McAfee Endpoint Security Customer POC Guide

Transcription

1 McAfee Endpoint Security Customer POC Guide Date : 11/2017

2 Important note: The enclosed material is proprietary to McAfee Inc. and is copyrighted. This document may not be disclosed in any manner to anyone other than the addressee and the employees or representatives of the addressed firm who are directly responsible for evaluation of its contents. This document may not be used in any manner other than for the purpose it was distributed. Any unauthorized use; reproduction or transmission in any form is strictly prohibited. Copyright 2017 McAfee Inc. 2 Rev Date: 12/1/17

3 Table of Contents 1 Business Case Proof of Concept Pre-Requisites POC Use Cases Customer success criteria Assumptions: Limitations Customer acceptance Rev: 12/1/17 3

4 The following contacts will be available to assist throughout the execution of this proof of concept. Please complete the following details before the agreed evaluation commencement date. Customer Contacts: Name Title Telephone Number(s) Partner Contacts: Name Title Telephone Number(s) McAfee Contacts: Sales Executives: Name Title Telephone Number(s) Sales Engineering Team: Name Title Telephone Number(s) 4 Rev Date: 12/1/17

5 1 Business Case Today s corporations face the challenge in security of defending the corporate network and users from malicious code disrupting business, in the past 18 months, both corporate and home users have been exposed to new types of malicious code in the form of ransomware attacks on networks. Based on the industry trends, the malicious code writers are creating malware faster and with more sophisticated and devastating payloads then the Security Industry can keep pace with, added to this is the fact that almost all the security vendors current Anti-Malware solutions are based on what is deemed legacy code, meaning that some changes have been made to the Anti-virus solution but not enough to provide the next generation of protection needed to protect against these next generation attacks. Below is a graphic of the growth of malware over the past 5 years, you can see the total growth number of known malware to date (ref: AV test.org- McAfee Endpoint Security 10 (ENS) Rev: 12/1/17 5

6 New endpoint protection solution emphasizes integration, automation, and orchestration as the foundation of the threat defense lifecycle. It harnesses the power of machine learning to detect zero-day threats in near real-time and streamlines the ability to quickly expose and remediate advanced attacks. Detect zero-day malware ENS can unmask evasive threats by combining reputation analysis with new machine learning classification and behavioral modelling. Our endpoint protection stops greyware, ransomware, and other advanced threats before they infect patient zero or spread to other systems. Dynamic application containment pre-emptively blocks suspicious files from using common malicious processes to shield the first endpoint and isolate the network from infection. Real protect offers static pre-execution analysis and post-execution dynamic behavioral analysis, leveraging machine learning classification from the cloud, to detect zeroday malware in near real time, without relying on traditional signatures. Other capabilities include: Centralized (epo/saas) and standalone management. Threat Prevention module that scans for and lets you act on detected malware and unwanted programs (McAfee Endpoint Security capabilities). Ability to create custom exploit prevention rules that give customers unparalleled granular control over what s important to them. Firewall module that acts as a filter between computer and network or Internet (McAfee ENS - Firewall capabilities). Web Control module for protection while browsing or searching websites (McAfee ENS Web Control and Global Threat Intelligence - GTI capabilities). Adaptive Threat Protection module provides advanced machine learning capabilities, integration with ATD, and dynamic application containment. Anti-Malware Core Engine (AMCore) technology with built-in intelligence strategy to practice scan avoidance and only scan items that really need to be scanned, instead of scanning all items equally. Policy migration tool to migrate policies and client tasks and remove McAfee products that are no longer needed, such as VirusScan Enterprise and Host Intrusion Prevention Firewall. Guided and automated migration using the Endpoint Upgrade Assistant extension and Endpoint Automation tool. Optional integration with McAfee Data Exchange Layer (DXL) and McAfee Threat Intelligence Exchange (TIE) solutions. 6 Rev Date: 12/1/17

7 2 Proof of Concept Pre-Requisites Below are the software and hardware pre-requisites to setup an evaluation environment to run through business use cases. Please refer to below given KB article for more details. ( ) Supported Windows Operating Systems: Below is the list of supported workstation operating systems, recommended to pick OS for testing which represent product environment. Microsoft Operating System Windows 10 Fall Creators Update (version 1709) Windows 10 Creators Update (version 1703) Windows 10 Anniversary Update (version 1607) Windows 10 November Update (version 1511) Windows 10 (version 1507) Windows 8.1 Update 1 Windows 8 (Not including Windows 8 RT (Run Time) edition) Windows to Go (All versions) Minimum Service Pack (SP) Required ENS Windows 7 SP1 Windows Embedded 8: Pro, Standard, and Industry Windows Embedded Standard 7 Note: Unsupported Windows versions for Real Protect feature are, - Microsoft Windows Embedded Standard Microsoft Windows Embedded Standard 7 - Microsoft System Centre Configuration Manager (SCCM) 2012 R2 - Microsoft Certified Windows to Go Device Below is the list of supported server operating system, recommended to pick OS for testing which represent product environment. Windows Server Microsoft Operating System (including Server Core Mode) Windows Server 2012 R2 Update 1: Essentials, Standard, and Datacenter (including Server Core Mode) Windows Server 2012 R2 1 Windows Server 2012 Windows Storage Server 2012 and 2012 R2 ENS Rev: 12/1/17 7

8 Windows Server 2008 R2: Standard, Datacenter, Enterprise, and Web (including Server Core Mode) Windows Server 2008 Windows Storage Server 2008 Windows Storage Server 2008 R2 Windows Small Business Server 2011 Windows Small Business Server 2008 Windows Server 2003 and 2003 R2 3 See below. No longer supported by Microsoft. No No No No Supported McAfee Agent version for POC is, Product Minimum MA Version ENS MA or later / MA is recommended Below is the list of supported virtual infrastructure: Please NOTE: - If a product and/or version is not listed, we do not support it. - Citrix VDI-in-a-Box environments are not supported. Virtualization Server and Versions Application Tested AWS 2012 R2 Azure Win 81 Citrix XenApp 7.6 Citrix XenDesktop 7.0, 7.11, 7.13 Citrix XenServer 6.2 Microsoft Hyper-V Server Microsoft Hyper-V Server 2012 R MSFT AAP V 5.2 VMware ESXi 5.5, 6.0, 6.5 VMware Player VMware vsphere 5.5, 6.0 VMware Workstation 10 Hardware requirements - CPU - Intel Pentium processor or compatible architecture - RAM as follows as shown below, 8 Rev Date: 12/1/17

9 Operating System Service Pack Windows 10 X X Windows 8.1 X X Windows 8 (Except RT) X X Windows 7 SP1 X X Windows Embedded Standard 7 32-bit 64-bit Processor RAM X 2 Ghz or higher 2 Ghz or higher 2 Ghz or higher 1.4 Ghz or higher 1 Ghz or higher Minimum Hard Disk Space Free 3 GB 1 GB 3 GB 1 GB 3 GB 1 GB 2 GB 1 GB 1 GB 1 GB Windows Vista (not supported with ENS 10.5) Windows XP Pro (No longer supported by Microsoft.) (not supported with ENS 10.5) SP2 X X X X X SP3 X X X X Windows Embedded for POS (WEPOS) X 1 Ghz or higher 1 GB 1 GB Windows Embedded 8 (Pro, Standard, and Industry) X 1 Ghz or higher 1 GB 1 GB Windows Server 2016 X 2 Ghz or higher 3 GB 1 GB Windows Server 2012 R2 Update 1 X 2 Ghz or higher 3 GB 1 GB Windows Server 2012 R2 Essentials, Standard, and Datacenter (including Server Core Mode) X 2 Ghz or higher 3 GB 1 GB Windows Server 2012 Essentials, Standard, and Datacenter (including Server Core Mode) X 2 Ghz or higher 3 GB 1 GB Windows Server 2008 Essentials, Standard, Datacenter, and Enterprise Web (including Server Core Mode) (not supported with ENS 10.5) SP2 X X X X X Rev: 12/1/17 9

10 Windows Server 2008 R2 Essentials, Standard, Datacenter, and Enterprise Web (including Server Core Mode) SP2 X X 1.4 Ghz or greater 2 GB 1 GB Windows Storage Server 2008 (not supported with ENS 10.5) X X X X X Windows Storage Server 2008 R2 X X 1.4 Ghz or higher 2 GB 1 GB Windows Server 2003, 2003 R2 - All (No longer supported by Microsoft.) X X X X Windows Small Business Server 2008 (not supported with ENS 10.5) X X X X Windows Small Business Server 2011 X 1.4 Ghz or higher 2 GB 1 GB Windows Embedded Standard 2009 X 1 Ghz or higher 1 GB 1 GB Windows Point of Service 1.1 X 1 Ghz or higher 1 GB 1 GB Windows Point of Service Ready 2009 X 1 Ghz or higher 1 GB 1 GB Supported Internet browsers: Browser Google Chrome Microsoft Edge ENS 10.x Including Web Control No Comments Mozilla Firefox Firefox 51 is compatible with ENS Web Control. Microsoft Internet Explorer 11 Microsoft Internet Explorer 10 Microsoft Internet Explorer 7 Supported only on Windows Vista. Supported when ENS Web Control contacts Security Center only. Not supported when ENS Web Control contacts epo Cloud or epo on-premises. 10 Rev Date: 12/1/17

11 NOTES: Because of the high frequency with which Chrome and Firefox browsers are released, ENS Web Control support for Chrome or Firefox may not support new browser version. The next ENS patch release will target adding back support for the browser. ENS Web Control is not 64-bit and does not support native 64-bit browsers, but it does support 64-bit browsers in 32-bit mode. Enhanced Protected Mode in Internet Explorer is not supported Supported platforms, environments, and operating systems for Endpoint Security for Mac Please refer to below given KB article for more details on Mac support. ( Supported Operating Systems Operating System Version ENSM / Hotfix / ENSM High Sierra x Both Client and Server No Sierra x Both Client and Server El Capitan x Both Client and Server Yosemite x Both Client and Server No Mavericks 10.9.x Both Client and Server No No Supported McAfee Agent Versions Product Version ENSM ENSM ENSM ENSM ENSM McAfee Agent McAfee Agent for Mac on macos High Sierra Version: and later Rev: 12/1/17 11

12 Minor Version: 347 McAfee Agent McAfee Agent McAfee Agent McAfee Agent McAfee Agent for Mac on macos El Capitan and Sierra Version: and later Minor Version: 658 McAfee Agent for MAC Version: and later Minor Version: 470 McAfee Agent for MAC Version: and later Minor Version: 283 McAfee Agent for MAC Version: and later Minor Version: 185 No No No No No No Supported Architecture Product Configuration Mac Running with the supported OS system configuration Supported Internet Browser Versions Browser Google Chrome Version 49 and later ENSM ENSM No ENSM HF HF Safari 11.0.x No No No Safari 10.1.x No No No Safari 10.0.x No No No Safari 9.0.x No Safari 8.0.x No Safari 7.1.x No No ENSM Rev Date: 12/1/17

13 Supported platforms, environments, and operating systems for Endpoint Security for Linux Threat Prevention Please refer to below given KB article for more details on Linux support. ( Supported Operating Systems NOTE: ENSLTP cannot be used on 32-bit platforms. Operating System Service Pack ENSLTP ENSLTP Amazon Linux AMI (64-bit) No No Amazon Linux AMI 2014 and later (64-bit) CentOS 7.4 (64-bit) No No CentOS 7.1 / 7.2 / 7.3 (64-bit) CentOS 6.x (64-bit) Debian No No Debian No Fedora 25 / 26 (desktop and server) No No Fedora 22 / 23 / 24 (desktop and server) No Linux Mint 17.0 Qiana No Novell Open Enterprise Server 11 (64-bit) SP1 opensuse 42.1 No Oracle Enterprise Linux 7.x both Red Hat and UEK 6.7 (64-bit) Oracle Enterprise Linux 6.x both Red Hat and UEK 6.7 (64-bit) Red Hat Enterprise Linux 7.4 Server (64-bit) No No Red Hat Enterprise Linux 7.1 / 7.2 / 7.3 Server (64-bit) Red Hat Enterprise Linux 6.x Server (64-bit) Red Hat Enterprise Linux Workstation 7.4 No No Red Hat Enterprise Linux Workstation 7.1 / 7.2 / 7.3 No Red Hat Enterprise Linux Workstation 6.x No Red Hat Enterprise Linux 7 on Amazon Elastic Compute Cloud (Amazon EC2) (64-bit) SUSE Linux Desktop 12 SP2 No SUSE Linux Desktop 11 SP3 No SUSE Linux Enterprise Server 12.x (64-bit) ENSLTP Rev: 12/1/17 13

14 SUSE Linux Enterprise Server 11.x (64-bit) SP2 SUSE on Amazon Elastic Compute Cloud (Amazon EC2) (64-bit) Ubuntu (64-bit) Ubuntu (64-bit) Ubuntu 15.x (64-bit) Ubuntu (64-bit) Ubuntu (64-bit) Ubuntu on Amazon Elastic Compute Cloud (Amazon EC2) (64-bit) Supported epolicy Orchestrator (epo) Versions Version ENSLTP / / epo and later Supported McAfee Agent Versions McAfee Agent Version ENSLTP / ENSLTP McAfee Agent and later McAfee Agent No System Requirements Component Processors Requirements 1. Intel x86_64 architecture-based processor that supports Intel Extended Memory 64-bit technology (Intel EM64T) 2. AMD x86_64 architecture-based processor with AMD 64-bit technology Memory Minimum: 2 GB RAM Recommended: 4 GB RAM 14 Rev Date: 12/1/17

15 Free disk space Virtual platforms Para virtual environment Minimum: 1 GB Citrix Xen KVM Virtual box VMware Xen Guest operating system on Xen Hypervisor Ports required for epo management Port Default Description Traffic direction Agent-server communication port Agent-server communication secure port Software Manager, Product Compatibility List, and License Manager port 80 TCP port that the epo server service uses to receive requests from agents. 443 TCP port that the epo server service uses to receive requests from agents and remote Agent Handlers. TCP port that the epo server's Software Manager uses to connect to McAfee. TCP port that the epo server uses to connect to the McAfee software updates server (sdownload.mcafee.com), McAfee license server (lc.mcafee.com), and McAfee Product Compatibility List (epo.mcafee.com). Inbound connection to the Agent Handler and the epo server from the McAfee Agent. Inbound connection to the epo server from the remote Agent Handler. Inbound connection to the Agent Handler and the epo server from the McAfee Agent. Inbound connection to the epo server from the remote Agent Handler. Outbound connection from the epo server to McAfee servers. Agent wake-up communication port Super Agent repository port 8081 TCP port that agents use to receive agent wake-up requests from the epo server or Agent Handler. TCP port that the SuperAgents configured as repositories that are used to receive content from the epo server during repository replication, and to serve content to client machines. Inbound connection from the epo server/agent Handler to the McAfee Agent. Inbound connection from client machines to Super Agents configured as repositories. Rev: 12/1/17 15

16 Agent broadcast communication port Console-toapplication server communication port Client-to-server authenticated communication port SQL server TCP port 8082 UDP port that the Super Agents use to forward messages from the epo server/agent Handler TCP port that the epo Application Server service uses to allow web browser UI access TCP Port that the Agent Handler uses to communicate with the epo server to get required information (such as LDAP servers) TCP port used to communicate with the SQL server. This port is specified or determined automatically during the setup process. Outbound connection from the Super Agents to other McAfee Agents. Inbound connection to the epo server from the epo console. Outbound connection from remote Agent Handlers to the epo server. Outbound connection from the epo server/agent Handler to the SQL server. SQL server UDP port 1434 UDP port used to request the TCP port that the SQL instance hosting the epo database is using. Outbound connection from the epo server/agent Handler to the SQL server. LDAP server port 389 TCP port used to retrieve LDAP information from Active Directory servers. Outbound connection from the epo server/agent Handler to an LDAP server. SSL LDAP server port SMB Windows domain controller port 636 TCP port used to retrieve LDAP information from Active Directory servers. 445 TCP port used for epo console login when authenticating Active Directory users. Outbound connection from the epo server/agent Handler to an LDAP server. Outbound connection from the epo server to the domain controller (Active Directory) server. epo (Ports/Traffic Quick Reference) epo Server Default port Protocol Traffic direction 80 TCP Inbound connection to the epo server 389 TCP Outbound connection from the epo server 443 TCP Inbound/outbound connection to/from the epo server 445 SMB Outbound connection from the epo server 16 Rev Date: 12/1/17

17 636 TCP Outbound connection from the epo server 1433 TCP Outbound connection from the epo server 1434 UDP Outbound connection from the epo server 8081 TCP Outbound connection from the epo server 8443 TCP Inbound connection to the epo server 8444 TCP Inbound connection to the epo server Remote Agent Handler(s) Default port Protocol Traffic direction 80 TCP Inbound/outbound connection to/from the Agent Handler 389 TCP Outbound connection from the Agent Handler 443 TCP Inbound/outbound connection to/from the Agent Handler 636 TCP Outbound connection from the Agent Handler 1433 TCP Outbound connection from the Agent Handler 1434 UDP Outbound connection from the Agent Handler 8081 TCP Outbound connection from the Agent Handler 8443 TCP Outbound connection from the Agent Handler 8444 TCP Outbound connection from the Agent Handler McAfee Agent Default port Protocol Traffic direction 80 TCP Outbound connection to the epo server/agent Handler 443 TCP Outbound connection to the epo server/agent Handler 8081 TCP 8082 UDP Inbound connection from the epo server/agent Handler. If the agent is a Super Agent repository, inbound connection from other McAfee Agents. Inbound connection to agents. Inbound/outbound connection from/to Super Agents UDP Relay server discovery for version 4.8 agents Rev: 12/1/17 17

18 SQL Server Default port Protocol Traffic direction 1433 TCP Inbound connection from the epo server/agent Handler 1434 UDP Inbound connection from the epo server/agent Handler McAfee Updates Default port Protocol Traffic direction 21 TCP Outbound from the epo server to ftp://ftp.nai.com 80 TCP Outbound from the epo server to TCF Outbound from the epo server to s-download.mcafee.com and epo.mcafee.com NOTE: These URLs are not accessible in browsers. 18 Rev Date: 12/1/17

19 3 POC Use Cases Use Case 1 -Deploy Endpoint Protection via management solution. 1. Check in the software to the epo server, make sure that you have all extensions checked in as per image provided. Run the Update Repository Server Task. For information on installing epo, please refer to the Product/Install Guide. Make sure that all the following extensions are checked in: 1. Endpoint Security Platform 2. Endpoint Security Threat Prevention 3. Endpoint Security Web Control 4. Endpoint Security Firewall 5. Endpoint Security Migration Assistant 6. Endpoint Security Adaptive Threat Protection 7. Endpoint Upgrade Assistant 2) Verify the packages are check-in to the master repository Rev: 12/1/17 19

20 3. Identify the pilot machines to be used for the proof of concept pilot prior to deployment. Make sure that the following is enable on the Pilot machines: 1. You have an account that has rights to deploy to the endpoint. 2. You can reach the Admin$ share from epo. 4. Create a product deployment Task within epo to deploy ENS to the pilot group of machines. 5. Select the New Deployment button to create a new deployment for the pilot. 20 Rev Date: 12/1/17

21 6. Provide details of the deployment for reference as seen below, make sure to select fixed method if not this task will continue to run indefinably. Rev: 12/1/17 21

22 7. Select the ENS components to be deployed in the deployment 22 Rev Date: 12/1/17

23 8. Make sure to select the systems identified for deployment 9. If required, schedule the deployment or use the run immediately option If the customer has existing McAfee VirusScan enterprise 8.8, Make sure to use the Migration Assistant and Endpoint Upgrade Assistant prior to migrating test machines to ENS. This guide does not cover the usage of those tools. Rev: 12/1/17 23

24 Use Case 2 -Configure endpoint policies to test Dynamic Application Containment (DAC) feature 1. Access the policy for DAC (Dynamic Application Containment), as below: 2. Select the options policy first to configure how DAC will behave. 24 Rev Date: 12/1/17

25 3. The default configuration is set to observe only, as shown in the screen capture below. In this mode Adaptive Threat Protection module would not contain or block any detections. 4. Remove the check to disable Observe mode, as below, Rev: 12/1/17 25

26 5. Copy the following file to the endpoint to test Dynamic Application Containment, you may need to modify the file hash so that file becomes a new sample for testing. DACRuleTester.zip 6. Extract the test file form the zip and follow these steps to change hash of the test file to create a unique sample. 7. Use hex editor tool (or Notepad ++ works too) and just add any random numbers to the file at any location to change the hash of the sample. You can download hex editor on below link. ( 8. To modify the testing tool, open with hex editor as shown in here, then locate any row and add a few random numbers to the testing file, save this as it will create a new binary never seen by GTI and thus get blocked by DAC. Example below Make sure Observe Mode is turned OFF otherwise it will not prompt 26 Rev Date: 12/1/17

27 10. Once In the policy, by default all DAC rules are set to report only, however for POC purpose please enable all to BLOCK. 11. If a false positive is observed, click on the show Advanced radio button to add it as an exclusion. Note this is for windows only Rev: 12/1/17 27

28 Use Case 3 - Configure policies to test Real Protect (RP) feature 1. With the policy note that by default Real Protect both client based and cloud based scanning are enabled as you can see in the policy screen shot below. 2. Confirm client system has access to the Internet before testing Real Protect sample files. 3. As suggested above please change the hash of the file before testing each time so that TIE reputation does not trigger block, using the method given previously. 4. Please note to trigger Real Protect you may have to disable TIE and DAC if required. 28 Rev Date: 12/1/17

29 5. Use these RP sample files for testing the module, please use password clean to extract sample files. RP-TestFile.zip 6. Once you are able to trigger RP event you can find the events on the client side on the ENS event logs. Once the threat events are pushed to epo server please use below dashboard to view the threat event summery. ATP_Threat_Summery-Dashboard.xml Rev: 12/1/17 29

30 Use Case 4 - Configure policy to test HIPS Expert Rules With HIPS expert rules within ENS, we ll demonstrate the ability to block all encoded powershell commands except for the command that we exclude from being blocked. 1. Open the ENS Threat Prevention Exploit Prevention Policy. 2. Click Expert Rules 3. Choose Processes 4. Make policy selections. a. Title Exclude powershell parameters b. Dropdown level Low c. Action Check Block and Report d. Rule Type Processes e. Rule Content Open this text file and copy/paste it into the Rule Content Section. expert rule.txt 30 Rev Date: 12/1/17

31 f. Enter any applicable notes. g. This rule will do the following i. Block powershell when used with the -NoLogo switch. ii. Block any Encoded commands, or any command that starts with e. iii. Allow the above embedded command which pulls a directory listing of C:\Program Files. 5. To test the created rule, ensure it is applied to your test system, open up a command window and type the following commands. a. powershell -nologo #This command will be blocked b. powershell #This command will be allowed c. exit #To exit the shell you just entered d. powershell -E dir C:\Program Files. This will be blocked because it includes a parameter that tries to encode the command. e. powershell -EncodedCommand ZABpAHIAIAAnAGMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAJwAgAA= = i. This command will be allowed and should pull a dir of C:\Program files 4 Customer success criteria Below are the success criteria for ENS, please note that customer requirement s may be needed to be added in case they are not listed Test Description Result On-Demand Detection On-Access Detection Administrative Functions Testing While in its Default Configuration, the product must demonstrate through On-Demand testing that it Detects Malware. While in its Default Configuration, the product must demonstrate through On-Access testing that it Detects Malware. The product must be configurable both locally and using the management platform to perform the following changes: Enable and disable the Detection of Malware; Retrieve and apply the latest Engine and Rev: 12/1/17 31

32 Malware Detection Required Log Events 32 Log Data Presentation Web Protection Block malicious websites Secure Search future Desktop Firewall Dynamic Application Blocking User notification Administrative Functions Signatures over the Internet; Review Required Log Data. The product must have the ability to block uninstallation of the solution and tampering of services. The product must have the capability to log the results of all Malware Detections and other threat events from all modules of ENS. All Required Log presented in a Log must be presented in a human readable format. The product must provide a website rating based on the following: 2) Safe/good 3) Unknown 4) High Risk 5) Medium risk The solution must be able to block a website based on its reputation. The product must ability to search securely on the internet The product must: Provide the ability to block specific application communication. Provide the ability to block a port or range of ports. Provide IP spoofing protection. Provide exploit prevention, example would be buffer overflows etc. The solution must provide ability to block malicious activity without Signatures. The user must be provided with a prompt when action happens The product must provide configuration for exclusions for false positive or in-house applications. Rev Date: 12/1/17

33 Real Protect Blocking Report RP event on client and epo Zero day / unknown malware protection The solution should provide the ability to block malicious behavior of a sample which are not present in the current DAT signature. The admin should be able to get local events for users and events recorded on epo for further action. The product should be able to block under the following conditions: Create a new file out of the sample file and change the hash of the file using one of the techniques. Execute the sample file to block the execution or action. Read details on the event viewer. Rev: 12/1/17 33

34 5 Assumptions: All pre-requisite infrastructure is in place prior to the POC Customer will have assigned team in place to assist with the POC in a timeous fashion. POC setup should have epo, DXL, and TIE infrastructure built. Please refer to TIE and DXL product guide for detailed instruction on building DXL and TIE. 6 Limitations McAfee will not be responsible for creation of any accounts on customer s site except for within the McAfee epo console. Our definition of a POC is defined as a max of 25 endpoints/servers The POC will be limited to a testing environment, unless negotiated prior to POC If the POC is to be in live production, McAfee will not be held responsible for support of systems damaged, loss of production or any incidents arising from the POC McAfee will not supply live malware samples for testing. 7 Customer acceptance By signing this document, I acknowledge that I have delivered all the stated deliverables at the agreed to for the proof of concept project. McAfee SE Name and Signature: By signing this document, I acknowledge that I have received all the stated deliverables at the agreed to Proof of concept project Customer Name and Signature: Date: Date: 34 Rev Date: 12/1/17