Detailed instructions for use are in the User's Guide.
[. . . ]
Walkthrough Guide, revision 2.0
ePolicy Orchestrator®
A product overview and quick set up in a test environment, version 3.6
McAfee System Protection®
Industry-leading intrusion prevention solutions
COPYRIGHT
Copyright © 2005 McAfee, Inc. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP DESIGN (STYLIZED E), DESIGN, (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products.
[. . . ]
The event categories that generate a notification message and the frequency with which notifications are sent are both highly configurable. This feature notifies specified individuals when the conditions of a rule are met. These conditions can include:
- Detection of a virus or other potentially unwanted program by your anti-virus software product. Although almost any anti-virus software product is supported, events from VirusScan Enterprise 8.0i include the IP address of the source attacker, so that you can isolate the system infecting the rest of your environment. For example, 1000 virus detected events are received within five minutes.
- Compliance events from McAfee System Compliance Profiler. For example, systems are found that are not current with the latest Microsoft patches.
- High-level compliance of ePolicy Orchestrator server events. For example, a replication task did not complete.
This feature also allows you to configure notification rules to execute command lines and launch registered executables when the specified conditions are met.
About Notifications
Before you plan the implementation of Notifications, you should understand how this feature works with ePolicy Orchestrator and its Directory.
Note: This feature does not follow the inheritance model of policy enforcement.
ePolicy Orchestrator® 3.6 Walkthrough Guide
ePolicy Orchestrator Notifications
When events occur on systems in your environment, they are delivered to the ePolicy Orchestrator server, and the notification rules (associated with the group or site that contains the affected systems and each parent above it) are applied to the events. If the conditions of any such rule are met, a notification message is sent, or an external command is run, per the rule's configurations. This design allows you to configure independent rules at the different levels of the Directory. These rules can have different:
- Thresholds used to send a notification message. For example, a site administrator wants to be notified if viruses are detected on 100 systems within 10 minutes on the site, but a global administrator does not want to be notified unless viruses are detected on 1000 systems within the same amount of time within the entire environment.
- Recipients for the notification message. For example, a site administrator wants to receive a notification message only if a specified number of virus detection events occur within the site. Or, a global administrator wants each site administrator to receive a notification message if a specified number of virus detection events occur within the entire Directory.
Throttling and aggregation
You can configure when notification messages are sent by setting thresholds based on aggregation and throttling.
Aggregation
Use aggregation to determine the thresholds of events at which the rule sends a notification message. For example, you can configure the same rule to send a notification message when the ePolicy Orchestrator server receives 100 virus detection events from different systems within an hour or whenever it has received 1000 virus detection events altogether from any system.
Throttling
Once you have configured the rule to notify you of a possible outbreak situation, you may want to use throttling to ensure you do not get too many notification messages. If you are administering a large network, then you may be receiving tens of thousands of events during an hour, creating thousands of notification messages based on such a rule. ePolicy Orchestrator Notifications allows you to throttle the number of notification messages you receive based on a single rule. For example, you can specify in this same rule that you don't want to receive more than one notification message in an hour. When using throttling, the notification message received contains a summary of events that occurred within the throttling period that would have triggered the rule otherwise.
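As an added example that is not part of the guide, the following Python models the rule behaviour described in the Directory and throttling sections above: aggregation thresholds (distinct systems within a window, or total events), throttling with a summary of suppressed events, and independent rules at each Directory level. The Rule, dispatch and run_scenario names, the one-hour throttle period and the sample event stream are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Rule:
    """One notification rule: aggregation thresholds plus a throttle (constructed model)."""
    name: str
    window_secs: int        # aggregation window for the distinct-system count
    distinct_systems: int   # fire when this many different systems report within the window
    total_events: int       # ...or when this many events have arrived altogether
    throttle_secs: int      # send at most one message per throttle period
    recent: list = field(default_factory=list)      # (ts, system) pairs inside the window
    total: int = 0
    last_sent: Optional[float] = None
    suppressed: int = 0     # triggering events swallowed by the throttle since the last message

    def observe(self, ts, system):
        """Return the notification text if the rule fires and is not throttled, else None."""
        self.total += 1
        self.recent = [(t, s) for t, s in self.recent + [(ts, system)] if ts - t < self.window_secs]
        systems = {s for _, s in self.recent}
        if len(systems) < self.distinct_systems and self.total < self.total_events:
            return None
        if self.last_sent is not None and ts - self.last_sent < self.throttle_secs:
            self.suppressed += 1      # throttled: fold into the next message's summary
            return None
        msg = f"{self.name}: {len(self.recent)} events from {len(systems)} systems in window"
        if self.suppressed:
            msg += f"; {self.suppressed} further triggering events since last message"
        self.last_sent, self.suppressed = ts, 0
        return msg

def dispatch(ts, system, site, rules_by_node, parents):
    """Apply the rules of the system's site and of every parent node independently (no inheritance)."""
    sent, node = [], site
    while node is not None:
        sent += [m for r in rules_by_node.get(node, []) if (m := r.observe(ts, system))]
        node = parents.get(node)
    return sent

def run_scenario():
    """Constructed Directory scenario: site rule fires at 100 systems in 10 min, global rule at 1000."""
    rules = {"SiteA": [Rule("SiteA admin", 600, 100, 10**9, 3600)],
             "Directory": [Rule("Global admin", 600, 1000, 10**9, 3600)]}
    parents = {"SiteA": "Directory", "Directory": None}
    sent = []
    for i in range(102):            # 102 systems report within two minutes: one message, two throttled
        sent += dispatch(i, f"sys{i}", "SiteA", rules, parents)
    for i in range(100):            # second wave after the throttle period: message carries the summary
        sent += dispatch(3700 + i, f"sys{i}", "SiteA", rules, parents)
    return sent
```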
Notification rules and Directory scenarios
To show how this feature functions with the Directory, two scenarios are used.
[. . . ]
Now that the sensor is deployed and installed, you are ready to configure a response for the feature to take on a rogue system when one is detected.
STEP 6: Configure an automatic response
You can configure automatic responses for ePolicy Orchestrator to execute on rogue systems that are detected. This feature offers considerable granularity in defining the actions to take and the conditions you can attach to them. For complete information, see the ePolicy Orchestrator 3.6 Product Guide. There are many situations where you may not want an automatic response to be taken. [. . . ]