Release Notes McAfee Active Response Content Update 1.1.0.239
COPYRIGHT
Copyright 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Contents

1 About this content update
2 What's included?
  CommandLineHistory collector
  DisksAndPartitions collector
  DNSCache collector
  EnvironmentVariables collector
  HostEntries collector
  HostInfo collector
  InstalledCertificates collector
  InstalledDrivers collector
  InteractiveSessions collector
  InstalledUpdates collector
  LocalGroups collector
  NetworkSessions collector
  NetworkShares collector
  ScheduledTasks collector
  Services collector
  Startup collector
  UsbConnectedStorageDevices collector
  UserProfiles collector
3 Installation instructions
4 Finding Product Documentation
1 About this content update

This content updates the Active Response built-in collectors.

Release date: September, 2016
Developed for use with: McAfee Active Response 1.1
Urgency rating: Optional. Apply this update if needed.

Content updates are cumulative and include all content from previous content update versions.

New content

1.1.0.239
- InteractiveSessions collector: A fix was implemented that solves the problem where the name output field was empty when searching on Windows endpoints. (BZ-1139731)

Content from previous updates

1.1.0.214
- HostInfo collector: The physical interface IP address is reported for all hosts, instead of any virtual IP address. (BZ-1150489)
- InteractiveSessions collector: The name output field now shows usernames from Linux endpoints. (BZ-1151820)
- Services collector: On Linux endpoints, the collector returns information on recently stopped services. (BZ-1142734)

1.1.0.211
- UserProfiles collector: The 'Group' output field was renamed to 'Groups' to clarify that all user groups are listed in the field. (BZ-1145778)
- UserProfiles collector: Member and group information was reformatted for better presentation. (BZ-1146293)

1.1.0.205
- DNSCache collector: The collector now runs on non-English Windows endpoints. (BZ-1139706)
- InteractiveSessions collector: A change was made so that the name output field shows usernames from Windows endpoints. (BZ-1139731)
- UserProfiles collector: The installdate output field now shows the date when the home folder was created for a new Windows user, not the date when the new user itself was created. (J-3099)

1.1.0.203
- CommandLineHistory collector
- DisksAndPartitions collector
- EnvironmentVariables collector
- InstalledCertificates collector
- NetworkSessions collector
- NetworkShares collector
- ScheduledTasks collector
- UsbConnectedStorageDevices collector

Privacy notice

Active Response collects information from the network, such as user names, system names, IP addresses, and audit data. Access to this information is available in Active Response pages within McAfee ePO. Make sure that access to these pages is authorized and appropriately managed.

McAfee ePO restrictions to the System Tree through access management configuration do not prevent Active Response users from receiving information from systems outside their authorized segment of the System Tree. Make sure that Active Response users are qualified and trained to appropriately handle private information from your users' systems.
2 What's included?

This content update provides a set of new Active Response collectors.

CommandLineHistory: Returns the command line history from managed Linux endpoints.
DisksAndPartitions: Collects information about disks and partitions.
DNSCache: Shows DNS information from the endpoint's local cache.
EnvironmentVariables: On Windows endpoints, EnvironmentVariables shows system, current user, volatile and process variables. On Linux endpoints, EnvironmentVariables shows information from the virtual files located in /proc/$PROCESSID/environ, where $PROCESSID is the process ID number.
HostEntries: Returns the IP address and host name entries from the hosts file on Windows and Linux systems.
HostInfo: Returns host name, physical IP address and OS version.
InstalledCertificates: Returns information about installed certificates.
InstalledDrivers: Returns details about drivers installed on endpoint systems.
InstalledUpdates: Returns all installed updates, hotfixes and security updates.
InteractiveSessions: Gathers information about ongoing interactive sessions on managed systems.
LocalGroups: Shows the local groups on a host along with domain, description, and SID.
NetworkSessions: Gets information about currently open network sessions on the endpoint.
NetworkShares: Finds network shared paths accessible from each managed endpoint.
ScheduledTasks: Shows the status of scheduled tasks on Windows endpoints, and when each task is scheduled to run next.
Services: Lists registered services.
Startup: Shows information about start-up programs on endpoint systems.
UsbConnectedStorageDevices: Finds which users have used USB mass storage devices on managed endpoints. This collector gets details on last usage and device details.
UserProfiles: Gathers data about local users on Windows endpoints.
CommandLineHistory collector

Returns the command line history from managed Linux endpoints.

Collector output (only on Linux)
user (String): The user who ran the command.
ID (Number): The incremental execution sequence number (number 1 is the first command executed).
CommandLine (String): The command executed.

The available history of command lines and their sequence numbers depends on the history configuration previously in place on each endpoint.

Example: Show history of the usage of the service command
  CommandLineHistory where CommandLineHistory command_line contains "service"

DisksAndPartitions collector

Collects information about disks and partitions.

Table 2-1 Collector output
disk (String): Numeric index of the physical disk.
model (String): Model of the physical disk.
disk_size (String): Size of the physical disk.
logical_sector (String): Size of the logical sector in bytes.
physical_sector (String): Size of the physical sector in bytes.
virtual_loc (String): Virtual location of the physical device. (Only for Linux)
disk_flags (String): Flags of the disk. (Only for Linux)
partition (String): Numeric index of the partition on a physical disk.
volume (String): Volume of the partition, or the location where it is mounted.
partition_size (String): Size of the partition.
partition_freespace (String): Free space available in the partition.
file_system (String): Name of the file system.
type (String): Type of physical device, for example fixed hard disk media or removable disk media. (Only for Windows)
partition_flags (String): Flags of the partition.

On Windows, only NTFS partitions are supported.

Example: Show the models of physical disks connected to endpoint "john-pc"
  DisksAndPartitions model where HostInfo hostname equals "john-pc"
DNSCache collector

The DNSCache collector shows DNS information from the endpoint's local cache.

Table 2-2 Collector output
hostname (String): The host name.
ipaddress (String): The IP address for the host.

Example: Show DNS information for host "ping.alot.com"
  DNSCache where DNSCache hostname equals "ping.alot.com"

EnvironmentVariables collector

On Windows endpoints, EnvironmentVariables shows system, current user, volatile and process variables. On Linux endpoints, EnvironmentVariables shows information from the virtual files located in /proc/$PROCESSID/environ, where $PROCESSID is the process ID number.

Collector output
username (String): The owner of the process that is running in the environment where this variable is set.
process_id (Number): ID given by the operating system to the process.
name (String): The variable's name.
value (String): Value set for the variable.

Example: Show the PATH environment variable set on endpoint 192.168.0.5
  EnvironmentVariables where EnvironmentVariables name equals "PATH" and HostInfo ip_address equals 192.168.0.5

HostEntries collector

The HostEntries collector shows the IP addresses and host names from the hosts file on Windows and Linux endpoints.

Table 2-3 Collector output
ipaddress (IP): An IP address set in the hosts file.
hostname (String): The host name mapped to the IP address.

Example: Find endpoints whose hosts file configures access to www.malware.com
  HostEntries where HostEntries hostname equals "www.malware.com"
HostInfo collector

The HostInfo collector shows an endpoint's host name, physical IP address, and operating system version.

Table 2-4 Collector output
hostname (String): The endpoint's host name.
ip_address (IP): The endpoint's first physical IP address.
os (String): The endpoint's operating system version.

Example: Find all endpoints with a Windows operating system
  HostInfo where HostInfo os contains "Windows"

InstalledCertificates collector

Returns information about installed certificates.

Collector output
issued_to (String): The subject field identifies the entity associated with the public key stored in the subject public key field.
issued_by (String): Identifies the entity that has signed and issued the certificate.
expiration_date (Time stamp): Indicates the expiration date of the certificate.
purposes (String): The key usage extension defines the purpose (for example, encipherment, signature, and certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted.
purposes_extended (String): This extension indicates one or more purposes for which the certified public key might be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension appears only in end entity certificates. This field is optional. (Extended Key Usage on Linux and Enhanced Key Usage on Windows.)
friendly_name (String): Displays a more friendly name for the certificate. (Only on Windows)

On Linux, the certificate files read are ca-bundle.crt and ca-bundle.trust.crl in /etc/pki/tls/certs; on Windows, certificates must be registered in the drivers at Certs:. Otherwise, the certificates aren't displayed.

Example: Show the installed certificates issued by Intel
  where installed_certificates issued_by contains "Intel"
InstalledDrivers collector

The InstalledDrivers collector shows details about drivers installed on managed endpoints.

Table 2-5 Collector output
displayname (String): The display name for the driver.
description (String): A description of the driver.
installdate (Timestamp): A date-time value indicating when the driver was installed.
name (String): A short name that uniquely identifies the driver.
servicetype (String): The type of service provided to calling processes.
startmode (String): The driver start-up mode:
  - Boot: the driver is started by the operating system loader.
  - System: the driver is started by the operating system.
  - Automatic: the driver starts automatically at system start-up.
  - Manual: the driver is started by the service control manager.
  - Disabled: the driver can no longer be started.
state (String): The current state of the driver.
path (String): The fully qualified path to the driver file.

Example: Show drivers which are disabled on endpoints
  InstalledDrivers where InstalledDrivers state equals "disabled"

InteractiveSessions collector

The InteractiveSessions collector gathers information about ongoing interactive sessions on managed systems.

Table 2-6 Collector output
userid (String): The username that is logged into the session.
name (String): The user's full name.

Example: Show interactive sessions for user 'owilde'
  InteractiveSessions where InteractiveSessions userid equals "owilde"

On Windows endpoints, information about past sessions may appear in the results if they belonged to accounts from different domains that have the same userid as the currently active one.
InstalledUpdates collector

The InstalledUpdates collector gathers data about installed updates, hotfixes, and security updates on Windows endpoints.

Table 2-7 Collector output
description (String): The description of the update package.
hotfix_id (String): Microsoft Knowledge Base identifier for the update package.
install_date (Timestamp): The date when the package was installed.
installed_by (String): The user name that performed the installation, qualified by its namespace.

Example: Show which hotfix packages were installed by bad_user
  InstalledUpdates where InstalledUpdates description equals "Hotfix" and InstalledUpdates installed_by contains "bad_user"

LocalGroups collector

The LocalGroups collector gathers data on local system groups.

Table 2-8 Collector output
groupname (String): The name of the group.
groupdomain (String): The domain name of the local group.
groupdescription (String): The description of the local group.
islocal (String): Confirms that the group is stored locally on the endpoint.
sid (String): The security identifier for the group.

Example: Show local groups under the "corp.sensitive" domain
  LocalGroups where LocalGroups groupdomain contains "corp.sensitive"

NetworkSessions collector

Gets information about currently open network sessions on the endpoint.

Collector output
computer (String): IP or host name of the remote endpoint.
user (String): User logged on to the host through the network session.
client (String): Remote session command provider. (Only on Windows)
file (String): Path of the local resource being accessed by the client. (Only on Windows)
idletime (String): Time since the last session activity. (Only on Windows)

Example: Show which shared resources are being accessed by username "owilde"
  NetworkSessions where NetworkSessions user equals "owilde"

NetworkShares collector

Finds network shared paths accessible from each managed endpoint.

Collector output
name (String): Name of the shared resource.
description (String): Description of the shared resource, set either by the user or by default.
path (String): Local path to the resource.

When the Samba service is started, only resources configured in /etc/samba/smb.conf are returned by the collector. It obtains Network File System (NFS) information from the file /etc/samba/smb.conf.

Example: Show which paths on endpoint "owilde-office" are being shared
  NetworkShares path where HostEntries hostname equals "owilde-office"

ScheduledTasks collector

Shows the status of scheduled tasks on Windows and Linux endpoints, and when each task is scheduled to run next.

Collector output
folder (String): The path from which the scheduled task runs. (Empty on Linux)
taskname (String): Name of the task.
nextruntime (Date): Time and date when the task will run.
status (String): Current task status; can be ready, disabled, setting, running, or could not start.
task_run (String): Full command line used to execute the task.
last_run (Date): Last time the task ran successfully.
username (String): Name of the user that executed the task.
schedule_on (String): See the Trigger field documentation.
log_on_type (String): Security logon method required to run the task. See the Log on Type documentation. (Only for Windows)

Example: Show when the task called 'backupdaily' will run next
  ScheduledTasks taskname, nextruntime where ScheduledTasks taskname equals "backupdaily"

Services collector

The Services collector lists services installed on managed endpoints.

Table 2-9 Collector output
description (String): A description of the service's functionality.
name (String): A short name that uniquely identifies the service.
startuptype (String): The start-up mode:
  - Boot: specifies a device driver started by the operating system loader.
  - System: specifies a device driver started by the operating system.
  - Automatic: specifies a service that starts automatically at system start-up.
  - Manual: specifies a service started by the service control manager.
  - Disabled: specifies a service that can no longer be started.
status (String): The current status of the service.
user (String): The user that owns the service's process.

Example: Show services that are currently running and are set to start manually by users
  Services where Services status equals "Running" and Services startuptype equals "Manually"

Startup collector

The Startup collector shows information about start-up applications on managed endpoints.

Table 2-10 Collector output
caption (String): The short name set by the application.
command (String): The command line that starts the application.
description (String): The description set by the application.
name (String): The application's file name.
user (String): The user name for whom this start-up command will run.

Example: Show applications that start up automatically for user 'owilde'
  Startup where Startup user equals "owilde"
UsbConnectedStorageDevices collector

Finds which users have used USB mass storage devices on managed endpoints. This collector gets details on last usage and device details.

Collector output
vendor_id (String): Device's vendor ID.
product_id (String): Device's product ID.
serial_number (String): Device's serial number.
device_type (String): Only the "USB storage" type is supported.
guid (String): ID provided by the operating system. (Only on Windows)
last_connection_time (Date): Last time the device was plugged in. (Only on Windows)
user_name (String): User that mounted the device. If no user was logged in when the device was mounted, the field is empty. (Only on Windows)
last_time_used_by_user (Date): Last time the operating system touched the device.

Example: Show all USB storage devices that were connected to computers running Windows
  UsbConnectedStorageDevices where HostInfo os contains "win"

UserProfiles collector

The UserProfiles collector gathers data about local users on Windows endpoints.

Collector output
accountdisabled (String): True if the account is disabled, False otherwise.
domain (String): The domain that holds the user.
fullname (String): The user's full name.
installdate (Timestamp): The creation date of the user's home folder (C:\Users\user name). The user must log in at least once for this date to be returned.
localaccount (String): True if the user is stored locally on the endpoint, False otherwise.
lockedout (String): True if the user has been locked out of the endpoint, False otherwise.
accountname (String): The user's account name.
sid (String): The security identifier for the user.
passwordexpires (String): True if the password is configured to expire, False otherwise.
group (String): A list of groups that contain the user account.

Example: Find user accounts that have been locked out of endpoints
  UserProfiles where UserProfiles lockedout equals "true"
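The example searches above all follow one shape: a collector (optionally with a projected field list), then a where clause of "Collector field operator value" conditions joined by and. The following parser and validator is an added example written for these notes, not code from McAfee Active Response or McAfee ePO; it checks a search against a catalogue of collector output fields constructed from the tables in this section (a subset), so an analyst can catch a mistyped collector or field name before the search is dispatched to every managed endpoint.

```python
"""Parse and validate Active Response collector searches of the form
    <Collector> [field, field] where <Collector> <field> <op> <value> [and ...]
Added example: the grammar is inferred from the example searches in this
document; the catalogue below is constructed from its collector output tables.
"""
import re

# Constructed subset of the collector output fields documented above.
CATALOG = {
    "HostInfo": {"hostname", "ip_address", "os"},
    "DNSCache": {"hostname", "ipaddress"},
    "EnvironmentVariables": {"username", "process_id", "name", "value"},
    "HostEntries": {"ipaddress", "hostname"},
    "InstalledDrivers": {"displayname", "description", "installdate", "name",
                         "servicetype", "startmode", "state", "path"},
    "InteractiveSessions": {"userid", "name"},
    "InstalledUpdates": {"description", "hotfix_id", "install_date", "installed_by"},
    "LocalGroups": {"groupname", "groupdomain", "groupdescription", "islocal", "sid"},
    "ScheduledTasks": {"folder", "taskname", "nextruntime", "status", "task_run",
                       "last_run", "username", "schedule_on", "log_on_type"},
    "Services": {"description", "name", "startuptype", "status", "user"},
    "Startup": {"caption", "command", "description", "name", "user"},
    "UserProfiles": {"accountdisabled", "domain", "fullname", "installdate",
                     "localaccount", "lockedout", "accountname", "sid",
                     "passwordexpires", "group"},
}

# The two comparison operators used by the searches in this document.
_COND = re.compile(r'^(\w+)\s+(\w+)\s+(equals|contains)\s+("[^"]*"|\S+)$')
# Split on " and " only where a new "Collector field op" condition follows,
# so a quoted value such as "Windows and Linux" is not cut in half.
_AND = re.compile(r'\s+and\s+(?=\w+\s+\w+\s+(?:equals|contains)\s)')


def parse_query(query):
    """Return {"collector", "fields", "conditions"}; raise ValueError if malformed."""
    head, sep, tail = query.strip().partition(" where ")
    if not sep:
        raise ValueError("missing 'where' clause")
    parts = head.split(None, 1)
    if not parts:
        raise ValueError("missing collector before 'where'")
    collector = parts[0]
    fields = [f.strip() for f in parts[1].split(",")] if len(parts) > 1 else []
    conditions = []
    for cond in _AND.split(tail.strip()):
        m = _COND.match(cond.strip())
        if not m:
            raise ValueError(f"malformed condition: {cond.strip()!r}")
        coll, field, op, value = m.groups()
        conditions.append((coll, field, op, value.strip('"')))
    return {"collector": collector, "fields": fields, "conditions": conditions}


def validate_query(query):
    """Return a list of problems; an empty list means the search is well formed."""
    try:
        q = parse_query(query)
    except ValueError as err:
        return [str(err)]
    problems = []
    if q["collector"] not in CATALOG:
        problems.append(f"unknown collector {q['collector']!r}")
    for f in q["fields"]:
        if f not in CATALOG.get(q["collector"], set()):
            problems.append(f"{q['collector']} has no output field {f!r}")
    for coll, field, _op, _value in q["conditions"]:
        if coll not in CATALOG:
            problems.append(f"unknown collector {coll!r} in condition")
        elif field not in CATALOG[coll]:
            problems.append(f"{coll} has no output field {field!r}")
    return problems
```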
3 Installation instructions

The Active Response Content Update package is automatically installed when the package is pulled in to the Master Repository.

You must log in to McAfee ePO as an administrator to complete these instructions.

Task
For option definitions, click ? in the interface.

1 In McAfee ePO, select Menu | Software | Master Repository and click Pull Now.
2 Select a Source site, a Branch, and Options according to your deployment needs. Then click Next.
3 In the Package options section, select Selected packages.
4 In the Package types section, select Active Response Content 1.1.0. Then click Next.
5 Click Start Pull.
6 Confirm the upgrade was successful.
  a Select Menu | Systems Section | Active Response Catalog.
  b Check that the new content appears in the catalog.
4 Finding Product Documentation

Every McAfee product has a comprehensive set of documentation.

Product Guide -- PD26296
Known Issues -- KB84472