McAfee Vulnerability Manager 7.5.0 Product Guide - For use with McAfee ePO

COPYRIGHT

Copyright © 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Introducing McAfee Vulnerability Manager for ePolicy Orchestrator
    System requirements for McAfee Vulnerability Manager
Installation and setup
    Install or upgrade the extension
    Uninstall the extension
    Set up a McAfee Vulnerability Manager registered server
        Asset filter options
Using the extension
    Create an update server task
    Set up Single-Sign On
    Synchronize data
        Adding a McAfee ePO data source from McAfee Policy Auditor
        Creating a McAfee ePO data source in McAfee Vulnerability Manager
    Maintain association between McAfee Vulnerability Manager and McAfee ePO data
        Change the maintenance schedule
        Run the maintenance task manually
    Update the Foundstone Configuration Agent settings
McAfee Vulnerability Manager dashboard monitors
    Foundscore overview
    Detected system details
    Detected system interfaces
    Foundscore history details
    McAfee Vulnerability Manager system detail
    McAfee Vulnerability Manager systems
    McAfee Vulnerability Manager vulnerabilities
    McAfee Vulnerability Manager web assets details
    McAfee Vulnerability Manager web asset pages information
    McAfee Vulnerability Manager web asset page vulnerabilities information
    McAfee Vulnerability Manager sitemap
    Query type
    Service information
    Vulnerability details

Introducing McAfee Vulnerability Manager for ePolicy Orchestrator

The McAfee® Vulnerability Manager ePO extension allows you to import your McAfee Vulnerability Manager data into your ePolicy Orchestrator® database, and then view that data through an ePolicy Orchestrator dashboard.

McAfee Vulnerability Manager is also known as Foundstone.

NOTE: McAfee Vulnerability Manager is a separate product from ePolicy Orchestrator and the McAfee Vulnerability Manager ePO extension. You must have an existing McAfee Vulnerability Manager database, with scanned asset data, in order to use the McAfee Vulnerability Manager ePO extension.

System requirements for McAfee Vulnerability Manager

The extension requires:

• McAfee ePolicy Orchestrator 4.5 or later, or McAfee ePolicy Orchestrator 4.6 or later

• Microsoft Windows Server

    • Microsoft Windows Server 2003

    • Microsoft Windows Server 2008

      NOTE: The McAfee Vulnerability Manager ePO extension supports Windows Server 2008. The McAfee Vulnerability Manager 7.5 software only supports Microsoft Windows Server 2008 R2. After installation, if you view the extension in the McAfee Vulnerability Manager Configuration Manager, a message states that the version of Microsoft Windows running on the system is not supported. This message can be ignored.

    • Microsoft Windows Server 2008 R2 (ePolicy Orchestrator 4.5 patch 4 or later, or 4.6)

• Microsoft SQL Server

    • Microsoft SQL Server 2005

    • Microsoft SQL Server 2005 Express

    • Microsoft SQL Server 2008

    • Microsoft SQL Server 2008 Express

• Run a task that imports McAfee Vulnerability Manager data into the ePolicy Orchestrator database

• McAfee Vulnerability Manager 7.5 (separate from the ePolicy Orchestrator extension)

• (Optional) McAfee Policy Auditor 5.3

NOTE: Previous versions of McAfee Vulnerability Manager/Foundstone and McAfee Policy Auditor are not compatible with the McAfee Vulnerability Manager 7.5 ePO extension.

Installation and setup

To properly integrate McAfee Vulnerability Manager and ePolicy Orchestrator information, use the following setup order:

1 Install ePolicy Orchestrator 4.5 or 4.6.

2 Install McAfee Vulnerability Manager ePO extension. This includes installing a configuration manager agent (FC Agent) for communication with the McAfee Vulnerability Manager Configuration Manager.

3 Register the McAfee Vulnerability Manager 7.5 server in ePolicy Orchestrator.

4 Create a McAfee Vulnerability Manager Data Import server task.

5 (Optional) If you are integrating McAfee Vulnerability Manager with McAfee Policy Auditor, or if you want to export your ePolicy Orchestrator assets to McAfee Vulnerability Manager, then create an ePolicy Orchestrator data source using the McAfee Vulnerability Manager web portal.

6 Run a McAfee Vulnerability Manager scan to scan your network.

7 After the scan is complete, run the McAfee Vulnerability Manager Data Import server task.

Install or upgrade the extension

Use this task to install the McAfee Vulnerability Manager ePO extension.

NOTE: In McAfee Vulnerability Manager 7.5, the FSAssetVulnView.MultipleCVE column has been removed from the extension. Any custom queries that refer to this column need to be modified or deleted.

Before you begin

You must have installed ePolicy Orchestrator 4.5 or 4.6 on your McAfee ePO server.

Task

For option definitions, click ? in the interface.

1 Download and uncompress the McAfee Vulnerability Manager file on your McAfee ePO server. The file is available from the McAfee product download site.

2 Open the McAfee Vulnerability Manager folder and run Setup.exe. The Setup Requirements appears. If any requirement is not met, exit the installer and resolve any issues. Some applications must be installed for Vulnerability Manager ePO extension to function properly. These applications will be installed when you go to the next step in the installation.

3 Click Next. Any required applications are installed. You might need to select Yes to continue the installation. After the required applications are installed, the Welcome to McAfee step appears.

4 Click Next. The End User License Agreement appears.

5 Select a location from the Select location where purchased and used drop-down list.

6 Select I accept the terms in the license agreement. If you do not accept the terms in the license agreement, click Cancel to exit.

7 Click OK. The Choose Destination Folder step appears. You can accept the default location or change the location by clicking the Browse button.

8 Click Next. The Set Administrator Information step appears.

9 Type the ePolicy Orchestrator global administrator user name and password.

10 Click Next. The Set Vulnerability Manager Configuration Manager Settings step appears.

11 Type the server name or IP address for the system running the McAfee Vulnerability Manager Configuration Manager.

12 Type the port number the McAfee Vulnerability Manager Configuration Manager listens on. The default port number is 3801.

13 Click Next. The Start Copying Files step appears. You can review your options. To make changes, click Back.

14 Click Next. The setup process runs and completes.

15 Click Finish.

Uninstall the extension

When uninstalling McAfee Vulnerability Manager ePO extension 7.5, use the Windows Add/Remove programs window. Uninstalling McAfee Vulnerability Manager using the ePolicy Orchestrator extension user-interface will not remove all of the McAfee Vulnerability Manager components from your system.

If you installed the McAfee Risk Advisor and the McAfee Vulnerability Manager ePO extensions, the McAfee Vulnerability Manager ePO extension cannot be deleted so long as McAfee Risk Advisor remains installed. This is due to a dependency of McAfee Risk Advisor on McAfee Vulnerability Manager. Once McAfee Risk Advisor is uninstalled, you can then uninstall McAfee Vulnerability Manager.

Set up a McAfee Vulnerability Manager registered server

Once the McAfee Vulnerability Manager ePO extension is installed, you must set up your McAfee Vulnerability Manager database as a registered server.

Task

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Registered Servers.

2 Click New Server.

3 Select Vulnerability Manager from the Server type list.

4 Type a name for this registered server. The Notes section is optional.

5 Click Next.

6 Type in the McAfee Vulnerability Manager database server host name or IP address. Examples: myhost or 123.45.67.89.

7 Select a server instance for the McAfee Vulnerability Manager database.

    • Default – Select Default if Microsoft SQL was installed with the default settings.

    • Instance name – Select Instance name if the Microsoft SQL name was changed. Type the name in the Instance name field.

    • Port number – Select Port number if you must specify a port number for the IP address. Type the port number in the port number field.

8 Allowed to use SSL to connect is enabled by default. Disabling this function will not allow an SSL connection when communicating with the Vulnerability Manager database. Microsoft SQL requires an SSL connection.

9 Type in your McAfee Vulnerability Manager database name in the Database name field. The default McAfee Vulnerability Manager database name is faultline.

10 Select an authentication type.

    • Windows authentication – Select Windows authentication to enter a Windows user name and password to access the Vulnerability Manager database. The user name for Windows authentication must include the domain (domain\user).

      NOTE: If the Windows authentication user name does not include a domain, the Test Connection button is unavailable.

    • SQL authentication – Select SQL authentication to enter a SQL user name and password to access the McAfee Vulnerability Manager database.

11 Type in an organization name to only import data for that McAfee Vulnerability Manager organization. You can type only one organization name in this field. If you need the data from more than one McAfee Vulnerability Manager organization, you must create a separate registered server and type the name of the other McAfee Vulnerability Manager organization. If this field is left blank, the data from all McAfee Vulnerability Manager organizations is imported.

NOTE: You can import the data for all of your McAfee Vulnerability Manager organizations or import data for specific McAfee Vulnerability Manager organizations, but not both. Importing the data for all McAfee Vulnerability Manager organizations and importing data for specific McAfee Vulnerability Manager organizations can cause duplicate data in your ePO database.

12 Click Test Connection to check if ePolicy Orchestrator can connect to the McAfee Vulnerability Manager database.

The test connection could fail for several reasons. An error message will display with some information about why the test connection failed.

NOTE: If the McAfee Vulnerability Manager database is inaccessible (like being offline), the test connection will fail. A successful test connection is not required for saving your Registered Server information.

Asset filter options

Selecting different asset filter options results in different asset data being imported into McAfee ePO.

• No filter options selected – Imports all McAfee Vulnerability Manager asset data.

• Organization name – Imports all asset data for the organization.

• Import assets from ePO data source – Imports assets from a given McAfee ePO data source, which can include assets with tags and assets without tags.

• Import assets from asset tag – Imports assets with the given tag from the selected organization, including assets from other McAfee ePO data sources.

• Import only the tagged assets that are unrelated to ePO data sources – Imports assets with the given tag that are not part of any McAfee ePO data source.

• Import assets from ePO data source and Import assets from asset tag – Imports assets from the selected McAfee ePO data source and all assets with the given tag, including assets from other McAfee ePO data sources.

• Import assets from ePO data source, Import assets from asset tag, and Import only the tagged assets that are unrelated to ePO data sources – Imports assets from the selected McAfee ePO data source and assets with the given tag, that are not part of any other McAfee ePO data source.
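
The filter combinations listed above, modeled as set logic over a constructed inventory. This is an added example, not McAfee code: the Asset fields, the select_assets and duplicate_overlap names, and the sample data are assumptions, as is treating the organization name as a scope applied before the other filters. It also shows the overlap behind the duplicate-data NOTE in step 11 of the registered server task.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class Asset:
    """Constructed stand-in for one scanned asset (field names are assumptions)."""
    name: str
    organization: str
    tags: FrozenSet[str] = frozenset()
    epo_source: Optional[str] = None  # ePO data source the asset belongs to, if any


def select_assets(assets: Iterable[Asset],
                  organization: Optional[str] = None,
                  epo_source: Optional[str] = None,
                  tag: Optional[str] = None,
                  unrelated_only: bool = False) -> Set[str]:
    """Return the names of the assets a registered server would import.

    organization   -> "Organization name" field (blank means all organizations)
    epo_source     -> "Import assets from ePO data source"
    tag            -> "Import assets from asset tag"
    unrelated_only -> "Import only the tagged assets that are unrelated to
                      ePO data sources" (narrows the tag match only)
    """
    if unrelated_only and tag is None:
        raise ValueError("unrelated_only narrows a tag import, so a tag is required")

    # Assumption: the organization name scopes every other filter.
    scoped = [a for a in assets
              if organization is None or a.organization == organization]

    # No data source and no tag selected: everything in scope is imported.
    if epo_source is None and tag is None:
        return {a.name for a in scoped}

    imported = set()
    for a in scoped:
        from_source = epo_source is not None and a.epo_source == epo_source
        tagged = tag is not None and tag in a.tags
        if unrelated_only:
            # Tagged assets count only when they belong to no ePO data source.
            tagged = tagged and a.epo_source is None
        if from_source or tagged:
            imported.add(a.name)
    return imported


def duplicate_overlap(assets: Iterable[Asset], organization: str) -> Set[str]:
    """Assets imported twice when one registered server has a blank organization
    and a second registered server names a specific organization."""
    assets = list(assets)
    return select_assets(assets) & select_assets(assets, organization=organization)


# Constructed sample inventory (not real data).
SAMPLE = [
    Asset("web01", "Acme", frozenset({"pci"}), "epo-east"),
    Asset("web02", "Acme", frozenset(), "epo-east"),
    Asset("db01", "Acme", frozenset({"pci"}), "epo-west"),
    Asset("printer01", "Acme", frozenset({"pci"}), None),
    Asset("lab01", "Acme", frozenset(), None),
    Asset("hr01", "Beta", frozenset({"pci"}), None),
]

if __name__ == "__main__":
    combos = {
        "no filter": {},
        "organization": {"organization": "Acme"},
        "data source": {"organization": "Acme", "epo_source": "epo-east"},
        "tag": {"organization": "Acme", "tag": "pci"},
        "tag, unrelated only": {"organization": "Acme", "tag": "pci",
                                "unrelated_only": True},
        "data source + tag": {"organization": "Acme", "epo_source": "epo-east",
                              "tag": "pci"},
        "data source + tag, unrelated only": {"organization": "Acme",
                                              "epo_source": "epo-east",
                                              "tag": "pci",
                                              "unrelated_only": True},
    }
    for label, kwargs in combos.items():
        print(f"{label:36} {sorted(select_assets(SAMPLE, **kwargs))}")
    print("imported twice:", sorted(duplicate_overlap(SAMPLE, "Acme")))
```

Comparing the last two combinations shows the effect of the third option: db01, which is tagged but belongs to a different ePO data source, drops out of the import.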

Using the extension

The McAfee Vulnerability Manager ePO extension allows you to import your McAfee Vulnerability Manager data into your ePolicy Orchestrator database. You can view that data through an ePolicy Orchestrator dashboard.

Once the McAfee Vulnerability Manager ePO extension is installed and your McAfee Vulnerability Manager server is registered in ePolicy Orchestrator, you must populate your ePO database by importing asset data from your McAfee Vulnerability Manager database by creating a server task.

Create an update server task

When you create the McAfee Vulnerability Manager Update server task, you can set the time and intervals for when and how often your McAfee Vulnerability Manager data is imported or updated.

Task

For option definitions, click ? in the interface.

1 Select Menu | Automation | Server Tasks.

2 Select New Task. The Server Task Builder page appears.

3 Type a name for this new server task. The Notes section is optional.

4 Select Enabled.

5 Click Next.

6 From the query drop-down list, select Vulnerability Manager Data Import.

7 From the Server name drop-down list, select the McAfee Vulnerability Manager server to import data from.

8 Select which data to import, then click Next.

    • Delta – Imports only new or updated McAfee Vulnerability Manager data since the last time you ran the server task. The first time you run the McAfee Vulnerability Manager server task, there is no McAfee Vulnerability Manager data in your ePO database, so the Delta setting will import all of your McAfee Vulnerability Manager data.

      NOTE: It is recommended to select Delta for importing and updating your data.

    • All – Overwrites all existing McAfee Vulnerability Manager data in your ePO database every time the server task runs. If there is a lot of McAfee Vulnerability Manager data to import, using the All data import takes a long time. Use the All data option if there are issues with the McAfee Vulnerability Manager data in your ePO database and you want to start over.

9 Schedule the frequency, then click Next. Select start and end dates, and the time you want this server task to run. You can schedule multiple times for this task to run by selecting the "+" (Add) icon. You can also set a window of time by selecting Between instead of At.

10 Review the server task summary, then click Save. If you want to run the server task now, select Run for this server task from the Server Tasks page.

Set up Single-Sign On

The McAfee Vulnerability Manager Single-Sign On feature allows McAfee Policy Auditor users access to their McAfee Vulnerability Manager web portal to access scan configurations.

Using Single-Sign On requires the creation of a McAfee Vulnerability Manager Workgroup with credentials that will allow a McAfee Policy Auditor user access to the McAfee Vulnerability Manager web portal. This needs to be done by your McAfee Vulnerability Manager administrator. Setting up a McAfee Vulnerability Manager Workgroup cannot be done from ePolicy Orchestrator.

Task

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Server Settings.

2 Select Vulnerability Manager API Server.

3 Click Edit.

4 Type the Organization, User Name, and Password for the McAfee Vulnerability Manager Workgroup setup for ePolicy Orchestrator.

5 Select Enable Policy Auditor to use these server settings to enable Single-Sign On through the ePolicy Orchestrator user-interface.

6 Click Save. The Organization and User Name display on the Server Settings tab for the Vulnerability Manager API Server.

Synchronize data

From the McAfee Vulnerability Manager web portal, a data synchronization can be done with the ePO server. This data synchronization allows McAfee Vulnerability Manager to properly label ePolicy Orchestrator systems that have an ePO agent installed.

If you are having your McAfee Vulnerability Manager administrator create your ePO data source, provide the following ePO database information:

• Server Address

• Database Name

• User name and password

Adding a McAfee ePO data source from McAfee Policy Auditor

Use this task to add a McAfee ePO data source from McAfee Policy Auditor.

Task

For option definitions, click ? in the interface.

1 Click Menu, then select Risk & Compliance.

2 Click Audits.

3 Click Manage Foundstone Data Source.

A separate window appears with the McAfee Vulnerability Manager Data Source page. Follow the Creating a McAfee ePO data source in McAfee Vulnerability Manager procedure.

Creating a McAfee ePO data source in McAfee Vulnerability Manager

To get here, you must be logged into the McAfee Vulnerability Manager web portal.

Task

For option definitions, click ? in the interface.

1 Click Add Data Source.

2 Type a name for this data source.

3 Select ePO from the Data Source Type list.

4 Type the server address of the McAfee ePO database.

5 Type the name of the McAfee ePO database.

6 Type the user name and password. If your user name includes a domain, then you need to enter domain@username (example: admin@foundstone).

NOTE: The user name must have at least read-access to the McAfee ePO database.

7 For McAfee ePO/Policy Auditor integration, select Enable Audit Request. The McAfee Vulnerability Manager Organization/Workgroup list becomes available.

8 Select the McAfee ePO/Policy Auditor workgroup from the drop-down list.

9 Select Active or Inactive for the Scheduler.

10 Select either a Schedule Type (Immediate or One Time) or a Recurring (Daily, Weekly, or Monthly).

NOTE: If you select Daily, Weekly, or Monthly, also select the appropriate Schedule options for this data source.

11 Click Save, then close the McAfee Vulnerability Manager window.

Maintain association between McAfee Vulnerability Manager and McAfee ePO data

As you add and delete systems from the System Tree, the system data associated between McAfee Vulnerability Manager and McAfee ePO might no longer match. The MVM: Maintain links between MVM and ePO systems task checks for changes between system data in McAfee ePO and system data in McAfee Vulnerability Manager and updates the system data, as needed.

By default, this task runs every hour. This is to ensure that the association between your McAfee ePO system data and your McAfee Vulnerability Manager system data are kept up to date. You can change the maintenance schedule to suit your needs. You can also manually run this maintenance task.

Change the maintenance schedule

Use this task to change the maintenance schedule for the MVM: Maintain links between MVM and ePO systems task.

Task

For option definitions, click ? in the interface.

1 Select Menu | Automation | Server Tasks.

2 Click Edit for the task MVM: Maintain links between MVM and ePO systems.

3 Click Schedule.

4 Modify the schedule, then click Save.

Run the maintenance task manually

Use this task to manually run the MVM: Maintain links between MVM and ePO systems task.

Task

For option definitions, click ? in the interface.

1 Select Menu | Automation | Server Tasks.

2 Click Run for the task MVM: Maintain links between MVM and ePO systems.

Update the Foundstone Configuration Agent settings

Use this task to update the Foundstone Configuration Agent on your McAfee ePO server.

Task

For option definitions, click ? in the interface.

1 On the system tray, double-click the Foundstone Configuration Agent icon. If the Foundstone Configuration Agent icon does not appear in the system tray, you can open the agent window by double-clicking the FCAgentSettings.exe. This executable is located at C:\Program Files\McAfee\Vulnerability Manager Extension for ePO\FCM on default installations.

2 In the Foundstone Configuration Agent Settings dialog box, type the new server name or IP address for the McAfee Vulnerability Manager Configuration Manager. Also type the port number the McAfee Vulnerability Manager Configuration Manager listens on. The Bind to Local Interface settings are only used if your McAfee ePO server has multiple network cards and ports enabled. The Bind to Local Interface settings allow you to set which port your McAfee ePO server will use when communicating with the McAfee Vulnerability Manager Configuration Manager.

3 Click Apply, then click Close.

McAfee Vulnerability Manager dashboard monitors

There are two default dashboards for McAfee Vulnerability Manager, the McAfee Vulnerability Manager Summary and the McAfee Vulnerability Manager Web Assessment Summary.

Vulnerability Manager Summary Dashboard

The McAfee Vulnerability Manager Summary dashboard has six default monitors.

• FSE: Managed vs Unmanaged vs Infrastructure – A pie chart representing the Managed, Unmanaged, and Infrastructure assets on your network. Clicking on the list or part of the pie chart will display a list of the assets in the selected asset type (Managed, Unmanaged, Infrastructure).

    • Managed – Assets that have an ePO agent installed.

    • Unmanaged – Assets that do not have an ePO agent installed.

    • Infrastructure – Assets that do not allow an ePO agent to be installed. For example, a network printer.

• FSE: Top 10 Vulnerable Systems – A list of the most vulnerable assets (Managed, Unmanaged, or Infrastructure) on your network. Click on an asset to see further details about the selected asset.

• FSE: Top 10 Vulnerable Managed Systems – A list of the most vulnerable Managed assets on your network. Click on an asset to see further details about the selected asset.

• FSE: Top 10 Vulnerable Unmanaged Systems – A list of the most vulnerable Unmanaged assets on your network. Click on an asset to see further details about the selected asset.

• FSE: Top 10 Vulnerable Infrastructure Systems – A list of the most vulnerable Infrastructure assets on your network. Click on an asset to see further details about the selected asset.

• FSE: Foundscore Trend for Last 30 Days – A trend graph of the Foundscore for all assessed assets on your network, over the last 30 days. Click on an asset to see the Foundscore Trend table for a specific date.

Other summary monitors include:

• FSE: Imported Systems – A list of systems imported from a McAfee Vulnerability Manager server. The McAfee Vulnerability Manager server filter should be modified before use.

• FSE: Top 10 Vulnerable Systems with No Tag – A list of the most vulnerable systems without a tag on the System Tree, based on the Foundscore. Use this monitor to query McAfee Vulnerability Manager systems after these systems have been promoted to the System Tree.

Vulnerability Manager Web Assessment Summary Dashboard

The McAfee Vulnerability Manager Web Assessment Summary dashboard has five default monitors:

• FSE: Top 10 Vulnerable Host Systems By Web Vulnerability Count – A list of the most vulnerable systems running a web application, based on web vulnerabilities.

• FSE: Top 10 Vulnerable Web Assets – A list of the most vulnerable web applications on your network.

• FSE: Top 10 Vulnerable Web Asset Pages – A list of the most vulnerable web pages from all of the host systems running a web application.

NOTE: To view the vulnerabilities associated with each web application, use the system details or detected system details pages.

• FSE: Foundscore Trend for Web Assets for Last 30 Days – A trend graph of the Foundscore for all assessed web assets on your network, over the last 30 days. Clicking on the graph will show the Foundscore Trend table for a specific date.

• FSE: Top 10 Web Vulnerabilities – A list of the web vulnerabilities that affect the highest number of assets in your network.

Foundscore overview

Foundscore is a security ranking system that compares aspects of your environment against best practices in order to quantify your security risk. A full scan can earn a Foundscore value from 0 to 100.

NOTE: If the scan does not check for vulnerabilities, the top Foundscore value is 50 because it only detects running services and deducts the relevant points.

• A higher score reflects a more effective security posture (an environment with less risk).

• A low score indicates that your environment possesses more security weaknesses and, consequently, more risk.

These scores map to qualitative rankings that give you an idea of your environment's security posture.

Score Range – Ranking

0 - 25 – Poor

26 - 50 – Below Average

51 - 70 – Average

71 - 85 – Above Average

86 - 100 – Excellent


Detected system details

Option – Definition

Detected Systems Information

Agent GUID – The McAfee Agent ID for the asset.

Agent Version – The version number of the RSD agent on the agent.

Canonical Name – The name given to an asset by McAfee Rogue System Detection, based on the information provided by the asset. The canonical name is the first "non-null" value of:

• DNS Name

• Computer Name (NetBIOS Name)

• IP Address

• MAC Address

Comments – User entered comments. Click Edit Comment and then type a comment in the Actions Taken field. Click OK to save.

Computer Name – The Computer name for the asset.

Detection Source – The name of the product that gathered the asset information.

Device Type – Specifies the type of device detected.

DNS Name – The DNS name for the asset.

Domain – The domain the asset belongs to.

ePO Server Name – Specifies the name of the McAfee ePO server that manages this detected system.

Exception – Lists any exceptions applied to this asset.

Exception Category – Specifies which exception category this system belongs to.

Inactive – States whether or not the system is in an inactive state.

Is New Detection – States if a system is a new detection or not. A true statement means the system is new.

Last Agent Communication – The date and time of the last communication between the McAfee Rogue System Detection system and the RSD agent.

Last Detected IP Address – The IP address associated with the asset the last time a scan was run against the asset.

Last Detected MAC Address – The MAC address associated with the asset the last time a scan was run against the asset.

Last Detected Organization Name – The organization associated with the asset the last time a scan was run against the asset.

Last Detected Time – The date and time the last scan was run against the asset.

Managed – States whether or not the system is managed by a McAfee Agent.

NetBIOS Comment – Optional information entered when naming the computer.

OS Family – The specific OS name, including service pack level. For example: Windows XP (Service Pack 2).

OS Platform – The general OS type. For example: Microsoft, Linux.

OS Version – The specific OS type. For example: OS_WinXP for Windows XP.

OUI – Specifies the Organizationally Unique Identifier of the detected system.


Recorded Time – Specifies the time this system was first detected and recorded in the McAfee ePO database.

Rogue – These systems do not have a McAfee Agent.

Rogue Action – Shows the action taken by the McAfee Rogue System Detection system for this asset.

Rogue State – The status of the asset in the McAfee Rogue System Detection system.

Users – Lists all users associated with the asset.

Detected System Interfaces

Detection Source – The name of the product that gathered the asset information.

IP Address – The IP address for the asset.

Last Detected Time – The date and time the last scan was run against the asset.

MAC Address – The MAC address for the asset.

Organization Name – The organization name the asset is associated with.

Additional Detail for Managed Systems

Vulnerability Manager system detail

Criticality – Criticality levels indicate how important an asset is to your business, and the impact to your business should this asset become compromised. Criticality levels are set in McAfee Vulnerability Manager by an administrator.

• None – The criticality level has not been set.

• Low (1) – The lowest criticality; fixing the vulnerabilities on this host is a low priority when compared to others.

• Limited (2)

• Moderate (3)

• Significant (4)

• Extensive (5) – The highest criticality; fixing the vulnerabilities on this host should be the highest priority.

DNS Name – The DNS name for the asset.

ePO Agent GUID – The unique McAfee Agent identifier for the asset.

First Detected – The date the asset information was imported into the McAfee ePO database.

Foundscore – The current Foundscore value for the asset.

Has wireless access point – McAfee Vulnerability Manager checks assets for wireless access. Wireless connections can provide network access to arbitrary users, completely bypassing firewalls and other security devices. They can also expose your network traffic to anyone looking for it.

Import from Server – Lists the name of the server the information was gathered from.

IP Address – The IP address of the asset.

Last Changed – The last time the McAfee Vulnerability Manager system details changed for this system.

MAC Address – The MAC address of the asset.

Modified Date – The date the asset information was last updated or modified.

My Foundscore – The current My Foundscore value for the asset.


Open Ports – Lists open TCP and UDP ports on the asset. Clicking on a port number will take you to a services information page for the system.

Organization Name – The name of the McAfee Vulnerability Manager organization the system is associated with.

OS Major Category – The operating system type. For example: Windows, Linux.

OS Name – The specific OS type. For example: OS_WinXP for Windows XP.

OS Subcategory – The specific OS name, including service pack level. For example: Windows XP (Service Pack 2).

System Label – The System label for the asset.

System Name – The System name for the asset.

Vulnerabilities – Lists the number of threats the system is vulnerable to and not vulnerable to, based on the scan configuration. Clicking on a number takes you to a vulnerabilities information page for the system.

Workgroup – The Workgroup the asset is associated with.
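The Canonical Name, Criticality and Foundscore fields defined above are enough to build a remediation queue outside the console. The following is an added example, not code from the guide or from McAfee: it assumes asset records exported as dictionaries keyed by the guide's field names (the sample rows are constructed), and its ordering rule (highest Criticality first, then lowest Foundscore) is an assumption drawn from the definitions above.

```python
"""Added example: build a remediation queue from exported asset records.

Field names follow the guide; the records in SAMPLE are constructed.
"""

# Criticality levels as listed in the guide ("None" means not yet set).
CRITICALITY = {"None": 0, "Low": 1, "Limited": 2, "Moderate": 3,
               "Significant": 4, "Extensive": 5}

# Upper bound of each band in the guide's Score Range / Ranking table.
BANDS = [(25, "Poor"), (50, "Below Average"), (70, "Average"),
         (85, "Above Average"), (100, "Excellent")]

# Order in which the canonical name is chosen, per the guide.
NAME_FIELDS = ("DNS Name", "Computer Name", "IP Address", "MAC Address")


def canonical_name(record):
    """Return the first non-null name field, treating blank strings as null."""
    for field in NAME_FIELDS:
        value = (record.get(field) or "").strip()
        if value:
            return value
    return None


def foundscore_ranking(score, checks_vulnerabilities=True):
    """Map a Foundscore to its qualitative ranking.

    A scan that does not check for vulnerabilities tops out at 50, so a
    higher value for such a scan is rejected as inconsistent input.
    """
    ceiling = 100 if checks_vulnerabilities else 50
    if not 0 <= score <= ceiling:
        raise ValueError(f"Foundscore {score} is outside 0-{ceiling}")
    return next(label for upper, label in BANDS if score <= upper)


def triage(records):
    """Return (ranked, unassessed) lists of summary rows.

    ranked: assets with a criticality set, highest criticality first and,
    within a level, lowest Foundscore (most risk) first. This ordering is
    this example's assumption, not a rule stated by the guide.
    unassessed: assets whose criticality is "None"; they are kept apart so
    an unset level is not mistaken for a low one.
    """
    ranked, unassessed = [], []
    for rec in records:
        row = {
            "name": canonical_name(rec),
            "criticality": rec["Criticality"],
            "foundscore": rec["Foundscore"],
            "ranking": foundscore_ranking(rec["Foundscore"]),
        }
        target = ranked if CRITICALITY[rec["Criticality"]] else unassessed
        target.append(row)
    ranked.sort(key=lambda r: (-CRITICALITY[r["criticality"]], r["foundscore"]))
    unassessed.sort(key=lambda r: r["foundscore"])
    return ranked, unassessed


# Constructed sample records (not taken from any real scan).
SAMPLE = [
    {"DNS Name": "", "Computer Name": "HR-LAPTOP-07", "IP Address": "10.0.4.17",
     "MAC Address": "00:11:22:33:44:55", "Criticality": "Low", "Foundscore": 22},
    {"DNS Name": "db01.example.test", "Computer Name": "DB01",
     "IP Address": "10.0.1.10", "Criticality": "Extensive", "Foundscore": 64},
    {"DNS Name": None, "Computer Name": None, "IP Address": "10.0.9.200",
     "Criticality": "None", "Foundscore": 12},
    {"DNS Name": "web02.example.test", "IP Address": "10.0.1.22",
     "Criticality": "Extensive", "Foundscore": 31},
]

if __name__ == "__main__":
    ranked, unassessed = triage(SAMPLE)
    for row in ranked:
        print(row)
    print("criticality not set:", [r["name"] for r in unassessed])
```

Assets in the second list have the lowest Foundscore of the sample but no criticality assigned, which is why they are reported separately instead of being sorted to the bottom.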

Detected system interfaces

Option – Definition

Detection Source – The name of the product that gathered the asset information.

IP Address – The IP address for the asset.

Last Detected Time – The date and time the last scan was run against the asset.

MAC Address – The MAC address for the asset.

Organization Name – The organization name the asset is associated with.

Foundscore history details

Option – Definition

Date – The date and time of the selected Foundscore value.

Foundscore – The current Foundscore value for the asset.

My Foundscore – The current My Foundscore value for the asset.

McAfee Vulnerability Manager system detail

Option – Definition

Criticality – Criticality levels indicate how important an asset is to your business, and the impact to your business should this asset become compromised. Criticality levels are set in McAfee Vulnerability Manager by an administrator.

• None – The criticality level has not been set.

• Low (1) – The lowest criticality; fixing the vulnerabilities on this host is a low priority when compared to others.

• Limited (2)

• Moderate (3)

• Significant (4)

• Extensive (5) – The highest criticality; fixing the vulnerabilities on this host should be the highest priority.

DNS Name – The DNS name for the asset.

ePO Agent GUID – The unique McAfee Agent identifier for the asset.

First Detected – The date the asset information was imported into the ePO database.

Foundscore – The current Foundscore value for the asset.

Has wireless access point – McAfee Vulnerability Manager checks assets for wireless access. Wireless connections can provide network access to arbitrary users, completely bypassing firewalls and other security devices. They can also expose your network traffic to anyone looking for it.

Import from Server – Lists the name of the server the information was gathered from.

IP Address – The IP address of the asset.

Last Changed – The last time the McAfee Vulnerability Manager system details changed for this system.

MAC Address – The MAC address of the asset.

Modified Date – The date the asset information was last updated or modified.

My Foundscore – The current My Foundscore value for the asset.

Open Ports – Lists open TCP and UDP ports on the asset. Clicking on a port number will take you to a services information page for the system.

Organization Name – The name of the McAfee Vulnerability Manager organization the system is associated with.

OS Major Category – The operating system type. For example: Windows, Linux.

OS Name – The specific OS type. For example: OS_WinXP for Windows XP.

OS Subcategory – The specific OS name, including service pack level. For example: Windows XP (Service Pack 2).

System Label – The System label for the asset.

System Name – The System name for the asset.

Vulnerabilities – Lists the number of threats the system is vulnerable to and not vulnerable to, based on the scan configuration. Clicking on a number takes you to a vulnerabilities information page for the system.

Workgroup – The Workgroup the asset is associated with.


McAfee Vulnerability Manager systems

Option – Definition

Criticality – Criticality levels indicate how important an asset is to your business, and the impact to your business should this asset become compromised. Criticality levels are set in McAfee Vulnerability Manager by an administrator.

• None – The criticality level has not been set.

• Low (1) – The lowest criticality; fixing the vulnerability on this host is a low priority when compared to others.

• Limited (2)

• Moderate (3)

• Significant (4)

• Extensive (5) – The highest criticality; fixing the vulnerabilities on this host should be the highest priority.

DNS Name – The DNS name for the asset.

ePO Agent GUID – The McAfee Agent unique identifier for the asset.

Foundscore – Foundscore is a security ranking system that compares aspects of your environment against best practices in order to quantify your security risk.

Has wireless access point – McAfee Vulnerability Manager checks assets for wireless access. Wireless connections can provide network access to arbitrary users, completely bypassing firewalls and other security devices. They can also expose your network traffic to anyone looking for it.

IP address – The IP address for the asset.

MAC address – The MAC address for the asset.

My Foundscore – When you activate MyFoundscore and specify MyFoundscore metrics, the metrics apply to all scan configurations within the organization.

OS major category – The general OS type. For example: Microsoft, Linux.

OS name – The specific OS name, including service pack level. For example: Windows XP (Service Pack 2).

OS subcategory – The specific OS type. For example: OS_WinXP for Windows XP.

System label – The McAfee Rogue System Detection unique label for the asset.

System name – The McAfee Rogue System Detection unique name for the asset.

System type – The system type information from McAfee Rogue System Detection.

Workgroup – The name of the Workgroup the system is associated with.

McAfee Vulnerability Manager vulnerabilities

Option – Definition

Attack vector – The point from which an attack could occur.

Basic threat score – CVSS Base Score set by McAfee.


McAfee Vulnerability Manager web assets details

Option – Description

Created date – The date McAfee Vulnerability Manager first created the web asset information.

Criticality – Criticality levels indicate how important an asset is to your business, and the impact to your business should this asset become compromised. Criticality levels are set in McAfee Vulnerability Manager by an administrator.

• None – The criticality level has not been set.

• Low (1) – The lowest criticality; fixing the vulnerabilities on this host is a low priority when compared to others.

• Limited (2)

• Moderate (3)

• Significant (4)

• Extensive (5) – The highest criticality; fixing the vulnerabilities on this host should be the highest priority.

Foundscore – The current Foundscore value for the asset.

HTTP port – The HTTP port used by the web asset.

HTTPS port – The HTTPS port used by the web asset.

Indeterminate pages – The number of indeterminate pages discovered on the web asset. If a web page cannot be classified as Vulnerable or Not Vulnerable, it is labeled as Indeterminate.

Label – The system label for the web asset.

Modified date – The most recent date McAfee Vulnerability Manager updated or modified the web asset information.

My Foundscore – The current My Foundscore value for the asset.

Organization name – The name of the McAfee Vulnerability Manager organization the system is associated with.

URL – The full URL for the scanned web page.

URL domain – The domain the URL belongs to. Typically comes after the HTTP or HTTPS. For example: http://myhost.com/login, the domain would be "myhost.com".

URL path – The path used to access the web page. For example: http://myhost.com/forms/user/preferences.html, the path to get to User Preferences is "/forms/user/preferences.html".

URL port – The port used when accessing the URL.

URL protocol – The first part of the URL (examples: http or https) that determines the type of communication used to access the web asset.

Vulnerable pages – The number of vulnerable pages discovered on the web asset.


McAfee Vulnerability Manager web asset pages information

Option – Description

Created date – The date McAfee Vulnerability Manager first created the web asset information.

Modified date – The most recent date McAfee Vulnerability Manager updated or modified the web asset information.

URL – The full URL for the scanned web page.

Vulnerability count – The total number of web vulnerabilities discovered on this web page.

McAfee Vulnerability Manager web asset page vulnerabilities information

Option – Description

Created date – The date McAfee Vulnerability Manager first created the web asset information.

CVE – The CVE identifier for this web vulnerability.

NOTE: CVE-MAP-NOMATCH means there is no associated CVE identifier.

Faultline ID – Shows the FaultlineID related to the vulnerability, if available.

IAVA – Information Assurance Vulnerability Alert, an alert given by the Department of Defense (DoD).

Intrusive – States whether the vulnerability is intrusive or not. Intrusive vulnerabilities can disrupt the service of the asset.

Modified date – The most recent date Vulnerability Manager updated or modified the web asset information.

Module – The McAfee Vulnerability Manager module used for discovering this vulnerability.

MSFTID – The Microsoft Bulletin ID for this vulnerability.

MSKBID – Lists any associated Microsoft KnowledgeBase identifiers.

Observation – Provides additional information on how the vulnerability can be used to compromise a system, which types of software are vulnerable, and references to additional information for further research on the vulnerability.

Recommendation – McAfee's recommendations on how to remedy the vulnerability. Provides patch information and shows where to get additional information.

Risk – The McAfee Vulnerability Manager risk level for the threat:

• High – An attacker might gain privileged access (administrative, root) to the machine over a remote connection.

• Medium – An attacker might gain non-privileged (user) access to the machine over a remote connection.

• Low – The vulnerability provides enticement data to the attacker that can be used to launch a more informed attack against the target environment. It can indirectly lead to some form of remote connection access to the machine.

• Informational – The available data is less valuable to an attacker than that of a low risk vulnerability. You might not be able to address informational findings; they might be inherent to the network services or architecture in use.

SANS Top 20 – A true statement means this vulnerability has been identified by the Federal Bureau of Investigation as one of the top 20 most common vulnerabilities (both non-intrusive and intrusive checks).

Status – The current state of the vulnerability.

Vulnerability category description – A brief description of the vulnerability category.

Vulnerability category name – The category the vulnerability belongs to.

Vulnerability description – A brief description of the vulnerability.

Vulnerability name – The name of the vulnerability found on this web page.

McAfee Vulnerability Manager sitemap

Option – Description

Child page count – The number of child page links discovered. Child pages are web pages that can be accessed by using a hyperlink from this web page.

Created date – The date McAfee Vulnerability Manager first created the web page information.

Modified date – The most recent date McAfee Vulnerability Manager updated or modified the web page information.

Parent page count – The number of parent page links discovered. Parent pages are web pages that have hyperlinks that access this page.

URL – The URL path used to access this page.

Vulnerability count – The number of vulnerabilities discovered on this page.

Query type

Option – Definition

FSE: Foundscore Trend for Web Assets for Last 30 Days – A trend graph of the Foundscore for all assessed web assets on your network, over the last 30 days.

FSE: Vulnerability Manager Trend for Last 30 Days – A trend graph of the Foundscore for all assessed assets on your network, over the last 30 days.

FSE: Imported Systems – A list of systems imported from a McAfee Vulnerability Manager database.

FSE: Managed vs Unmanaged vs Infrastructure – A pie chart representing the Managed, Unmanaged, and Infrastructure assets on your network.

FSE: Top 10 Vulnerable Host Systems By Web Vulnerability Count – A list of the most vulnerable systems running a web application, based on web vulnerabilities.

FSE: Top 10 Vulnerable Infrastructure Systems – A list of the 10 most vulnerable infrastructure systems (McAfee Agent cannot be installed) on the network.

FSE: Top 10 Vulnerable Managed Systems – A list of the 10 most vulnerable managed systems (McAfee Agent installed) on the network.

FSE: Top 10 Vulnerable Systems – A list of the 10 most vulnerable systems (Managed, Unmanaged, or Infrastructure) on the network.

FSE: Top 10 Vulnerable Systems with no Tags – A list of the 10 most vulnerable systems without a tag on the system tree based on the Foundscore.

FSE: Top 10 Vulnerable Unmanaged – A list of the 10 most vulnerable Unmanaged systems (no McAfee Agent installed) on the network.

FSE: Top 10 Vulnerable Web Assets – A list of the most vulnerable web applications on your network.

FSE: Top 10 Vulnerable Web Asset Pages – A list of the most vulnerable web pages from all of the host systems running a web application.

FSE: Top 10 Web Vulnerabilities – A list of the web vulnerabilities that affect the highest number of assets in your network.

Service information

Service – Definition

Description – A description of the service.

Detail – The details of the service.

Port number – The port number being used by the service.

Protocol – The protocol being used by the service.

Service name – The identified service running on the asset.

Vulnerability details

Option – Definition

Buffer Overflow Protection Covered – States whether the asset has buffer overflow protection or not.

NOTE: An asset could be covered for buffer overflow vulnerabilities, but the coverage could be disabled.

Buffer Overflow Protection Enable – States whether the buffer overflow protection is enabled or disabled on an asset.

Category – The category affected by the vulnerability. Examples: Windows, Web, Miscellaneous.

Category Description – A description of the category affected by this vulnerability.

CVE – The CVE identifier for this vulnerability.

NOTE: CVE-MAP-NOMATCH means there is no associated CVE identifier.

Description – An overview of the vulnerability.

IAVA – Information Assurance Vulnerability Alert, an alert given by the Department of Defense (DoD).

IAVA Reference Number – The IAVA reference number for the given vulnerability.

Intrusive – States whether the vulnerability is intrusive or not. Intrusive vulnerabilities can disrupt the service of the asset.

Module – The McAfee Vulnerability Manager module used for discovering this vulnerability.

MSFTID – The Microsoft Bulletin ID for this vulnerability.

MSKBID – Lists any associated Microsoft KnowledgeBase identifiers.

Multiple CVE – Lists all CVE identifiers associated with this vulnerability.

Name – The name of the vulnerability.

Observation – Provides additional information on how the vulnerability can be used to compromise a system, which types of software are vulnerable, and references to additional information for further research on the vulnerability.

Recommendation – McAfee's recommendations on how to remedy the vulnerability. Provides patch information and shows where to get additional information.

Result – States whether the system is vulnerable, not vulnerable, or unknown.

Risk – The McAfee Vulnerability Manager risk level for the threat:

• High – An attacker might gain privileged access (administrative, root) to the machine over a remote connection.

• Medium – An attacker might gain non-privileged (user) access to the machine over a remote connection.

• Low – The vulnerability provides enticement data to the attacker that can be used to launch a more informed attack against the target environment. It can indirectly lead to some form of remote connection access to the machine.

• Informational – The available data is less valuable to an attacker than that of a low risk vulnerability. You might not be able to address informational findings; they might be inherent to the network services or architecture in use.

SANS Top 20 – A true statement means this vulnerability has been identified by the Federal Bureau of Investigation as one of the top 20 most common vulnerabilities (both non-intrusive and intrusive checks).

Status – The current state of the vulnerability.
