McAfee Active Response 2.3.0 Installation Guide (McAfee ePolicy Orchestrator)

COPYRIGHT
Copyright 2018 McAfee, LLC

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

1 Pre-Installation
    System requirements for Active Response
    Active Response network ports
2 Installing Active Response for the first time
    Install the Active Response extensions
    Install the Active Response server on an MLOS or CentOS system
        Increase the McAfee ePO maximum upload size before installing the Active Response server
        Install the Active Response server on an MLOS system
        Install the Active Response server on a CentOS system
    Create a McAfee Cloud account
        Changing the cloud storage geolocation
    Link an existing cloud account
    Configure the DXL broker extension
    Configure McAfee ePO proxy server settings (optional)
    Install aggregators (optional)
    Install the Active Response clients
    Uninstall Active Response clients
    Installation error messages
    Viewing the Active Response Health status
3 Upgrading Active Response
    Upgrade the Active Response extensions
    Upgrade the Active Response server
    Upgrade clients
    Upgrade content packages
    Upgrade Trace rules content package
4 Getting started
    Configuring multiple McAfee ePO servers
        Configure DXL brokers to connect multiple McAfee ePO servers
        Bridged and non-bridged McAfee ePO server configuration examples
    Configuring McAfee Advanced Threat Defense
        Configure the McAfee Advanced Threat Defense server with Active Response
        Configure McAfee Advanced Threat Defense in TIE server
5 Troubleshooting Active Response
    Roll back content rules


1 Pre-Installation

Contents
    System requirements for Active Response
    Active Response network ports

System requirements for Active Response

Make sure that your system environment meets these requirements and that you have administrator rights.

For a complete list of components, supported platforms, environments, and operating systems for McAfee Active Response, see KB84473.

Minimum requirements for the Active Response server

The server can be installed on a physical server or a virtual machine.

    Requirement   McAfee Linux Operating System (MLOS)                    CentOS
    Version       The latest version installs with the Active Response    6.8-7.3. Later versions were not tested, but should
                  server package.                                         work with endpoints running the 64-bit McAfee Agent.
    Processor     1 CPU with 4 cores                                      1 CPU with 4 cores
    Memory        8-GB RAM                                                8-GB RAM
    Hard drive    140-GB solid-state disk                                 140-GB solid-state disk
    ISO           Yes                                                     No; select an ISO to deploy
    Hardened      Yes                                                     No; follow the hardening instructions

These recommendations vary on systems with Meltdown updates; see KB90333 for the latest details.

Minimum requirements for the Active Response endpoint client

    Product                                      Windows                 Linux          macOS
    McAfee ePO                                   5.3.1                   5.3.1          5.3.1
    McAfee Agent                                 5.0.3 (< RS2)           5.0.5.658      5.0.5.658 (El Capitan and Sierra)
                                                 5.0.5 (RS2/RS3)                        5.0.6.347 (High Sierra)
    Data Exchange Layer                          3.0.0 + HF3 (< RS2)     3.0.0 + HF3    3.0.0 + HF3
                                                 3.1.0 (RS2/RS3)
    Endpoint Security Threat Prevention with     -                       10.2.2**       -
      Threat Intelligence module
    Endpoint Security with Adaptive Threat       10.5.0 (< RS2)          -              10.5.0***
      Protection                                 10.5.1 (RS2)
                                                 10.5.3 (RS3)*

Windows 10 releases referred to in this table:
    Microsoft Windows 10 (version 1607) - Anniversary Update (Redstone 1 [RS1])
    Microsoft Windows 10 (version 1703) - Creators Update (Redstone 2 [RS2])
    Microsoft Windows 10 (version 1709) - Fall Creators Update (Redstone 3 [RS3])
    Microsoft Windows 10 (version 1803) - Spring Creators Update (Redstone 4 [RS4])

* If you have Redstone 3 endpoints, McAfee Endpoint Security 10.5.3 must be checked in to the Master Repository before installing the Active Response client bundle.
** Install McAfee Endpoint Security 10.2.2 on Linux endpoints before installing Active Response.
*** Install Endpoint Security 10.5.0 for macOS before installing Active Response.

If an endpoint does not currently have a version of Endpoint Security or McAfee VirusScan Enterprise, the appropriate version of the Endpoint Security modules is installed automatically with the Active Response installation. If an endpoint currently has an unsupported version of Endpoint Security, upgrade the modules on the endpoint to a supported version.

See also: Installation error messages.

Active Response network ports

Active Response uses these ports for network connectivity. Make sure that your network settings are not blocking access to the Active Response server and clients through these ports.

Table 1-1 Server ports

    Port number   Open to                                                              Incoming connections   Outgoing connections
    443           Connect to extensions on the McAfee ePO server.                      Yes                    Yes
    8883          Connect the DXL broker to the DXL client on the McAfee ePO server.   Yes                    Yes
    8081          Connect McAfee Agent to the McAfee ePO server.                       Yes                    Yes
    22            Connect remotely through ssh to perform maintenance tasks.           Yes                    Yes
    123 UDP       Network Time Protocol                                                Yes                    Yes

Table 1-2 Client ports

    Port number   Open to                                          Incoming connections   Outgoing connections
    8081          Connect McAfee Agent to a McAfee ePO server.     Yes                    Yes
    8883          Connect the DXL client to a DXL broker.          Yes                    Yes
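The tables above tell you which ports must be open, but not how to confirm that a freshly built Active Response server host actually exposes them. The script below is an added bash example (it is not McAfee's code and not part of this guide): it parses `ss -lnt` output for the ports with a LISTEN socket, reports which of the Table 1-1 TCP server ports have no listener, and, with `--live`, probes outbound reachability of the McAfee ePO server on 443. The `ss` output embedded in the script is constructed for the offline run, and the `--live` flag, the EPO_HOST argument and the 3-second connect timeout are the example's own choices. UDP 123 (NTP) is not probed, because a TCP connect says nothing about it.

```shell
#!/usr/bin/env bash
# Added example (not McAfee's code): compare a host's TCP listeners with the
# Active Response server ports in Table 1-1 and probe outbound reachability.
set -u

# TCP ports Table 1-1 marks as accepting incoming connections on the server.
AR_SERVER_TCP_PORTS="443 8883 8081 22"

# Constructed sample of `ss -lnt` output (not captured from a real host);
# the DXL broker port 8883 is deliberately missing.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
LISTEN 0      128          0.0.0.0:8081        0.0.0.0:*
LISTEN 0      4096            [::]:443            [::]:*'

# listening_ports SS_OUTPUT: print each local port that has a LISTEN socket.
# Column 4 is "addr:port"; the port is the text after the last colon, which
# also handles IPv6 forms such as "[::]:443". The header line is skipped
# because its first column is "State", not "LISTEN".
listening_ports() {
    printf '%s\n' "$1" |
        awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -un
}

# missing_listeners "PORTS" SS_OUTPUT: print every expected port that has no
# listener, one per line; prints nothing when all of them are present.
missing_listeners() {
    local expected="$1" ss_out="$2" port open
    open="$(listening_ports "$ss_out")"
    for port in $expected; do
        printf '%s\n' "$open" | grep -qx "$port" || printf '%s\n' "$port"
    done
}

# tcp_reachable HOST PORT: succeed if an outbound TCP connect completes
# within 3 seconds (bash /dev/tcp, no netcat needed). Network dependent.
tcp_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# report "PORTS" SS_OUTPUT: one-line summary; returns 1 when any port is missing.
report() {
    local missing
    missing="$(missing_listeners "$1" "$2")"
    if [ -z "$missing" ]; then
        echo "all expected listeners present: $1"
        return 0
    fi
    echo "no listener on port(s): $(printf '%s\n' "$missing" | tr '\n' ' ')"
    return 1
}

if [ "${1:-}" = "--live" ]; then
    # Live run: inspect this host, then probe the ePO console port (assumed
    # host name passed on the command line).
    EPO_HOST="${2:?usage: $0 --live EPO_HOST}"
    report "$AR_SERVER_TCP_PORTS" "$(ss -lnt)"
    if tcp_reachable "$EPO_HOST" 443; then
        echo "ePO $EPO_HOST:443 reachable"
    else
        echo "ePO $EPO_HOST:443 NOT reachable"
    fi
else
    # Offline run against the constructed sample; exit status stays 0.
    report "$AR_SERVER_TCP_PORTS" "$SAMPLE_SS_OUTPUT" || true
fi
```

Run it without arguments to see the sample report (it flags 8883), or as `bash ar-ports.sh --live epo.example.local` on the server itself. Because `ss` only shows sockets that a process has bound, a port listed as missing right after installation usually means the corresponding service (DXL broker, sshd, McAfee Agent) is not running yet rather than a firewall problem; check the service first, then the firewall.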


2 Installing Active Response for the first time

To successfully install Active Response, you must install the extensions, components, and client packages in a specific order.

This is an overview of the tasks if you are installing Active Response for the first time. See the detailed instructions for each task in the following sections.

1 Increase the upload file size limit in the McAfee ePO Orion properties before checking in the Active Response server package. This update requires restarting the McAfee ePO server. Users do not have access during the restart process.
2 Install the extensions and client packages.
3 Install the DXL broker. See the product's installation guide for instructions.
4 Install the TIE server. See the product's installation guide for instructions.
  Best practice: If you are installing the TIE and Active Response servers for the first time, install the TIE server first. Run the TIE server in your environment for a few days before enabling tracing on endpoints.
  a Files that do not show suspicious activity and have high prevalence because they are executed on a majority of endpoints are automatically set to the Might be Trusted reputation. This means you do not need to manually change occurrences of these reputations in the Active Response Workspace later.
  b You can fine-tune the TIE Reputations database and decide on the reputations for your corporate-owned files and certificates before Active Response starts inspecting running processes, looking for potential threats.
5 Install the Active Response server (MLOS or CentOS) by mounting the ISO in a supported virtual infrastructure or deploying the Active Response server package on a supported CentOS machine.
6 Create and configure a Cloud Bridge account, then configure the DXL broker extension.
7 Configure McAfee ePO proxy settings.
8 Deploy the endpoints.
9 Check the Active Response Health Status page or Threat Event Log for installation errors.

Contents
    Install the Active Response extensions
    Install the Active Response server on an MLOS or CentOS system
    Create a McAfee Cloud account
    Link an existing cloud account
    Configure the DXL broker extension
    Configure McAfee ePO proxy server settings (optional)
    Install aggregators (optional)
    Install the Active Response clients
    Uninstall Active Response clients
    Installation error messages
    Viewing the Active Response Health status

Install the Active Response extensions

Install the Active Response extensions on the McAfee ePO server to be managed by Software Manager.

Before you begin
    Verify that the system requirements for Active Response are met.
    Make sure that you have installed McAfee Agent, and that Endpoint Security is checked in to the Master Repository and installed on the endpoints.
    Prepare the virtual machines for the DXL broker and TIE server. See their respective installation guides for instructions.

1 Log on to McAfee ePO as an administrator.
2 Select Menu | Software | Software Manager.
3 Locate and check in the following extensions and client packages.
  a DXL broker management extension
  b TIE server management extension
  c Active Response extension/packages bundle
  d DXL client package
  e Active Response Workspace extension
  f Active Response client package
4 From the Actions drop-down list, select Check In, then accept the license agreement for each package.
5 Install the DXL broker server. See this product's installation guide for instructions.
6 Install the TIE server. See this product's installation guide for instructions.

Install the Active Response server on an MLOS or CentOS system

Contents
    Increase the McAfee ePO maximum upload size before installing the Active Response server
    Install the Active Response server on an MLOS system
    Install the Active Response server on a CentOS system

Increase the McAfee ePO maximum upload size before installing the Active Response server

To install the Active Response server package, you must first increase the maximum upload size in the McAfee ePO server properties. This update requires restarting the McAfee ePO server. Users do not have access during the restart process.

1 Log on to the McAfee ePO server as an administrator.
2 Go to C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion.
3 Right-click the orion.properties file and edit it with Notepad++ or a similar editor.
4 Locate orion.upload.max.size and change the value to 768435456.
5 Save the change and restart the McAfee ePO server application on your virtual machine or physical server. During the restart process, McAfee ePO services are not available to users.

You can now check in the Active Response server bundle.

Install the Active Response server on an MLOS system

Install and configure the Active Response server on a virtual server or physical server.

Before you begin
    Verify that the minimum requirements are met.
    Verify that the Active Response extensions are installed.
    Verify that the DXL broker server and TIE server are installed. See their respective installation guides for instructions.

The Active Response server is provided as an ISO image, packaging a McAfee Linux Operating System (MLOS) instance.

1 Log on to McAfee ePO as an administrator.
2 Select Menu | Software | Software Manager and download the Active Response server ISO file.
3 Mount the ISO in a supported virtual infrastructure system. For supported systems, see KB84473.
4 Start the system where you are installing the Active Response server, making sure that it boots from the Active Response server ISO image. At power-on, the Active Response MLOS installation and the actual installation of the server start. It is automated, and installs all base operating system packages. Setup and partitioning of the disk are done without interaction with the VM. When the installation finishes, the VM turns off and you can remove the ISO.
5 Restart the system, making sure that it starts from the installed system, not from the ISO image.
6 Configure the Active Response server.
  a Read the License Agreement and enter Y to accept its terms.
  b Set a root password and confirm it.
  c Create an operational account. Use this account to connect through ssh to the system, and use su to obtain root permissions.
  d Select the main network interface for the system to connect the Active Response server to McAfee ePO and the Data Exchange Layer.
  e Configure the network interface. Enter D for DHCP configuration. Enter M to manually set the network addresses.
  f Set a host name and domain name for the system. If you don't have a domain name, you can leave it blank.
  g Set the time server for the system.
  h Configure McAfee Agent to set up the connection to McAfee ePO.
  i Select which services must run on the system.
      DXL Broker   Installs a Data Exchange Layer broker. If your environment already has at least one DXL broker version 3.0.0 or later, you can choose not to install a new instance of the broker.
      AR Server    Installs the Active Response server.
      FIPS Mode    Enables FIPS mode for the OpenSSL library. The Active Response server restarts in FIPS mode automatically after installation. See https://www.nist.gov/information-technology-laboratory/fips-general-information for more information.
  j (Optional) Set proxy variables. The http_proxy and https_proxy definitions are comma-separated lists of host names or IP addresses. The no_proxy definition is a comma-separated list of host names, domains, or IP addresses. Proxy settings are for operating system administration only. Active Response does not use proxies to communicate with McAfee ePO or network endpoints.
  k Set the DXL broker communication port.
7 Verify that the Active Response server is installed and working correctly.
  a Log on to McAfee ePO as an administrator and verify that an Active Response server is listed in the System Tree on the Products tab.
  b Check that the Active Response Catalog displays the built-in collectors. This confirms that the Active Response server is communicating with the McAfee ePO server.
8 Select Menu | Configuration | Registered Servers to view the Active Response server's IP address and version number. Registration of the Active Response server happens during the installation.

Install the Active Response server on a CentOS system

To install the Active Response server on a CentOS system, you must first secure CentOS.

Before you begin
    Verify that the minimum requirements are met.
    Verify that the Active Response extensions are installed.

    Verify that the DXL broker server and TIE server are installed. See their respective installation guides for instructions.
    Verify that at least one endpoint is running CentOS.
    Download and review the benchmark guide from https://www.cisecurity.org/benchmark/centos_linux/.

You are responsible for CentOS FIPS compliance on the Active Response server. You must install the FIPS version of OpenSSL and enable FIPS mode in the operating system kernel.

Before installing the Active Response server package, you must first harden CentOS. These instructions are for installing the Active Response server for the first time, not for upgrading it.

1 Set up your virtual machine and install these packages on the CentOS system.

    yum -y install epel-release
    yum -y install iptables-services
    yum -y install java-1.8.0-openjdk

2 Install the 64-bit McAfee Agent on the CentOS system (the system is managed as a McAfee ePO endpoint). If the installed agent is not x64, the Active Response server installation fails. List the installed McAfee packages to confirm; the MFErt runtime package is i686, but the agent package MFEcma must be x86_64:

    [root@centos7-x64 admin]# rpm -qa | grep MFE
    MFErt-2.0-2.i686
    MFEcma-5.0.5-658.x86_64

3 Configure communication between the McAfee ePO server and McAfee Agent on the endpoints.

    iptables -A INPUT -p tcp -m tcp --dport [EPO_WAKEUP_PORT] -j ACCEPT
    service iptables save
    service iptables restart

  If you have not changed the wake-up port, the default EPO_WAKEUP_PORT is 8081.
4 Log on to McAfee ePO as an administrator.
5 From the McAfee ePO server, select Menu | Systems | System Tree, select the endpoint to display the Summary, then click Wake Up Agents.
6 Select Menu | Software | Software Manager and check in the Active Response Server package.
7 To deploy the server package:
  a Select Menu | Software | Product Deployment, then click New Deployment.
  b In the Package drop-down list, select the server package.
  c Click Select Systems to select the CentOS server in your network.
  d Select Run Immediately and click Save to start deployment.
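Steps 1 to 3 and the FIPS note under Before you begin are manual checks that are easy to get half right (for example, accepting an i686 agent because the i686 MFErt runtime looks similar). The script below is an added bash example, not McAfee's code and not part of this guide: it turns the agent-architecture check, the kernel FIPS-mode check, and the wake-up port firewall rule into functions you can run on the CentOS host before deploying the server package from McAfee ePO. The rpm listings embedded in it are constructed to mirror the guide's sample output; treating MFEcma as the agent package and reading FIPS state from /proc/sys/crypto/fips_enabled (the standard RHEL/CentOS kernel interface) are the example's assumptions about the host, and the --live flag is the example's own.

```shell
#!/usr/bin/env bash
# Added example (not McAfee's code): pre-flight checks for a CentOS host that
# will receive the Active Response server package from McAfee ePO.
set -u

# Constructed rpm listings (mirroring the guide's sample, not captured live).
# MFErt is i686 in both; only the agent package MFEcma differs.
SAMPLE_RPM_OK='MFErt-2.0-2.i686
MFEcma-5.0.5-658.x86_64'
SAMPLE_RPM_BAD='MFErt-2.0-2.i686
MFEcma-5.0.5-658.i686'

# agent_arch RPM_LIST: print the architecture of the installed McAfee Agent
# package (MFEcma), or "none" if it is absent. The i686 MFErt runtime is
# expected and ignored; the guide only requires the agent itself to be x64.
agent_arch() {
    printf '%s\n' "$1" |
        awk -F. '/^MFEcma-/ { print $NF; found = 1 }
                 END        { if (!found) print "none" }'
}

# agent_is_x64 RPM_LIST: succeed only when MFEcma is the x86_64 build.
agent_is_x64() {
    [ "$(agent_arch "$1")" = "x86_64" ]
}

# fips_enabled [FILE]: succeed when the kernel reports FIPS mode on. FILE
# defaults to the kernel sysctl and is overridable so the check can be
# exercised against a constructed file.
fips_enabled() {
    local f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || return 1
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# wakeup_rule [PORT]: print the iptables rule from step 3 for the agent
# wake-up port (default 8081); rejects anything that is not a valid port.
wakeup_rule() {
    local port="${1:-8081}"
    case "$port" in
        ''|*[!0-9]*) echo "wakeup_rule: invalid port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "wakeup_rule: port out of range '$port'" >&2; return 1
    fi
    printf 'iptables -A INPUT -p tcp -m tcp --dport %s -j ACCEPT\n' "$port"
}

# preflight RPM_LIST [FIPS_FILE] [PORT]: run every check, print findings, and
# return the number of failed checks so a deployment script can gate on it.
preflight() {
    local rpms="$1" fips_file="${2:-/proc/sys/crypto/fips_enabled}"
    local port="${3:-8081}" failures=0
    if agent_is_x64 "$rpms"; then
        echo "OK   McAfee Agent (MFEcma) is x86_64"
    else
        echo "FAIL McAfee Agent arch is '$(agent_arch "$rpms")' (x86_64 required)"
        failures=$((failures + 1))
    fi
    if fips_enabled "$fips_file"; then
        echo "OK   kernel FIPS mode enabled"
    else
        echo "FAIL kernel FIPS mode not enabled ($fips_file)"
        failures=$((failures + 1))
    fi
    echo "INFO firewall rule to apply: $(wakeup_rule "$port")"
    return "$failures"
}

if [ "${1:-}" = "--live" ]; then
    # Live run on the CentOS host: real package list, real sysctl, chosen port.
    preflight "$(rpm -qa | grep MFE)" "" "${2:-8081}"
else
    # Offline demonstration: constructed listings plus a temp file standing in
    # for the FIPS sysctl; the non-zero return is shown, not fatal.
    tmp="$(mktemp)"; echo 1 > "$tmp"
    preflight "$SAMPLE_RPM_OK" "$tmp" 8081 || true
    preflight "$SAMPLE_RPM_BAD" "$tmp" 8081 || echo "(failed checks: $?)"
    rm -f "$tmp"
fi
```

On the real host run `bash ar-preflight.sh --live` (add a port number as the second argument if you changed the agent wake-up port) and only proceed to step 6 when it returns 0. The rule it prints is the same one shown in step 3; applying it, saving and restarting iptables are left to you so the script never changes firewall state on its own.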

8 Verify that the Active Response server is installed and working correctly.
  a Log on to McAfee ePO as an administrator and verify that an Active Response server is listed in the System Tree on the Products tab.
  b Check that the Active Response Catalog displays the built-in collectors. This confirms that the Active Response server is communicating with the McAfee ePO server.
9 Select Menu | Configuration | Registered Servers to view the Active Response server's IP address and version number. Registration of the Active Response server happens during the installation.
10 Verify that the Health Status page shows the correct endpoint name and IP address of the CentOS-secured Active Response server.

Create a McAfee Cloud account

Create a McAfee Cloud account and link it to the cloud bridge service.

McAfee ePO Cloud Bridge is an extension that you install on your local McAfee ePO server, allowing you to link McAfee ePO Cloud Bridge to your McAfee cloud account where you store threat data. You can register a new cloud account or configure your cloud account through the Workspace Configuration link.

From the Workspace bar, click Configuration to view the status of your McAfee Cloud account.
    If your McAfee Cloud account is not configured, select a cloud data location or geolocation from the drop-down list. If you are upgrading to Active Response 2.3, the previous geolocation from Active Response 2.2 remains the default selection.
    If you have a McAfee Cloud account, click the link to log on to your account. Verify that your account is linked to McAfee ePO Cloud Bridge.
    If you do not have a McAfee Cloud account, click the link to create one.

Switching between different geolocations is not supported or recommended, because of a high risk of losing data. This setting is meant to be permanent.

1 Create a cloud account from the Configuration pane or register for a cloud account at https://login.mcafee.com/v1/signup/en-us/epo/cloudtenantsignup.
2 Complete the company and contact information. The email address you provide is the email address used to create the McAfee Cloud account for your company.
3 Read and accept the license agreement to complete the registration and click Submit.
4 After submitting the form, you receive an email to activate the McAfee Cloud account and set the password.
5 After the McAfee Cloud account is successfully activated, you must link it to the McAfee ePO Cloud Bridge.
  a Log on to McAfee ePO as an administrator.
  b Select Menu | Configuration | Server Settings | McAfee ePO Cloud Bridge.
  c Click Edit.
  d Type in the account credentials, accept the license agreement, and click Save.

Changing the cloud storage geolocation

Change the cloud storage location for your threat data. From the Workspace, click Configuration to select a different geolocation from the Cloud Account drop-down list.

Here are guidelines for selecting different geolocations.
    Switching between different geolocations is not supported or recommended, because of a high risk of losing data. This setting is meant to be permanent.
    The selected geolocation from the previous release of Active Response remains the default selection after upgrading.
    If you have bridged McAfee ePO servers, you must select one geolocation and one McAfee Cloud account. You cannot point bridged McAfee ePO servers to different geolocations. Check the Health Status page for alerts.
    If you have multiple McAfee ePO servers that are not linked, you can select different geolocations, but you must use the same McAfee Cloud bridge account.
    You are allowed one geolocation per DXL fabric.
    You must use the same McAfee Cloud bridge account for all linked McAfee ePO servers.
    Switching between multiple cloud accounts is not supported or recommended, because of a high risk of losing data. We recommend using one cloud account for managing your cloud geolocation and bridged McAfee ePO servers.
    Endpoint roaming is not supported. Data between the cloud geolocations can't be shared.
    New geolocations are added to the selection menu as they become available, without reinstalling or upgrading Active Response.
    Only one geolocation is accessible at a time for trace information. For example, if you change from geolocation X to geolocation Y, all existing threat data that was available on geolocation X is no longer accessible. If you switch back to geolocation X, the old trace information is accessible, but the new traces on geolocation Y are not. You risk losing data by switching back and forth between geolocations.

Link an existing cloud account

Link an existing cloud account to the McAfee ePO Cloud Bridge.

Before you begin
    Make sure that you have the McAfee Cloud account email and password. If you have forgotten your password, click Configuration on the Workspace and click Reset password.

If you unlink an existing McAfee Cloud account from the McAfee ePO Cloud Bridge settings and link to a different McAfee Cloud account, you lose access to the threat data in the previous McAfee Cloud account.

1 Log on to McAfee ePO as an administrator.
2 Select Menu | Configuration | Server Settings | McAfee ePO Cloud Bridge.
3 Click Edit.
4 Enter the email address and password used to create your McAfee Cloud account, accept the license agreement, and click Save.

Configure the DXL broker extension

Broker extensions are additional features that can be enabled on a Data Exchange Layer broker to add new functionality created by other managed products. Enable the Trace broker extension used by Active Response.

Active Response 2.1 or later requires at least one DXL broker version 3.0.0 or later. The Trace extension is not available on earlier broker versions.

1 Select Menu | Configuration | Server Settings | DXL Topology.
2 Click Edit.
3 From the Actions drop-down list, select Create Hub.
4 Select Hub in the topology tree and set Broker 1 to the DXL broker.
5 Select Provides trace data to the cloud for MAR Workspace.
6 Set Broker 2 to the Active Response server.
7 Click Save.
8 Verify that the brokers are connected by selecting Menu | Systems | Data Exchange Layer Fabric. The brokers are represented as green circles with a line connecting them.

Configure McAfee ePO proxy server settings (optional)

If your company uses proxy addresses, enter the IP address for the Active Response server in the McAfee ePO proxy settings.

1 Log on to McAfee ePO as an administrator.
2 Select Menu | Configuration | Server Settings | Proxy Settings.
3 Click Edit.
4 Enter the proxy information.
5 Click Save.

Installing Active Response for the first time Install aggregators (optional) 2 Install aggregators (optional) You are not required to install an aggregator to use Active Response. But, aggregators reduce the amount of DXL andwidth required, and increase the numer of managed endpoints supported. Install Active Response aggregators on DXL roker systems in your faric. We recommend that you install an aggregator on each system in your faric that runs only a DXL roker. Aggregators can't e installed on Active Response or TIE server systems. Do not pre-install the DXL client or install a DXL client upgrade package from McAfee epo on the DXL roker. Always use the Active Response Aggregator package to install the DXL client on the DXL roker. You can install the aggregator package from the Master Repository. 1 Log on to McAfee epo as an administrator. 2 Select Menu Software Software Manager and check in the Active Response Aggregator package. 3 Select Menu Software Product Deployment, then click New Deployment. 4 In the Package drop-down list, select the Active Response aggregator. 5 Click Select Systems and choose the DXL roker where to install the aggregator. 6 Select Run Immediately and click Save to start deployment. Install the Active Response clients Active Response clients are ready to function immediately after installation and configuration. Before you egin Verify that all Active Response endpoint client systems meet the minimum requirements. Remove McAfee VirusScan Enterprise from the endpoints or the installation will fail. If your endpoints are running McAfee Host Intrusion Prevention Content, make sure it is version 8.0.0.7364 or later. Make sure that any endpoint compatiilities or deployment errors are resolved (view the Health Status page). For Redstone 3 endpoints, verify that Endpoint Security 10.2.2 or 10.5.3 is checked in to the Master Repository efore installing the Active Response client undle. 1 Log on to McAfee epo as an administrator. 
2 Select Menu > Software > Product Deployment, then click New Deployment.
  During deployment on Windows systems, Active Response disables Microsoft Protection Service momentarily to complete the installation. Endpoint users might see a warning that this service has been disabled. When the installation is complete, Microsoft Protection Service is restored and the warning can be ignored.

3 Select the Active Response client software package, McAfee Active Response 2.3.0 for Windows, Linux, and macOS.
  On Linux 64-bit systems, compatible 32-bit libraries must be installed on endpoints for Active Response to work properly. See KB89991 for instructions.
4 Click Select Systems to select which endpoints to manage with Active Response.
5 Select Run Immediately and click Save to start deployment.
6 Deploy the Active Response clients. If an older version is already installed, the Active Response client is updated to the newer version. If you are deploying to an older system that needs more time for a new deployment, create a client task and increase the timeout setting beyond the default of 20 minutes, so that the deployment does not time out before it completes.
7 Verify that the deployment to endpoints is working correctly.
  a Log on to McAfee ePO as an administrator.
  b Select Systems > Active Response Search, and enter HostInfo in the search box. The list of deployed endpoints is displayed.

After deploying the Active Response clients, make sure to configure the appropriate McAfee ePO policies.

Uninstall Active Response clients

Remove Active Response clients from endpoints. This procedure does not remove the Endpoint Security Threat Intelligence module, Endpoint Security Adaptive Threat Protection, or Data Exchange Layer.

1 Log on to McAfee ePO as an administrator.
2 Select Menu > Software > Product Deployment > New Deployment.
3 Complete and save the new deployment information for the uninstall.
4 In the Product Deployment page, from the Action drop-down, select Uninstall. Then start the deployment to uninstall Active Response.

Installation error messages

Detailed endpoint installation errors are described in the Threat Event Log to inform you of missing or invalid dependencies. If an installation fails, the error messages listed in the Server Log are generic and non-specific.
Select Menu > Reporting > Threat Event Log to display detailed error messages caused by various deployment issues.

Table 2-1 Error messages

  Code  Error message                  Description
  0     UNKNOWN                        Unknown error
  1     ESP_MISSING_PACKAGE_ON_EPO     Endpoint Solutions Platform package missing on McAfee ePO
  2     TP_MISSING_PACKAGE_ON_EPO      Threat Prevention package missing on McAfee ePO
  3     TIE_MISSING_PACKAGE_ON_EPO     Threat Intelligence Exchange package missing on McAfee ePO
  4     ATP_MISSING_PACKAGE_ON_EPO     Adaptive Threat Protection package missing on McAfee ePO
  5     DXL_MISSING_PACKAGE_ON_EPO     Data Exchange Layer package missing on McAfee ePO
  6     VSE_INSTALLED                  VirusScan Enterprise installed
  7     MA_INCOMPATIBLE_VERSION        McAfee Agent incompatible version installed
  8     ESP_INCOMPATIBLE_VERSION       Endpoint Solutions Platform incompatible version installed
  9     TP_INCOMPATIBLE_VERSION        Threat Prevention incompatible version installed
  10    HIP_INCOMPATIBLE_VERSION       Host Intrusion Prevention incompatible version installed
  11    ESP_INSTALLATION_FAILED        Endpoint Solutions Platform installation failed
  12    TP_INSTALLATION_FAILED         Threat Prevention installation failed
  13    TIE_INSTALLATION_FAILED        Threat Intelligence Exchange installation failed
  14    ATP_INSTALLATION_FAILED        Adaptive Threat Protection installation failed
  15    DXL_INSTALLATION_FAILED        Data Exchange Layer installation failed
  16    MAR_INSTALLATION_FAILED        Active Response installation failed
  17    ENS_INCOMPATIBLE_VERSION       Endpoint Security incompatible version installed (non-Windows only)
  18    ATP_INCOMPATIBLE_VERSION       Adaptive Threat Protection incompatible version installed
  19    OS_INCOMPATIBLE_VERSION        Not a supported operating system version

The error codes are stored in the MarCustomEvent table on the McAfee ePO server. The events are sent from the endpoint based on its configuration. If you are using McAfee Agent version 5.0.6 or later, you can see the error code number in the Running view output if an installation failure occurs.
See also
Viewing the Active Response Health status on page 19
System requirements for Active Response on page 5

Viewing the Active Response Health status

The Active Response Health Status page displays the number of endpoints, the status of endpoint deployments, incompatible and unsupported versions, and connection issues with servers and services. It is a central location to check the status of endpoints, servers, and the cloud bridge connection.

To view the Active Response Health Status page, select Menu > Systems > Active Response Health Status, or click the link in the Health Status Alert window if it appears when you open the Workspace. The Health Status Alert window appears if the endpoints, servers, or cloud services need attention due to critical issues.

Table 2-2 Health status of clients

Total endpoints
  Total number of endpoints in the environment where Active Response is deployed, is pending deployment, or is incompatible for deployment.

Active Response deployed
  The number of endpoints currently running Active Response; also displays the Trace status managed by McAfee ePO. If the Trace plug-in is disabled, a warning message appears and the status shows the number of endpoints affected. Click the link to see the list of hosts affected.

Ready for Active Response deployment
  Compatible endpoints pending deployment. The number of new endpoints (macOS, Windows, Linux) needing deployment and the number of endpoints needing updates are displayed.

Incompatible with Active Response
  Incompatible endpoints pending deployment. An Active Response requirement on the endpoint is not met. The status lists:
  - Unsupported versions of an endpoint client, such as Endpoint Security or McAfee Agent, and the number of endpoints affected.
  - Unsupported clients, such as VirusScan Enterprise, on the endpoint and the number of endpoints affected.
  - Endpoints with unsupported operating system versions and the number of endpoints affected. The Active Response installer fails on endpoints with an unsupported operating system version, so this shows which endpoints need upgrading.

Active Response deployment failed
  Number of deployment failures on endpoints.

Table 2-3 Health status of servers

Active Response Server 2.3
  Displays the version and status of the Active Response server and a link to its configuration page. The status shows whether the server is unreachable or needs to be updated. Click the link to troubleshoot the issue.

Advanced Threat Defense (version #)
  Displays the name and IP address of the McAfee Advanced Threat Defense server. Click the link to edit the configuration.

DXL Brokers 4.0
  Displays the version and status of the DXL brokers, showing a successful or failed connection. If a broker is not available, click the link to troubleshoot the issue.

Threat Intelligence Exchange Servers 2.1
  Displays the version and status of the TIE servers and a link to their configuration page. If a server is not available, click the link to troubleshoot the issue.

Cloud Storage & Services
  Connection or configuration requirements that have not been met. For example:
  - The Cloud Bridge connection is disrupted or a timeout occurred.
  - The cloud account is not set up or configured correctly.
  - Bridged McAfee ePO servers are configured with different geolocations. You can select only one geolocation for each DXL fabric.
  - Bridged McAfee ePO servers are linked to different cloud accounts. You can configure only one cloud account for bridged McAfee ePO servers.

See also
Upgrade clients on page 23
Installation error messages on page 18

3 Upgrading Active Response

A complete upgrade installs a new Active Response server, extensions, and client packages. To minimize downtime during the upgrade process, install components in this order:

1 Active Response server: MAR-Server-Bundle_{version}.zip
2 Active Response extensions: Active_Response_MAR_{version}.zip
3 Active Response aggregator
4 Active Response clients on managed systems

The Active Response aggregator is incompatible with the standard DXL client. For a DXL broker with the Active Response aggregator installed, all DXL client updates are included in a new Active Response aggregator package.

Contents
Upgrade the Active Response extensions
Upgrade the Active Response server
Upgrade clients
Upgrade content packages
Upgrade Trace rules content package

Upgrade the Active Response extensions

Upgrade the Active Response extensions on the McAfee ePO server.

Before you begin
An Active Response server of the same or later version must be installed.

1 Log on to McAfee ePO as an administrator.
2 Select Menu > Software > Software Manager.
3 Select Software Not Checked In > Licensed.
4 Locate and select the Active Response extensions bundle and upgrade the extensions in this order to avoid compatibility issues.
  a DXL broker management extension
  b TIE server management extension
  c Active Response extension/packages bundle

  d DXL client package
  e Active Response Workspace extension
  f Active Response client package
5 From the Actions drop-down list, select Check in, then accept the license agreement for each package.
6 Upgrade the DXL broker if needed. See that product's installation guide for instructions.
7 Upgrade the TIE server if needed. See that product's installation guide for instructions.
8 Upgrade the Active Response server.
9 Upgrade the Active Response clients.

Upgrade the Active Response server

Install Active Response server update packages from the McAfee ePO Software Manager. To install the Active Response server package, you must first increase the maximum upload size in the McAfee ePO server properties. This update requires restarting the McAfee ePO server. Users do not have access during the restart.

1 Log on to McAfee ePO as an administrator.
2 Go to C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion.
  a Right-click the orion.properties file and edit it with Notepad++ or a similar editor.
  b Locate orion.upload.max.size and change the value to 768435456.
  c Save the change and restart the McAfee ePO server applications on your virtual machine or physical server.
3 Select Menu > Software > Software Manager and check in the Active Response server package.
4 To deploy the update package:
  a Select Menu > Software > Product Deployment, then click New Deployment.
  b In the Package drop-down list, select the server update package.
  c Click the + sign to add an additional package.
  d In the Package drop-down list, select the server platform update package.
  e Click Select Systems to select the Active Response server in your network.
  f Select Run Immediately and click Save to start deployment.
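The orion.properties edit in step 2 above is the one change in this procedure that is easy to get subtly wrong by hand: a second, commented-out copy of the key, a stray trailing space, or a file rewritten with different line endings. The following Python script is an added example, not code from the McAfee guide or the ePO product. It rewrites only the first uncommented orion.upload.max.size line, keeps every other line and the file's existing line endings, takes a timestamped backup first, and does nothing if the value is already set. Assumptions (mine, not the guide's): orion.properties is a Java-style key=value file whose comment lines start with # or !, the ORION_PROPERTIES path is the default location the guide quotes, Java .properties files are ISO-8859-1, and the sample file contents are constructed for the demonstration.

```python
"""Set orion.upload.max.size in McAfee ePO's orion.properties.

Added example, not McAfee code. Assumptions (not from the guide): the file is
a Java-style key=value properties file with '#'/'!' comment lines, read and
written as ISO-8859-1; the path below is the default one the guide quotes;
the value 768435456 is the one the guide gives.
"""
from __future__ import annotations

import re
import shutil
from datetime import datetime
from pathlib import Path

ORION_PROPERTIES = Path(
    r"C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion\orion.properties"
)
UPLOAD_KEY = "orion.upload.max.size"
UPLOAD_VALUE = "768435456"  # value from the guide

# Matches an uncommented `key=value` or `key:value` line, capturing the value.
def _key_pattern(key: str) -> re.Pattern:
    return re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*?)\s*$")


def _is_comment(line: str) -> bool:
    return line.lstrip().startswith(("#", "!"))


def get_property(text: str, key: str) -> str | None:
    """Return the value of the first uncommented occurrence of `key`, or None.

    Commented-out copies of the key (e.g. '# orion.upload.max.size=1') are
    skipped so they are not mistaken for the active setting."""
    pattern = _key_pattern(key)
    for line in text.splitlines():
        if _is_comment(line):
            continue
        match = pattern.match(line)
        if match:
            return match.group(1)
    return None


def set_property(text: str, key: str, value: str) -> tuple[str, bool]:
    """Return (new_text, changed).

    Rewrites the first uncommented occurrence of `key` in place, leaves every
    other line untouched, appends the key if absent, and preserves the file's
    existing line endings (CRLF or LF). Idempotent: changed is False when the
    value is already set."""
    pattern = _key_pattern(key)
    newline = "\r\n" if "\r\n" in text else "\n"
    out = []
    found = changed = False
    for line in text.splitlines():
        if not found and not _is_comment(line):
            match = pattern.match(line)
            if match:
                found = True
                if match.group(1) != value:
                    line = f"{key}={value}"
                    changed = True
        out.append(line)
    if not found:
        out.append(f"{key}={value}")
        changed = True
    result = newline.join(out)
    if text.endswith("\n") or not text:
        result += newline  # keep (or add) the trailing newline
    return result, changed


def update_file(path: Path = ORION_PROPERTIES, value: str = UPLOAD_VALUE) -> bool:
    """Back up `path` beside itself (timestamped .bak) and rewrite it only if
    the value actually changes. Returns True if the file was modified.
    The ePO services still have to be restarted afterwards, as the guide says."""
    if not value.isdigit():
        raise ValueError(f"{UPLOAD_KEY} must be a positive integer, got {value!r}")
    # newline="" disables newline translation so CRLF files stay CRLF.
    with path.open("r", encoding="latin-1", newline="") as fh:
        original = fh.read()
    new_text, changed = set_property(original, UPLOAD_KEY, value)
    if changed:
        stamp = datetime.now().strftime("%Y%m%d%H%M%S")
        shutil.copy2(path, path.with_name(f"{path.name}.{stamp}.bak"))
        with path.open("w", encoding="latin-1", newline="") as fh:
            fh.write(new_text)
    return changed


# Constructed sample (not a real orion.properties) for the demonstration.
SAMPLE_PROPERTIES = (
    "# constructed sample\r\n"
    "orion.server.https.port=8443\r\n"
    "orion.upload.max.size=209715200\r\n"
    "# orion.upload.max.size=1\r\n"
)

if __name__ == "__main__":
    updated, was_changed = set_property(SAMPLE_PROPERTIES, UPLOAD_KEY, UPLOAD_VALUE)
    print(f"changed={was_changed}")
    print(updated, end="")
    # On the ePO server itself: update_file(), then restart the ePO services.
```

Run update_file() on the ePO server under an account that can write below Program Files, then restart the ePO services as step 2c requires; the property is read at start-up, so the larger upload limit is not in effect until then. Keep the .bak copy until the server package has been checked in successfully.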

Upgrade clients

Install a newer version of the Active Response client on managed systems to upgrade clients.

Before you begin
- Verify that all Active Response endpoint client systems meet the minimum requirements.
- Remove McAfee VirusScan Enterprise from the endpoints or the installation will fail.
- If your endpoints are running McAfee Host Intrusion Prevention Content, make sure it is version 8.0.0.7364 or later.
- Make sure that any endpoint incompatibilities or deployment errors are resolved (view the Health Status page).
- For Redstone 3 endpoints, verify that Endpoint Security 10.2.2 or 10.5.3 is checked in to the Master Repository before installing the Active Response client bundle.

1 Log on to McAfee ePO as an administrator.
2 Select Menu > Software > Product Deployment, then click New Deployment.
  During deployment on Windows systems, Active Response disables Microsoft Protection Service momentarily to complete the installation. Endpoint users might see a warning that this service has been disabled. When the installation is complete, Microsoft Protection Service is restored and the warning can be ignored.
3 Select the Active Response client software package, McAfee Active Response 2.3.0, for Windows, Linux, and macOS.
  On Linux 64-bit systems, compatible 32-bit libraries must be installed on endpoints for Active Response to work properly. See KB89991 for instructions.
4 Click Select Systems to select which endpoints to manage with Active Response.
5 Select Run Immediately and click Save to start deployment.
6 Deploy the Active Response clients. If an older version is already installed, the Active Response client is updated to the newer version. If you are deploying to an older system that needs more time for a new deployment, create a client task and increase the timeout setting beyond the default of 20 minutes, so that the deployment does not time out before it completes.
7 Verify that the deployment to endpoints is working correctly.
  a Log on to McAfee ePO as an administrator.
  b Select Systems > Active Response Search, and enter HostInfo in the search box. The list of deployed endpoints is displayed.

You can upgrade Active Response clients while they are online. As soon as the new version is installed, clients respond to the Active Response server.

See also
Viewing the Active Response Health status on page 19

Upgrade content packages

Install content packages to get new collectors and reactions, or new versions of existing built-in collectors and reactions.

New versions of collectors and reactions in the content package might make some of your saved searches and triggers unusable. This only happens if the update changes a built-in collector output field, or if the update changes built-in reaction arguments. Check the McAfee Active Response Content Update Release Notes for information about changes to collectors and reactions introduced by a content package.

1 Log on to McAfee ePO as an administrator.
2 Select Menu > Software > Software Manager and check in the Active Response content package. Content packages have this naming convention: BaseActiveResponseContent MajorVersion.MinorVersion.PatchVersion BuildVersion.zip

If you have Auto Update enabled for deployments, the package is installed automatically after it is checked in to the Master Repository. If you do not have Auto Update enabled, create an update deployment task.

Upgrade Trace rules content package

The Active Response rules content package adds, updates, and removes old Trace rules. You can automatically deploy Trace rules content updates to endpoints when a new update is available in Software Manager. Trace rules determine a potential threat and its severity and display it in the Trace timeline.

The mechanism to automatically update Trace rules content is enabled by default, with update tasks scheduled every 240 minutes (4 hours). This is an unattended task that is enabled in McAfee ePO.

1 Log on to McAfee ePO as an administrator.
2 Select Menu > Policy > Policy Catalog, then click My Default.
3 On the General tab, select or clear Enable Unattended Content Updates to enable or disable this feature. If you disable this feature, you can update the rules manually.
4 To change the default time for Unattended Content Updates Timeout (minutes), edit the numeric value in the field.
Updates are checked every cycle, and if there is a new update, it is deployed to the endpoints to update their Trace rules.

See also
Roll back content rules on page 31

4 Getting started

Contents
Configuring multiple McAfee ePO servers
Configuring McAfee Advanced Threat Defense

Configuring multiple McAfee ePO servers

In an environment with multiple McAfee ePO servers, more than one McAfee ePO server is connected to DXL brokers on bridged DXL fabrics. Bridging fabrics allows DXL brokers that are managed by different McAfee ePO servers to communicate with each other.

Using a multiple McAfee ePO server environment

To expand your remediation and upgrade capabilities:
- Deploy Active Response client packages from one McAfee ePO server to upgrade another bridged McAfee ePO server's endpoints.
- Share saved and custom searches using collectors and reactions across bridged McAfee ePO servers with a single Active Response server.

- Manage potential threats across bridged McAfee ePO servers and store threat data in the cloud, using a single cloud storage location. Switching between multiple cloud accounts is not supported or recommended, because of a high risk of losing data. We recommend using one cloud account for managing your cloud geolocation and bridged McAfee ePO servers.
- Investigate and remediate potential threats across McAfee ePO servers that you manage with a single TIE server.

Active Response 2.1 and earlier does not support environments where two or more McAfee ePO servers have bridged DXL hubs.

Configure DXL brokers to connect multiple McAfee ePO servers

Connect multiple McAfee ePO servers using DXL brokers.

Before you begin
- If you are upgrading from Active Response 2.1 to 2.2 and bridging multiple McAfee ePO servers, upgrade the DXL extensions, client, and at least one online broker to version 4.0. See KB84473 for details.
- Install the DXL 4.0 broker, extensions, and client. See KB84473 for DXL requirements for multiple McAfee ePO servers.
- Deploy Active Response client 2.2 or later to all endpoints managed by the different McAfee ePO servers.
- Verify that the DXL broker fabrics between McAfee ePO servers are bridged.

1 From McAfee ePO server A, select Menu > Configuration > Server Settings > DXL Topology, then select broker A and click Edit.
2 From the topology tree, select the top-level hub, and from the Actions drop-down list, select Create Hub.
  a Select the newly created hub, and from the Actions drop-down list, select Create Incoming Bridge - Remote ePO Hub.
  b From the drop-down list, set Broker 1 to DXL broker A, then click Save.
3 Download hub information for server A.
  a Select Incoming Bridge - Remote ePO Hub and click Edit.
  b Click Export Local Hub Information to download a .zip file with information about McAfee ePO server A, to import into the remote hub for McAfee ePO server B, then click Save.
4 From McAfee ePO server B, select Menu > Configuration > Server Settings > DXL Topology, then select DXL broker B and click Edit.
5 From the topology tree, select the top-level hub, and from the Actions drop-down list, select Create Hub.
  a Select the newly created hub, and from the Actions drop-down list, select Create Outgoing Bridge - Remote ePO Hub.
  b From the drop-down list, set Broker 1 to DXL broker B, then click Save.
6 Download hub information for server B.
  a Select Outgoing Bridge - Remote ePO Hub and click Edit.
  b Click Export Local Hub Information to download a .zip file with information about McAfee ePO server B, to import into the local hub for McAfee ePO server A, then click Save.
7 From the DXL Topology page on McAfee ePO server A, click Edit.
  a Select Incoming Bridge - Remote ePO Hub, and click Import Remote Hub Information.
  b Click Choose File and upload the .zip file for McAfee ePO server B, then click OK.
  c Review the settings and click OK.
8 From the DXL Topology page on McAfee ePO server B, click Edit.
  a Select Outgoing Bridge - Remote ePO Hub, and click Import Remote Hub Information.
  b Click Choose File and upload the .zip file for McAfee ePO server A, then click OK.
  c Review the settings and click OK.
9 Refresh the connections for McAfee ePO servers A and B.
  a Select Menu > Automation > Server Tasks.
  b Select Manage DXL Brokers, then click Run.
  c From the System Tree, select the DXL broker and click Wake Up Agents. Select Force complete policy and task update and click OK.

10 Select Menu > Systems > Data Exchange Layer Fabric to verify the configuration. A line between two circles represents the bridge between DXL broker A and DXL broker B. If you do not see the connector between the broker icons, wait a few minutes for the DXL client to wake up and complete the configuration, or refresh the display.
11 For each McAfee ePO server, select a broker icon and click the Bridges tab, then the Services tab, to verify that the services are connected.

Bridged and non-bridged McAfee ePO server configuration examples

Examples of bridged and non-bridged multiple McAfee ePO server environments.

McAfee ePO servers are bridged
A company bridges its USA and Germany McAfee ePO servers on a single DXL fabric to use its TIE database worldwide for consistent hash reputations. In this scenario, it uses a single cloud account and a single cloud storage geolocation.

McAfee ePO servers are not bridged
A company has not yet bridged its USA and Germany McAfee ePO servers on a single DXL fabric. It wants parallel deployments for each geography because of a possible restriction where certain data cannot be shared between countries. The USA and Germany sites each have separate McAfee ePO servers with separate TIE and Active Response servers. They each have different geolocations and use different cloud accounts.

Endpoint roaming is not supported
A company has two non-bridged McAfee ePO servers assigned to different geolocations (USA and Germany). An employee travels to a different company site with her laptop, which is managed by McAfee ePO server A and geolocation USA. When she connects to McAfee ePO server B in Germany, potential threats on her laptop will not appear in the Workspace managed by McAfee ePO server B.
Configuring McAfee Advanced Threat Defense

Contents
Configure the McAfee Advanced Threat Defense server with Active Response
Configure McAfee Advanced Threat Defense in TIE server

Configure the McAfee Advanced Threat Defense server with Active Response

View the McAfee Advanced Threat Defense connection status in the Active Response Health Status page and the reputation status in the Sandbox Results card.

Before you begin
- Make sure that you have the McAfee Advanced Threat Defense URL and logon credentials.
- Verify that you are running McAfee Advanced Threat Defense version 4.4 or later. See the McAfee Advanced Threat Defense product guide for details about integrating with Active Response.

Only one Advanced Threat Defense server can be configured with this version of Active Response. It supports a standalone server or the primary server of a cluster of physical or virtual servers.

1 Log on to McAfee ePO as an administrator.
2 Select Menu > Configuration > Server Settings > Advanced Threat Defense Server, then click Edit.
3 Enter the URL of the Advanced Threat Defense server.
4 Enter the user name and password.
5 Click Validate Certificate and save the configuration. An error message appears if you are configuring an unsupported version of Advanced Threat Defense.
6 To disconnect the Advanced Threat Defense server from the Active Response environment, enable Delete Connection and save the configuration.

Configure McAfee Advanced Threat Defense in TIE server

Enable the Advanced Threat Defense sandboxing feature in the TIE server management policy. See the configuration instructions in the TIE and Advanced Threat Defense installation guides for details.

1 Log on to McAfee ePO as an administrator.
2 Select Menu > Policy > Policy Catalog.
3 From the Product drop-down list, select McAfee Threat Intelligence Exchange Server Management.
4 Select the My Default policy and enable McAfee Advanced Threat Defense on the Sandboxing tab.
5 Configure the McAfee Advanced Threat Defense server list, connection settings, and file types available, and click Save when finished.


5 Troubleshooting Active Response

Roll back content rules

The last update of Trace rules can be rolled back to a previous version by creating a client task. Two product properties are associated with the endpoint rules content rollback:
- Blacklisted Rules Version: the version that is not applied when upgraded.
- Rules Version: the current version on the client.

View the properties, then create a task to roll back the rules.

1 Log on to McAfee ePO as an administrator.
2 Select Menu > Policy > Client Task Catalog.
3 Under Client Task Types, locate and select Active Response 2.3.0.
4 Select Roll Back Dat Rules.
5 Click New and click OK.
6 Type a name for the task.
7 In the Roll Back Rules text box, enter the version number of the rules you want to remove or block. When you run this task, a new blocked version is sent to the client and, if that version is already applied, the client automatically rolls back to the previously installed update. You can roll back only one rules version at a time.
8 Click Save.
9 Select Menu > Policy > Client Task Assignments to assign this new task to all applicable endpoints.
10 Verify the completion of the rollback in the Threat Event Log.

Reuse this client task to roll back subsequent rules updates. In the Roll Back Rules text box, add a comma to separate the previous version number from the new version number to blacklist.

See also
Upgrade Trace rules content package on page 24