
ePolicy Orchestrator Architecture and Concepts

Indrajit Majumder

Agenda

➢ Define ePolicy Orchestrator.
➢ McAfee Architecture for NIC.
➢ Repository.
➢ Rogue Sensor System.
➢ Installation, Update and Uninstallation.
➢ User Awareness.

What is ePolicy Orchestrator?

➢ ePolicy Orchestrator is a management tool from McAfee Antivirus that provides centralized anti-virus management and security policy management and enforcement.

Usage of ePolicy Orchestrator:

4. Deploy McAfee products.
5. Update the products.
6. Enforce and manage policies.

Components

➢ The ePolicy Orchestrator software contains the following components:

➢ The ePolicy Orchestrator Server: a management server and a repository for all data collected from distributed ePolicy Orchestrator agents.
➢ The ePolicy Orchestrator Console: a clear, understandable view of all virus activity and status, with the ability to manage and deploy agents and products.
➢ The ePolicy Orchestrator Agent: an intelligent link between the ePolicy Orchestrator Server and the anti-virus and security products; it enforces policies and tasks on client computers.

Communication Ports

➢ Communication ports used by ePolicy Orchestrator:

➢ Agent-to-Server communication port: 80
➢ Console-to-Server communication port: 81
➢ Agent Wake-Up communication port: 8081
➢ Agent Broadcast communication port: 8082
➢ Sensor-to-Server communication port: 8444
➢ Security Threats HTTP port: 8801

MCAFEE ARCHITECTURE FOR NIC

REPOSITORY

What is a Repository?

A repository is a place or folder that contains all virus updates, SuperDAT files, patches for all McAfee products, signatures, the McAfee default policy, etc.

Components of the Repository:

➢ Source Repository (McAfee Updates.ini sites).
➢ Master Repository (NIC-800000-EPO1, placed in the Head Office).
➢ Distributed Repository (in 24 Regional Offices).
➢ Client Machines (in all Operating Offices).

Source Repository

➢ A Source Repository is a location from which the Master Repository retrieves updates.
➢ Scheduled from 8:00 PM onwards.
➢ HTTP://update.nai.com/Products/CommonUpdater
➢ FTP://ftp.nai.com/CommonUpdater

Master Repository

➢ The Master Repository maintains an original copy of the Source Repository.
➢ The Master Repository distributes (PUSH) all the packages to the Distributed Repository (scheduled from 5:00 AM to 9:00 AM).
➢ The Master Repository is placed in the Head Office, that is, NIC-800000-EPO1.

Distributed Repository

➢ The Distributed Repository maintains a duplicate copy of the Master Repository.
➢ The DR PULLs all the packages from the Master Repository.
➢ Client computers retrieve updates from the Distributed Repository.

Clients

➢ Clients in the Operating Offices running McAfee Antivirus retrieve updates from their respective Regional Offices.
➢ Scheduled from 11:00 AM to 11:45 AM.
➢ Normally, clients download new policies from the ePO Server (NIC-800000-EPO1) and the SDAT from the Distributed Repository.

Repository Flow Chart

Rogue Sensor System

➢ Rogue system detection means finding unmanaged computers in your network or subnet.
➢ "Rogue" means a computer that does not have the ePolicy Orchestrator Agent, that is, a computer that is not managed by an ePO agent but should be.
➢ The Rogue System Detection system helps you monitor all the systems on your network: not only the ones ePO already manages, but also the rogue systems (systems without an agent).
➢ Rogue System Detection integrates with your ePO Server to provide real-time detection of rogue systems.
➢ A rogue sensor is placed on each network broadcast segment.

Rogue Sensor System (cont…)

➢ In NIC, rogue sensors are placed on the Genisys Server of each Operating Office. The sensor detects all the rogue machines in its network and sends a report to the ePO Server (NIC-800000-EPO1) placed in the HO.

➢ HOW IT WORKS?
➢ The sensor is a small Win32 native executable application. We deploy at least one sensor to each broadcast segment. The sensor runs on any NT-based Windows operating system.
➢ To detect systems on the network, the sensor uses WinPcap, an open-source packet capture library. Using WinPcap, the rogue system detection sensor captures network layer-two broadcast packets sent by computers connected to the same network broadcast segment.

Rogue Sensor System (cont…)

➢ The sensor listens for Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), and IP traffic.
➢ The sensor is able to "listen" to the broadcast traffic of everything in that part of the network, such as rogue computers, printers, routers, switches and all other devices.
➢ The rogue sensor gathers information including DNS name, IP address, MAC address, NetBIOS name, operating system version, and the list of currently logged-in users. It then sends all of this information to the ePO Server, that is, NIC-800000-EPO1 placed in the HO.
➢ The Sensor-to-Server communication port is 8444.
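
The detection step described above, as an added Python example (not McAfee's sensor code and not part of the original slides): it parses layer-two ARP broadcast frames, as a WinPcap capture would deliver them, and reports sender MAC addresses that are missing from an inventory of agent-managed hosts. The inventory, the MAC/IP values and all function names are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

ETH_ARP, ETH_VLAN = 0x0806, 0x8100

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 18:
        return None
    ethertype, offset = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETH_VLAN:                    # skip one 802.1Q tag
        ethertype, offset = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype != ETH_ARP or len(frame) < offset + 28:
        return None                              # not ARP, or truncated capture
    htype, ptype, hlen, plen, _op = struct.unpack_from("!HHBBH", frame, offset)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                              # only Ethernet + IPv4 ARP handled
    sha, spa = frame[offset + 8:offset + 14], frame[offset + 14:offset + 18]
    return sha.hex(":"), str(IPv4Address(spa))

def find_rogues(frames, managed_macs):
    """Map MAC -> set of IPs for ARP senders missing from the managed inventory."""
    managed = {m.lower() for m in managed_macs}
    rogues = {}
    for mac, ip in filter(None, map(parse_arp, frames)):
        if mac not in managed:
            ips = rogues.setdefault(mac, set())
            if ip != "0.0.0.0":                  # ARP probe: no address claimed yet
                ips.add(ip)
    return rogues

def arp_request(mac_hex, ip, target_ip, vlan=False):
    """Build a broadcast ARP request (constructed sample data only)."""
    mac = bytes.fromhex(mac_hex.replace(":", ""))
    eth = b"\xff" * 6 + mac + (b"\x81\x00\x00\x0a" if vlan else b"") + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + IPv4Address(ip).packed
    return eth + arp + b"\x00" * 6 + IPv4Address(target_ip).packed

# Constructed inventory and capture: managed host, unmanaged host, truncated frame.
MANAGED = {"00:11:22:33:44:55"}
SAMPLE = [
    arp_request("00:11:22:33:44:55", "10.1.0.10", "10.1.0.1"),
    arp_request("de:ad:be:ef:00:01", "10.1.0.77", "10.1.0.1", vlan=True),
    arp_request("de:ad:be:ef:00:01", "0.0.0.0", "10.1.0.77"),
    arp_request("de:ad:be:ef:00:02", "10.1.0.78", "10.1.0.1")[:30],
]

if __name__ == "__main__":
    print(find_rogues(SAMPLE, MANAGED))
```

A MAC-only inventory also flags printers, routers and switches, which is why the sensor additionally reports DNS name, NetBIOS name and operating system version for triage.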

INSTALLATION

➢ Installation of ePO Agent (FramePkg.exe).
➢ Installation of VirusScan Enterprise (setupvse.exe).
➢ Update of ePO Agent and VirusScan Enterprise.
➢ Distributed Repository selection.
➢ Uninstallation.

ePO Agent Installation

➢ All of these files are available in the McAfee package. First install the ePO agent, then install McAfee VirusScan Enterprise.
➢ The McAfee package is located at ftp://10.80.0.25/domainjoin/McAfee Package.
➢ To install the ePO agent, double-click “FramePkg.exe”.
➢ The installation will start.
➢ After the ePO agent installation is complete, it shows the message “Setup completed successfully”. Press OK.

VirusScan Enterprise Installation

➢ Double-click “Setupvse.exe”.
➢ The first screen of the McAfee VirusScan Enterprise Setup appears. Click “NEXT”.
➢ For the license expiry type, select “Perpetual”. For the country where purchased and used, select “United States {default for use in US}”.
➢ Select “I accept the terms in the License agreement”. Click OK.
➢ Select “Typical”. Click NEXT.
➢ Click “Install”. The installation then starts.
➢ Deselect “Update Now” and “Run On-Demand Scan”.
➢ The installation is now complete. Press YES.
➢ After we restart the machine, the following logo appears.
➢ First check for the VirusScan Enterprise symbol in the right-hand corner of the desktop. Its presence means VirusScan was installed successfully.

Update of ePO Agent

➢ If the ePO agent symbol does not appear in the right-hand corner of the desktop, do the following steps.
➢ Go to: Start → Run → cmd.
➢ Type the complete path to enforce policies:
C:\Program Files\Network Associates\Common Framework> cmdagent /P /E /C

Distributed Repository Selection

➢ Right-click the VirusScan Enterprise symbol and select “VirusScan Console”.
➢ Go to: Tools → Edit AutoUpdate Repository List.
➢ If we are installing this package for the CRO-1 Operating Office, select CRO-1 and deselect all other repositories.
➢ Then click Move Up.
➢ Click OK.

Update of VirusScan Enterprise

➢ Right-click the VirusScan Enterprise symbol.
➢ Click Update Now.
➢ You can then see VirusScan Enterprise take its update from CRO-1.

Update of ePO Agent

➢ Again, right-click the ePO agent symbol.
➢ Click Update Now.
➢ You can then see the ePO agent take its update from CRO-1.
➢ Right-click the ePO agent symbol.
➢ Click Status Monitor.
➢ Finally, click Collect and Send Properties.
➢ The client then collects all updates automatically from the server.

Uninstallation of ePO Agent

➢ Go to: Start → Run → cmd.
➢ Type the complete path to uninstall the ePO agent:
C:\Program Files\Network Associates\Common Framework> frminst.exe /remove=agent
➢ Click OK. Uninstallation is complete.
➢ To uninstall VirusScan Enterprise, click Remove in CONTROL PANEL → ADD/REMOVE Programs.

USER AWARENESS

➢ The ePO Agent and VirusScan Enterprise symbols must be shown in the taskbar.
➢ On-Access Scan must be enabled.
➢ The SuperDAT of McAfee VirusScan Enterprise must be up to date. Users can check the latest version of the SuperDAT at FTP://10.80.0.25/domain join/MacAfee-Package or HTTP://10.X.0.3/epo/Current/VSCANDAT1000/DAT/0000/dat (where X = Regional Office code).
➢ The ePO Agent on client machines must communicate properly with NIC-800000-EPO1 (main server). At least once a day, click “Collect and Send Properties” in the ePO Agent.
➢ The ePO Agent and VirusScan Enterprise must take updates from their respective Regional Office only.
➢ Users should scan their computers completely at least once a week.
