE reputations are also leveraged directly by ENS Adaptive Threat Protection/Dynamic Application Containment to determine whether containment rules should be triggered.

If McAfee Threat Intelligence Exchange is already deployed for legacy products, the TIE integration on the endpoints is upgraded when the ENS 10.5 Adaptive Threat Protection module is installed.

Discuss conflicts with existing products

McAfee KB85522 provides a detailed list of third-party security products which can be removed by the Endpoint Security installer when ENS is installed.

Identify other security products within the environment and determine if there are any known uninstall or interoperability issues.

Figure 5: Workflow to Identify and Remediate other security Products

1) Identify if ENS security product removal is supported
2) In a test environment, attempt to install ENS
3) Verify whether or not the other security product was cleanly uninstalled
4) If remnants of a supported product are present, contact McAfee support

*NOTE: The ENS 10.5 Installer is not able to successfully remove all security products.

Discuss any known operating system incompatibilities and review McAfee KB82450 "Endpoint Security 10.x Known Issues".

Discuss the implementation process

Components within the infrastructure will change during the Endpoint Security implementation. Review processes to successfully recover or revert components to their prior condition should any implementation failures occur.

Determine how software will be deployed to managed clients:

• Deployment through ePO
• Deployment through a third-party application (e.g. Microsoft SCCM, KACE, Altiris, etc.)
• Use of ENS Package Designer (if desired). For information about installing and using Package Designer, see KB86438.

Repository Considerations

Review the ePolicy Orchestrator Distributed Repositories and the methods used to populate repositories (i.e. lazy caching, replication tasks).

Peer to Peer (P2P) Updating Considerations

Review the Peer-to-Peer updating ability of the McAfee Agent. In nearly all circumstances, Peer-to-Peer updating reduces the load on the distributed repositories, and enables software and content to be distributed faster. The steps below can be used to gradually implement P2P Agent communications for the environment.

1) Consider enabling P2P on laptops, physical workstations and servers.

2) Systems that are not good candidates for P2P are:
   • Laptops that spend the majority of the time connected via VPN
   • Fixed function machines that have extremely limited spare processing cycles

3) Systems that may be good candidates for P2P are:
   • Physical or Virtual Machines in the datacenter
     o These machines typically have an extremely high bandwidth connection to a repository, so bandwidth costs are very low

4) Review performance metrics, both before and after P2P is enabled, to establish a baseline and the actual load of the P2P process (work with the network admin and monitor traffic via Wireshark or a similar trace program).

5) If network performance is acceptable, enable P2P on a subset of workstations. Document how many nodes are in these specific broadcast domains.

6) Review performance metrics.

7) If network performance is acceptable, expand the number of workstations that have P2P enabled.

8) Review performance metrics.

9) Continue repeating this process.

Identify systems for the initial pilot deployment

Identify systems that will be part of the initial pilot deployment. It is recommended to use a variety of systems representative of the overall environment.

Determine the operating system platforms to be managed (e.g. Windows, Mac, Solaris, etc., as supported by the product).

Determine groups by type of system: workstations or servers, remote users or VPN users, etc.

The scope of your project may be limited to only workstations, only servers, or both.

Verify McAfee Agent deployment credentials for each platform are available.

Record the list of hostnames on a pilot system planning sheet.

Table 4: Pilot System Plan

Application(s) | OS | App Owner Contact | # Pilot Devices
EMC Backup Server | Win Server 2012 | [email protected] | 2
DHCP Server | Win Server 2016 | [email protected] | 2
Common Desktop Applications | Win 7 and 10 (x86 and 64-bit) | [email protected] | 4
[Critical App 1] | Win Server 2016 | [email protected] | 3
Mac Desktop | MacOS 10.12 | [email protected] | 1

Discuss McAfee application validation testing

Application validation testing should be planned for the McAfee solution being installed. Discuss and review the high-level activities which will be performed for your ENS deployment.

These activities are designed to validate the solution is working as designed, and are not intended to fulfill or replace existing requirements for the validation of critical business applications.

Endpoint Security validation tests

Validation tests ensure the ENS product is capable of blocking/monitoring activity and producing logs/events that are viewable on the client system and from the ePolicy Orchestrator console.

Validation tests should be created for ENS modules and features planned for deployment.

Tests may include, but are not limited to:

• On Access Scanning – EICAR Test
• Viewing the Quarantine Folder
• Exploit Prevention - Hidden PowerShell Detected
• Dynamic Application Containment
• Firewall policy block/allow
• Web Control

Figure 6: Example Format for a Validation Test

Test Name:         Test ID#:
Validation Steps:  Step 1)
                   Step 2)
                   Step 3)
Expected Results:  Expected results
Actual Results:

*NOTE: The results of validation testing should provide discussion points for additional policy configurations as required.

Figure 7: Tracking Test Results

Test ID | Test Name | Results
Test-01 | On Access Scanning Test | Pass
Test-02 | Exploit Prevention - Hidden PowerShell Detected | Fail
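As an added example that is not part of the McAfee guide, the following PowerShell script runs the "On Access Scanning – EICAR Test" from the validation list and records the outcome as a Figure 7 style tracking row. It assumes ENS Threat Prevention on-access scanning is enabled on the host and that the quarantine folder is the default C:\Quarantine (an assumption; adjust $QuarantineDir if your policy moves it).

```powershell
# Added example, not from the McAfee guide: scripted "On Access Scanning - EICAR Test"
# that produces a Figure 7 style tracking row (Test ID / Test Name / Results).
# Assumptions: ENS Threat Prevention on-access scanning is enabled on this host, and the
# quarantine folder is the default C:\Quarantine (adjust $QuarantineDir if your policy differs).

$QuarantineDir = 'C:\Quarantine'

function Invoke-EicarOnAccessTest {
    param(
        [string]$TestId      = 'Test-01',
        [string]$TestName    = 'On Access Scanning Test',
        [int]   $WaitSeconds = 10        # time allowed for the scanner to act on the file
    )

    # The EICAR test string is assembled from two halves so that this script file does not
    # itself match the EICAR signature when it is saved to disk.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS' + '-TEST-FILE!$H+H*'

    $testFile = Join-Path $env:TEMP ('ens-validation-{0}.com' -f [guid]::NewGuid())
    $quarantineBefore = @(Get-ChildItem -LiteralPath $QuarantineDir -File -ErrorAction SilentlyContinue).Count
    $quarantineAfter  = $quarantineBefore
    $blockedOnWrite   = $false

    try {
        # Writing the file is the "access" the on-access scanner is expected to act on.
        try {
            [System.IO.File]::WriteAllText($testFile, $eicar, [System.Text.Encoding]::ASCII)
        }
        catch {
            # Some policies deny the write outright; that is also a successful block.
            $blockedOnWrite = $true
        }
        Start-Sleep -Seconds $WaitSeconds

        # Step 1: the test file must no longer be present (deleted/quarantined, or never written).
        $removed = $blockedOnWrite -or (-not (Test-Path -LiteralPath $testFile))

        # Step 2: "Viewing the Quarantine Folder" - the folder should have gained an item.
        $quarantineAfter = @(Get-ChildItem -LiteralPath $QuarantineDir -File -ErrorAction SilentlyContinue).Count
    }
    finally {
        # On a Fail result the file is still there; remove it so the test leaves nothing behind.
        if (Test-Path -LiteralPath $testFile) { Remove-Item -LiteralPath $testFile -Force }
    }

    # Pass requires the file to have been removed. The quarantine delta is reported alongside,
    # because a policy set to "delete" rather than "quarantine" leaves the folder unchanged.
    [pscustomobject]@{
        'Test ID'          = $TestId
        'Test Name'        = $TestName
        'Expected Results' = 'EICAR file removed by on-access scan; event visible on the client and in ePO'
        'Actual Results'   = ('Removed={0}; QuarantineItemsAdded={1}' -f $removed, ($quarantineAfter - $quarantineBefore))
        'Results'          = if ($removed) { 'Pass' } else { 'Fail' }
    }
}

# Run the test and append the tracking row to a CSV that can feed the Figure 7 table.
$row = Invoke-EicarOnAccessTest
$row | Format-Table -AutoSize
$row | Export-Csv -Path (Join-Path $env:TEMP 'ens-validation-results.csv') -Append -NoTypeInformation
```

Confirm the matching Threat Prevention event in the ePO console afterwards; the script only checks the client-side effect.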

Discuss business application testing procedures

Prior to installation, determine the application testing practices for the organization. Understand any existing business application testing which needs to be performed and may require additional support (e.g. Exchange, SharePoint, database applications, VPN, etc.).

Best Practice: Perform the initial installation in a Lab, Development, or other non-production environment.

Best Practice: IT Application Administrators and Business Application Users should perform any existing application tests prior to the full production rollout.

If the organization doesn’t have current functional application testing practices defined, it is recommended to create a basic set of practices, based on current industry standards.

A basic functional application testing process should include:

Discuss organization specific testing procedures (what testing is done for other applications being rolled out to users?)

Determine basic tests that should be performed (e.g. Windows Updates, enterprise application use, etc.)

Establish methodology, or testing scripts to produce repeatable tests

Prepare the test environment

Perform the installation


Conduct testing and analyze the results

Resolve application issues, should any arise

Discuss performance testing and baseline metrics

Prior to installation of ENS, determine whether application performance testing baseline metrics exist for legacy security products within the organization. Understand existing performance issues which may be a concern, and should be baselined prior to installation of ENS. Identify the performance testing benchmarks to be measured before and after upgrade to ENS. The tests and benchmark indicators need to be consistent for both testing environments.

McAfee Endpoint Security Scan Avoidance is the most efficient way to ensure optimal performance on the endpoint. This feature, only available in ENS, leverages the AMCore Trust Model to help recognize when a scan is not necessary. This mechanism provides the greatest performance increase because it not only indicates whether a scan is necessary early in the scan workflow, but also has longer term relevance because cached Trusted + Clean results survive an AMCore Content update whereas Clean results alone will not.

Endpoint Security 10.2 and later includes a policy setting to allow the administrator to trust certain third-party certificates. These certificates are from third-party software that client systems have identified and reported back to ePolicy Orchestrator. Once trusted, file accesses by trusted processes and of trusted files benefit from the performance optimization provided through Scan Avoidance. McAfee recommends that you review your legacy policies to decide whether they are relevant to the new Endpoint Security scan optimization architecture. By default, Endpoint Security includes an optimized "Let McAfee Decide" option for On-Access Scanning. See KB88205 - How to improve performance with Endpoint Security 10.

Discuss current security management practices

It is recommended to identify existing processes for the following areas:

• Event or change management
• Incident Response: Identification of existing processes and procedures associated with Incident Response.
• Operations: What portion of the business will be responsible for the day-to-day operations of the ePO application and/or any of the applications that the ePO Solution will be managing? This will tie into the users and permissions discussion.
• Maintenance: Maintenance windows, coordination, regular scheduled basis or any other potentially impacting processes.
• Governance and Compliance: Which organizations are currently addressing Compliance within the environment?


Discuss change control processes

Review and verify the applicable change control procedures.

Discuss options and impacts as needed to address existing change control processes and procedures within the environment.

It is assumed that all changes to non-production environments do not need a change control.

It is assumed that all changes to the production environment will need a change control. A list of changes that will need to take place is shown below:

1) Installation of ENS related extensions in the ePO server

2) Installation of ENS related packages in the ePO server

3) Creation/Modification of policies on the ePO server

4) Deployment of software to nodes in the production environment.

Change control approval


Discuss back out and recovery plans

Develop a back out and recovery plan in the event of unforeseen issues, or installation failures.

This is particularly important when installing on shared file, application, or database servers

Verify access to the original installation software for operating system, database, and/or other applications

Verify and create VM snapshots or backups of any existing application server and SQL databases

Discuss software updates

The McAfee Support Notification Service (SNS) can be leveraged to provide alerts regarding hotfixes, patches and other notifications relating to ENS 10.5.


The Support Notification Service (SNS) delivers valuable product news, alerts, and best practices to help you increase the functionality and protection capabilities of your McAfee products.

*NOTE: It is recommended to review the release notes for the current patch for ENS 10.5 and for the current version of McAfee Agent.

Discuss signature content testing

Discuss and review ENS content updates to understand the importance of testing updates prior to a full production deployment. Refer to the ENS 10.5 Product Guide, "How content files work" section, to review the types of content ENS uses.

AMCore content package

McAfee Labs releases AMCore content packages daily by 7:00 p.m. (GMT/UTC). To receive alerts regarding delays or important notifications, subscribe to the Support Notification Service (SNS). See KB67828.

The AMCore content package includes these components:

AMCore — Engine and content

o Contains updates to the Threat Prevention scan engine and signatures based on results of ongoing threat research.

Adaptive Threat Protection — Scanner and rules

o Contains rules to dynamically compute the reputation of files and processes on the endpoints. McAfee releases new Adaptive Threat Protection content files every two months.

Real Protect — Engine and content

o Contains updates to the Real Protect scan engine and signatures based on results of ongoing threat research. Real Protect is a component of the optional Adaptive Threat Protection module.

Exploit Prevention content package

McAfee Labs releases Endpoint Security Exploit Prevention signature content on the 2nd Tuesday of every month. Monthly Exploit Prevention content release notes can be found here.

The Exploit Prevention content package includes:

Memory protection signatures — Generic Buffer Overflow Protection (GBOP), caller validation, Generic Privilege Escalation Prevention (GPEP), and Targeted API Monitoring.

Application Protection List — Processes that Exploit Prevention protects. Exploit Prevention content is similar to the McAfee Host IPS content files.


Discuss GetClean

Consider using McAfee GetClean on representative systems, or enterprise images running in the Common Operating Environment (COE).

Use of this utility can help optimize scanning performance of unknown files and utilities within the system environment. The tool provides scanning-related information to McAfee, which is used to update McAfee cloud intelligence with information on known good files present in your environment.

GetClean is a McAfee Labs initiative to minimize false-positive detections in the field. McAfee KB73044 provides an introduction to GetClean.

*NOTE: Refer to KB88288 - Endpoint Security Quick Start Tasks for summarized deployment information using GetClean.

Figure 8: GetClean Workflow

Identify a machine with a "gold image" → Download GetClean → Scan directories and submit clean files → Track results

Note: McAfee will send an email acknowledgement and a confirmation that the submitted files were added to McAfee Labs test systems.

Discuss reporting requirements

During this step the project participants and stakeholders should document an understanding of all required reporting requirements.

Clearly identify and document the reporting requirements of the various business units. The individual business units should be held to fully documenting their reporting requirements. These requirements should identify:

• Purpose of the report
• Permissions to run reports
• Access to related data
• Scheduling requirements
  o What frequency is required for the individual reports?
• Report distribution requirements

Determine if there is an established process for requesting reports. This process should include a review of the requirement, approval, creation of the report(s), and acceptance from the requesting party that the report(s) will satisfy the requirement.

Discussions should address the basics to demonstrate the solution is:

• Reporting on the status of the security solution within the environment
  o i.e. identifying the versions of McAfee Security Software that are installed, identifying the latest policy being enforced, etc.
• Reporting on compliance of the enterprise with your security standards as identified
• Reporting on Risk and Risk Mitigation within the enterprise
• Reporting on Incidents: i.e. violations of rules, malware, etc.
• Reporting on Incident Response: i.e. information on how the applications reacted to incidents (e.g. quarantined, blocked, would have been prevented, etc.)

Review corporate security policies and supporting documentation

Corporate security policies and supporting documentation

• Policies, standards, guidelines and related practices and procedures. These documents communicate management's direction for reducing risk and establish the control framework.
• Electronic copies of documents related to:
  o Acceptable use of assets
  o Access controls
  o Malware prevention, detection, and correction
  o Information and system backup
  o Security logging and monitoring
  o Change control
  o Management of technical vulnerabilities
    • System patch management
    • Patch testing procedures
  o Secure system engineering principles and requirements
    • System hardening and configuration standards
    • Firewall policy documentation
  o System acceptance testing
  o Information security continuity
  o Data retention and disposal policies

As built documentation

For the security solutions and platforms related to the implementation:

• System hardening and configuration standards
• Network segmentation and configuration standards
• Database server hardening and configuration standards
• Network diagrams
• End user computing configuration standards (for example, gold disk images)

Design

Project participants should discuss the current network and systems architecture to facilitate design and implementation of the McAfee security solution.

Table 5: Design Checklist

Prepare for… | By addressing these considerations…

Solution Integration – Explain and confirm the high-level design
  Discuss:
    • McAfee solution architecture overview
    • system architecture
    • network infrastructure services
    • McAfee network services
    • registered servers
  Design Principles: least privilege, segregation of duties, access control
  Discuss:
    • roles and responsibilities
    • users and groups

Validate Design – Confirm readiness prior to implementation
  Review:
    • release notes
    • known issues Knowledge Base articles
    • product compatibility
  Verify:
    • the installation environment meets specifications
    • accounts and permissions
    • prerequisite software is installed
    • pilot systems configuration

Discuss the McAfee solution architecture overview

Project participants and stakeholders should possess a high-level understanding of the ENS Security Platform. Stakeholders should discuss how the total solution addresses their security use cases.


Figure 9: How McAfee Endpoint Threat Protection defenses work together

Project participants should review the Endpoint Threat Protection whitepaper located at https://www.mcafee.com/us/resources/data-sheets/ds-endpoint-threat-protection.pdf. This whitepaper will provide participants with a high level understanding of ENS and its related components.

Discuss the system architecture

Each ENS module is centrally administered via McAfee ePO. An active McAfee Agent must be installed on each system in order for a device to receive the policy and task configurations that were configured in ePO.

Figure 10: McAfee Endpoint Security platform


Discuss the network infrastructure services

Discuss the current infrastructure services which are needed to facilitate deployment of the McAfee security solution.

DNS

DHCP

NTP

SMTP

Discuss McAfee network services

ENS 10.5 leverages the existing ports that have been configured in your ePO environment.

Figure 11: McAfee Agent Port Reference

Default Port | Protocol | Traffic Direction
80 | TCP | Outbound connection to the ePO server/Agent Handler
443 | TCP | Outbound connection to the ePO server/Agent Handler
8081 | TCP | Inbound connection from the ePO server/Agent Handler. If the agent is a SuperAgent repository, inbound connection from other McAfee Agents.
8082 | UDP | Inbound connection to agents. Inbound/outbound connection from/to SuperAgents.
8083 | UDP | Relay server discovery for the McAfee agent
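As an added example that is not from the guide, the PowerShell below checks a managed Windows endpoint against the Figure 11 port reference: outbound reachability of the ePO server/Agent Handler on 80 and 443, and the local listener and host-firewall rule for the inbound agent ports. The ePO hostname is a placeholder, the ports are the defaults from the figure, and the remark that 8083 is bound only on relay-enabled agents is an assumption.

```powershell
# Added example, not from the McAfee guide: check one managed endpoint against the
# McAfee Agent port reference in Figure 11 (80/443 TCP outbound, 8081 TCP inbound,
# 8082/8083 UDP). Assumptions: the ePO server / Agent Handler name is a placeholder, and
# the agent is using the default ports listed in the figure.

function New-PortCheckRow([int]$Port, [string]$Protocol, [string]$Direction, [string]$Check, [bool]$Ok) {
    [pscustomobject]@{
        Port = $Port; Protocol = $Protocol; Direction = $Direction; Check = $Check
        Result = if ($Ok) { 'OK' } else { 'FAIL' }
    }
}

function Test-McAfeeAgentPorts {
    param(
        [Parameter(Mandatory)] [string]$EpoServer,   # placeholder, e.g. 'epo.example.local'
        [int[]]$OutboundTcp       = @(80, 443),      # agent -> ePO server / Agent Handler
        [int]  $AgentWakeupTcp    = 8081,            # ePO -> agent (inbound wake-up / SuperAgent repo)
        [int]  $SuperAgentUdp     = 8082,            # SuperAgent wake-up to agents
        [int]  $RelayDiscoveryUdp = 8083             # relay server discovery
    )

    $rows = @()

    # Outbound: the agent must reach the ePO server / Agent Handler on 80 and 443.
    foreach ($port in $OutboundTcp) {
        $tnc = Test-NetConnection -ComputerName $EpoServer -Port $port -WarningAction SilentlyContinue
        $rows += New-PortCheckRow $port 'TCP' 'Outbound' "TCP connect to $EpoServer" $tnc.TcpTestSucceeded
    }

    # Inbound TCP 8081: the agent should be listening, and the host firewall should carry an
    # enabled inbound Allow rule for it, otherwise ePO wake-up calls never arrive.
    $listening = [bool](Get-NetTCPConnection -LocalPort $AgentWakeupTcp -State Listen -ErrorAction SilentlyContinue)
    $rows += New-PortCheckRow $AgentWakeupTcp 'TCP' 'Inbound' 'Agent listening' $listening

    $allowRule = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -contains "$AgentWakeupTcp" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $rows += New-PortCheckRow $AgentWakeupTcp 'TCP' 'Inbound' 'Host firewall allow rule' ([bool]$allowRule)

    # Inbound UDP: 8082 carries wake-up traffic to agents. 8083 (relay discovery) is assumed to be
    # bound only when this agent is enabled as a relay server, so FAIL here is expected on
    # ordinary endpoints and only matters on intended relays.
    foreach ($port in @($SuperAgentUdp, $RelayDiscoveryUdp)) {
        $bound = [bool](Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue)
        $rows += New-PortCheckRow $port 'UDP' 'Inbound' 'UDP endpoint bound' $bound
    }

    return $rows
}

# Replace the placeholder with the real ePO server or Agent Handler name.
Test-McAfeeAgentPorts -EpoServer 'epo.example.local' | Format-Table -AutoSize
```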

Discuss registered servers

Registered servers allow for the integration of ePO software with other, external servers. For example, register your LDAP server to connect with the Active Directory server. Registering a server can increase the effectiveness of ENS.

Each type of registered server supports or supplements the functionality of ENS with other McAfee solutions. For example, if you have TIE/DXL deployed in your environment and ENS ATP is enabled, you can leverage reputation information from TIE to block applications from executing. ePO Users are then able to view TIE server information in ePO reports and dashboards.


Discuss roles and responsibilities

Discuss roles and responsibilities, segregation of duties, and requirements for access to ePO and other applications. Discuss with the project participants and identify which types of users require access to the system. Spend time understanding their unique roles and responsibilities. This information can then be used to describe and create permission sets which allow them to perform their job successfully.

Users should be assigned privileges based upon their operational role for the solution. Operational roles might include:

• ePO Global Administration
• Product Administration
• Global Reviewer
• Product level reviewer

In the production ePO environment, consider providing global administrators with two accounts:

1) A global administrator account

2) A “day-to-day” operations type of account that has more restrictive permissions than the global admin account.

Typical user permissions

• Read-access to events in ePO
• Read-access to policies in ePO
• Read-access to system tree objects in ePO

Typical "administrative" permissions (only to be used in a change control window)

• Full access to policies
• Full access to system tree

Discuss users and groups

Users

There are two types of users: Global administrators and users with limited permissions.

Discuss Global Admin users, mapping the Global Admin users to AD accounts. Identify users requiring access to ePO and other applications

Groups

To facilitate management of the solution, McAfee recommends developing a group structure linked to an existing Active Directory or LDAP directory.

For installation and ongoing operation of the solution, consider creating the following Active Directory groups (Global/Universal Groups):


Group | Description
ENS_Administrators | ePO Permissions: Users requiring full access to ENS Policies, Queries and Dashboards.
ENS_Reviewers | ePO Permissions: Users requiring review permissions to ENS Policies, Queries and Dashboards.

Review release notes

McAfee products operate on a broad range of platforms and operating systems. McAfee quality assurance activities attempt to identify incompatibilities prior to product release. A current list of known issues is provided with the product release notes and is maintained online.

Review known issues Knowledge Base articles

The list of known product incompatibilities can be located through the McAfee Service Portal and will be reviewed with you as part of your McAfee Professional Services engagement. Please reference McAfee KB82450 for Endpoint Security 10.x Known Issues.

Review the product compatibility matrix

The Endpoint Upgrade Assistant (EUA) can provide you with compatibility information that is specific to your ePO environment. The EUA examines the software packages in your repository and compares that information against the list of ENS-compatible software. The "Analyze" tab and "Prepare" tab in the Endpoint Upgrade Assistant provide a visual representation of the minimum software versions supported by McAfee Endpoint Security 10.5.

Figure 12: EUA Workflow

Analyze → Prepare → Plan → Deploy


Figure 13: EUA - Deployment Prerequisites.

Verify that the installation environment meets specifications

Compare the systems in your environments against KB82761 - "Supported platforms, environments, and operating systems for Endpoint Security".

*Note: This KB article is updated frequently as new operating systems are released.

There will likely be a mix of operating system versions and hardware configurations in your environment. The table below was taken from KB82761 and provides an "at a glance" view of the system requirements for ENS 10.5. Pay special attention to operating systems that are not supported with ENS 10.5.

Table 6: System Requirements

| Operating System | Service Pack | Architecture (32bit / 64bit) | Processor | RAM Minimum | Hard Disk Space Free |
|---|---|---|---|---|---|
| Windows 10 | – | 32bit, 64bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 10 with November update | – | 32bit, 64bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 8.1 Update 1 | – | 32bit, 64bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 8.1 | – | 32bit, 64bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 8 (Except RT) | – | 32bit, 64bit | 2 GHz or higher | 3 GB | 1 GB |
| Windows 7 | SP1 | 32bit, 64bit | 1.4 GHz or higher | 2 GB | 1 GB |
| Windows Embedded Standard 7 | – | one architecture only (see KB82761) | 1 GHz or higher | 1 GB | 1 GB |
| Windows Vista (not supported with ENS 10.5) | SP2 | 32bit, 64bit | 1.4 GHz or higher | 2 GB | 1 GB |
| Windows XP Pro (no longer supported by Microsoft; not supported with ENS 10.5) | SP3 | 32bit only | 1 GHz or higher | 1 GB | 1 GB |
| Windows Embedded for POS (WEPOS) | – | 32bit only | 1 GHz or higher | 1 GB | 1 GB |
| Windows Embedded 8 (Pro, Standard, and Industry) | – | one architecture only (see KB82761) | 1 GHz or higher | 1 GB | 1 GB |
| Windows Server 2016 | – | 64bit only | 2 GHz or higher | 3 GB | 1 GB |
| Windows Server 2012 R2 Update 1 | – | 64bit only | 2 GHz or higher | 3 GB | 1 GB |
| Windows Server 2012 R2 Essentials, Standard, and Datacenter (including Server Core Mode) | – | 64bit only | 2 GHz or higher | 3 GB | 1 GB |
| Windows Server 2012 Essentials, Standard, and Datacenter (including Server Core Mode) | – | 64bit only | 2 GHz or higher | 3 GB | 1 GB |
| Windows Server 2008 Essentials, Standard, Datacenter, and Enterprise Web (including Server Core Mode) (not supported with ENS 10.5) | SP2 | 32bit, 64bit | 1.4 GHz or greater | 2 GB | 1 GB |
| Windows Server 2008 R2 Essentials, Standard, Datacenter, and Enterprise Web (including Server Core Mode) | SP2 | 32bit, 64bit | 1.4 GHz or greater | 2 GB | 1 GB |
| Windows Storage Server 2008 (not supported with ENS 10.5) | – | 32bit, 64bit | 1.4 GHz or higher | 2 GB | 1 GB |
| Windows Storage Server 2008 R2 | – | 32bit, 64bit | 1.4 GHz or higher | 2 GB | 1 GB |
| Windows Server 2003, 2003 R2 – All (no longer supported by Microsoft) | – | one architecture only (see KB82761) | 1.4 GHz or higher | 2 GB | 1 GB |
| Windows Small Business Server 2008 (not supported with ENS 10.5) | – | 64bit only | 1.4 GHz or higher | 2 GB | 1 GB |
| Windows Small Business Server 2011 | – | 64bit only | 1.4 GHz or higher | 2 GB | 1 GB |
| Windows Embedded Standard 2009 | – | 32bit only | 1 GHz or higher | 1 GB | 1 GB |
| Windows Point of Service 1.1 | – | 32bit only | 1 GHz or higher | 1 GB | 1 GB |
| Windows Point of Service Ready 2009 | – | 32bit only | 1 GHz or higher | 1 GB | 1 GB |

Verify accounts and permissions

Verify that the account(s) have the correct permissions. The same account may be used to upgrade software and deploy solution components on endpoints as needed:

• ePO administrative account
• McAfee Agent deployment
• ENS deployment (as needed to perform upgrades)

Verify prerequisite software is installed

Verify that prerequisite software is installed by using Endpoint Upgrade Assistant and reviewing the product release notes.

Verify pilot systems configuration

Verify that pilot systems have supported versions of the McAfee Agent software installed. Also, ensure that pilot systems meet the system requirements as listed in KB82761 - “Supported platforms, environments, and operating systems for Endpoint Security”.


Assess

During this phase, project participants will perform an assessment of the current production environment configuration to provide guidance and recommendations for the upgrade.

Activities performed during the assessment will result in changes to the production environment, specifically checking in the extension for the Endpoint Upgrade Assistant (EUA). Prior to checking in the EUA extension, McAfee recommends following your organization’s practices for submitting change requests, performing system backups and developing a back-out plan.

Table 7: Assessment Checklist (Assess)

| Prepare for… | By performing these activities… |
|---|---|
| Recovery, in the event of a failure | Prepare for installation: Backup the ePO application server and database |
| Installation of assessment tools for the production environment | Obtain the installation software; Check in required packages; Install required management extensions |
| Technical review | Run Endpoint Upgrade Assistant; Analyze Endpoint Upgrade Assistant results; Review dashboards and queries; Perform McAfee VirusScan Enterprise policy review(s); Perform McAfee Host Intrusion policy review(s); Perform SiteAdvisor Enterprise policy review(s); Export production policies; Export production tasks |

Prepare for installation

Implementation begins by preparing your production environment for recovery in the unlikely event of an installation or upgrade failure. Back-out and recovery plans should be verified with project participants and stakeholders.


Backup the ePO application server and database

Verify that snapshots or backups of the production ePO server completed successfully, and that the ePO database was also backed up. If backups of both were taken, their integrity should be verified prior to installing the management extensions.

Obtain the installation software

The Endpoint Upgrade Assistant can be obtained from the following locations:

• The McAfee Download Page, in the section named Utilities & Connectors (requires a valid Grant#)
• Within the ePO console, by navigating to Software > Software Manager > Utilities & Connectors > Endpoint Upgrade Assistant 1.3 (or perform a search for the latest version)

Install required management extensions

Install the latest version of the Endpoint Upgrade Assistant. Once installed, the Endpoint Upgrade Assistant can be accessed from Menu > Software > Endpoint Upgrade Assistant.

Run Endpoint Upgrade Assistant

In this phase (Assess), you will be running the Endpoint Upgrade Assistant (EUA) so that you can get an idea of which machines in your production environment are currently ready for migration to ENS 10.5.

Refer to the Introduction to Endpoint Upgrade Assistant for an explanation of the tool, a video overview, and links to product documentation.

Analyze Endpoint Upgrade Assistant results

Carefully analyze the results of the Endpoint Upgrade Assistant and prepare to implement the recommended upgrade scenarios after you have completed testing (see the Test phase). The objective of this initial analysis is to understand the “Upgrade Readiness” of your environment.

Review dashboards and queries

Review the ePolicy Orchestrator dashboards and queries for the following products:

• VirusScan
• Host IPS
• SiteAdvisor

These dashboards and queries will likely need to be ported into their ENS 10.5 equivalent.

Identify whether automated queries and reports are configured for endpoint security products. Document this information and create an “action plan” to maintain the existing level of operational effectiveness. This review can also provide an opportunity to introduce additional monitoring insights into the existing operational processes. Refer to the ePolicy Orchestrator product guide for additional information on monitoring and reporting configuration.

Table 8: Example Future State Dashboard for Endpoint Security Products

| Dashboard | Monitor Name | Description | Action Plan |
|---|---|---|---|
| Operational Dashboard | Antivirus Installed/Missing | This Boolean chart shows machines that have AV installed as well as machines that are missing AV. The approved antivirus software is VirusScan. | Update the query to include criteria for ENS 10.5 Threat Prevention. |
| Operational Dashboard | HIPS Content Compliance | Shows devices running up-to-date HIPS content (signatures). | Add a new monitor that also shows content compliance for Exploit Prevention. |
| Operational Dashboard | VirusScan Current DAT Adoption | Displays the number of workstations which have recent VirusScan DATs (within 2 versions of the master repository). | Add a new monitor that shows AMCore Content (Threat Prevention) within 2 versions of the Master Repository. |
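The two action plans above (count ENS Threat Prevention as AV alongside VirusScan, and judge content currency by AMCore for ENS systems as DATs are judged for VSE systems) worked through in code. This is an added example, not part of the McAfee guide; the column names, master repository versions and system rows are constructed to resemble an ePO query export and are assumptions.

```python
"""Dashboard logic for two Table 8 monitors during a VSE-to-ENS migration: "Antivirus
Installed/Missing" (VSE or ENS Threat Prevention counts as AV) and content currency
"within 2 versions of the Master Repository" (DATs for VSE systems, AMCore for ENS).
Added example, not from the McAfee guide; column names and rows are constructed to
resemble an ePO query export and are assumptions."""
from collections import Counter

MAX_LAG = 2  # "within 2 versions" of the master repository, as stated in Table 8

# Assumed export column names (constructed for this example).
NAME_KEY = "System Name"
VSE_KEY = "VirusScan Enterprise Version"
TP_KEY = "Endpoint Security Threat Prevention Version"
DAT_KEY = "DAT Version"
AMCORE_KEY = "AMCore Content Version"

# Constructed master repository state.
MASTER = {"dat": "8540.0000", "amcore": "2980.0"}

# Constructed sample rows (one per managed system).
SAMPLE_ROWS = [
    {NAME_KEY: "FIN-WS-001", TP_KEY: "10.5.0", AMCORE_KEY: "2980.0"},
    {NAME_KEY: "FIN-WS-002", TP_KEY: "10.5.0", AMCORE_KEY: "2977.0"},
    {NAME_KEY: "HR-WS-005", TP_KEY: "10.5.0", AMCORE_KEY: ""},
    {NAME_KEY: "MKT-WS-010", VSE_KEY: "8.8", DAT_KEY: "8539.0000"},
    {NAME_KEY: "MKT-WS-011", VSE_KEY: "8.8", DAT_KEY: "8530.0000"},
    {NAME_KEY: "LAB-WS-099"},
]


def content_number(version):
    """Return the leading integer of a content version ('2980.0' -> 2980,
    '8540.0000' -> 8540), or None when the field is empty or malformed."""
    head = (version or "").strip().split(".")[0]
    return int(head) if head.isdigit() else None


def av_installed(row):
    """Boolean chart criterion after the Table 8 action plan: either product counts as AV."""
    return bool(row.get(VSE_KEY)) or bool(row.get(TP_KEY))


def content_status(row, master=MASTER, max_lag=MAX_LAG):
    """Classify one system against the master repository.

    ENS systems are judged on AMCore content, VSE-only systems on DATs; a system whose
    content field is empty is reported separately because it is not merely stale."""
    if row.get(TP_KEY):
        current, reference = content_number(row.get(AMCORE_KEY)), content_number(master["amcore"])
    elif row.get(VSE_KEY):
        current, reference = content_number(row.get(DAT_KEY)), content_number(master["dat"])
    else:
        return "missing AV"
    if current is None:
        return "no content"
    # A system ahead of the master (updated from another source) is still current.
    return "compliant" if reference - current <= max_lag else "non-compliant"


def dashboard_counts(rows, master=MASTER, max_lag=MAX_LAG):
    """Return (AV installed/missing counts, content status counts, systems needing follow-up)."""
    av = Counter("installed" if av_installed(r) else "missing" for r in rows)
    status = {r[NAME_KEY]: content_status(r, master, max_lag) for r in rows}
    followup = sorted(name for name, s in status.items() if s != "compliant")
    return dict(av), dict(Counter(status.values())), followup


if __name__ == "__main__":
    av, content, todo = dashboard_counts(SAMPLE_ROWS)
    print("AV:", av)
    print("Content:", content)
    print("Follow up:", todo)
```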

Perform McAfee VirusScan Enterprise policy review(s)

The Endpoint Migration Assistant can be used to successfully migrate VirusScan policies and tasks to ENS 10.5. To streamline the migration activities, consider reducing the number of On Access Scanning (OAS) VirusScan policies that are present in the environment. Identify the business purpose for each VirusScan policy, paying special attention to On Access Scanning policies.

Identify a policy consolidation workflow that works for your environment. The example workflow shown in the figure below can be used as a starting point.


Figure 14: VSE OAS – Example Policy Consolidation Workflow

Track policy consolidation decisions, as this provides traceability for why new ENS OAS policies were created.

Table 9: VirusScan Policies - Consolidation Tracking Sheet

| VSE Policy Name | Description | Action Plan |
|---|---|---|
| Finance.Corp-OAS Policy | This policy includes exclusions for legacy financial applications that have known performance issues. The exclusions are recommended by the vendor. | The list of exclusions for these applications will be placed into a new policy named “Finance-OAS-G1”. |
| Revenue Cycle-OAS Policy | This policy includes exclusions for the app named Revenue Cycle. The exclusions are recommended by the vendor. | Consolidated into “Finance-OAS-G1” together with the policy above. |

Note: Repeat the above methodology for all configured VirusScan tasks. Task consolidation decisions need to establish whether new or additional ENS product tasks must be created.

Figure 14 workflow steps (text recovered from the figure):

1) Review existing On Access Scanning policies.
2) Identify policies that are very similar.
3) Consolidate exclusions into new On Access Scanning policy(s).
4) Document the consolidated policies and their exclusion lists.
5) Present the consolidated policies and exclusion list to the Information Security Office and receive sign-off.
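A way to carry out the “identify similar policies” and “consolidate exclusions” steps of the Figure 14 workflow and produce rows for the Table 9 tracking sheet. This is an added example, not from the McAfee guide; the policies and exclusion paths are constructed, and the similarity threshold and the “<prefix>-OAS-G<n>” naming of new policies are assumptions. Exclusions that only some members of a group carried are listed separately, because a merged exclusion list widens what stays unscanned on the other systems.

```python
"""Grouping VirusScan On Access Scan (OAS) policies by exclusion list, supporting the
"identify similar policies" and "consolidate exclusions" steps of the Figure 14 workflow
and the tracking sheet in Table 9.
Added example, not from the McAfee guide. The policies are constructed; the similarity
threshold and the "<prefix>-OAS-G<n>" naming of new policies are assumptions."""


def jaccard(a, b):
    """Similarity of two exclusion sets (1.0 = identical, 0.0 = nothing in common)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def group_similar(policies, threshold=0.7):
    """Greedy single-linkage grouping: a policy joins the first group in which some member
    is at least `threshold` similar to it. Groups preserve the input order."""
    groups = []
    for name, exclusions in policies.items():
        for group in groups:
            if any(jaccard(exclusions, policies[member]) >= threshold for member in group):
                group.append(name)
                break
        else:
            groups.append([name])
    return groups


def consolidation_plan(policies, threshold=0.7):
    """Return tracking-sheet rows (policy, action plan) and review notes for exclusions that
    only some members of a group carried: merging lists widens the unscanned surface on the
    systems that did not have them, which is what the sign-off step has to approve."""
    rows, notes = [], []
    for n, group in enumerate(group_similar(policies, threshold), start=1):
        if len(group) == 1:
            rows.append((group[0], "keep as-is (no similar policy found)"))
            continue
        # Assumed naming: business prefix of the first member, e.g. "Finance.Corp-OAS" -> "Finance".
        prefix = group[0].split("-")[0].split(".")[0].strip()
        new_name = f"{prefix}-OAS-G{n}"
        union = set().union(*(policies[m] for m in group))
        common = set.intersection(*(policies[m] for m in group))
        for member in group:
            rows.append((member, f'exclusions will be placed into a new policy named "{new_name}"'))
        for extra in sorted(union - common):
            notes.append((new_name, extra, "present in only some source policies; confirm before merging"))
    return rows, notes


# Constructed sample, modelled on Table 9 (paths are illustrative).
SAMPLE_POLICIES = {
    "Finance.Corp-OAS Policy": {r"C:\Apps\LegacyGL\**", r"C:\Apps\LegacyAP\**", "ledger.exe"},
    "Revenue Cycle-OAS Policy": {r"C:\Apps\LegacyGL\**", r"C:\Apps\LegacyAP\**", "ledger.exe",
                                 r"C:\Apps\RevCycle\**"},
    "HR-OAS Policy": {r"C:\Apps\LegacyGL\**", r"C:\Apps\LegacyAP\**", "ledger.exe"},
    "Marketing-OAS Policy": {r"C:\Apps\Adobe\**"},
}

if __name__ == "__main__":
    rows, notes = consolidation_plan(SAMPLE_POLICIES)
    for row in rows:
        print(*row, sep=" | ")
    for note in notes:
        print("REVIEW:", *note, sep=" | ")
```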


Table 10: VirusScan Tasks - Consolidation Tracking Sheet

| VSE Task Name | Description | Action Plan |
|---|---|---|
| Update All | Updates DAT files for VSE | None – This task will be used for ENS content updates |
| Weekly ODS | Performs a full system scan on a weekly basis | Schedule a new Scan task for ENS 10.5 |

Perform McAfee Host Intrusion Prevention policy review(s)

The Endpoint Migration Assistant can be used to successfully migrate Host IPS policies and tasks to ENS 10.5.

Project participants and stakeholders will review and consolidate Host IPS policies, exclusions and firewall rules.

*NOTE: Host Intrusion Prevention, IPS Protection and Rules policies may contain exceptions and/or changes to the severity of a specific signature. Capture policy settings that deviate from the McAfee default and attempt to consolidate the IPS Rules policies. *Refer to the ENS Migration Guide for further information on ‘Exception Rules’.

Exception Rules

Exception Rules from the IPS Rules policy migrate to the Access Protection and Exploit Prevention policies as executables under Exclusions.


Table 11: The Migration of Exception Rules in the HIPS 8.0 IPS Rules policy

Exception Rules with signatures: IPS Exceptions can include custom signatures. The executables and parameters from exceptions are appended to the Endpoint Security Access Protection Rule created during signature migration. If all McAfee-defined signatures are added to a subrule exception, the exception migrates as a global exclusion in the Access Protection and Exploit Prevention policies.

| Source exception | Signature Type | Target Endpoint Security Policy | Target Setting |
|---|---|---|---|
| Executables, Caller module, and API | All McAfee-defined signatures supported in the Threat Prevention Exploit Prevention policy (for example, Buffer Overflow and Illegal API Usage signatures) | Exploit Prevention | Exclusions |
| Executables and Parameters | FILE/REGISTRY/PROGRAM/SERVICE signatures | Access Protection | Executables and subrule parameters |
| Executables | No signature | Access Protection, Exploit Prevention | Global Exclusions |
| GPEP (General Privilege Escalation Prevention) signature | Severity/reaction signature (ID 6052) | Exploit Prevention | Enable General Privilege Escalation Prevention |


Table 12: HIPS IPS Rules Policies - Consolidation Tracking Sheet

| HIPS IPS Rules Policy | Description | Action Plan |
|---|---|---|
| IPS Rules-Marketing | Contains exceptions for an app used by Marketing. | The list of exclusions pertaining to these applications will be consolidated into a new policy named IPS Rules-General-Apps |
| IPS Rules Publishing | Contains exceptions for an app used by Marketing. | Consolidated into IPS Rules-General-Apps together with the policy above |

*NOTE: The environment may have many firewall policies with rules in them that are not currently linked to the Host IPS Firewall Catalog.

You can reduce the complexity of firewall rules by leveraging the Host IPS Catalog. The Host IPS Catalog contains reusable items that can be imported into firewall policies.

Consider maintaining a baseline firewall policy which satisfies most of the security requirements of the organization. Create additional catalog and policy items for specific types of users/groups as required.

The workflow shown in the figure below can act as a springboard for consolidating firewall policies and rules.


Figure 15: Firewall Consolidation Workflow

Understand planning decision points regarding firewall policy consolidation.

Table 13: Host IPS Firewall Rules Policies - Consolidation Tracking Sheet

| HIPS Firewall Rules Policy | Description | Action Plan |
|---|---|---|
| FW Rules-Coders | Firewall rules used by software coders | The firewall rules for these applications will be placed into a new firewall policy named FW-Rules-Developers |
| FW Rules-Programmers | Firewall rules used by Python Programmers | Consolidated into FW-Rules-Developers together with the policy above |

Figure 15 workflow steps (text recovered from the figure):

1) Understand the network topology and computing environment: this provides the ability to create a strong baseline policy that satisfies most business cases.
2) Analyze firewall rules: firewall rules should have descriptive names, and the notes field should be used to identify the purpose behind the rule.
3) Identify possible areas for consolidation: review network traffic diagrams for common and critical applications.
4) Optimize firewall rule sets: firewall policies should be checked for redundant, shadowed or blocked rules, and unused rules that can be eliminated or changed to reduce the size and complexity of the firewall catalog.
5) Repeat: applications change frequently, so the administrator should repeat this process to ensure that only relevant firewall policies are present in the environment.
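The “optimize firewall rule sets” step above, worked through as a static review that flags redundant, shadowed and unused rules in an ordered rule list. This is an added example, not from the McAfee guide: it assumes first-match evaluation and a simplified rule model (direction, protocol, remote ports, remote network, hit count), and the rules are constructed. The shadowed block rule in the sample is the case a reviewer most wants surfaced: the policy reads as if the traffic were blocked, but a broader allow placed above it means it never is.

```python
"""Static review of an ordered Host IPS-style firewall rule list for the "Optimize firewall
rule sets" step: find rules that are shadowed (an earlier rule with a different action
already catches all their traffic), redundant (same action) or unused.
Added example, not from the McAfee guide. It assumes first-match evaluation and a simplified
rule model (direction, protocol, remote ports, remote network); the rules are constructed."""
from dataclasses import dataclass, field
import ipaddress

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    direction: str = ANY             # "in", "out" or "any"
    protocol: str = ANY              # "tcp", "udp" or "any"
    remote_ports: frozenset = field(default_factory=frozenset)  # empty = any port
    remote_network: str = "0.0.0.0/0"
    hits: int = 0                    # matches recorded during the review window


def covers(broad, narrow):
    """True when every packet matched by `narrow` is also matched by `broad`."""
    if broad.direction != ANY and broad.direction != narrow.direction:
        return False
    if broad.protocol != ANY and broad.protocol != narrow.protocol:
        return False
    if broad.remote_ports and not (narrow.remote_ports and narrow.remote_ports <= broad.remote_ports):
        return False
    return ipaddress.ip_network(narrow.remote_network).subnet_of(
        ipaddress.ip_network(broad.remote_network))


def review_rules(rules):
    """Return (rule name, finding, detail) triples in rule order.

    Only the first covering rule is reported: under first-match evaluation it alone decides
    the packet's fate, so it is the one to fix. A shadowed block rule is the security-relevant
    case: the policy reads as if the traffic were blocked, but it never is."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, f"fully covered by earlier rule '{earlier.name}'"))
                break
        if later.hits == 0:
            findings.append((later.name, "unused", "no matches in the review window"))
    return findings


# Constructed sample rule set, in the top-down order in which it would be evaluated.
SAMPLE_RULES = [
    Rule("Allow DNS out", "allow", "out", "udp", frozenset({53}), hits=5000),
    Rule("Block telnet", "block", "out", "tcp", frozenset({23}), hits=3),
    Rule("Allow corp subnet", "allow", ANY, ANY, remote_network="10.0.0.0/8", hits=900),
    Rule("Allow SQL to finance DB", "allow", "out", "tcp", frozenset({1433}), "10.20.0.0/16", hits=0),
    Rule("Block SMB to corp", "block", ANY, "tcp", frozenset({445}), "10.0.0.0/8", hits=0),
    Rule("Allow web", "allow", "out", "tcp", frozenset({80, 443}), hits=12000),
]

if __name__ == "__main__":
    for name, kind, detail in review_rules(SAMPLE_RULES):
        print(f"{kind:9} {name}: {detail}")
```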


Review any configured Host IPS product-specific tasks. Task consolidation decisions need to establish whether new or additional ENS product tasks must be created to mirror specific task goals.

Perform SiteAdvisor Enterprise policy review(s)

There are over 100 web categories that SiteAdvisor and Web Control can take action on. Identify whether the environment has an acceptable internet usage policy, and block web categories which violate that policy.

If numerous SiteAdvisor policies contain similar or identical settings (for example, blocking the same web categories), use the policy comparison tool or an Excel sheet to find identical settings which can be consolidated across the policies.

Identify which web browsers are approved for use in the environment; both SiteAdvisor and Endpoint Security Web Control can be configured to block unsupported internet browsers.

Identify whether an established workflow is in place for unblocking websites that are incorrectly categorized. Website categorization and reputation are linked to McAfee’s TrustedSource.org. The workflow diagram below provides an example workflow for safely reviewing websites that have been blocked by SiteAdvisor or ENS Web Control.


Figure 16: Website Review Process (flowchart; only its text is recoverable here)

Steps: the end-user opens a ticket for the blocked site; check whether a screen shot of the block page and a business justification were provided, and if not, ask the user for them; review the website on a “non production” PC that is not on the corporate network; decide whether the site is legitimate and free of malicious content, whether it is mis-categorized, and whether it is blocked because of Risk Reputation; where the right site is unclear, perform a Google search using words from the business justification and try to identify the correct website.

Actions on the chart: add the web domain or website to the “Allowed list”; submit a re-categorization request to TrustedSource.org and await the response.

Outcomes: Outcome 1, notify the user that the website is now accessible; Outcome 2, escalate to the ePO Admin so that the end-user’s web surfing policy can be reviewed; Outcome 3, provide the user with the correct website, or, if the correct website could not be identified, inform the user that you were unable to determine which website they are attempting to access and ask them to contact the vendor.

Review any configured SiteAdvisor Enterprise product-specific tasks. Task consolidation decisions need to establish whether new or additional ENS product tasks must be created to mirror specific task goals.

Export production policies

Export the recently reviewed/consolidated production policies for VirusScan, Host IPS, and SiteAdvisor. These policies will be referenced in the next phase (Test), specifically when the Endpoint Migration Assistant is used for policy/task conversion to ENS 10.5.

Export production tasks

Export the recently reviewed/consolidated production tasks for VirusScan, Host IPS, and SiteAdvisor. These tasks will be referenced in the next phase (Test), specifically when the Endpoint Migration Assistant is used for policy/task conversion to ENS 10.5.


Test

During this phase, project participants will install, configure, upgrade and validate the McAfee solution in a non-production environment.

Table 14: Test checklist (Test)

| Prepare for… | By performing these activities… |
|---|---|
| Recovery, in the event of a failure | Prepare for installation: Backup the ePO application server and database |
| Installation | Check in required packages; Install required management extensions; Validate distributed repository replication; Run Endpoint Upgrade Assistant; Analyze Endpoint Upgrade Assistant results; Import production policies; Import production tasks |
| Configuration | Configure users and permission sets; Perform initial validation testing; Run the Endpoint Migration Assistant (Migrate policies; Migrate tasks); Configure the baseline policy; Assign the migrated policies to systems; Assign the migrated tasks to systems; Configure a deployment dashboard; Configure product deployment tasks |
| Upgrade | Deploy McAfee Agents to pilot systems, as needed; Deploy McAfee Endpoint Security to pilot systems |
| Validation (verify the technical implementation meets the security objectives discussed in the Plan and Design phases) | Monitor McAfee Agent and Endpoint Security deployments; Perform post-upgrade validation testing; Export the baseline policy |


Prepare for installation

Implementation begins by preparing your test environment for recovery in the unlikely event of an installation or upgrade failure. Back-out and recovery plans should be verified with project participants and stakeholders.

Successful installation of the solution requires following a phased approach which takes into account several activities.

Best Practice: McAfee recommends that you perform the initial installation or upgrade in a lab, development, or other non-production environment that is representative of the production environment.

Best Practice: During the technical implementation, McAfee recommends that you use a phased deployment approach. This typically begins with a series of pilot deployments that bring IT and business units together.

Best Practice: McAfee recommends that your environment’s Service Desk personnel be involved as early as possible to gain valuable experience needed to provide support for the organization.

Backup the ePO application server and database

Verify that snapshots or backups of the Test ePO server completed successfully, and that the ePO database was also backed up. If backups of both were taken, their integrity should be verified prior to installing the management extensions.

Check in required packages

The installation software can be obtained directly from the ePolicy Orchestrator Software Manager or via the McAfee Products download page (https://secure.mcafee.com/apps/downloads/my-products/login.aspx).

• TIP: The easiest way to obtain all required extensions and packages for ENS 10.5 is to download the McAfee Endpoint Security 10.5.x bundle from the ePO Software Manager. The McAfee Client Proxy package/extension is included in the bundle.

• The Endpoint Migration Assistant and the Endpoint Upgrade Assistant are available for download via the software manager separate from the bundle.

*NOTE: The Adaptive Threat Protection Software is optional and not in the ENS bundle. A valid grant # for ATP is required for separate download availability.

The packages for ENS 10.5 are listed in the following table:


Table 15: ENS 10.5 Packages

| Component | Type | Version |
|---|---|---|
| Endpoint Security Web Control | Package | 10.5.x |
| Endpoint Security Threat Prevention | Package | 10.5.x |
| Endpoint Security Platform | Package | 10.5.x |
| Endpoint Security Firewall | Package | 10.5.x |
| McAfee Client Proxy | Package | 2.3 |
| Endpoint Security Adaptive Threat Protection (if purchased) | Package | 10.5.x |

Install required management extensions

Management extensions allow the point products to be managed via ePO using policies.

Table 16: Management Extensions

| Component | Type | Version |
|---|---|---|
| Endpoint Security Web Control | Extension | 10.5.x |
| Endpoint Security Threat Prevention | Extension | 10.5.x |
| Endpoint Security Platform | Extension | 10.5.x |
| Endpoint Security Firewall | Extension | 10.5.x |
| Endpoint Security Adaptive Threat Protection (if purchased) | Extension | 10.5.x |
| McAfee Client Proxy | Extension | 2.3.x |
| McAfee Common Catalog Framework | Extension | 2.0.0.190 |
| McAfee Common Catalog | Extension | 2.0.0.190 |

Each module also has a corresponding “help” extension. The help extensions enable “context sensitive help” for each of the specific products.

Table 17: Help Extensions

| Component | Type | Version |
|---|---|---|
| Endpoint Security Web Control help | Extension | 10.5.x |
| Endpoint Security Threat Prevention help | Extension | 10.5.x |
| Endpoint Security Platform help | Extension | 10.5.x |
| Endpoint Security Firewall help | Extension | 10.5.x |
| Endpoint Security Adaptive Threat Protection help (if purchased) | Extension | 10.5.x |
| McAfee Client Proxy | Extension | 2.3.x |

Additional extensions that will aid in the policy migration and upgrade effort are listed in the table below:


Table 18: Additional Extensions

| Component | Type | Version |
|---|---|---|
| Endpoint Migration Assistant | Extension | Latest |
| Endpoint Upgrade Assistant | Extension | Latest |

Validate distributed repository replication

Prior to deploying the software, ensure that distributed repositories are working as expected. If lazy caching is used, perform a deployment task on a single machine that is pointed to a repository to ensure that the ENS packages/content are available.

Run Endpoint Upgrade Assistant

Analyze Endpoint Upgrade Assistant results

Import production policies

Import the consolidated policies for VirusScan, Host IPS and SiteAdvisor. These policies will be converted to their ENS 10.5 counterparts when the Endpoint Migration Assistant tool is used.

Import production tasks

Import the consolidated tasks for VirusScan, Host IPS and SiteAdvisor. These tasks will be converted to their ENS 10.5 counterparts when the Endpoint Migration Assistant tool is used.

Configure users and permission sets

Upon checking in the ENS 10.5 extensions, new permissions for Endpoint Security 10.5 will become available. Update existing permission sets to include these new products and/or create new permission sets that focus on ENS 10.5.

Existing ePO Users that are responsible for endpoint security should have their assigned permission sets updated to reflect the additional ENS 10.5 products. Existing permission sets will have “no permissions” for ENS specific products until they are manually added.


Figure 17: ENS Permissions Categories

Perform initial validation testing

On your test machines, collect basic performance information prior to installing ENS. This will provide you with a simple baseline to measure against once ENS has been installed.

Run the Endpoint Migration Assistant

Refer to the Endpoint Security Migration Guide for the specific steps required to migrate policies before ENS installation.

The Endpoint Migration Assistant can be accessed from Menu > Policy > Endpoint Migration Assistant.

The migration assistant will perform a policy/tasks conversion of your currently in place VSE/HIPS/SAE settings and migrate them to their corresponding ENS counterparts. Two Migration Modes are present:

1) Manual Migration – Recommended for environments that have unnecessary policies/tasks that should be consolidated for easier administration. This may need to be run multiple times as different policies are migrated.

2) Automatic Migration – Not recommended as unnecessary policies may be needlessly migrated.


*IMPORTANT: Configure and assign policies to systems and groups prior to deploying ENS 10.5.

Migrate policies

When you use the manual migration option, you have an opportunity to selectively migrate policies and make policy adjustments on the fly.

Migrate tasks

Ensure that you migrate relevant “On-Demand Scan Tasks”.

Configure the baseline policy

Configure and assign the baseline policy to system groups, or individual systems.

Assign the migrated policies to systems

Assign migrated policies to devices in your test environment.

Assign the migrated tasks to systems

Assign migrated tasks to devices in your test environment.

Configure a deployment dashboard

The deployment dashboard will show systems which are in scope for ENS 10.5.

Consider creating a Boolean pie chart query that contains matching criteria for ENS 10.5 security modules. Systems which lack the matching criteria will appear as “non-compliant”.

A default query named “Endpoint Security: Installation Status Report” displays the total number of systems which have ENS 10.5 installed.

Consider adding the query to the deployment dashboard.


Figure 18: ENS Installation Status Report - Stacked Bar Chart

Figure 19: ENS Installation Status Report - Stacked Bar Chart Details

Configure product deployment tasks

Review and identify the deployment task method(s) to be used for controlling the scope of the software deployments. Several methods exist for deploying ENS 10.5 and its associated modules.

This guide presents the following two methods:

• Method 1: Deploy Upgrade Automation Task utilizing the Endpoint Upgrade Assistant
• Method 2: Selectively Deploy ENS Modules via the Client Task Catalog and system tree assignment


Method 1: Deploy Upgrade Automation Task

The package named ENS Upgrade Assistant 1.0.x can be used to upgrade devices to ENS 10.5. All ENS 10.5 packages/extensions must be checked into ePO prior to deploying this package.

The ENS upgrade assistant package will attempt to deploy three ENS modules (TP, WC, and FW). If you do not wish to deploy all modules, you can create a task in the Client Task Catalog that explicitly specifies the modules to be deployed, or remove that package from that branch of the repository. Refer to the Endpoint Upgrade Assistant product guide for further information.

*IMPORTANT: Perform extensive testing prior to using the Deploy Upgrade Automation Task.

The workflow for the Deploy Upgrade Automation task is shown in the figure below:

Figure 20: Deploying EUA Package

Method 2: Selectively Deploy ENS Modules via the Client Task Catalog and system tree assignment.

Create a task in the task catalog that includes all or some of the ENS Modules.

Figure 21: Example Task with all ENS Modules


*NOTE: You might be more familiar with leveraging Method 2 as it is the legacy method.

Deploy McAfee Agents to pilot systems, as needed

If the required version of McAfee Agent is not currently installed, deploy the required McAfee Agent version for the test environment to pilot systems before deploying ENS 10.5.

Deploy McAfee Endpoint Security to pilot systems

Deploy ENS 10.5 using the planned deployment method.

Monitor McAfee Agent and Endpoint Security deployments

The overwhelming majority of your ENS deployments should be successful. Capture any reported issues and document the solutions for those issues. Engage McAfee Support when necessary.

Perform post-upgrade validation testing

Verify the technical implementation meets the security objectives discussed in the Plan and Design phases.

These activities will validate the newly created ENS 10.5 policies configured for the environment. Validate any additional testing criteria which may have been defined in the Plan and Design phases, for specific use case(s).

*NOTE: Verify any additional performance and functional testing requirements planned for your critical enterprise applications. Ensure the application performs the required business tasks that were discussed as requirements with business owners in the planning phase.

ENS Validation Tests

Validation tests verify that your McAfee products are functional: blocking or monitoring activity and producing logs and events that are viewable on client systems and from the ePolicy Orchestrator console.

Example validation tests for ENS specific features are shown in the following figures/tables:

Figure 22: On Access Scanning - EICAR Test

On Access Scanning – EICAR Test (TC-ENS-001)

Validation Steps:

1) Create a new text file.
2) Within the text file, enter the following string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

3) Save and close the text file.
4) Attempt to copy the text file.

Expected Results: The test file will be deleted and a popup message similar to the one shown below will be produced.

Actual Results

Figure 23: Viewing the Quarantine Folder

Options – Viewing the Quarantine Folder (TC-ENS-002)

Validation Steps:

1) Navigate to C:\quarantine
2) Verify that files appear in the quarantine folder

Expected Results: Files that have been quarantined will be in compressed zip format.

Actual Results


Figure 24: Exploit Prevention - Blocking Hidden PowerShell

Exploit Prevention – Hidden PowerShell Detected (TC-ENS-003)

Test Setup:

1) Create a TEMP policy in the category Endpoint Security Threat Prevention > Exploit Prevention
2) Name the policy TEMP-6070_Hidden_Powershell
3) Set the signature ID 6070 to Block+Report
4) Save the policy
5) Assign the policy to a single test device

Validation Steps:

1) Open Microsoft PowerShell and attempt to execute a command in hidden mode by pasting in the following command:

PowerShell.exe -windowstyle hidden {Invoke-Item c:\windows\system32\calc.exe}

2) Open the Endpoint Security console and view the Event Log. Verify that a detection event was generated for Exploit Prevention.

Expected Results: The Event Log will show a recent Exploit Prevention event (see example screen shot).

Actual Results

Figure 25: Web Control - Blocking Navigation to a malicious website

Web Control – Blocking Navigation to a Malicious Site (TC-ENS-004)

Test Setup
1) Ensure that the browser plugin for McAfee Endpoint Security Web Control is running

Validation Steps
1) Open the Google Chrome Browser
2) Navigate to http://red.test.csm-testcenter.org/

Expected Results
The site is blocked because it has a “red rating” (See screen shot)

Actual Results

Attachments
How to test SiteAdvisor Enterprise 3.x category ratings
https://kc.mcafee.com/corporate/index?page=content&id=KB72563

Figure 26: Web Control – Blocking Navigation to a Phishing page

Web Control – Blocking Navigation to a Phishing page (TC-ENS-005)

Test Setup
1) Ensure that the browser plugin for McAfee Endpoint Security Web Control is running

Validation Steps
1) Open the Google Chrome Browser
2) Navigate to http://www.testingmcafeesites.com/testcat_ph.html

Expected Results
The phishing webpage is blocked because phishing is a category on the block list (See screen shot)

Actual Results

Attachments
How to test SiteAdvisor Enterprise 3.x category ratings
https://kc.mcafee.com/corporate/index?page=content&id=KB72563

Table 19: Exploit Prevention – Viewing Aggregated Events

Exploit Prevention – Viewing Aggregated Events (TC-ENS-006)

Validation Steps
1) Open the ePO console
2) Navigate to Reporting > Exploit Prevention Events
3) Aggregate on “Analyzer Rule ID + Threat Target File Path + Action Taken”
4) Drill into an event with Analyzer ID 6070
5) On the page named “Aggregated Exploit Prevention Events Details”, click Actions > “Add Exclusion”
6) In the “Select a destination policy” page, click the policy named “TEMP-6070_Hidden_Powershell” and select OK
7) Navigate to the policy named “TEMP-6070_Hidden_Powershell” (it can be found at “Endpoint Security Threat Prevention : Policy Category > Exploit Prevention > TEMP-6070_Hidden_Powershell”)
8) Select “Show Advanced”

Expected Results
An exclusion for the process “POWERSHELL.EXE” was created in the policy (See screen shot)

Actual Results

*Optional TIE/DXL Validation Tests

Table 20: Threat Intelligence Exchange – Manually changing a file’s reputation to “most likely malicious”

Threat Intelligence Exchange – Manually changing a file’s reputation to “most likely malicious” (TC-ENS-007)

Test Setup
1) The TIE and DXL Infrastructure must be up and running in your environment.
2) ATP must be enabled
3) The action enforcement setting to Block when reputation threshold reaches “Most Likely Malicious” must be enabled.
4) Download and install the software named “Putty”. It can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
   Note: If you are currently using Putty for business purposes please select a different .exe to test.

Validation Steps
1) Navigate to Menu > Systems > Reputation > Tie Reputations
2) Using the Quick Find, search for “putty”
3) Select Putty.exe and click Actions > Most Likely Malicious
4) Attempt to launch putty from your test computer

Expected Results
A McAfee Endpoint Security Alert is produced on your test computer (see screen shot)
The file is blocked on execute.
Note: Revert Putty’s reputation by setting the Reputation for Putty to “known trusted”

Actual Results

Example ENS Validation Results

The results of the Application Validation testing should be captured and shared with the project participants.

Table 21: Example ENS Validation Results

Test ID     Test Name                                                                                        Results
TC-ENS-001  On Access Scanning – EICAR Test                                                                  Pass
TC-ENS-002  Options – Viewing the Quarantine Folder                                                          Pass
TC-ENS-003  Exploit Prevention - Hidden PowerShell Detected                                                  Pass
TC-ENS-004  Web Control – Blocking Navigation to a Malicious Site                                            Pass
TC-ENS-005  Web Control – Blocking Navigation to a Phishing page                                             Pass
TC-ENS-006  Exploit Prevention – Viewing Aggregated events                                                   Pass
TC-ENS-007  Threat Intelligence Exchange – Manually changing a file’s reputation to “most likely malicious”  Pass

Export the baseline policy

The migration assistant was used to convert policies to their ENS 10.5 equivalents. These newly converted policies are now ready to be exported from the test environment and imported into the production environment.

*IMPORTANT: Ensure you are exporting all of the policies which were validated in your test environment.


Implement

During this phase, project participants will install, configure, upgrade and validate the McAfee solution in a production environment.

The activities listed in this phase will closely mirror the activities completed in the “Test” phase.

Activities performed during this phase will result in changes to the production environment. McAfee recommends following your organization’s practices for submitting change requests, performing system backups and developing a recovery plan.

Implement

Prepare for… / By performing these activities…

Recovery (in the event of a failure):
- Prepare for installation
- Backup the ePO application server and database

Install:
- Check in the required client packages
- Install required management extensions
- Validate distributed repository replication
- Import the baseline policies
- Import the baseline tasks
- Configure users and permission sets
- Configure a deployment dashboard

Deploy:
- Run the Endpoint Upgrade Assistant
- Analyze Endpoint Upgrade Assistant results
- Configure the baseline policy
- Assign the migrated policies to systems
- Assign the migrated tasks to systems
- Configure product deployment tasks
- Deploy McAfee Agents to systems, as needed
- Deploy McAfee Endpoint Security to systems

Validation (verify the technical implementation meets the security objectives discussed in the plan and design phases):
- Monitor McAfee Agent and Endpoint Security deployments
- Perform validation testing


Prepare for installation

Production implementation begins by preparing the environment for recovery in the unlikely event of an installation or upgrade failure. Discuss your back out and recovery plans with the project participants.

Best Practice: Refer to any lessons learned that were discovered when upgrading devices to ENS 10.5 in the test environment.

Backup the ePO application server and database

Verify that snapshots or backups of the Production ePO server completed successfully, and that the ePO database was also backed up. If backups of both were taken, their integrity should be verified prior to installing the management extensions.

Check in required packages

Ensure that software versions in the production environment are the same as those in the test environment.

The installation software can be obtained directly from the ePolicy Orchestrator Software Manager or via the McAfee Products download page (https://secure.mcafee.com/apps/downloads/my-products/login.aspx).

Tip: The easiest way to obtain all required extensions and packages for ENS 10.5 is to download the McAfee Endpoint Security 10.5.x bundle from the ePO Software Manager. The McAfee Client Proxy package/extension is included in the bundle.

The Endpoint Migration Assistant and the Endpoint Upgrade Assistant are available for download via the software manager separate from the bundle.

*NOTE: The Adaptive Threat Protection software is optional and is not in the ENS bundle. A valid grant number for ATP is required before it is available as a separate download.

The packages for ENS 10.5 are listed in the following table:


Table 22: ENS 10.5 Packages

Component                                                    Type     Version
Endpoint Security Web Control                                Package  10.5.x
Endpoint Security Threat Prevention                          Package  10.5.x
Endpoint Security Platform                                   Package  10.5.x
Endpoint Security Firewall                                   Package  10.5.x
McAfee Client Proxy                                          Package  2.3
Endpoint Security Adaptive Threat Protection (If purchased)  Package  10.5.x

Install required management extensions

Ensure that the same extensions that were checked into the test environment are also checked into production.

Management extensions allow the point products to be managed via ePO using policies.

Table 23: Management Extensions

Component                                                    Type       Version
Endpoint Security Web Control                                Extension  10.5.x
Endpoint Security Threat Prevention                          Extension  10.5.x
Endpoint Security Platform                                   Extension  10.5.x
Endpoint Security Firewall                                   Extension  10.5.x
Endpoint Security Adaptive Threat Protection (if purchased)  Extension  10.5.x
McAfee Client Proxy                                          Extension  2.3.x
McAfee Common Catalog Framework                              Extension  2.0.0.190
McAfee Common Catalog                                        Extension  2.0.0.190

Each module also has a corresponding “help” extension. The help extensions enable “context sensitive help” for each of the specific products.

Table 24: Help Extensions

Component                                                         Type       Version
Endpoint Security Web Control help                                Extension  10.5.x
Endpoint Security Threat Prevention help                          Extension  10.5.x
Endpoint Security Platform help                                   Extension  10.5.x
Endpoint Security Firewall help                                   Extension  10.5.x
Endpoint Security Adaptive Threat Protection help (if purchased)  Extension  10.5.x
McAfee Client Proxy                                               Extension  2.3.x


Additional extensions that will aid in the policy migration and upgrade effort are listed in the table below:

Table 25: Additional Extensions

Component                     Type       Version
Endpoint Migration Assistant  Extension  Latest
Endpoint Upgrade Assistant    Extension  Latest

Validate distributed repository replication

Prior to deploying the software, ensure that distributed repositories are working as expected. If lazy caching is used, perform a deployment task on a single machine that is pointed to a repository to ensure that the ENS packages and content are available. Refer to the ePolicy Orchestrator Best Practices Guide for additional information.

Import the baseline policies

Import the policies that you worked with in the test environment. These policies came from the production environment and have undergone a migration to ENS 10.5 via the Endpoint Migration Assistant.

Ensure that policies have been tested and tailored for critical applications.

Import the baseline tasks

Import the baseline tasks so that your devices can run the necessary tasks to stay protected.

Configure users and permission sets

Upon checking in the ENS 10.5 extensions, new permissions for Endpoint Security 10.5 will become available. Update existing permission sets to include these new products and/or create new permission sets that focus on ENS 10.5.

Existing ePO users that are responsible for endpoint security should have their assigned permission sets updated to reflect the additional ENS 10.5 products. Existing permission sets will have “no permissions” for ENS-specific products until they are manually added.


Figure 27: ENS Permissions Categories

Configure a deployment dashboard

Ensure that the dashboard is viewable by those tracking the deployment.

The deployment dashboard will show systems which are in scope for ENS 10.5.

Consider creating a Boolean pie chart query that contains matching criteria for the ENS 10.5 security modules. Systems which lack the matching criteria will appear as “non-compliant”.

A default query named “Endpoint Security: Installation Status Report” displays the total number of systems which have ENS 10.5 installed.

Consider adding the query to the deployment dashboard (repeat the steps that you performed in the “Test” phase).

Run the Endpoint Upgrade Assistant

Ensure that you have set the tool to focus on an ENS 10.5.x upgrade.

Analyze Endpoint Upgrade Assistant results

The upgrade scenarios that are displayed in the production environment might be different from those in the test environment. Perform additional testing where necessary to ensure a smooth ENS upgrade.


Configure the baseline policy

Configure and assign the baseline policy to system groups, or individual systems.

Assign the migrated policies to systems

Assign migrated policies to devices in your production environment.

Assign the migrated tasks to systems

Assign migrated tasks to devices in your test environment.

Configure product deployment tasks

Ensure that the tasks are set to execute in accordance with the information listed in the change request. Please see the section in the “Test” phase named Configure product deployment tasks.

Deploy McAfee Agents to systems, as needed

Machines that have a broken McAfee Agent will need to be remediated prior to deploying ENS 10.5 through ePO.

Deploy McAfee Endpoint Security to systems

Use a phased implementation approach and tightly control the number of devices that receive ENS 10.5.

Monitor McAfee Agent and Endpoint Security deployments

The overwhelming majority of ENS deployments should be successful. Closely monitor any failed deployments and identify common scenarios that result in failure. Engage McAfee Support when necessary.

Perform validation testing

Ensure that stakeholders (specifically, application owners) are aware of the implementation timeline. Encourage stakeholders to validate system performance once ENS 10.5 modules are installed on critical servers. Application owners should perform a regression test against their application to ensure that ENS 10.5 has not introduced a new issue into your environment.


Note: Please see the section in the “Test” phase regarding “Post-upgrade validation testing”


Appendix

Upgrade Project Planning Checklist

Table 26: Upgrade Project Planning Checklist

Plan
[ ] Identify business applications, administrators and application owners
[ ] Discuss project and business objectives
[ ] Discuss security requirements
[ ] Discuss end user communications
[ ] Discuss additional planning topics
[ ] Discuss product features
[ ] Discuss product feature parity
[ ] Discuss supported platforms
[ ] Discuss supported McAfee agents
[ ] Discuss integration with other McAfee solutions
[ ] Discuss conflicts with existing products
[ ] Discuss the implementation process
[ ] Identify systems for the initial pilot deployment
[ ] Discuss McAfee application validation testing
[ ] Discuss performance testing and baseline metrics
[ ] Discuss business application testing procedures
[ ] Discuss current security management practices
[ ] Discuss change control processes
[ ] Discuss back out and recovery plans
[ ] Discuss software updates
[ ] Discuss signature content testing
[ ] Discuss McAfee GetClean
[ ] Discuss reporting requirements
[ ] Review corporate security policies and supporting documentation

Design
[ ] Discuss the McAfee solution architecture overview
[ ] Discuss the system architecture
[ ] Discuss the network infrastructure services
[ ] Discuss McAfee network services
[ ] Discuss registered servers
[ ] Discuss roles and responsibilities
[ ] Discuss users and groups
[ ] Review release notes
[ ] Review known issues Knowledge Base articles
[ ] Review the product compatibility matrix
[ ] Verify that the installation environment meets specifications
[ ] Verify accounts and permissions
[ ] Verify prerequisite software is installed
[ ] Verify pilot systems configuration

Assess
[ ] Prepare for installation
[ ] Backup the ePO application server and database
[ ] Obtain the installation software
[ ] Install required management extensions
[ ] Run Endpoint Upgrade Assistant
[ ] Analyze Endpoint Upgrade Assistant results
[ ] Review dashboards and queries
[ ] Perform McAfee VirusScan Enterprise policy review(s)
[ ] Perform McAfee Host Intrusion Prevention policy review(s)
[ ] Perform SiteAdvisor Enterprise policy review(s)
[ ] Export production policies
[ ] Export production tasks

Test
[ ] Prepare for installation
[ ] Backup the ePO application server and database
[ ] Check in required packages
[ ] Install required management extensions
[ ] Validate distributed repository replication
[ ] Run Endpoint Upgrade Assistant
[ ] Analyze Endpoint Upgrade Assistant results
[ ] Import production policies
[ ] Import production tasks
[ ] Configure users and permission sets
[ ] Perform initial validation testing
[ ] Run the Endpoint Migration Assistant
[ ] Migrate policies
[ ] Migrate tasks
[ ] Configure the baseline policy
[ ] Assign the migrated policies to systems
[ ] Assign the migrated tasks to systems
[ ] Configure a deployment dashboard
[ ] Configure product deployment tasks
[ ] Deploy McAfee Agents to pilot systems, as needed
[ ] Deploy McAfee Endpoint Security to pilot systems
[ ] Monitor McAfee Agent and Endpoint Security deployments
[ ] Perform post-upgrade validation testing
[ ] Export the baseline policy

Implement
[ ] Prepare for installation
[ ] Backup the ePO application server and database
[ ] Check in required packages
[ ] Install required management extensions
[ ] Validate distributed repository replication
[ ] Import the baseline policies
[ ] Import the baseline tasks
[ ] Configure users and permission sets
[ ] Configure a deployment dashboard
[ ] Run the Endpoint Upgrade Assistant
[ ] Analyze Endpoint Upgrade Assistant results
[ ] Configure the baseline policy
[ ] Assign the migrated policies to systems
[ ] Assign the migrated tasks to systems
[ ] Configure product deployment tasks
[ ] Deploy McAfee Agents to systems, as needed
[ ] Deploy McAfee Endpoint Security to systems
[ ] Monitor McAfee Agent and Endpoint Security deployments
[ ] Perform validation testing