For use with McAfee ePolicy Orchestrator...D. McAfee ® ePolicy Orchestrator (McAfee ePO ) and...

Product Guide McAfee Active Response 2.0.0 For use with McAfee ePolicy Orchestrator



COPYRIGHT

© 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface  5
  About this guide  5
    Audience  5
    Conventions  5
  Find product documentation  6

1 Product overview  7
  What is Active Response?  7
  Key features  7
  How it works  8

2 Installation  11
  Requirements  11
  Install the McAfee ePO extensions  13
  Configure McAfee ePO proxy server settings (optional)  13
  Configure the McAfee ePO Cloud Bridge server settings  13
  Install the Threat Intelligence Exchange server  14
  Install the Active Response server  14
  Configure the DXL broker extension  15
  Install aggregators  16
  Manage Active Response clients  16
    Install clients  16
    Uninstall clients  17
  Viewing Active Response status  18
    View health status  18
  Install content packages  18

3 Upgrade  21
  Upgrade the Active Response server  21
  Upgrade the McAfee ePO extensions  21
  Upgrade clients  22

4 Configuration  23
  Network ports  23
  Active Response Service configuration  24
  Client configuration  24
    Create an Active Response policy  25
  Access management  25

5 Using Active Response  27
  Using the Threat Workspace  27
    Threat Workspace  27
    Investigate and remediate a threat  29
    View threat remediation history  30
  Searching endpoint data  31
    Use the search box  32
    Save a search expression  33
    Use a saved search expression  33
    Search syntax  34
  Collecting endpoint data  36
    Built-in collectors  37
    Custom collectors  49
  Reacting to incidents  50
    Built-in reactions  51
    Create a custom reaction  52
    Apply a reaction  53
  Catching threats  53
    Create a trigger  54
    Trigger types  55
  Adding custom content  59
    Content output  60
    Content arguments  61
    Content types  62
  Backing up and sharing content  65
  Error codes  65

Index  71


Preface

This guide provides the information you need to work with your McAfee product.

Contents

• About this guide

• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

Italic — Title of a book, chapter, or topic; a new term; emphasis

Bold — Text that is emphasized

Monospace — Commands and other text that the user types; a code sample; a displayed message

Narrow Bold — Words from the product interface like options, menus, buttons, and dialog boxes

Hypertext blue — A link to a topic or to an external website

Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method

Tip: Best practice information

Caution: Important advice to protect your computer system, software installation, network, business, or data

Warning: Critical advice to prevent bodily harm when using a hardware product


Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.


1 Product overview

McAfee® Active Response is a part of the Endpoint Threat Defense and Response solution. The solution provides unified security components that work together through an open, integrated approach with shared visibility, threat intelligence, and simplified work flows. Through early detection of suspicious activity or by detecting indicators of prior attacks, network administrators can use Active Response to quickly and effectively deal with security breaches.

Contents

• What is Active Response?

• Key features

• How it works

What is Active Response?

Active Response offers continuous visibility and powerful insights into endpoints so you can identify and remediate breaches faster.

By providing information about potentially malicious processes, Active Response reduces the resources needed to detect risks from unknown applications and processes running on endpoints. By integrating process reputation, Active Response allows you to act on shared threat intelligence with simplified workflows. You can take quick corrective actions to remediate a threat, and adapt protection measures against future attacks.

Active Response brings together McAfee® Threat Intelligence Exchange (TIE) and McAfee® Data Exchange Layer (DXL). Together they provide global threat information with locally collected, customer-specific intelligence that can be shared, allowing multiple security solutions to operate as one.

Together Active Response, Threat Intelligence Exchange, and Data Exchange Layer narrow the gap from encounter to containment for advanced targeted attacks from days, weeks, or months down to milliseconds.

Key features

Active Response provides a single-click action to protect, respond, and adapt, reducing the need for multiple tools and steps into one streamlined operation.

It includes built-in data collectors, triggers, and reactions to get started right away. Incident responders can easily introduce custom content for specific use.

Active Response offers these key features.

Detect

Use Active Response to detect threats on compromised systems.


• Use the Threat Workspace to see active threats on endpoints, where they started, and how they moved through the environment, and see the threat time lines.

• Prioritize the high-risk threats based on behavior to focus your investigation on the most important threats.

• Search live and historical threat data to determine the full scope of an attack.

• Monitor your environment with customizable collectors that search for indicators of attack that are not only running or lying dormant, but that might have been deleted.

Respond

Use Active Response to stop threats when they are detected. You can take immediate action on affected endpoints.

• Use triggers and reactions to detect threatening events and react immediately.

• Automate reactions based on triggers and act on multiple endpoints remotely at the same time.

• Take remediation actions from the Threat Workspace with a single click. For example, you can stop a running process on a single endpoint, or remove a threat and block it from recurring in the environment.

Adapt

Use Active Response to learn from and automate threat responses and provide live security protection without manual intervention.

• Customize collectors and reactions for adapting threat investigation and detection flows.

• Adapt protection settings to automatically block persistent attacks.

• Learn what to include in security policies.

How it works

Active Response is composed of the service, a set of extensions, and endpoint clients.

The Active Response client, which runs on managed endpoints, includes a Trace module that scans and captures data about potential threats (processes) on the managed endpoints. This data is then sent to cloud storage via the Data Exchange Layer. The Trace module is available on Microsoft Windows systems only.

The Active Response Threat Workspace, installed as an extension to McAfee ePO, retrieves the data stored in the cloud and enables visualization of threats that are seen across the endpoints. In-depth investigation of a threat is performed in the Threat Workspace, with additional information retrieved on-demand from the endpoints by the Active Response server. You can remediate a threat from the Threat Workspace, and the remediation actions take effect immediately on the endpoints. You can also block future recurrences of a threat by changing the reputation of a process, which is updated in the Threat Intelligence Exchange server.


Overview

This diagram shows an overview of how Active Response works.

A. Active Response client

The Active Response client agent runs on endpoints. It enables:

• Continuous incident information collection

• Responses to information queries from the Active Response server

• Execution of remediation actions on specific threats

The incident information gathered from endpoints is aggregated and stored in the customer's cloud storage. Active Response supports both Windows and Linux endpoints. The Linux solution currently does not support the continuous incident-information gathering capability.

B. Data Exchange Layer

The DXL brokers and clients are the communication channel for Active Response operations. For details about using DXL, see the Data Exchange Layer Product Guide.

C. DXL Cloud Bridge

The DXL component that connects your network to the Active Response Cloud Storage and Services.

D. McAfee® ePolicy Orchestrator® (McAfee® ePO™) and Active Response extensions

McAfee ePO is the management platform for all McAfee products. The managed products have their own extensions. Active Response has two main extensions.

• Threat Workspace — Enables the visualization of incident information gathered from the endpoints. In-depth investigation of a threat is performed in the Threat Workspace, with additional information retrieved on-demand from the endpoints by the Active Response server. You can remediate a threat from the Threat Workspace, and the remediation actions take effect immediately on the endpoints.

• Active Response search — Enables real-time searches over the endpoints. It also provides the ability to save searches, create custom collectors, and define triggers and reactions.


E. Cloud Storage and Services

The incident information from the endpoints is stored in the cloud (up to 90 days of endpoint data). Aggregation of endpoint data in the cloud provides the overall health status of the enterprise. If endpoint data is not sent to the cloud, for example, if an endpoint is offline, the Threat Workspace displays past information only, if available in the cloud storage. If no incident information is available in the cloud for any of the endpoints, the Threat Workspace does not display threat information. Search features still retrieve real-time information from endpoints that are reachable.

F. Active Response server

This is the central coordinator of the Active Response solution. It communicates with the Active Response client running on managed endpoints to collect data and execute remediation actions.

G. Threat Intelligence Exchange servers

The reputation management system that provides reputation information and helps to investigate threats. You can override a reputation setting in the Threat Workspace, and that setting is sent to the TIE server and updated throughout your environment.


2 Installation

The installation includes several components and clients.

• McAfee ePO extensions

• McAfee ePO proxy and Cloud Bridge configuration

• Threat Intelligence Exchange server

• Data Exchange Layer brokers

• Active Response server

• Active Response aggregators

• Active Response clients on endpoints

• Active Response content packages

Contents

• Requirements

• Install the McAfee ePO extensions

• Configure McAfee ePO proxy server settings (optional)

• Configure the McAfee ePO Cloud Bridge server settings

• Install the Threat Intelligence Exchange server

• Install the Active Response server

• Configure the DXL broker extension

• Install aggregators

• Manage Active Response clients

• Viewing Active Response status

• Install content packages

Requirements

For a successful installation, check that these minimum requirements are met before installing Active Response components.

Minimum requirements for the Active Response solution

• McAfee ePolicy Orchestrator 5.3.1 or later

• McAfee® Endpoint Security 10.2 or later

• McAfee Endpoint Security Threat Intelligence 10.2 or McAfee Endpoint Security Adaptive Threat Protection 10.5 or later (for use with McAfee Endpoint Security 10.5 or later)

If upgrading your environment from a previous version of Active Response or from Threat Intelligence Exchange 2.0, these requirements are also needed:


• Data Exchange Layer 3.0.0. At least one DXL broker must be version 3.0.0 or greater.

• Threat Intelligence Exchange server 2.0.0

Minimum requirements for the Active Response server

The server can be installed on a physical server or a virtual machine.

• 1 CPU with 4 cores

• 8 GB RAM

• 140 GB solid-state disk

Supported web browsers for the user interface extension

• Internet Explorer 11 or later

• Microsoft Edge on Windows 10.0

• Chrome 53.0 or later

• Firefox 46.0 or later

• Safari 8.0 or later (on Macintosh operating systems only)

Minimum requirements for the Active Response endpoint client

• McAfee® Agent 5.0.3 or later for Windows and Linux endpoints

• Data Exchange Layer 3.0.0 client

• Endpoint Security Threat Prevention 10.2 or later

• Endpoint Security Threat Intelligence module 10.2 (for Endpoint Security 10.2) or Endpoint Security Adaptive Threat Protection module 10.5 or later (for Endpoint Security 10.5 or later)

If an endpoint does not currently have a version of Endpoint Security or McAfee VirusScan Enterprise, the appropriate versions of the Endpoint Security modules are installed automatically with the Active Response installation. If an endpoint currently has an unsupported version of Endpoint Security installed, follow the Endpoint Security documentation for steps about upgrading the modules on the endpoint to a supported version.

Supported operating systems for the Active Response endpoint client

Operating system                          | Version       | Architecture      | Processor          | RAM  | Minimum free hard disk space
Windows 10 Enterprise, Anniversary Update | Base          | 32-bit and 64-bit | 2 GHz or higher    | 3 GB | 1 GB
Windows 8.0                               | Base          | 32-bit and 64-bit | 2 GHz or higher    | 3 GB | 1 GB
Windows 8.1 Enterprise                    | Base, U1      | 32-bit and 64-bit | 2 GHz or higher    | 3 GB | 1 GB
Windows 2012 Server                       | Base, R2, U1  | 64-bit            | 2 GHz or higher    | 3 GB | 1 GB
Windows 2008 R2 Enterprise                | SP1           | 64-bit            | 2 GHz or higher    | 3 GB | 1 GB
Windows 2008 R2 Standard                  | SP1           | 64-bit            | 2 GHz or higher    | 3 GB | 1 GB
Windows 7 Enterprise                      | Up to SP1     | 32-bit and 64-bit | 1.4 GHz or higher  | 2 GB | 1 GB
Windows 7 Professional                    | Up to SP1     | 32-bit and 64-bit | 1.4 GHz or higher  | 2 GB | 1 GB
Windows Server 2016                       | Base          | 64-bit            | 2 GHz or higher    | 3 GB | 1 GB
CentOS *                                  | 6.5           | 32-bit            | 2 GHz or higher    | 2 GB | 1 GB
RedHat *                                  | 6.5           | 32-bit            | 2 GHz or higher    | 2 GB | 1 GB

* Does not support the Trace functionality or displaying data on the Threat Workspace.

Install the McAfee ePO extensions

The extensions for Active Response, Threat Intelligence Exchange, and Data Exchange Layer are included in a single bundle file.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager.

3 Locate the Active Response Extensions Bundle.

4 Click Check in.

5 Accept the License Agreement and click OK.

Configure McAfee ePO proxy server settings (optional)

If your company uses proxy addresses, enter the IP address for the Active Response server in the McAfee ePO proxy settings.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Configuration | Server Settings | Proxy Settings.

3 Click Edit.

4 Enter the proxy information.

5 Click Save.

Configure the McAfee ePO Cloud Bridge server settings

McAfee ePO Cloud Bridge is an extension that you install on your local McAfee ePO server, allowing you to link your on-premise McAfee ePO server to your McAfee ePO Cloud account.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Configuration | Server Settings | McAfee ePO Cloud Bridge.

3 Click Edit.

4 Enter your McAfee ePO Cloud account credentials and accept the license. If you don't have an account, follow the link to create one.

5 Click Save.

Install the Threat Intelligence Exchange server

Install and configure the Threat Intelligence Exchange server. TIE provides file and certificate reputation information and enables you to block or allow them from running in your environment based on their reputation.

See the Threat Intelligence Exchange documentation for information about installing and configuring TIE.

Install the Active Response server

Active Response server is provided as an .iso image, packaging a McAfee® Linux Operating System (MLOS) instance.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and download the Active Response server ISO file.

3 Start the system where the Active Response server will be installed, making sure that it boots from the Active Response server ISO image. MLOS and all necessary packages are installed automatically after the system starts.

4 When the installation finishes, restart the system. Make sure that it starts from the installed system, not from the .iso image.

5 Configure the Active Response server.

a Read the License Agreement and enter Y to accept its terms.

b Set a root password and confirm it.

c Create an operational account. You can use this account to connect through ssh to the system, and use su to obtain root permissions.

d Select the main network interface for the system. This interface connects the Active Response server to McAfee ePO and the Data Exchange Layer.


e Configure the network interface.

• Enter D for DHCP configuration.

• Enter M to manually set the network addresses.

f Set a host name and domain name for the system.

g (Optional) Enable IPv6 routing.

h Set the time server for the system.

i (Optional) Set proxy variables.

http_proxy and https_proxy definitions are comma-separated lists of host names or IP addresses. The no_proxy definition is a comma-separated list of host names, domains, or IP addresses.

Proxy settings are for operating system administration only. Active Response does not use proxies to communicate with McAfee ePO or network endpoints.

j Configure McAfee Agent to set up the connection to McAfee ePO.

k Select which services must run on the system.

• DXL Broker — Installs a Data Exchange Layer broker. If your environment already has at least one DXL broker version 3.0.0 or later, you can choose not to install a new instance of the broker.

• AR Server — Installs the Active Response server.

l Set the DXL broker communication port.

6 Log on to McAfee ePO as an administrator and verify that an Active Response server is listed in the System Tree.

Configure the DXL broker extension

Broker extensions are additional features that can be enabled on a Data Exchange Layer broker to add new functionality created by other managed products. Enable the Trace broker extension used by Active Response.

Active Response 2.0 requires at least one DXL broker version 3.0.0 or later. The Trace extension is not available on previous broker versions.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Topology.

2 Click Edit.

3 Select a broker and next to Broker Extension, select Provides trace data to the cloud for MAR Workspace.

4 Click Save.


Install aggregators

You are not required to install an aggregator to use Active Response. However, aggregators reduce the amount of DXL bandwidth required, and increase the number of managed endpoints supported.

Install Active Response aggregators on DXL broker systems in your fabric. We recommend that you install an aggregator on each system in your fabric that runs only a DXL broker. The broker systems with aggregators must not have a DXL client deployed on that system. Aggregators can't be installed on Active Response or TIE server systems.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and check in the Active Response Aggregator package.

3 Select Menu | Software | Product Deployment, then click New Deployment.

4 In the Package drop-down list, select the Active Response aggregator.

5 Click Select Systems and choose the DXL broker where to install the aggregator.

6 Select Run Immediately and click Save to start deployment.

You can also install the aggregator package from the Master Repository.

Manage Active Response clients

Use these tasks to manage the Active Response client on endpoints.

Install clients

Active Response clients are ready to function immediately after installation and configuration.

Before you begin

Make sure your endpoints are running McAfee Agent 5.0.3 or later before installing and deploying Active Response clients.

All endpoint client packages were checked in with the Active Response bundle. Ensure that they are checked in at the same branch as the Endpoint Security modules, Endpoint Security Threat Intelligence, and the DXL client.

For details about product features, usage, and best practices, click ? or Help.

Task

1 Log on to McAfee ePO as an administrator.

2 Deploy the Active Response clients. All necessary clients are installed.

During deployment on Windows systems, Active Response disables Microsoft Protection Service momentarily to complete the installation. Endpoint users might see a warning that this service has been disabled. When the installation is complete, Microsoft Protection Service is restored and the warning can be ignored.

a Select Menu | Software | Product Deployment, then click New Deployment.

b Select the Active Response client software package for Windows or Linux.

On Linux 64-bit systems, compatible 32-bit libraries must be installed on endpoints for Active Response to work properly.

c Click Select Systems to select which endpoints to manage with Active Response.

d Select Run Immediately and click Save to start deployment.

If an older version is already installed, the Active Response client is updated with the newer version. Also, if deploying on an older system that takes longer for a new deployment, create a client task and increase the timeout setting to greater than 20 minutes (the default setting). This ensures the deployment does not time out before it completes.

After deploying the Active Response clients, make sure to configure the appropriate McAfee ePO policies.
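The Linux client prerequisites in this procedure (McAfee Agent 5.0.3 or later, 32-bit compatibility libraries on 64-bit systems, and the 2 GB RAM and 1 GB free disk minimums from the supported operating systems table) can be verified on an endpoint before the deployment task runs. The POSIX shell script below is an added example, not code from this guide or from McAfee. It assumes the caller supplies the installed McAfee Agent version string (for example, as reported by the agent's own command-line tool); the check for a 32-bit loader at /lib/ld-linux.so.2 or /lib32/ld-linux.so.2 and the /opt default install location are assumptions, not statements from the guide.

```shell
#!/bin/sh
# Added example: pre-deployment check for a Linux endpoint against the
# Active Response client minimums stated in the guide. Not McAfee code.
# Assumptions: the McAfee Agent version is passed in by the caller; the
# 32-bit glibc loader path and the /opt install location are assumed.

# version_ge A B -> exit status 0 when dotted version A >= B (e.g. 5.0.10 >= 5.0.9).
# Missing components count as 0, so 5.1 compares as 5.1.0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# needs_32bit_libs ARCH -> 0 when ARCH (as printed by uname -m) is a 64-bit x86
# machine type, i.e. when the guide's 32-bit compatibility library requirement applies.
needs_32bit_libs() {
    case "$1" in
        x86_64|amd64) return 0 ;;
        *)            return 1 ;;
    esac
}

# has_32bit_loader -> 0 when a 32-bit glibc dynamic loader is present.
# Assumed indicator that 32-bit compatibility libraries are installed.
has_32bit_loader() {
    [ -e /lib/ld-linux.so.2 ] || [ -e /lib32/ld-linux.so.2 ]
}

# mem_total_mb -> prints MemTotal from /proc/meminfo in MB.
mem_total_mb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024; exit }' /proc/meminfo
}

# free_disk_mb DIR -> prints free space, in MB, on the filesystem holding DIR.
free_disk_mb() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# check_endpoint AGENT_VERSION [INSTALL_DIR]
# Returns 0 when every minimum is met, 1 otherwise; prints one line per check.
check_endpoint() {
    agent_ver="$1"
    install_dir="${2:-/opt}"   # assumed install location, not from the guide
    rc=0

    if version_ge "$agent_ver" 5.0.3; then
        echo "OK   McAfee Agent $agent_ver (minimum 5.0.3)"
    else
        echo "FAIL McAfee Agent $agent_ver is older than 5.0.3"; rc=1
    fi

    arch=$(uname -m)
    if needs_32bit_libs "$arch"; then
        if has_32bit_loader; then
            echo "OK   64-bit system ($arch) has 32-bit compatibility libraries"
        else
            echo "FAIL 64-bit system ($arch) lacks 32-bit compatibility libraries"; rc=1
        fi
    else
        echo "OK   32-bit system ($arch), no compatibility libraries needed"
    fi

    mem=$(mem_total_mb 2>/dev/null); mem=${mem:-0}
    if [ "$mem" -ge 2048 ]; then
        echo "OK   RAM ${mem} MB (minimum 2 GB)"
    else
        echo "FAIL RAM ${mem} MB is below 2 GB"; rc=1
    fi

    disk=$(free_disk_mb "$install_dir" 2>/dev/null); disk=${disk:-0}
    if [ "$disk" -ge 1024 ]; then
        echo "OK   free disk ${disk} MB on $install_dir (minimum 1 GB)"
    else
        echo "FAIL free disk ${disk} MB on $install_dir is below 1 GB"; rc=1
    fi
    return "$rc"
}

# Usage: sh ar_preflight.sh <agent-version> [install-dir]
if [ "$#" -gt 0 ]; then
    check_endpoint "$@"
fi
```

Run it on the endpoint with the installed agent version as the first argument; a non-zero exit status marks a system that should be fixed or excluded before the Product Deployment task is started, which avoids the slow-system timeouts described above being mistaken for prerequisite failures.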

Uninstall clients

Remove Active Response clients from endpoints.

This procedure does not remove Endpoint Security, Threat Intelligence Exchange server, or Data Exchange Layer. For details about uninstalling software, see the McAfee ePolicy Orchestrator Installation Guide.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | System Tree.

3 From the Systems tab, select the endpoints where you want to uninstall Active Response clients. Then select Actions | Agent | Run Client Task Now.

4 Start a new client task to uninstall Active Response clients.

a Under Product, select McAfee Agent.

b Under Task Type, select Product Deployment.

c Under Task Name, select Create New Task.

d In Target platforms, select Windows or Linux.

e In Products and components, select the Active Response client package.

If you have more than one version in your Master Repository, select the latest Active Response package version.

f In the Action drop-down list, select Remove.

5 Click Run Task Now.


Viewing Active Response status

You can view the status of the Active Response server, the TIE server, and the DXL brokers. You can also see the status of Cloud Storage and service availability, and the Active Response deployments on managed endpoints.

View health status

The Health Status page shows the status of Active Response and its components.

Task

For details about product features, usage, and best practices, click ? or Help.

• Select Menu | Systems | Active Response Health Status.

The Active Response Health Status page shows this information:

• Total endpoints — The total number of endpoints in the environment where Active Response is deployed, awaiting deployment, incompatible, or deployment failed.

• Active Response deployed — The number of endpoints currently running Active Response.

• Ready for Active Response deployment — An installation or deployment task is pending, but has not yet run.

• Incompatible with Active Response — An Active Response requirement on the endpoint is not met, for example, an unsupported version of Endpoint Security or McAfee Agent.

• Active Response deployment failed — An installation or deployment task ran but failed to complete.

• Active Response Server — Status of the Active Response server and a link to its configuration page. If the server is not available, click the link to troubleshoot the issue.

• DXL Brokers — Status of the DXL brokers and a link to their configuration page. If a broker is not available, click the link to troubleshoot the issue.

• Threat Intelligence Exchange Servers — Status of the TIE servers and a link to their configuration page. If a server is not available, click the link to the Health page to troubleshoot the issue.

• Cloud Storage and Services — Status of the Cloud Services required for Active Response.

Install content packages

Install content packages to get new collectors and reactions, or new versions of existing built-in collectors and reactions.

New versions of collectors and reactions in the content package might make some of your saved searches and triggers unusable. This only happens if the update changes a built-in collector output field, or if the update changes built-in reaction arguments. Check the Active Response Content Package Release Notes for information about changes to collectors and reactions introduced by a content package.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and check in the Active Response content package.

Content packages have this naming convention: BaseActiveResponseContent-MajorVersion.MinorVersion.PatchVersion-BuildVersion.zip

If you have Auto Update enabled for deployments, after the package checks in to the Master Repository it is installed automatically. If you do not have Auto Update enabled, create an update deployment task.
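An added example (not McAfee code) of applying that naming convention when a repository directory holds several content packages: it parses the version fields out of the file name and picks the newest by numeric comparison, which matters because a plain string sort ranks 2.0.9 above 2.0.10. The file names in SAMPLE_LISTING are constructed for the example and are not real release artifacts.

```python
import re

# Naming convention from the guide: BaseActiveResponseContent-Major.Minor.Patch-Build.zip
_PACKAGE_RE = re.compile(r"^BaseActiveResponseContent-(\d+)\.(\d+)\.(\d+)-(\d+)\.zip$")

def parse_content_package(filename):
    """(major, minor, patch, build) as ints, or None when the name does not follow
    the convention (other package family, missing build number, not a .zip)."""
    m = _PACKAGE_RE.match(filename)
    return tuple(int(g) for g in m.groups()) if m else None

def latest_content_package(filenames):
    """Newest content package by numeric version; names that do not match are skipped.

    Numeric comparison is the point: a plain string sort ranks 2.0.9 above 2.0.10
    because '9' > '1', and would pick the wrong file to check in."""
    candidates = [(version, name) for name in filenames
                  if (version := parse_content_package(name)) is not None]
    return max(candidates)[1] if candidates else None

# Constructed directory listing for this example; not real release artifacts.
SAMPLE_LISTING = [
    "BaseActiveResponseContent-2.0.0-101.zip",
    "BaseActiveResponseContent-2.0.9-300.zip",
    "BaseActiveResponseContent-2.0.10-7.zip",
    "BaseActiveResponseContent-2.0.10.zip",   # no build number: ignored
    "mar-extensions-2.0.0.zip",               # different package family: ignored
]

if __name__ == "__main__":
    print(latest_content_package(SAMPLE_LISTING))   # BaseActiveResponseContent-2.0.10-7.zip
```

The same numeric comparison applies when the uninstall procedure tells you to pick the latest client package from several in the Master Repository; only the prefix in the regular expression changes.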


3 Upgrade

A complete upgrade installs a new Active Response server, extensions, and client packages.

To minimize down-time during the upgrade process, install components in this order:

• Active Response server: Active_Response_{version}.zip

• Active Response extensions: mar-extensions-{version}.zip

• DXL and Active Response clients on managed systems

Contents

Upgrade the Active Response server
Upgrade the McAfee ePO extensions
Upgrade clients

Upgrade the Active Response server

Manage Active Response server update packages in the McAfee ePO Software Manager.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Software Manager and check in the Active Response Server package.

3 Deploy the update package.

a Select Menu | Software | Product Deployment, then click New Deployment.

b In the Package drop-down list, select the server update package.

c Click Select Systems to select the Active Response server in your network.

d Select Run Immediately and click Save to start deployment.

After the update package is installed, see Upgrade the McAfee ePO extensions to continue.

Upgrade the McAfee ePO extensions

Upgrade the Active Response extensions on McAfee ePO.

Before you begin

An Active Response server of the same or later version must be installed.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Locate the Active Response Extensions Bundle.

3 Click Check in.

4 Accept the License Agreement, then click OK.

After the extensions are installed, upgrade the Active Response client.

See also Upgrade clients on page 22

Upgrade clients

Install a newer Active Response client version on managed systems to upgrade clients.

If an endpoint is using McAfee Agent 5.0.2 or earlier, you must upgrade that endpoint to McAfee Agent 5.0.3 or later before installing and deploying Active Response clients.

You can upgrade Active Response clients while they are online. As soon as the new version is installed, clients respond to the Active Response server.

To complete the upgrade, follow the instructions in Install Clients.


4 Configuration

Configure the Active Response extensions, service, and clients from McAfee ePO.

Contents

Network ports
Active Response Service configuration
Client configuration
Access management

Network ports

Active Response uses these ports for network connectivity.

Make sure your network settings are not blocking access to the Active Response server and clients through these ports.

Table 4-1 Server ports

Port number | Open to | Incoming connections | Outgoing connections
443 | Connect to extensions on the McAfee ePO server. | Yes | Yes
8883 | Connect the DXL broker to the DXL client on the McAfee ePO server. | Yes | Yes
8081 | Connect McAfee Agent to the McAfee ePO server. | Yes | Yes
22 | Connect remotely through ssh to perform maintenance tasks. | Yes | Yes
123 UDP | Network Time Protocol. | Yes | Yes

Table 4-2 Client ports

Port number | Open to | Incoming connections | Outgoing connections
8081 | Connect McAfee Agent to a McAfee ePO server. | Yes | Yes
8883 | Connect the DXL client to a DXL broker. | Yes | Yes
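An added example (not part of the product or of this guide) of the check the paragraph above implies: it attempts a TCP connect to each port in Tables 4-1 and 4-2 from the machine that needs to reach them, so a blocked port is found before a deployment task fails for an unclear reason. It assumes the ports not marked UDP are TCP, keeps 123/UDP separate because a TCP connect cannot probe it, and takes the connect function as a parameter so the logic can be exercised without a network; the hostname mar-server.example is a placeholder.

```python
import socket
from contextlib import closing

# Ports from Table 4-1 (server) and Table 4-2 (client). Assumed TCP except
# 123/UDP (NTP), which a TCP connect cannot probe and so is listed separately.
SERVER_TCP_PORTS = {
    443: "extensions on the McAfee ePO server",
    8883: "DXL broker to DXL client on the McAfee ePO server",
    8081: "McAfee Agent to the McAfee ePO server",
    22: "ssh for maintenance tasks",
}
SERVER_UDP_PORTS = {123: "Network Time Protocol"}
CLIENT_TCP_PORTS = {
    8081: "McAfee Agent to a McAfee ePO server",
    8883: "DXL client to a DXL broker",
}

def tcp_connect(host, port, timeout):
    """Real probe: complete a TCP handshake and close straight away."""
    with closing(socket.create_connection((host, port), timeout=timeout)):
        return True

def check_tcp_ports(host, ports, timeout=3.0, connect=tcp_connect):
    """Probe each port; return {port: (reachable, detail)}.

    `connect` is injectable so the logic can be exercised without a network
    (the hostname used below is a placeholder and does not resolve)."""
    results = {}
    for port, purpose in ports.items():
        try:
            connect(host, port, timeout)
            results[port] = (True, purpose)
        except OSError as exc:  # refused, timed out, unroutable, DNS failure
            results[port] = (False, f"{purpose}: {exc}")
    return results

def blocked_ports(results):
    """Ports that did not answer, sorted, ready for a firewall change request."""
    return sorted(port for port, (ok, _) in results.items() if not ok)

if __name__ == "__main__":
    # Placeholder hostname for illustration only.
    for port, (ok, detail) in check_tcp_ports("mar-server.example", SERVER_TCP_PORTS).items():
        print(f"{port:>5} {'open' if ok else 'BLOCKED'}  {detail}")
    print("UDP not probed, check separately:", SERVER_UDP_PORTS)
```

Run it from a managed endpoint against the server with CLIENT_TCP_PORTS, and from the server against the McAfee ePO host with SERVER_TCP_PORTS; a successful handshake only proves the port is open, not that the service behind it accepts the client's certificate.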


Active Response Service configuration

Configure how the Active Response service works. Use the Active Response option in the McAfee ePO Server Settings page.

Search execution time-to-live

Active Response search expressions execute collectors on managed endpoints. Because endpoints might come online or go offline while a collector is executing, Active Response cannot know when all endpoints that could answer have already answered. This setting tells Active Response to stop expecting search results after a certain time has passed.

Authentication

The Active Response service relies on McAfee ePO certificates to authenticate access, so that only Active Response extensions can make service requests. This configuration is set up after the installation of the Active Response service. If you change the certificates used by McAfee ePO, use this configuration option to reset the certificates in the Active Response server.

Active Response Workspace configuration

These Workspace configuration settings control what you see on the Threat Workspace. The Process instances setting controls the number of threat instances that display on the trace chart. The Events per instance setting controls the number of threat events that display on the trace chart.

Server and aggregator tags

After installation, the Active Response server and aggregator systems are automatically assigned these tags:

• MARSERVER — Identifies the Active Response server.

• MARAGG — Identifies an Active Response aggregator system.

• DXLBROKER — Identifies both the Active Response server and the aggregators.

You can review and edit the tags applied to your systems in the McAfee ePO System Tree.

Client configuration

Use McAfee ePO policies to configure Active Response clients.

Using policies, you can:

• Set the maximum number of results returned by search expressions.

• Enable endpoints to execute triggers.

• Enable Network Flow and File Hashing collectors and triggers.

• Enable the Trace plug-in on the endpoint. This is required to see threat activity in the Threat Workspace.

• Set database limits and maximum number of results returned by the Network Flow collector.

• Set database limits, maximum number of results returned, and files excluded by the File Hashing collector.


• Set database and data limits for the Trace collector.

• Enable system logging on managed endpoints.

Preset McAfee ePO policies

After installing Active Response, the following McAfee ePO policies are available in the Policy Catalog:

• McAfee Default — This is the policy enforced by default after installation. When this policy is enforced, Network Flow and Trace collectors are enabled. Triggers and File Hashing are disabled.

• Full Visibility — When this policy is enforced, Network Flow, File Hashing, and Trace collectors are enabled. Triggers are disabled.

• Full Monitoring — When this policy is enforced, all collectors and triggers are enabled.

Create an Active Response policy

Create an Active Response policy with custom settings.

TaskFor details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Policy | Policy Catalog.

2 From the Product list, select Active Response.

3 Select New Policy, or select an existing policy and select Duplicate.

4 Enter a name and a brief description for the new policy, then click OK.

5 Complete the fields on the Policy Catalog page for the options you want to apply to the policy.

After you create a policy, assign it to managed systems to configure the Active Response clients on those systems. See the McAfee ePO documentation for information about assigning policies.

Access management

After installation, Active Response creates permission sets to manage access to its resources.

• Group Active Response Editor — allows access to all features and resources. Most importantly, this permission set allows users to create, edit, and delete collectors, triggers, and reactions. Assign this permission set to users that need to:

• Create custom content.

• Set triggers to automatically catch events on endpoints and execute reactions.

• Back up or share custom content with other McAfee ePO instances.

• Group Active Response Responder — allows access to Active Response Search. It also allows users to see the content and configuration of collectors, triggers, and reactions, but not to edit or delete them. Assign this permission set to users that need to:

• Actively monitor endpoints for indicators of compromise.

• Quickly execute reactions from Active Response Search results.


• Group Active Response Responder Workspace Monitor — allows access to the Threat Workspace and Active Response Search functions. It allows users to see threat behavior activity, and to execute searches to investigate a threat, but not to take remediation actions. Assign this permission set to users that need to:

• Actively monitor endpoints for indicators of compromise.

• Inform incident responders who can remediate a possible threat.

• Group Active Response Workspace Responder — allows full access to the Threat Workspace and Active Response Search functions. It allows users to see threat behavior activity, execute searches to investigate a threat and take immediate action through the Threat Workspace, or automate tasks on endpoints through triggers and reactions. Assign this permission set to users that need to:

• Actively monitor endpoints for indicators of compromise.

• Take immediate action on endpoints using the Threat Workspace.

• Quickly execute reactions from search results.

• Create custom content.

• Set triggers to automatically catch events on endpoints and execute reactions.

• Back up or share custom content with other McAfee ePO instances.

You can also customize access management by creating your own permission sets.

Privacy information and Active Response

Active Response collects information from managed endpoints, such as user names, system names, and IP addresses. It also includes process activity such as modified registry entries, files created, and established network connections. Access to this information is available in Active Response pages in McAfee ePO. Make sure that access to these pages is authorized and appropriately managed.

McAfee ePO restrictions to the System Tree through access management configuration do not prevent Active Response users from receiving information from systems outside their authorized segment of the System Tree. Make sure that Active Response users are qualified and trained to appropriately handle private information from your users' systems.

Intel Security also collects data that is not personally identifiable to further enhance threat intelligence, but cannot search the data or trace it back to a specific organization. For more information, review the License Agreement.


5 Using Active Response

Use Active Response to search incidents, collect data, trigger reactions, and take action on threats in your environment.

Contents

Using the Threat Workspace
Searching endpoint data
Collecting endpoint data
Reacting to incidents
Catching threats
Adding custom content
Backing up and sharing content
Error codes

Using the Threat Workspace

The Threat Workspace is where you can see all potential threats on managed endpoints and respond to them.

This is where you can detect and remediate threats in one place. Actions performed on threats areimmediately made available to all managed endpoints in the environment.

Threat Workspace

There are several parts to the Threat Workspace where you can view and react to threats. The workflow moves from left to right.

Only information from Microsoft Windows systems is included on the Threat Workspace. Dates displayed throughout Active Response are based on the timezone setting in the user's browser.


Table 5-1 Parts of the Threat Workspace

Total Threats
When a process executes on a managed endpoint, its behavior is traced using the Active Response client. Based on the detected behavior, the process is categorized and assigned a severity level, but ultimately you decide whether it is a threat, and what to do about it. The severity levels are:

• High Risk — The process appears to be at high risk of being a threat and must be investigated and remediated immediately.

• Suspicious — The process appears suspicious and should be investigated and remediated.

• Monitored — The risk for the process cannot be determined. Active Response continues to monitor the process and changes its status based on behavior and further analysis.

Potential Threats
The processes at a particular severity level, for example, Monitored, Suspicious, or High Risk. The threats displayed are based on the selected time frame. If a process in the list is unique to your environment and is not a threat, you can set it to Known Trusted. Threats whose enterprise reputation is Known Malicious are not listed; they are blocked by the Endpoint Security protection products. However, a Known Trusted process can be listed if it exhibits suspicious behavior.

• Age is the time that has passed since the threat was first seen.

• Prevalence is the number of hosts that the threat has impacted (in the present and past).

Threat Timeline
The number of threat instances in the environment. This can be current or past instances, showing trends in the environment.

Affected Hosts
A list of managed hosts impacted by a selected potential threat. The hosts displayed are based on the time frame selected, and include only those that you have access to. You can select one or more hosts and apply an action:

• Stop process — Stops the selected threat process currently running on the hosts.

• Stop and remove — Stops the selected threat process and deletes it from the hosts.

Trace
Detailed trace information about a process for each endpoint that it ran on. You can see where the process started, registry modifications, network connections, and file creation events for the selected process. These events are represented by circular icons on the trace chart. A numbered badge on the event icon indicates that there are multiple instances of the same event.

• Clicking an event icon shows details about the event and enables you to perform an action for the selected host. For example, you can stop and remove a particular process from the host that you're investigating.

• You can expand the trace chart to full-screen view.

• The JSON details of the processes that are displayed in the trace chart can be saved to a file.

• A navigation bar along the top of the trace chart shows activity spikes, and enables you to select the time frame to view in the trace chart.

Reputation
The selected threat's reputation information from the TIE server. You can perform an action on a threat, and that action applies throughout the environment wherever the threat is present.

• Make Known Malicious — Changes the reputation of the selected process to Known Malicious and updates the reputation information in the TIE database. The process is blocked and cleaned on systems that use TIE policies that block malicious files. The process continues to display on the Threat Workspace until the action is successfully completed on all affected hosts.

• Make Known Trusted — Changes the reputation of the selected process to Known Trusted and updates the reputation information in the TIE database.

Threat Details
Detailed information about the file. Selecting More displays additional information about the threat.

Investigate and remediate a threat

You can view the list of potential threats and easily see data about what the threat is, how long it has been in your environment, and which host systems are affected. You can then remediate the threat without having to open another window or product.

If an endpoint is offline, the most current endpoint data might not be available in the Threat Workspace. In that case, the Threat Workspace displays past information that is available in the cloud storage. Remediation actions performed on outdated threat information might not affect those endpoints that are offline, or the threats that are no longer active.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Workspace.

2 Select the type of threats you want to see, for example High Risk, Suspicious or Monitored.

The Potential Threats list shows all threat processes of that type. A process can appear as a threat, but ultimately you decide whether it is, and what to do about it.

To find a specific threat, select Total to see all threats and use the search box to filter. You can search for a process name, file hash, IP address, or registry key.

3 Select a threat from the Potential Threats list.


The information about that threat is displayed on the Threat Workspace.

• The Affected Hosts list shows detailed information about each host affected by the threat. These can be hosts where the threat is running or has run in the past. This information comes from the Threat Intelligence module or Endpoint Security Adaptive Threat Protection module on the endpoint.

• The Reputation and Threat Details panes show detailed information about the file that generated the threat. Click More to see additional details.

• The Trace information shows details about where the threat started on a particular host, what other processes it started, and how those processes moved through the hosts in your environment. You can change what is visible on the Trace time line, for example, processes, files, registry keys, and network connections. Clicking an event on the time line displays its details in the Event Details pane.

Clicking a link in the Event Details pane opens a separate browser tab for advanced searching. For example, on a network event, you can search for more outgoing or incoming flow from that endpoint. On a registry event, you can search for the same registry key on other endpoints. Or search for the same file path or file hash on other endpoints.

4 Select an action to perform on the selected threat process:

• To perform an action on one or more selected hosts — Select one or more hosts in the Affected Hosts list, then select Host Actions to either stop the process currently running and leave it on the host, or stop the process and delete it from the host. If you stop a process and leave it on the host, you can restart it later.

• To perform an action from the Trace time line — Select an event icon for the process you want to stop, then select Host Actions to either stop the process currently running and leave it on the selected host, or stop the process and delete it from the host.

• To perform a global action on all hosts — From the Reputation pane of the selected threat, change the threat process's reputation to Known Malicious or Known Trusted. The new reputation setting is updated and saved in the Threat Intelligence Exchange database, and the process is either blocked or allowed to run on managed endpoints throughout your environment, depending on the TIE policy configurations.

When you perform an action on a process, a progress indicator appears next to the threat in the Potential Threats list, showing that the action is in progress. Go to the Remediation History page to see details about the action.

View threat remediation history

When an action is taken on a threat process in the Threat Workspace, a remediation item is created. You can view the remediation actions that were taken on specific threats, regardless of who initiated them.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Click the Remediation History link at the top of the Threat Workspace. Or, select Menu | Reporting | Remediation History.

The Remediation History page shows the threat processes that have been remediated. The information includes the action taken, the number of host systems affected by the remediation, and other details about the threat process.


2 Select an action to see its details.

• Selecting Make Known Malicious or Make Known Trusted shows the current Threat Intelligence Exchange reputation information for the file.

• Selecting Stop process or Stop and remove shows details about the threat, including where it was running, the McAfee Agent GUID, and event information.

3 Select Impacted Hosts to see a list of the host systems affected by a specific threat.

Tasks

• Delete threat remediation history on page 31
Use a server task to delete threat remediation history information.

Delete threat remediation history

Use a server task to delete threat remediation history information.

Server tasks are configurable actions that run on McAfee ePO at a scheduled time or at intervals. You can create a server task to delete remediation entries older than a specified age.

TaskFor details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Automation | Server Tasks, then click New Task.

2 Give the task an appropriate name, and decide whether the task has a Schedule status. If you want the task to run automatically at set intervals, click Enabled, then click Next.

3 From the Actions drop-down list, click Purge Remediation History. Specify how old a remediation record must be before it's purged, then click Next.

4 Choose the schedule type (the frequency), start date, end date, and schedule time to run the task.

The Summary page appears.

5 Click Save to save the task.

The new task appears in the Server Tasks list.

Searching endpoint data

Active Response searches data on your managed endpoints in real time.

To avoid stressing the network, all searches time out automatically after a configurable amount of time. See Active Response Service configuration for more information.

The search box understands a simple syntax to combine collectors and build powerful search expressions and filters. A search expression consists of two parts:

• A projection of at least one collector. The collector name specifies the data that Active Response returns. The projection lists the output fields that appear as columns in the Search results table. If no output fields are specified, the default output fields are presented.

• Optionally, a filter applied to the values in the output fields. Filters specify conditions to match in returned data. Only data that matches the filter appears in the Search results table.


Simple search expression

Get all records returned by the Processes collector.

Processes

Search expression with projected fields

Get the name, SHA1, and MD5 values for all records returned by the Processes collector.

Processes name,sha1,md5

Search expression with filtered values

Get the name, SHA1, and MD5 values from the Processes collector, for process files that have the ".exe" extension.

Processes name, sha1, md5 where Processes name contains ".exe"

Search expression with multiple collectors in the projection

Get the name and path of process files that currently spawn more than five threads.

Processes name and Files dir where Processes threadCount greater than 5
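The grammar sketched above and expanded under Search syntax (a projection of one or more collectors joined with and, then an optional where filter of the form Collector field operator value) is small enough to parse and evaluate locally, which is useful for validating saved searches before a content package update changes a collector's output fields. The following is an added example, not product code: the grammar is inferred only from the expressions shown on this page (the three operators contains, greater than and greater equal than, and no other forms), the collector names are the ones this chapter cross-references, the "Collector field" column naming is an assumption, and SAMPLE_ROWS is constructed data standing in for collector output.

```python
import re
from dataclasses import dataclass

# Collector names this chapter cross-references under Searching endpoint data.
COLLECTORS = {"CurrentFlow", "Files", "HostEntries", "HostInfo", "InstalledUpdates",
              "LocalGroups", "NetworkFlow", "Processes", "UserProfiles", "WinRegistry"}
OPERATORS = ("greater equal than", "greater than", "contains")   # longest phrase first
KEYWORDS = {"and", "where"}
_TOKEN = re.compile(r'"([^"]*)"|(,)|([^\s,"]+)')                # quoted | comma | word

@dataclass
class Projection:
    collector: str
    fields: list            # empty: the collector's default output fields

@dataclass
class Filter:
    collector: str
    field: str
    op: str
    value: object

class SearchSyntaxError(ValueError):
    """Input on which the GUI would keep the Search button disabled."""

def tokenize(text):         # commas need no surrounding spaces, as in name,sha1,md5
    return [("STR", m[1]) if m[1] is not None else ("COMMA", ",") if m[2] else ("WORD", m[3])
            for m in _TOKEN.finditer(text)]

def parse_search(text):
    """Return (projections, filter_or_None) or raise SearchSyntaxError."""
    toks, pos = tokenize(text), 0
    word = lambda i: toks[i][1] if i < len(toks) and toks[i][0] == "WORD" else None
    def collector(i):
        if word(i) not in COLLECTORS:
            raise SearchSyntaxError(f"expected a collector name, got {word(i)!r}")
        return word(i)

    projections = []
    while True:                                   # projection ('and' projection)*
        name, pos = collector(pos), pos + 1
        start = pos
        while pos < len(toks) and toks[pos][0] != "STR" and word(pos) not in KEYWORDS:
            pos += 1
        kinds = [k for k, _ in toks[start:pos]]   # must look like WORD (COMMA WORD)*
        if kinds and kinds != ["WORD", "COMMA"] * (len(kinds) // 2) + ["WORD"]:
            raise SearchSyntaxError("projection fields must be comma-separated")
        projections.append(Projection(name, [v for k, v in toks[start:pos] if k == "WORD"]))
        if word(pos) != "and":
            break
        pos += 1

    flt = None
    if pos < len(toks):                           # optional: where Collector field op value
        if word(pos) != "where":
            raise SearchSyntaxError(f"expected 'and' or 'where', got {toks[pos][1]!r}")
        name, field, pos = collector(pos + 1), word(pos + 2), pos + 3
        if not field or field in KEYWORDS:
            raise SearchSyntaxError("filter needs an output field")
        for op in OPERATORS:
            n = len(op.split())
            if [word(pos + k) for k in range(n)] == op.split():
                pos += n
                break
        else:
            raise SearchSyntaxError("unknown filter operator")
        if pos != len(toks) - 1:
            raise SearchSyntaxError("filter needs exactly one value after the operator")
        kind, raw = toks[pos]
        if op == "contains":
            value = raw                           # quoted or bare text
        elif kind == "WORD" and raw.lstrip("-").isdigit():
            value = int(raw)                      # numeric comparison
        else:
            raise SearchSyntaxError(f"'{op}' needs a numeric value")
        flt = Filter(name, field, op, value)
    return projections, flt

def matches(flt, row):
    """Evaluate the filter against one row shaped {collector: {field: value}}."""
    if flt is None:
        return True
    actual = row.get(flt.collector, {}).get(flt.field)
    if actual is None or flt.op == "contains":
        return actual is not None and flt.value in str(actual)
    return actual > flt.value if flt.op == "greater than" else actual >= flt.value

def project(parsed, rows):
    """Rows that pass the filter, reduced to the projected "Collector field" columns."""
    projections, flt = parsed
    return [{f"{p.collector} {f}": row.get(p.collector, {}).get(f)
             for p in projections for f in (p.fields or list(row.get(p.collector, {})))}
            for row in rows if matches(flt, row)]

SAMPLE_ROWS = [   # constructed sample data, one row per process; not real collector output
    {"Processes": {"name": "svchost.exe", "id": 812, "threadCount": 14}, "Files": {"dir": "C:\\Windows\\System32"}},
    {"Processes": {"name": "notepad.exe", "id": 4410, "threadCount": 5}, "Files": {"dir": "C:\\Windows"}},
    {"Processes": {"name": "bash", "id": 2201, "threadCount": 1}, "Files": {"dir": "/usr/bin"}},
]
```

parse_search rejects what the GUI's disabled Search button would reject (a dangling comma, an unknown collector, a non-numeric value after greater than), and project applies a parsed expression to rows and returns only the filtered, projected columns, the way the Search results table does. The real product accepts more operators and collectors than this example knows about; extend OPERATORS and COLLECTORS from the collector reference pages rather than guessing.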

System Tree restrictions to search results

When you run a search expression, not every endpoint on the DXL fabric replies with results. Results come only from those endpoints where your McAfee ePO administrator has granted access to you. For example, suppose that you have access to endpoints in China and don't have access to endpoints in Poland. When you run a search expression, only endpoints in China reply with results.

These access restrictions are set in the System Tree sections of the Permission Sets that apply to your McAfee ePO user.

Use the search box

Write search expressions to navigate results.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Search.

2 In the Search box, enter a search expression.

See Search syntax for details about writing search expressions.


3 Click Search to start collecting data from managed endpoints.

If Search is disabled, check for errors in the search expression.

• Click Cancel to stop an ongoing search.

• Click Save search to store the search expression in the Searches tab of the Active Response Catalog.

Get the names and IDs of processes that execute 10 or more threads:

Processes name, id where Processes threadCount greater equal than 10

See also
Search syntax on page 34
CurrentFlow collector on page 37
Files collector on page 38
HostEntries collector on page 39
HostInfo collector on page 40
InstalledUpdates collector on page 41
LocalGroups collector on page 42
NetworkFlow collector on page 43
Processes collector on page 45
UserProfiles collector on page 48
WinRegistry collector on page 49

Save a search expression

You can save any number of expressions in the Searches tab of the Active Response Catalog.

For details about product features, usage, and best practices, click ? or Help.

Task

1 Select Menu | Systems | Active Response Search.

2 In the Search box, type a search expression.

3 Click Save search.

4 Enter a name and description for the search expression. This information appears as details in the Searches tab of the Active Response Catalog.

5 Click OK.

See also Search syntax on page 34

Use a saved search expression

Quickly start an Active Response search from a previously saved search expression.

Before you begin

A search expression must be saved in the Active Response Catalog to complete this task.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Active Response Catalog | Searches.

2 Click the name of the search expression that you want to run.

To import, export, or delete saved search expressions, use Actions in the Searches tab of the Active Response Catalog.

See also Search syntax on page 34

Search syntax

Use this detailed example to create powerful, real-time searches.

Get the names and IDs of processes that execute 10 or more threads.

Processes name, id where Processes threadCount greater equal than 10

Projection

The projection clause specifies which columns to show in the search results table. This example shows only two columns: process name and id.

Processes name, id

Term Name Description

Processes Collector name Specifies the search capabilities and output fields of the specific collector. In the example, the collector for running processes is selected.

name, id Collector output fields Selects output fields from the collector. In the projection, each output field represents a column in the result table.

Filter

The filter clause specifies conditions to match in the returned data. Only data that matches the filter appears in the search results table. In this example, only processes that execute 10 or more threads match the filter.

where Processes threadCount greater equal than 10

Term Name Description

where Filter keyword The keyword that starts a filter clause.

Processes Collector name Specifies the search capabilities and output fields of the specific collector. In the example, the collector for running processes is selected.

threadCount Collector output field Specifies which output field from the collector is matched against the condition.


greater equal than Comparison operator The operator that defines the condition to match. Different operators are available for different literal types.

10 Literal A literal value.

Logical operators

Operator Used in Usage Description

and Projections and filters
Projection: Processes name and Files dir
Filter: where Processes name starts with "abc" and Processes threadCount equals 5
In a projection, and selects output fields from different collectors. In a filter, it displays a result record if both the first condition and the second condition are true.

or Filters
where Processes name starts with "abc" or Processes name starts with "xyz"
Displays a result record if either the first condition or the second condition is true.

not Filters
where Processes name not starts with "abc"
Negates a comparison operator, so that the condition returns true if the comparison is false, or returns false if the comparison is true.

Comparison operators

Data type Operator Usage

Timestamp before where Files last_write before "2014-12-31"
Timestamp after where Files last_write after "2014-12-31"
Number equals where Files size equals 1024
Number greater than where Files size greater than 1024
Number greater equal than where Files size greater equal than 1024
Number less than where Files size less than 1024
Number less equal than where Files size less equal than 1024
String equals where Files name equals "abc"
String contains where Files name contains "abc"
String starts with where Files name starts with "abc"
String ends with where Files name ends with "abc"
IP equals where NetworkFlow src_ip equals 10.250.45.15
IP contains where NetworkFlow src_ip contains 10.250.0.0/24

All string comparisons are case insensitive.

Filtering by IPv4 omits IPv6 results and, likewise, filtering by IPv6 omits IPv4 results.


Literals

When searching for a path, you must escape each \ in the directory path with a second \, for example, Users\\Administrator\\Documents. When searching for a value that includes a double quotation mark, put the \ character before the quotation mark, for example, Files where Files name contains "\"".

Type Sample values

Timestamp "2014", "2014-12", "2014-12-31"
Number 123, 123.45
IP 10.250.45.15, 10.250.45.15/24, 2001:0DB8::1428:57ab, 2001:0DB8::1428:57ab/96
String "aString123", "This is another string", "quotes\"in\"string"
Win Registry String "My Computer\\HKEY_LOCAL_MACHINE\\HARDWARE\\VIDEO", "0x00000001"
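The grammar described in this section (projection, optional where filter, and/or/not, multi-word comparison operators, typed literals) is small enough to check offline before a search is sent to the fabric, which is useful when a saved search stops returning results and the Search button is disabled. The following Python is an added example, not part of this guide and not McAfee code: it tokenizes an expression, splits it into projection and filter, and validates collector names, output fields, operator/literal-type pairs and escaped string literals against a small schema. SCHEMA is an assumed subset copied from the collector tables later in this chapter; nothing here talks to McAfee ePO or DXL.

```python
"""Offline validator for the search grammar above. Added example, not McAfee code;
SCHEMA is an assumed subset of the collector field tables in this chapter."""
import ipaddress
import itertools
import re

SCHEMA = {  # collector -> {output field: literal type}
    "Processes": {"name": "String", "id": "Number", "threadCount": "Number"},
    "Files": {"name": "String", "dir": "String", "size": "Number", "last_write": "Timestamp"},
    "NetworkFlow": {"src_ip": "IP", "dst_ip": "IP", "process": "String", "process_id": "Number"},
}
OPERATORS = {  # comparison operator -> literal types it accepts (comparison table)
    "equals": {"Number", "String", "IP"}, "contains": {"String", "IP"}, "starts with": {"String"},
    "ends with": {"String"}, "before": {"Timestamp"}, "after": {"Timestamp"},
    "greater than": {"Number"}, "greater equal than": {"Number"}, "less than": {"Number"},
    "less equal than": {"Number"},
}
OP_ORDER = sorted(OPERATORS, key=len, reverse=True)  # match the longest operator first
TOKEN_RE = re.compile(r'"(?P<STR>(?:\\.|[^"\\])*)"|(?P<COMMA>,)|(?P<WORD>[^\s,]+)')

def tokenize(expr):
    # One STR token per quoted literal, with the documented \\ and \" escapes resolved.
    return [(m.lastgroup, re.sub(r"\\(.)", r"\1", m.group(m.lastgroup)))
            for m in TOKEN_RE.finditer(expr)]

def field_type(collector, name=None):
    """Declared type of collector.name per SCHEMA (name=None: only check the collector)."""
    fields = SCHEMA.get(collector)
    if fields is None or (name is not None and name not in fields):
        raise ValueError(f"unknown collector or field: {collector} {name or ''}".strip())
    return fields.get(name)

def literal_type(kind, text):
    # Quoted -> Timestamp or String; bare -> Number or IP/CIDR (see the literal table).
    if kind == "STR":
        return "Timestamp" if re.fullmatch(r"\d{4}(-\d{2}){0,2}", text) else "String"
    if re.fullmatch(r"-?\d+(\.\d+)?", text):
        return "Number"
    try:
        ipaddress.ip_network(text, strict=False)
        return "IP"
    except ValueError:
        raise ValueError(f"unrecognised literal {text!r}") from None

def _condition(toks, i):
    # 'Collector field [not] <operator> <literal>' starting at toks[i].
    if i + 1 >= len(toks) or toks[i][0] != "WORD" or toks[i + 1][0] != "WORD":
        raise ValueError("incomplete condition")
    collector, field = toks[i][1], toks[i + 1][1]
    ftype, i = field_type(collector, field), i + 2
    negate = i < len(toks) and toks[i] == ("WORD", "not")
    i += int(negate)
    words = [t[1] for t in itertools.takewhile(lambda t: t[0] == "WORD", toks[i:i + 3])]
    op = next((o for o in OP_ORDER if words[:len(o.split())] == o.split()), None)
    if op is None or i + len(op.split()) >= len(toks):
        raise ValueError(f"missing operator or literal after {collector} {field}")
    i += len(op.split())
    ltype = literal_type(*toks[i])
    if ltype == "Timestamp" and ftype == "String":
        ltype = "String"  # "2014" is also a valid string literal
    if ftype not in OPERATORS[op] or ltype != ftype:
        raise ValueError(f"{op!r} cannot compare {ftype} field {field} with a {ltype} literal")
    return {"collector": collector, "field": field, "not": negate, "op": op, "value": toks[i][1]}, i + 1

def parse(expr):
    """{'projection': [(collector, [fields])], 'filter': [cond, 'and'|'or', cond, ...]}"""
    toks = tokenize(expr)
    cut = toks.index(("WORD", "where")) if ("WORD", "where") in toks else len(toks)
    projection, group = [], []
    for t in toks[:cut] + [("WORD", "and")]:  # sentinel closes the last projection group
        if t != ("WORD", "and"):
            group.append(t)
            continue
        if not group or group[0][0] != "WORD":
            raise ValueError("expected a collector name in the projection")
        collector, fields = group[0][1], [f[1] for f in group[1:] if f[0] != "COMMA"]
        for name in fields or [None]:  # a bare collector name selects its default columns
            field_type(collector, name)
        projection.append((collector, fields))
        group = []
    conditions, i, filt = [], 0, toks[cut + 1:]
    if cut < len(toks) and not filt:
        raise ValueError("empty filter after 'where'")
    while i < len(filt):
        cond, i = _condition(filt, i)
        conditions.append(cond)
        if i < len(filt):  # further conditions must be joined by and/or
            if filt[i] not in (("WORD", "and"), ("WORD", "or")) or i + 1 == len(filt):
                raise ValueError(f"unexpected {filt[i][1]!r} in filter")
            conditions.append(filt[i][1])
            i += 1
    return {"projection": projection, "filter": conditions}

def is_valid(expr):
    """True if the expression parses against SCHEMA, False otherwise."""
    try:
        return bool(parse(expr))
    except ValueError:
        return False
```

Operators are matched longest first so that greater equal than is never read as greater than followed by a stray word, and quoted literals are unescaped the way the Literals table describes, so a path such as "C:\\Program Files\\" round-trips to C:\Program Files\. The validator deliberately rejects operator and type mismatches (a String field compared with greater than, a missing literal, an unknown field) rather than guessing, which is the behaviour you want before a search fans out to every endpoint you have System Tree permissions on.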

Collecting endpoint data

Active Response collects real-time data from managed endpoints. Active Response collectors are components that run on managed endpoints, executed by search expressions.

Collectors specify what data to collect from managed endpoints, and how to report it back to Active Response. There are two main types of collectors.

• Built-in — Active Response provides these collectors by default, available after installation.

• Custom — You create these collectors to gather specific data.

Collector summary

A name and description identify each collector. Give meaningful names and descriptions to collectors, based on the domain of the collected data, to easily find them in the Active Response Catalog.

Collector content

A collector's content specifies the code that Active Response executes on a managed operating system to collect data. See Custom content for information about content types and usage.

Collector output

The data returned by a collector is accessible through the collector's output fields. The output data fills the search results table after running a search expression. To create columns for the result table, a collector defines three attributes:

• Name — Sets a column header.

• Type — Specifies a data type for the values in the column. See the Literals section in Search syntax for a list of available data types.

• Show by default — Sets the column to appear by default in the search results table.


Built-in collectors

Active Response provides several collectors, available out of the box after installation.

CommandLineHistory collector

Returns the command line history from managed Linux endpoints.

Collector output (Only on Linux)

Field Type Description

user String The user who runs the command.

ID Number The incremental execution sequence number (number 1 is the first command executed).

CommandLine String The command executed.

Which commands are available and how many entries are returned depend on the shell history configuration already in place on each endpoint.

Show history of the usage of the service command

CommandLineHistory where CommandLineHistory command_line contains "service"

CurrentFlow collector

The CurrentFlow collector gathers real-time data on the network flow from managed endpoints.

Collector output

Field Type Description

local_ip IPv4 or IPv6 address IP address of the source of the packet. Supports CIDR block notation.

local_port Number Port number originating the packet.

remote_ip IPv4 or IPv6 address IP address of the destination of the packet. Supports CIDR block notation.

remote_port Number Port number receiving the packet.

status String The status of the TCP transaction (not available in UDP transactions).

process_id Number The originating process' ID.

user String The user that owns the originating process.

user_id String The user ID of the process owning the socket.

proto String The packet's protocol: TCP or UDP.

md5 String The MD5 hash code for the source process.

sha1 String The SHA1 hash code for the source process.

Show process IDs for current flows originating on CIDR block 10.250.45.0/24 and targeting endpoint 10.0.0.2.

CurrentFlow process_id where CurrentFlow local_ip contains 10.250.45.0/24 and CurrentFlow remote_ip equals 10.0.0.2


See also Use the search box on page 32

DNSCache collector

The DNSCache collector shows the entries in the endpoint's local DNS cache.

Table 5-2 Collector output

Field Type Description

hostname String The host name.

ipaddress String The IP address for the host.

Show DNS information for host "ping.alot.com"

DNSCache where DNSCache hostname equals "ping.alot.com"

EnvironmentVariables collector

This collector returns information about system environment variables, current user, and volatile and process variables.

Collector output

Field Type Description

username String The owner of the process that is running in the environment where this variable is set.

process_id Number ID given by operating system to the process.

name String The variable's name.

value String Value set by variable.

Show the PATH environment variable set on endpoint 192.168.0.5

EnvironmentVariables where EnvironmentVariables name equals "PATH" and HostInfo ip_address equals 192.168.0.5

Files collector

The Files collector gathers data about managed endpoints' file systems.

Table 5-3 Collector output

Field Type Description

name String The file name.

dir String The directory path where the file lives.

When matching directories with the equals operator, a trailing path separator is needed.

Windows example: dir equals "C:\\Program Files\\"
Linux example: dir equals "/bin/"

full_name String The fully qualified file name, including its path.

size Number File size in bytes.

last_write Date The last time the operating system wrote the file.


md5 String The MD5 hash of the file's content.

sha1 String The SHA1 hash of the file's content.

created_at Date Time stamp when the file was created.

deleted_at Date Time stamp when the file was deleted.

status String Shows current for files that are currently on the file system, or deleted for files that were removed from the file system.

Show files in the C:\Windows\Boot\DVD\EFI\ path.

Files where Files dir equals "c:\\windows\\boot\\dvd\\efi\\"

File hashing

To provide information about file systems, Active Response must first complete the file hashing process to record file system metadata in its databases.

Active Response hashes only non-removable file systems.

• On Windows, Active Response hashes only media that return DRIVE_FIXED after calling the GetDriveTypeA function.

• On Linux, Active Response hashing ignores all paths that return RM = 1, TYPE = part, MOUNTPOINT != "" after running the command lsblk -o RM,TYPE,MOUNTPOINT -r.
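Because a Files search only ever sees what the hashing pass covered, it is worth knowing beforehand which Linux mount points fall under the rule above. The following Python is an added example, not McAfee code: it applies the documented RM/TYPE/MOUNTPOINT rule to the raw output format of lsblk -o RM,TYPE,MOUNTPOINT -r and separates mount points that will be hashed from those the rule excludes. SAMPLE_LSBLK is constructed output, not captured from a real host.

```python
"""Which Linux volumes will the Active Response hashing pass cover?
Added example, not McAfee code: it applies the documented lsblk rule to the raw
output of `lsblk -o RM,TYPE,MOUNTPOINT -r`. SAMPLE_LSBLK is constructed output."""

# Constructed `lsblk -o RM,TYPE,MOUNTPOINT -r` output: one space-separated row per
# block device, header first, MOUNTPOINT empty when nothing is mounted, spaces
# inside a mount point escaped as \x20 (the -r raw format).
SAMPLE_LSBLK = """\
RM TYPE MOUNTPOINT
0 disk
0 part /boot
0 part /
1 disk /mnt/stick
1 disk
1 part /run/media/owilde/USB\\x20KEY
1 rom
"""


def classify_lsblk(raw):
    """Return (hashed, ignored) mount-point lists. A mount point is ignored only when
    RM = 1, TYPE = part and MOUNTPOINT is set, exactly as the rule above states."""
    hashed, ignored = [], []
    for line in raw.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        rm, dev_type, mountpoint = (line.split(" ", 2) + ["", ""])[:3]
        mountpoint = mountpoint.replace("\\x20", " ")  # undo the raw-format space escape
        if not mountpoint:
            continue  # nothing mounted here, so nothing to hash
        (ignored if rm == "1" and dev_type == "part" else hashed).append(mountpoint)
    return hashed, ignored


if __name__ == "__main__":
    # On a real host feed in subprocess.check_output(
    #     ["lsblk", "-o", "RM,TYPE,MOUNTPOINT", "-r"], text=True) instead of the sample.
    hashed, ignored = classify_lsblk(SAMPLE_LSBLK)
    print("hashed:", hashed)
    print("ignored as removable:", ignored)
```

Note that the rule is literal: only mounted partitions (TYPE = part) on removable media are skipped, so a removable device mounted as a whole disk without a partition table (TYPE = disk, like /mnt/stick in the sample) does not match the rule and is hashed even though it is removable. If that matters for your deployment, cover it with an ignore policy rather than relying on the removable-media check.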

Restrictions

Some restrictions apply to what files are returned by the collector.

• Only endpoints where the user has System Tree permissions reply with results.

• Only files that are not excluded by ignore policies appear in search results.

• Depending on the database size limit set in the file hashing policy, information about files deleted more than 30 days ago might not appear in search results.

See also Use the search box on page 32

HostEntries collector

The HostEntries collector shows the IP addresses and host names from the hosts file on Windows and Linux endpoints.

Table 5-4 Collector output

Field Type Description

ipaddress IP An IP address set in the hosts file.

hostname String The host name mapping for the IP address.

Find endpoints whose hosts file configures access to www.malware.com.

HostEntries where HostEntries hostname equals "www.malware.com"


See also Use the search box on page 32

HostInfo collector

The HostInfo collector shows an endpoint's host name, physical IP address, and operating system version.

Table 5-5 Collector output

Field Type Description

hostname String The endpoint's host name.

ip_address IP The endpoint's first physical IP address.

os String The endpoint's operating system version.

Find all endpoints with Windows operating system.

HostInfo where HostInfo os contains "Windows"

See also Use the search box on page 32

InstalledCertificates collector

Returns information about installed certificates.

Collector output

Field Type Description

issued_to String The subject field identifies the entity associated with the public key stored in the subject public key field.

issued_by String Identifies the entity that has signed and issued the certificate.

expiration_date Timestamp Indicates the expiration date of the certificate.

purposes String The key usage extension defines the purpose (for example, encipherment, signature, and certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted.

purposes_extended String This extension indicates one or more purposes for which the certified public key might be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension appears only in end entity certificates. This field is optional. (Extended Key Usage on Linux and Enhanced Key Usage on Windows.)

friendly_name String Displays a more friendly name of the certificate. (Only on Windows)

On Linux, the collector reads the certificate bundles ca-bundle.crt and ca-bundle.trust.crt in /etc/pki/tls/certs. On Windows, certificates must be registered in the system certificate store (the Cert: drive). Certificates stored anywhere else aren't displayed.

Show the installed certificates issued by Intel

InstalledCertificates where InstalledCertificates issued_by contains "Intel"


InstalledDrivers collector

The InstalledDrivers collector shows details about drivers installed on managed endpoints.

Table 5-6 Collector output

Field Type Description

displayname String The display name for the driver.

description String A description for the driver.

last_modified_date Timestamp A date-time value indicating when the driver was last modified.

name String A short name that uniquely identifies the driver.

servicetype String The type of service provided to calling processes.

startmode String The driver start-up mode.

• Boot — the driver is started by the operating system loader.

• System — the driver is started by the operating system.

• Automatic — the driver starts automatically at system start-up.

• Manual — the driver starts by the service control manager.

• Disabled — the driver can no longer be started.

state String The current state of the driver.

path String The fully qualified path to the driver file.

Show drivers which are disabled on endpoints.

InstalledDrivers where InstalledDrivers state equals "disabled"

InstalledUpdates collector

The InstalledUpdates collector gathers data about installed updates, hotfixes, and security updates on Windows endpoints.

Table 5-7 Collector output

Field Type Description

description String The description for the update package.

hotfix_id String Microsoft knowledge base identifier for the update package.

install_date Timestamp The date when the package was installed.

installed_by String The user name that performed the installation, qualified by its namespace.

Show which hotfix packages were installed by bad_user.

InstalledUpdates where InstalledUpdates description equals "Hotfix" and InstalledUpdates installed_by contains "bad_user"

See also Use the search box on page 32


InteractiveSessions collector

The InteractiveSessions collector gathers information about live interactive sessions on endpoint systems.

Table 5-8 Collector output

Field Type Description

userid String The username that is logged into the session.

name String The user's full name.

This field is not reported for non-local users.

Show interactive sessions for user 'owilde'

InteractiveSessions where InteractiveSessions userid equals "owilde"

On Windows endpoints, information about past sessions may appear in the results if they belonged to accounts from different domains that have the same userid as the currently active one.

LocalGroups collector

The LocalGroups collector gathers data on local system groups. Active Directory groups are not returned.

Table 5-9 Collector output

Field Type Description

groupname String The name of the group.

groupdomain String The domain name of the local group.

groupdescription String The description of the local group.

islocal String Confirms that the group is stored locally on the endpoint.

sid String The security identifier for the group.

Show local groups under the "corp.sensitive" domain.

LocalGroups where LocalGroups groupdomain contains "corp.sensitive"

See also Use the search box on page 32

LoggedInUsers collector

The LoggedInUsers collector gathers data about users logged into managed systems.

Table 5-10 Collector output

Field Type Description

id String The user ID set by the operating system.

userdomain String The domain to which the user belongs.

username String The log-in username.

Show users logged under the "RISK" domain

LoggedInUsers where LoggedInUsers userdomain equals "RISK"


NetworkFlow collector

The NetworkFlow collector gathers historical data on network usage from managed endpoints.

Table 5-11 Collector output

Field Type Description

src_ip IPv4 or IPv6 address IP address of the source of the packet. Supports CIDR block notation.

src_port Number Port number originating the packet.

dst_ip IPv4 or IPv6 address IP address of the destination of the packet. Supports CIDR block notation.

dst_port Number Port number receiving the packet.

time Date Date and time when the packet was collected.

status String The status of the TCP transaction (not available in UDP transactions).

The TCP status must be interpreted as follows:

• On a TCP connection open operation, the CONNECTED value means that the source endpoint sent a SYN message and received a SYN,ACK message from the remote server.

• On a TCP connection close operation, the CLOSED value means that the source endpoint sent a FIN message and received a FIN,ACK message from the destination server.

• The final ACK message is ignored on both open and close operations.

process String The originating process' image name.

process_id Number The originating process' ID.

user String The user that owns the originating process.

user_id String The user ID of the process owning the socket.

proto String The packet's protocol: TCP or UDP.

flags String One of TCP flags ACK, SYN, RST, FIN.

direction String Specifies whether the packet came in to the managed endpoint, or was sent out of the endpoint.

ip_class Number Specifies the IP class used for the transaction:

• IPv4 returns 0

• IPv6 returns 1

• Unknown returns 2

seq_number Number TCP transaction sequence number (not available in UDP transactions).

src_mac String MAC address of originating endpoint.

dst_mac String MAC address of destination endpoint (Linux only).

md5 String The MD5 hash code for the source process.

sha1 String The SHA1 hash code for the source process.


Show process IDs and image names for network flow originating on CIDR block 10.250.45.0/24 and targeting endpoint 10.0.0.2.

NetworkFlow process, process_id where NetworkFlow src_ip contains 10.250.45.0/24 and NetworkFlow dst_ip equals 10.0.0.2

See also Use the search box on page 32

NetworkInterfaces collector

The NetworkInterfaces collector lists network interfaces on managed endpoints.

Table 5-12 Collector output

Field Type Description

bssid String The BSSID to which the interface is connected.

displayname String The interface's short name on the operating system.

gwipaddress IP The IP address of the gateway to which the interface is connected.

gwmacaddress String The MAC address of the gateway to which the interface is connected.

ipaddress IP The interface's IP address.

ipprefix Number The IP prefix for the interface's IP address.

macaddress String The interface's MAC address.

name String The interface's name.

ssid String The SSID to which the interface is connected.

type String The interface's type.

wifisecurity String The WiFi security algorithm used by the interface on the current connection.

NetworkSessions collector

Gets information about currently open network sessions on the endpoint.

Collector output

Field Type Description

computer String IP or hostname of remote endpoint.

user String User logged on to host through the network session.

client String Remote session command provider. (Only on Windows.)

file String Path of local resource being accessed by client. (Only on Windows.)

idletime String Time since last session activity. (Only on Windows.)

Show which shared resources are being accessed by username "owilde"

NetworkSessions where NetworkSessions user equals "owilde"


NetworkShares collector

Finds network shared paths accessible from each managed endpoint.

Collector output

Field Type Description

name String Name of shared resource.

description String Description of shared resource set either by the user or by default.

path String Local path to the resource.

On Linux, when the Samba service is running, the collector returns only the resources configured in /etc/samba/smb.conf; the Network File System (NFS) information it reports also comes from /etc/samba/smb.conf.

Show which paths on the endpoint named "owilde-office" are being shared.

NetworkShares path where HostInfo hostname equals "owilde-office"

Processes collector

The Processes collector gathers data on processes running on managed endpoints.

Table 5-13 Collector output

Field Type Description

name String The name of the running process.

id Number The process' system identifier.

threadCount Number The number of active threads spawned by the process.

parentId Number The system identifier for the process that spawned the current process.

parentname String The name of the process that spawned the current process.

size Number The amount of resident RAM used by the process, in kilobytes (the example below uses 10240 for 10 MB).

md5 String The MD5 hash code for the process.

sha1 String The SHA1 hash code for the process.

cmdline String The command that started the process.

imagepath String Path to the process' image name.

kerneltime Number The process' use of kernel mode CPU time, in seconds.

usertime Number The process' use of user mode CPU time, in seconds.

uptime Number The number of seconds passed since the process started.

user String The user name that started the process.

user_id String The ID for the user that started the process.

Show processes' names and RAM size for processes that use more than 10 MB ofresident RAM.

Processes name, size where Processes size greater than 10240

See also Use the search box on page 32


ScheduledTasks collector

Shows the status of scheduled tasks on Windows and Linux endpoints, and when each task is next scheduled to run.

Collector output

Field Type Description

folder String The path from where the scheduled task runs. (Empty on Linux)

taskname String Name of task.

nextruntime Date Time and date when the task will run.

status String Current task status: ready, disabled, setting, running, or could not start.

task_run String The full command line that the task executes.

last_run Date Last time the task ran successfully.

username String Name of the user that executed the task.

schedule_on String See Trigger field documentation.

log_on_type String Security logon method required to run the task. See the Log on Type documentation. (Only on Windows)

Show when the task called 'backupDaily' will run next

ScheduledTasks taskname, nextruntime where ScheduledTasks taskname equals "backupDaily"

Services collector

The Services collector lists services installed on managed endpoints.

Table 5-14 Collector output

Field Type Description

description String A description of the service's functionality.

name String A short name that uniquely identifies the service.

startuptype String The start-up mode.

• Boot — specifies a device driver started by the operating system loader.

• System — specifies a device driver started by the operating system.

• Automatic — specifies a service that starts automatically at system start-up.

• Manual — specifies a service started by the service control manager.

• Disabled — specifies a service that can no longer be started.

status String The current status of the service.

user String The user that owns the service's process.

Show services that are currently running and are set to start manually.

Services where Services status equals "Running" and Services startuptype equals "Manual"


Software collector

The Software collector lists software installed on managed endpoints.

Table 5-15 Collector output

Field Type Description

displayname String Commonly used software name.

installdate Timestamp A date-time value indicating when the object was installed.

publisher String The name of the software's supplier.

version String Software version information.

Show installed software provided by 'Bad Co.' publisher

Software where Software publisher equals "Bad Co."

Startup collector

The Startup collector shows information about start-up applications on managed endpoints.

Table 5-16 Collector output

Field Type Description

caption String The short name set by the application.

command String The command line that starts the application.

description String The description set by the application.

name String The application's file name.

user String The user name for whom this start-up command will run.

Show applications that start up automatically for user 'owilde'

Startup where Startup user equals "owilde"

UsbConnectedStorageDevices collector

Find which users have used USB mass storage devices on managed endpoints. This collector gets details on last usage and on the device itself.

Collector output

Field Type Description

vendor_id String Device's vendor ID.

product_id String Device's product ID.

serial_number String Device's serial number.

device_type String Only "USB storage" type is supported.

guid String ID provided by operating system. (Only on Windows)

last_connection_time Date Last time the device was plugged in. (Only on Windows)

user_name String User that mounted the device. If no user was logged in when the device was mounted, the field is empty. (Only on Windows)

last_time_used_by_user Date Last time the operating system touched the device.


Show all USB storage devices that were connected to endpoints running Windows

UsbConnectedStorageDevices where HostInfo os contains "win"

UserProfiles collector

The UserProfiles collector gathers data about local users on Windows endpoints.

Collector output

Field Type Description

accountdisabled String True if the account is disabled. False otherwise.

This field is not returned for non-local users.

domain String The domain that holds the user.

This field is not returned for non-local users.

fullname String The user's full name.

This field is not returned for non-local users.

installdate Timestamp The creation date for the user's home folder (C:\Users\user‑name). Theuser must log in at least once for this date to be returned.

localaccount String True if the user is stored locally on the endpoint. False otherwise.

lockedout String True if the user has been locked out from the endpoint. False otherwise.

This field is not returned for non-local users.

accountname String The user's account name.

sid String The security identifier for the user.

passwordexpires String True if the password is configured to expire. False otherwise.

This field is not returned for non-local users.

Find user accounts that have been locked out from endpoints.

UserProfiles where UserProfiles lockedout equals "true"

See also Use the search box on page 32


WinRegistry collector

The WinRegistry collector gathers Windows registry data from endpoints.

Collector output

Field Type Description

keypath Win Registry String A path to a registry key. The path does not include the key name.

Only equals and starts_with operators are valid for this output field.

keyvalue Win Registry String The key value name.

valuedata Win Registry String The data stored by the key value.

valuetype Win Registry String The data type of the registry data.

Show registry data related to Active Response installation on managed endpoints.

WinRegistry where WinRegistry keypath equals "hkey_local_machine\\software\\mcafee\\mar"

Strings in conditions and filters are case insensitive: "software" and "SOFTWARE" match the same registry entries.

See also Use the search box on page 32

Custom collectors

Custom collectors use the output of content execution to gather specific data from managed endpoints.

The collector parses content output as records of comma-separated values data. Then, it matches the fields in the records to the output fields defined for the collector, in order of appearance.

If a collector's content executes the following lines:

echo "value1","value2"
echo "value3","value4"

Active Response maps "value1" and "value3" to the first output field, and "value2" and "value4" to the second output field, like this:

Output field 1 Output field 2

value1 value2

value3 value4

See also Create a custom collector on page 49

Create a custom collector

Specify what data to collect from endpoints with custom collectors.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Catalog.

2 Select the Collectors tab, then click New Collector.

3 Enter a name and description for the collector.

4 For either or both the Windows and Linux tabs, insert the collector's content.

a Use the Type drop-down list to select the appropriate content type.

b In the Content code editor, enter the commands or code that Active Response executes on managed endpoints.

Add content to both Windows and Linux tabs to run the collector on both Windows and Linux managed endpoints.

5 Click Add Output or + to add an output field.

6 Enter a name for the field.

7 From the Type drop-down list, select a type for the field's data.

8 Select Show by default to make the output field a default field in the Search results table.

9 Click Save to finish.

If Save is disabled, check for problems in the form fields.

See also Custom collectors on page 49; Adding custom content on page 59; Content output on page 60; Content types on page 62

Reacting to incidents

Active Response acts on managed endpoints by executing reaction code.

Reaction summary

A reaction specifies an action to take on managed endpoints. A name and description identify the reaction. Give meaningful names and descriptions to reactions based on what effect each reaction produces. This way you can find reactions easily in the Active Response Catalog.

Reaction content

A reaction's content specifies the code that Active Response executes on managed endpoints. See Custom content for information about content types and usage.

Reaction arguments

A reaction's content supports named arguments to pass values during execution.


These fields define an argument:

• Name -- Specifies the argument's handle

• Type -- Specifies a data type for the argument. See the Literals section in Search syntax for a list of available data types.

Argument mappings

Reaction arguments are related to trigger and collector output fields.

When a trigger is set to run a reaction, the trigger output fields are passed as values to reaction arguments. So if a trigger returns a filename as output, this filename can be passed as value in a reaction argument that expects a filename.

Also, you can map arguments to collector output fields. After running a search expression, you can execute a reaction on endpoints related to Search Results. If the reaction arguments are mapped to collector output fields used in the search expression, then Active Response knows which values to pass as arguments during reaction execution.

System Tree restrictions when applying reactions

When you apply a reaction, not every endpoint on the DXL fabric is affected. Only those endpoints where your McAfee ePO administrator has granted access to you are affected by the reaction. For example, suppose that you have access to endpoints in China and don't have access to endpoints in Poland. When you execute a reaction, only endpoints in China are affected.

These access restrictions are set on the System tree sections of the Permission Sets that apply to your McAfee ePO user.

Built-in reactions

Active Response provides several reactions, available out of the box after installation.

DeleteRegistryValue reaction

Deletes a Windows Registry value in a specified registry key path.

This reaction can only delete key values that are not protected by other software.

Table 5-17 Arguments

Name Type Description

keypath Win Registry String The absolute path to a registry key. The path does not include the key value name.

keyvalue Win Registry String The key value name to erase.

KillProcess reaction

Use this reaction to kill processes on endpoints by passing the process' ID.

Table 5-18 Arguments

Name Type Description

pid Number The process ID, set by the operating system.


KillProcessByHash reaction

Use this reaction to kill processes that have a specific hash value on endpoints.

If the target endpoint is offline when this reaction is executed, the reaction is saved on the Active Response server and executes when the endpoint is back online. If a specific file cannot be deleted because it is blocked by a process, the file will be deleted when the endpoint reboots.

Table 5-19 Arguments

Name Type Description

MD5 String The process' MD5 value.

SHA1 String The process' SHA1 value.

RemoveFile reaction

Use this reaction to delete files from endpoint filesystems.

If the target endpoint is offline when this reaction is executed, the reaction is saved on the Active Response server and executes when the endpoint is back online. If a specific file cannot be deleted because it is blocked by a process, the file will be deleted when the endpoint reboots.

Table 5-20 Arguments

Name Type Description

full_name String The fully qualified file name, including its path.

Create a custom reaction

Reactions execute custom content on managed endpoints.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Catalog.

2 Select the Reactions tab, then click New Reaction.

3 Enter a name and description for the reaction.

4 Enter the reaction's content.

a Use the Type drop-down list to select the appropriate content type.

b In the Content code editor, enter the commands or code that Active Response executes on managed endpoints.

Add content to both Windows and Linux tabs so that the reaction applies both to Windows and Linux managed endpoints.

5 Click Add Argument or + to add an argument.

a Enter a name for the argument.

An argument's name must match the name given in the reaction's content between {{ and }}.


b From the Type drop-down list, select a type for the argument values.

c Click Set Collector Mapping to map the reaction argument to specific collector output fields.

6 Click Save to finish.

If Save is disabled, check for problems in the form fields.

See also Content arguments on page 61

Apply a reaction

Fire reactions from the Search Results table.

Reactions applied on endpoints cannot be undone. Proceed with care.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Search, then run a search expression.

2 When results appear in the Search Results table, select the rows you want to target.

Remember that a single row might reference more than one managed endpoint, expressed in the count column. In that case, the reaction is applied to all endpoints referenced by the row.

3 Click Actions | Apply Reaction.

4 Select a reaction from the drop-down list. If the reaction takes arguments, insert values for each argument.

Some arguments may be mapped to the collector output fields used in the search expression. The values returned by such output fields will be passed to the mapped arguments.

5 Click Yes to confirm.

See also Built-in reactions on page 51

Catching threats

Active Response triggers track system activity to detect possible threats. They can be set to catch specific events on managed endpoints and react immediately.

Based on Active Response data collection capabilities, triggers catch events in managed endpoints and fire reactions.

Trigger summary and configuration

A name and description identify a trigger. Triggers can be enabled or disabled.

• Enabled triggers are set and active on managed endpoints, listening to events. Even if the endpoint goes offline, the trigger is still enabled and operational.

• Disabled triggers are stored in the Triggers catalog for future use, but do not listen to events on managed endpoints.


Also, triggers select an Event Severity. This is the level of urgency that is reported in the McAfee ePO Threat Event Log when the trigger is fired.

Detection

A trigger's detection settings specify what fires the trigger. Triggers have a type. Each trigger type listens to different events and returns different output fields. For example, the Files trigger type listens to Created, Modified, and Deleted events on files. It returns the file's name, size, last_access, md5, and sha1.

Optionally, triggers can specify a condition that must be met for the trigger to be fired. For example, a Files type trigger can be set to catch Modified events only in files with a specific name or size.

See Trigger types for details on each type of trigger.

Reaction

When a trigger fires, it can execute a reaction. The reaction is selected from the Reactions catalog.

If the reaction takes arguments, they can be matched to the trigger type's output fields. This matching means that when the trigger fires, its output passes as arguments to the reaction. For example, a reaction that deletes files can take the file name to delete as an argument. When the trigger catches an event in a file, it can pass the file name to the reaction, and that particular file is deleted.

System Tree restrictions to setting triggers

When you enable a trigger, it is not set on every endpoint of the DXL fabric. Only those endpoints where your McAfee ePO administrator has granted access to you can set the trigger. For example, suppose that you have access to endpoints in China and don't have access to endpoints in Poland. When you run a search expression, only endpoints in China reply with results.

Also, only users that have access to the same endpoints that you have can modify your triggers on those endpoints. In other words, users that don't have access to an endpoint where you have set a trigger can't modify your trigger.

These access restrictions are set on the System tree sections of the Permission Sets that apply to your McAfee ePO user.

Create a trigger

Triggers are set on managed endpoints to catch and react to specific events.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Active Response Catalog.

2 Select the Triggers tab, then click New Trigger.

3 Enter a name and description for the trigger.

4 Set the status to Enabled if you want the trigger immediately set on managed endpoints. Else, set it to Disabled.

5 From the Trigger Type drop-down list, select a type for the trigger.

6 From the Event drop-down list, select the event to catch.


7 In the Condition text box, enter a condition to meet when catching events.

8 From the Reaction Name drop-down list, select a reaction.

Be careful that the reaction you select doesn't recreate the condition that sets the trigger off. An infinite loop happens if, when your trigger sets off, it executes a reaction which in turn sets your trigger off again, and so on.

9 In the Arguments table, use the drop-down lists in the Trigger Output column to map output fields to reaction arguments.

10 Click Save to finish.

If Save is disabled, check for problems in the form fields.

See also Reacting to incidents on page 50

Trigger types

Active Response provides different trigger types to catch events on managed endpoints.

See also Reacting to incidents on page 50

Files trigger

The Files trigger listens to events on managed endpoints' file systems.

Events

Event Description

FileCreated A matching file is created on a target endpoint.

FileModified A matching file is changed on a target endpoint.

FileDeleted A matching file is deleted on a target endpoint.

Output fields

Field Type Description

name String The file name.

dir String The directory path where the file lives.

When matching directories with the equals operator, a trailing path separator is needed.

Windows example: dir equals "C:\\Program Files\\"
Linux example: dir equals "/bin/"

full_name String The fully qualified file name, including path.

size Number File size in bytes.

last_write Date The last time the operating system wrote the file.

md5 String The file's content, in MD5 format.

sha1 String The file's content, in SHA1 format.

created_at Date Time stamp when the file was created.


Field Type Description

deleted_at Date Time stamp when the file was deleted.

status String Shows current for files that are currently on the file system, or deleted for files that were removed from the file system.

Match *.exe files with SHA1 hash 97eb5a5b721e28f9696729d14ef9d4076c9b4e2e

name ends with '.exe' and sha1 equals '97eb5a5b721e28f9696729d14ef9d4076c9b4e2e'

A trigger condition is like an Active Response search expression filter without the where keyword or the collector name. See Search syntax for more information.

File creation and hashing race condition

When a file is created on a managed endpoint, Active Response starts hashing the file and fires the FileCreated event. But if the file is large enough, the event might be caught before the hashing process finishes. In this situation, an incomplete MD5 or SHA1 hash of the file is reported with the event.

Triggers set to catch files over FileCreated events based on an MD5 or SHA1 hash can fail under this race condition: when a file large enough is created, Active Response reports an incomplete file hash. Because the trigger condition is set to match the file hash, this trigger is not executed.

However, when the hashing process finishes, the complete file hash is created. Then, a FileModified event is caught, reporting the complete hash. To avoid this condition, you are encouraged to create two triggers: one for the FileCreated event and another one for the FileModified event. Set both triggers to match the complete file hash.

Network trigger

The Network trigger listens to events on network flow to or from managed endpoints.

Connection events

McAfee Active Response catches these events on Windows and Linux systems.

Event Description

ConnectionOpen A connection is opened.

ConnectionClose A connection is closed.

Connection output fields

Field Type Description

src_ip IPv4 or IPv6 address IP address of the source of the packet. Supports CIDR block notation.

src_port Number Port number originating the packet.

dst_ip IPv4 or IPv6 address IP address of the destination of the packet. Supports CIDR block notation.

dst_port Number Port number receiving the packet.

time Date Date and time when the packet was collected.


Field Type Description

status String The status of the TCP transaction. (Not available in UDP transactions.)

The TCP status must be interpreted as follows:

• On a TCP connection open operation, the CONNECTED value means that the source endpoint sent a SYN message and received an ACK,SYN message from the remote server.

• On a TCP connection close operation, the CLOSED value means that the source endpoint sent a SYN message and received an ACK,FIN message from the destination server.

• The final ACK message is ignored on both open and close operations.

process String The originating process' image name.

process_id Number The originating process' ID.

user String The user who owns the originating process.

user_id String The user ID of the process owning the socket.

proto String The packet's protocol: TCP or UDP.

flags String One of TCP flags ACK, SYN, RST, FIN.

direction String Specifies whether the packet came in to the managed endpoint, or was sent out of the endpoint.

ip_class Number Specifies whether IPv4 (0) or IPv6 (1) was used for the transaction.

seq_number Number TCP transaction sequence number (not available in UDP transactions).

src_mac String MAC address of originating endpoint.

dst_mac String MAC address of destination endpoint (Linux only).

md5 String The MD5 hash code for the source process.

sha1 String The SHA1 hash code for the source process.

Match network flow originating on CIDR block 10.250.45.255/24 and targeting endpoint 10.0.0.2 on port 22.

src_ip contains 10.250.45.255/24 and dst_ip equals 10.0.0.2 and dst_port 22

A trigger condition is like an Active Response search expression filter without the where keyword or the collector name. See Search syntax for more information.

Port events

McAfee Active Response only catches these events on Windows managed endpoints.

Event Description

PortOpened (Windows only) A port is opened for listening.

PortClosed (Windows only) A port is closed.


Port output fields

Field Type Description

src_port Number Port number originating the packet.

user String The user who owns the originating process.

user_id String The user ID of the process owning the socket.

proto String The packet's protocol: TCP or UDP.

md5 String The MD5 hash code for the source process.

sha1 String The SHA1 hash code for the source process.

Match network flow originating on port 22 by the system administrator.

src_port equals 22 and user equals "NT AUTHORITY\\SYSTEM"

Processes trigger

The Processes trigger listens to events on running processes.

Events

Event Description

ProcessCreated A matching process is created on an endpoint.

ProcessTerminated A matching process is terminated on an endpoint.

Output fields

Field Type Description

name String The name of the running process.

id Number The process' system identifier.

parentId Number The system identifier for the process that spawned the current process.

parentname String The name of the process that spawned the current process.

md5 String The MD5 hash code for the process.

sha1 String The SHA1 hash code for the process.

cmdline String The command that started the process.

imagepath String Path to the process' image name.

user String The user name that started the process.

user_id String The ID for the user that started the process.

Match processes started by user "blackhat" with the SHA1 hash 97eb5a5b721e28f9696729d14ef9d4076c9b4e2e

user equals 'blackhat' and sha1 equals '97eb5a5b721e28f9696729d14ef9d4076c9b4e2e'

A trigger condition is like an Active Response search expression filter without the where keyword or the collector name. See Search syntax for more information.


WinRegistry trigger

The WinRegistry trigger listens to changes on Windows Registry keys.

Events

Event Description

ValueCreatedOrModified Key value created or value data changed.

ValueDeleted Key value deleted or renamed.

Output fields

Field Type Description

keypath Win Registry String Mandatory. A path to a registry key. The path does not include the key name. If the value is not a valid registry path, the trigger can't be saved.

Only equals and starts_with operators are valid for this output field.

keyvalue Win Registry String The key value name.

valuedata Win Registry String The data stored by the key value.

All values must be expressed as REG_DWORD values.

valuetype Win Registry String The data type of the registry data.

Catch when the DisableAllTriggers key is set to 1 in the registry key path for Active Response configuration.

keypath equals "hkey_local_machine\\software\\mcafee\\mar" and keyvalue "DisableAllTriggers" and valuedata equals "1"

A trigger condition is like an Active Response search expression filter without the where keyword or the collector name. See Search syntax for more information.

Adding custom content

Custom content specifies code or scripts that Active Response clients execute on managed endpoints.

This content lives inside the custom collectors and reactions that you create:

• Content written for a collector prints Comma-Separated Value (CSV) records to standard output.

• Content written for a reaction can take values passed as arguments to the operations executed on endpoints.

Limitations

On Windows, commands that require access to STDIN or the desktop fail to execute because Active Response runs on endpoints as a non-interactive service.

See also Create a custom collector on page 49; Create a custom reaction on page 52


Content output

During content execution, Active Response gathers from standard output all lines produced by custom content.

This means that your content must print to standard output only those lines to be parsed as comma-separated value (CSV) records. Consider the following examples.

Content with incorrect data

This simple content executes the ps command on a managed endpoint.

ps

This is a sample output for the command:

PID PPID PGID WINPID TTY UID STIME COMMAND
1440 18908 1440 11236 pty2 2831382 14:40:33 /usr/bin/sh
19184 2128 19184 11640 pty3 2831382 17:16:00 /usr/bin/ps
13708 1 19200 13708 ? 2831382 14:43:33 /usr/bin/dbus-launch
16196 1440 1440 12284 pty2 2831382 14:43:33 /usr/bin/xinit
808 1 808 808 ? 2831382 14:43:33 /usr/bin/dbus-daemon

Because the command output's first line contains a header, the following CSV document is constructed:

PID,PPID,PGID,WINPID,TTY,UID,STIME,COMMAND
1440,18908,1440,11236,pty2,2831382,14:40:33,/usr/bin/sh
19184,2128,19184,11640,pty3,2831382,17:16:00,/usr/bin/ps
...

Active Response incorrectly interprets the first line in the CSV document as being valid data.

Removing incorrect data from output

Contrast this example to Content with incorrect data. This content executes the ps command, but removes the header line.

ps | tail -n +2

This is a sample output for the command:

1440 18908 1440 11236 pty2 2831382 14:40:33 /usr/bin/sh
19184 2128 19184 11640 pty3 2831382 17:16:00 /usr/bin/ps
13708 1 19200 13708 ? 2831382 14:43:33 /usr/bin/dbus-launch
16196 1440 1440 12284 pty2 2831382 14:43:33 /usr/bin/xinit
808 1 808 808 ? 2831382 14:43:33 /usr/bin/dbus-daemon

Then, a CSV document with only valid data is constructed:

1440,18908,1440,11236,pty2,2831382,14:40:33,/usr/bin/sh
19184,2128,19184,11640,pty3,2831382,17:16:00,/usr/bin/ps
...

CSV value escaping

These characters must be escaped in content output to avoid problems when executing collectors and reactions:

' \ , [space]


To escape one of these characters in content output, place them between double quotes (" and ").

To escape the double quotes character, use a slash. To escape the slash character, use another slash.

For example:

"escaped [space]"
"escaped ,"
"escaped ' "
"escaped \"quotes\" "
"escaped \\"

Value strings encoding

All values printed to standard output must be encoded as UTF-8 characters. Using any other encoding can produce characters that break the execution of the collector, producing incorrect output values or no output values at all.

When creating content for collectors, you have the option to encode content output to UTF-8 automatically. If your search results contain broken character encodings, try encoding your custom collector content in UTF-8, or enabling the Convert collector output to UTF-8 encoding option from the collector details page.

Timestamp output fields

If your custom collector specifies an output field of type Timestamp, you must make sure that the time stamp is generated in full when the content is executed. A complete time stamp includes both date and time values.

Example Description
2015-01-09 08:43:25 This time stamp is complete.
2015-01-09 Incomplete: missing time value.
2015-01 Incomplete: missing day and time values.
08:43:25 Incomplete: missing date value.
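The following shell helpers are an added example for writing collector content, not McAfee's own code: they apply the record-to-output-field mapping described under Custom collectors, the CSV value escaping rules and the complete time stamp format shown above. The function and variable names (mar_csv_escape, mar_csv_record, mar_timestamp_is_complete, mar_timestamp, MAR_SAMPLE_PS, mar_collect_processes) are this example's own, and the ps output it parses is a constructed sample in the layout the guide shows.

```shell
#!/bin/sh
# Added example, not McAfee's code: helpers for custom-collector content that
# print CSV records the way the guide describes. Fields are escaped per the
# "CSV value escaping" rules, no header line is printed, and time stamps are
# complete ("YYYY-MM-DD HH:MM:SS"). All names below are this example's own.

# Escape one field: backslash becomes \\, double quote becomes \", and a value
# that contains ' \ , space or " is then wrapped in double quotes.
mar_csv_escape() {
    _v=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    case $1 in
        *\'* | *\\* | *,* | *\ * | *\"*) printf '"%s"' "$_v" ;;
        *) printf '%s' "$_v" ;;
    esac
}

# Print one record: each argument is one output field, in the order the
# collector's output fields are defined in the Active Response Catalog.
mar_csv_record() {
    _sep=""
    for _f in "$@"; do
        printf '%s%s' "$_sep" "$(mar_csv_escape "$_f")"
        _sep=","
    done
    printf '\n'
}

# True when a value is a complete time stamp (date and time), which is what a
# Timestamp output field requires; "2015-01-09" alone is incomplete.
mar_timestamp_is_complete() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$'
}

# Collection time in the complete format.
mar_timestamp() {
    date '+%Y-%m-%d %H:%M:%S'
}

# Constructed sample in the layout of the ps output shown in the guide; a real
# collector would run ps itself.
MAR_SAMPLE_PS='PID PPID PGID WINPID TTY UID STIME COMMAND
1440 18908 1440 11236 pty2 2831382 14:40:33 /usr/bin/sh
19184 2128 19184 11640 pty3 2831382 17:16:00 /usr/bin/ps'

# Emit one record per process (pid, command, time stamp). The header line is
# dropped first, as the guide's "ps | tail -n +2" does, so it is never parsed
# as data. $1 is the time stamp written into every record.
mar_collect_processes() {
    printf '%s\n' "$MAR_SAMPLE_PS" | tail -n +2 |
        while read -r pid ppid pgid winpid tty uid stime cmd; do
            mar_csv_record "$pid" "$cmd" "$1"
        done
}

# Stand-alone run: prints the records a collector with output fields
# pid (Number), command (String), collected (Timestamp) would return.
mar_collect_processes "$(mar_timestamp)"
```

Note that a complete time stamp contains a space, so under these rules it is always emitted wrapped in double quotes, as the PowerShell sample's ConvertTo-CSV output is.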

See also Create a custom collector on page 49

Content arguments

During content execution, Active Response can pass values as arguments to be expanded in the content. Arguments are specified in the content by placing the argument name between {{ and }}.

Content with arguments

In this example content, two arguments are defined: {{dir_glob}} and {{file_glob}}.

for file in {{dir_glob}}/{{file_glob}}.exe; do rm "$file"; done

This content is suitable for a reaction that deletes all files in specific directories, with known file names, ending with the .exe extension. When this content is executed on a managed endpoint, Active Response can expand the argument names with values passed by, for example, a trigger.

See also Create a custom reaction on page 52


Content types

Active Response supports several content types.

See also Create a custom collector on page 49

Operating system commands

This content type executes a system command in a managed endpoint.

Only reference operating system commands and libraries from a trusted source in Active Response custom content.

Linux system command

Show the endpoint's system time.

date +%T

Windows system command

Show the endpoint's system time.

time /t

Windows echo display rules

When executing Windows operating system commands, Active Response follows these display rules for the echo command.

• The first space after the command name is ignored.

• Trailing spaces in message are ignored.

• Functions and variables not enclosed between back quotes (`) are evaluated.

• To include special characters like < | >, enclose them in double quotes (") or back quotes. You can also precede them with the ASCII escape character, or use the /X option of the SETDOS command.

• To display %, you can alternately use two % marks for each one to be displayed: %%

• To display trailing spaces, either enclose them in back quotes, or append a pair of back quotes behind them.

• The ASCII NUL character cannot be included.

• If stdout is the console, after displaying content on the current line, the cursor moves to the beginning of the next line.

• If stdout is a file, the CR LF sequence is appended to the content.

• To display a blank line, use one of these forms:

echo `` (two consecutive back quotes)

echo. (special syntax for compatibility with CMD)

See also Create a custom collector on page 49; Create a custom reaction on page 52


Bash scripts

This content type executes a Bash script.

Only reference operating system commands and libraries from a trusted source in Active Response custom content.

Show interactive users logged on endpoints.

#!/bin/bash
#
# Copyright (C) 2015 McAfee, Inc. All Rights Reserved.
#
# Count the interactive sessions reported by w (FROM column starting with ':');
# print one user name per line, or a single message when there are none.
if [ `w | awk '{ if( NR>2 ) print $3, $1 }' | grep -E ^\: | wc -l` != 0 ]; then
    w | awk '{ if( NR>2 ) print $3, $1 }' | grep -E ^\: | awk '{ print $2 }';
else
    echo "No interactive users found"
fi

See also Create a custom collector on page 49; Create a custom reaction on page 52

PowerShell scripts

This content type executes a PowerShell script.

Only reference operating system commands and libraries from a trusted source in Active Response custom content.

Return system information about the endpoint.

#
# Copyright (C) 2015 McAfee, Inc. All Rights Reserved.
#
# Summary : This script lists endpoint system information
#
$PhysicalMemory = (get-wmiObject -class win32_ComputerSystem).TotalPhysicalMemory
$LocalTime = get-wmiObject -class win32_LocalTime
$OperatingSystem = get-wmiObject -class win32_OperatingSystem
$Processor = get-wmiObject -class win32_Processor
$TimeAndDate = get-date

$o = new-object PSObject
$o | add-member NoteProperty PhysicalMemory $PhysicalMemory
$o | add-member NoteProperty LocalTime $LocalTime
$o | add-member NoteProperty OperatingSystem $OperatingSystem
$o | add-member NoteProperty Processor $Processor
$o | add-member NoteProperty TimeAndDate $TimeAndDate

# Convert to CSV and skip the header line so only the data record is printed
$p = $o | ConvertTo-CSV -NoTypeInformation | select -Skip 1

# Escape backslashes as required by the CSV value escaping rules
$p = $p.replace('\', '\\')
$p

Visual Basic scripts

This content type executes a Visual Basic script.

Only reference operating system commands and libraries from a trusted source in Active Response custom content.

Return information about local users on Windows endpoints.

'
' Copyright (C) 2015 McAfee, Inc. All Rights Reserved.
'
' Summary : This script will list all local user
' information, to include group memberships.
'
Option Explicit

' ***********************************************
' Declare all variables
' ***********************************************

Dim strComputer
Dim varUseWmi, varRunWmiQuery, varWmiValue
Dim colGroups
Dim objGroup, objUser

' ***********************************************
' Call WMI to gather Windows
' user account information.
' ***********************************************

strComputer = "."

set varUseWmi = GetObject("winmgmts:\\.\root\cimv2")
set varRunWmiQuery = varUseWmi.ExecQuery("Select * from Win32_UserAccount")

' ***********************************************
' List all groups for each user, and put into an
' array.
'
' Next, echo back all of the user info, to include
' the group.
' ***********************************************

For Each varWmiValue In varRunWmiQuery
    Set colGroups = GetObject("WinNT://" & strComputer)
    colGroups.Filter = Array("group")
    For Each objGroup In colGroups
        For Each objUser In objGroup.Members
            If objUser.name = varWmiValue.Name Then
                Wscript.Echo varWmiValue.Disabled & "," & varWmiValue.Domain & "," & _
                    varWmiValue.FullName & "," & varWmiValue.InstallDate & "," & _
                    varWmiValue.LocalAccount & "," & varWmiValue.Lockout & "," & _
                    varWmiValue.Name & "," & varWmiValue.SID & "," & _
                    varWmiValue.PasswordExpires & "," & objGroup.Name
            End If
        Next
    Next
Next

See also: Create a custom collector on page 49; Create a custom reaction on page 52

Python 2.7 scripts

This content type executes a Python 2.7 script.

Do not create Python custom content unless you are sure that the Python interpreter on endpoints is installed in a system-protected location!

Return information about routes.

#
# Copyright (C) 2015 McAfee, Inc. All Rights Reserved.
#
import re
import subprocess

# Run the Windows IPv4 routing table command and capture its output
process = subprocess.Popen("route PRINT -4", stdin=subprocess.PIPE,
                           stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
output, error = process.communicate()

in_table = False  # becomes True once the column header line has been seen

for x in output.split('\r'):
    if "Metric" in x:
        # Column header of the route table: collect from the next line on
        in_table = True
        continue
    if in_table:
        # Collapse runs of whitespace, then split the line into columns
        data = re.sub(r'\s+', ' ', x).strip().split(" ")
        if len(data) >= 3:
            # One comma-separated row per route
            print(",".join(data))
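The script above starts collecting at the first line containing "Metric" and prints every later line with at least three columns. The following added example is not McAfee's code: it parses a constructed `route PRINT -4` capture offline (on an endpoint the text would come from subprocess, as in the script above) and goes a step further by separating active from persistent routes, dropping section titles and separators, and emitting rows in a fixed field order; ROUTE_FIELDS and the sample output are assumptions.

```python
from __future__ import print_function  # keeps the script valid on Python 2.7 and 3
import re

# Constructed sample of `route PRINT -4` output with the CRLF endings a Windows
# endpoint returns. Both the IPv4 route table and the Persistent Routes section
# carry a header line containing "Metric", and persistent routes have no
# Interface column; the parser below has to cope with both.
SAMPLE_ROUTE_OUTPUT = (
    "===========================================================================\r\n"
    "Interface List\r\n"
    " 12...00 11 22 33 44 55 ......Intel(R) Ethernet Connection\r\n"
    "===========================================================================\r\n"
    "IPv4 Route Table\r\n"
    "===========================================================================\r\n"
    "Active Routes:\r\n"
    "Network Destination        Netmask          Gateway       Interface  Metric\r\n"
    "          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.20     25\r\n"
    "        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331\r\n"
    "      192.168.1.0    255.255.255.0         On-link      192.168.1.20    281\r\n"
    "===========================================================================\r\n"
    "Persistent Routes:\r\n"
    "  Network Address          Netmask  Gateway Address  Metric\r\n"
    "         10.0.0.0        255.0.0.0      192.168.1.1       1\r\n"
    "===========================================================================\r\n"
)

# Output field order (hypothetical names): the collector's output field
# definitions would list these six fields in this order.
ROUTE_FIELDS = ("destination", "netmask", "gateway", "interface", "metric", "persistent")

def parse_route_table(text):
    """Return one dict per route; active routes have five columns, persistent
    routes four, and header, separator and title lines are skipped."""
    routes = []
    section = None  # stays None until the first "Metric" header is seen
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw).strip()
        if not line or line.startswith("="):
            continue
        if line.startswith("Persistent Routes"):
            section = "persistent"
            continue
        if "Metric" in line:  # column header of either table
            section = section or "active"
            continue
        cols = line.split(" ")
        if section == "active" and len(cols) == 5:
            dest, mask, gw, iface, metric = cols
        elif section == "persistent" and len(cols) == 4:
            dest, mask, gw, metric = cols
            iface = ""
        else:
            continue  # interface list, "Active Routes:", "None", ...
        values = (dest, mask, gw, iface, metric, section == "persistent")
        routes.append(dict(zip(ROUTE_FIELDS, values)))
    return routes

def format_rows(routes):
    """Render routes as the comma-separated, header-less rows a collector prints."""
    return [",".join(str(r[f]) for f in ROUTE_FIELDS) for r in routes]

if __name__ == "__main__":
    for row in format_rows(parse_route_table(SAMPLE_ROUTE_OUTPUT)):
        print(row)
```

Because every emitted row has the same six columns, a mismatch against the collector's output field definitions (error 262, MAR_E_FORMAT_ERROR) can be spotted before the content is deployed.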

See also: Create a custom collector on page 49; Create a custom reaction on page 52

Backing up and sharing content

You can export Active Response content to a file in JSON format. Use the exported file to restore content after a product upgrade or to share your collectors, triggers, and reactions with other Active Response installations.

To export and import content, look for Export, Export all, and Import in Active Response Catalog.

Error codes

These error codes appear in Active Response Search or in Active Response client logs. Use this table to troubleshoot a problem or as a reference when contacting product support.

Table 5-21 Generic errors

1  MAR_E_UNKNOWN
   Description: Failed to execute a search expression, enable a trigger, or execute a reaction.
   Workaround: Check the custom collector content, the reaction content, or the trigger condition.

2  MAR_E_UNDEFINED
   Description: Failed to execute a search expression, enable a trigger, or execute a reaction.
   Workaround: Check the custom collector content, the reaction content, or the trigger condition.

3  MAR_E_REQUEST_FAIL_TO_BE_PLACE
   Description: Failed to access client plug-in. The Active Response client might be corrupted.
   Workaround: Redeploy Active Response client on endpoint.

4  MAR_E_INTERNAL_ERROR
   Description: Failed during process boot. The Active Response client might be corrupted.
   Workaround: Redeploy Active Response client on endpoint.

6  MAR_E_MERGE_SIZE_MAX_REACHED
   Description: The search expression produced too many results.
   Workaround: Add filters to reduce the number of results or remove collectors from the projection. See Search syntax for more information.

7  MAR_E_MISSING_ARGUMENT
   Description: Failed to create McAfee ePO events.
   Workaround: Check Active Response server and client versions. The server version must be equal to or higher than the client one.

8  MAR_E_INVALID_ARGUMENT
   Description: A McAfee ePO event failed to create proper arguments due to an unsupported event ID.
   Workaround: Check Active Response server and client versions. The server version must be equal to or higher than the client one.

9  MAR_E_REQUEST_TIMEOUT
   Description: A collector took too long to return results.
   Workaround: Reduce the execution time of your custom collectors.

10  MAR_E_PLUGIN_SHUTTING_DOWN
   Description: A plug-in is shutting down and has not yet ended.
   Workaround: None

11  MAR_E_UNSUPPORTED_API
   Description: An API from a different version is trying to run and is not supported.
   Workaround: None

160  MAR_E_GENERIC_PLUGIN_IS_DISABLED
   Description: A required Active Response plug-in is disabled on the endpoint.
   Workaround: Enable the plug-in in the Active Response policy enforced on the endpoint.

Table 5-22 Runtime plug-in errors

257  MAR_E_RUNTIME_FAIL
   Description: A collector or reaction failed during the execution of its content.
   Workaround: Check the content of the collector or reaction.

258  MAR_E_MISSING_CONTENT
   Description: Failed to execute collector or reaction due to missing content. The collector or reaction might be empty.
   Workaround: Check content of collector or reaction.

259  MAR_E_MISSING_SCRIPT_ENGINE
   Description: A collector or reaction content failed to be executed due to a missing script engine.
   Workaround: Check that Python, Visual Basic, or Bash engines are available on the endpoint.

260  MAR_E_MISSING_SCRIPT_DATA
   Description: Failed to execute collector or reaction due to missing content. The content is empty or there is a problem in the Active Response server.
   Workaround: Check the content of collector or reaction.

261  MAR_E_SCRIPT_ENGINE_UNSUPPORTED
   Description: The Active Response client doesn't support the script engine that it tries to use.
   Workaround: Check that versions of Active Response server and clients match.

262  MAR_E_FORMAT_ERROR
   Description: Failed to parse collector output.
   Workaround: Check the output values in the collector content. Check the collector output field definitions.

263  MAR_E_MISSING_PYTHON_ENGINE
   Description: Python interpreter can't be found.
   Workaround: Install Python on the endpoint.

264  MAR_E_SHELL_IS_NOT_TRUSTED
   Description: The script interpreter doesn't match a trusted interpreter. Active Response will not execute any script using it.
   Workaround: None

416  MAR_E_RUNTIME_PLUGIN_IS_DISABLED
   Description: A required Active Response plug-in is disabled on the endpoint.
   Workaround: Change the Active Response policy enforced on the endpoint to enable the plug-in.

Table 5-23 NetworkFlow errors

513  MAR_E_NETWORK_MAX_REACHED
   Description: The NetworkFlow collector returned too many results.
   Workaround: Add filters to reduce the number of results. See Search syntax for more information.

672  MAR_E_NETWORK_PLUGIN_IS_DISABLED
   Description: The NetworkFlow plug-in is disabled on the endpoint.
   Workaround: Change the Active Response policy enforced on the endpoint to enable the plug-in.

Table 5-24 File hashing errors

769  MAR_E_FILE_HASHING_MAX_REACHED
   Description: The Files collector returned too many results.
   Workaround: Add filters to reduce the number of results. See Search syntax for more information.

770  MAR_E_FILE_HASHING_HASH_IN_PROGRESS
   Description: Active Response is hashing the file system on this endpoint.
   Workaround: Wait for file hashing to complete and retry your search.

771  MAR_E_FILE_HASHING_REMOVE_FILE_ERROR
   Description: An error occurred when MAR tried to delete a file.
   Workaround: None

928  MAR_E_FILE_HASHING_PLUGIN_IS_DISABLED
   Description: The File Hashing plug-in is disabled on the endpoint.
   Workaround: Change the Active Response policy enforced on the endpoint to enable the plug-in.


Table 5-25 Processes errors

1025  MAR_E_AQUIRE_PROCESS
   Description: The endpoint's operating system is preventing Active Response from collecting running processes information.
   Workaround: Retry your search expression.

1026  MAR_E_SYSTEM_INFO_INVALID_PARAMETERS
   Description: The client detected invalid system information parameters.
   Workaround: Verify that the correct parameters are used. Set the logger level to Debug to check which parameters the client is receiving and retry.

1027  MAR_E_CANNOT_KILL_PROCESS
   Description: The client cannot kill the specified process.
   Workaround: Verify that the process exists and its ID is entered correctly.

1028  MAR_E_CANNOT_STOP_SERVICE
   Description: The client failed to stop the specified service.
   Workaround: Verify that the service exists and its ID is entered correctly.

1029  MAR_E_CANNOT_KILL_SERVICE_PROCESS
   Description: The client failed to kill the specified service.
   Workaround: Verify that the service exists and its ID is entered correctly.

1030  MAR_E_CANNOT_SET_SERVICE_AS_MANUAL
   Description: The client failed to set service 'Startup Type' to Manual. The process has been killed, but the service is still automatic.
   Workaround: Retry if the process starts again.

1031  MAR_E_CANNOT_KILL_TRUSTED_PROCESS
   Description: The client does not kill trusted processes.
   Workaround: None

1184  MAR_E_SYSTEM_INFO_PLUGIN_IS_DISABLED
   Description: McAfee ePO hasn't yet initialized the policies on the endpoint, so the Processes plug-in is disabled.
   Workaround: Wait for McAfee ePO to initialize policies on the endpoint and try again.

Table 5-26 WinRegistry errors

1281  MAR_E_WIN_REGISTRY_MAX_REACHED
   Description: The WinRegistry collector returned too many results.
   Workaround: Add filters to reduce the number of results. See Search syntax for more information.

1282  MAR_E_WIN_REGISTRY_INVALID_PARAMETERS
   Description: A WinRegistry reaction received invalid parameters.
   Workaround: The keypath/keyvalue specified doesn't exist. Check that the correct keypath/keyvalue is used.

1283  MAR_E_WIN_REGISTRY_ACCESS_DENIED
   Description: A WinRegistry reaction did not have permission to execute its task.
   Workaround: None

1284  MAR_E_WIN_REGISTRY_UNDEFINED_ERROR
   Description: A WinRegistry reaction returned an unknown error.
   Workaround: None

1285  MAR_E_WIN_REGISTRY_MISSING_ARGUMENT
   Description: A WinRegistry reaction did not receive all the parameters it was expecting.
   Workaround: This error is not generated in the Active Response client. Check the service or extension.

1286  MAR_E_WIN_REGISTRY_CANNOT_FIND_USER
   Description: A WinRegistry reaction could not find the specified user.
   Workaround: Check that the correct user is specified.

1287  MAR_E_WIN_REGISTRY_INVALID_KEYPATH_OPERATOR
   Description: A condition for the keypath field used an invalid operator.
   Workaround: The Keypath operator supports only the equals or starts with operators. Change the condition to use one of these operators.

1288  MAR_E_WIN_REGISTRY_KEYPATH_IS_MANDATORY
   Description: A condition was executed without using Keypath as a filter.
   Workaround: WinRegistry queries must apply a filter related to the Keypath condition.

1440  MAR_E_WIN_REGISTRY_PLUGIN_IS_DISABLED
   Description: The WinRegistry plug-in is disabled on the endpoint.
   Workaround: Change the Active Response policy enforced on the endpoint to enable the plug-in.


Index

A
about
    Active Response 7
about this guide 5
access management, Active Response
    editor role 25
    responder role 25
actions taken on threats 30
Active Response
    about 8
    configure 23
    Endpoint Threat Defense and Response solution 7
    installation status 18
    installing 11
    policy configuration 24
    upgrade 21
Active Response components
    Data Exchange Layer cloud bridge 8
affected hosts 27
aggregator tags, configuring 24
aggregators, installing 16
authentication, configuring 24

B
built-in collectors 37–49
    CurrentFlow collector 37
    DNSCache collector 38
    EnvironmentVariables collector 38
    Files collector 38
    HostEntries collector 39
    HostInfo collector 40
    InstalledDrivers collector 41
    InstalledUpdates collector 41
    InteractiveSessions collector 42
    LocalGroups collector 42
    LoggedInUsers collector 42
    NetworkFlow collector 43
    NetworkInterfaces collector 44
    NetworkSessions collector 44
    NetworkShares collector 45
    Processes collector 45
    ScheduledTasks collector 46
    Services collector 46
    Software collector 47
    Startup collector 47
    UsbConnectedStorageDevices collector 47
    UserProfiles collector 48
    WinRegistry collector 49

C
client, Active Response 24
cloud bridge
    creating accounts 13
    registering Active Response 13
    storage and services 8
collector arguments 61
collector output fields, See custom content, Active Response
collectors 36
common core extensions, installing 13
configuration
    access management 25
    client 24
    network ports 23
    services 24
content back-up, Active Response 65
conventions and icons used in this guide 5
create an Active Response policy 25
custom collectors 49
    creating 49
custom content, Active Response 61, 62
    adding 59
    Bash content type 63
    collector output fields 60, 62
    operating system command content type 62
    PowerShell content type 63
    Python 2.7 content type 64
    Visual Basic content type 63

D
Data Exchange Layer
    cloud bridge 8, 13
    install the extension 13
DeleteRegistryValue reaction, See reactions
DNSCache collector, See built-in collectors
documentation
    audience for this guide 5
    product-specific, finding 6
    typographical conventions and icons 5

E
Endpoint Security extensions
    installation status 18
Endpoint Threat Defense and Response solution 7
EnvironmentVariables collector, See built-in collectors

F
features, Active Response 7
File Hashing, enabling 24
Files collector, See built-in collectors
files trigger, See triggers

H
health status information 18
HostInfo collector, See built-in collectors

I
import and export content, Active Response 65
installation requirements, Active Response 11
installation, Active Response 11, 14
    client deployment 16
    common core extensions 13
    content update 18
    McAfee ePO Cloud Bridge 13
    proxy server settings 13
    requirements 11
    status on servers and endpoints 18
    TIE server 14
    uninstall clients 17
InstalledDrivers collector, See built-in collectors
InstalledUpdates collector, See built-in collectors
InteractiveSessions collector, See built-in collectors

K
KillProcess reaction, See reactions
KillProcessByHash reaction, See reactions

L
LocalGroups collector, See built-in collectors
Log files, enabling 24
LoggedInUsers collector, See built-in collectors

M
McAfee ePO Cloud Bridge 13
McAfee ServicePortal, accessing 6

N
network data collectors, See built-in collectors
network trigger, See triggers
NetworkFlow collector, See built-in collectors
NetworkInterfaces collector, See built-in collectors
NetworkSessions collector, See built-in collectors
NetworkShares collector, See built-in collectors

P
permission sets, Active Response, See access management
policy configuration 24
policy, creating 25
ports, Active Response 23
potential threats 27
processes collector, See built-in collectors
processes trigger, See triggers
proxy server settings 13

R
reactions 50–52
    applying 53
    creating 52
    DeleteRegistryValue reaction 51
    KillProcess reaction 51
    KillProcessByHash reaction 52
    RemoveFile reaction 52
remediation 29, 30
    delete history 31
RemoveFile reaction, See reactions

S
saved search expressions 33
ScheduledTasks collector, See built-in collectors
search expressions 31
    saving 33
    syntax reference 34
    using 32
server, Active Response 21, 24
ServicePortal, finding product documentation 6
Services collector, See built-in collectors
Software collector, See built-in collectors
Startup collector, See built-in collectors

T
technical support, finding product information 6
Threat Intelligence Exchange
    install the extension 13
    install the TIE server 14
    server 8
threat remediation 30
    delete history 31
    remediate a threat 29
threat time line 27
Threat Workspace
    affected hosts 27
    configuring 24
    investigate a threat 29
    number of threats 27
    parts of the page 27
    threat time line 27
    trace information 27
threats
    investigating and getting details 29
    remediate a threat 29
    total threats 27
Trace 27
    enabling 24
triggers 53, 55, 56, 58, 59
    creating 54
    files type 55
    network type 56
    processes type 58
    winregistry type 59

U
upgrade, Active Response 21
    client deployment 22
    extensions 21
    server 21
UsbConnectedStorageDevices collector, See built-in collectors
UserProfiles collector, See built-in collectors

W
WinRegistry collector, See built-in collectors
winregistry trigger, See triggers