P-McAfee ePO Virus Scan


This package covers the use cases for the McAfee VirusScan endpoint solution when it is managed by McAfee ePolicy Orchestrator (ePO) and fed into ArcSight ESM through the ePO SmartConnector.

Main Use Cases - User stories

This package supports Use Cases and User Stories for the following Activate Framework Packages:

L1 Malware Monitoring User Stories

  • Resolved Malware Events

  • Quarantined Malware Events

  • Unresolved Malware Events

  • Same Malware Infected Multiple Times a Host

  • Multiple Different Malware Infections in Host

L2 Malware Monitoring User Stories

  • Malware Outbreak (per malware)

  • Malware Outbreak in Zone

  • Malware Outbreak in DMZ Zone

  • Same Malware Infected Multiple Times a Critical Host

  • Same Malware Infected Several Hosts in Zone

  • Same Malware Infected Several Hosts in DMZ Zone

  • Several Different Malware Infection detected in Critical Host

  • Several Different Malware Infection detected in DMZ Zone

  • Unresolved Malware on Critical Host

  • Unresolved Malware on DMZ Host

L1 Entity Monitoring Use Cases

  • Entity Authentication
  • Entity Management

L2 Entity Monitoring Use Cases

  • Privileged User Account Authentication
  • Privileged User Account Management

Supported Log Sources

Here are the log source types supported by this package as delivered:

Vendor    Product                  Version(s)                     Comments
McAfee    ePolicy Orchestrator     VirusScan 8.8 / ePO 5.1 and 5.3

Package Download Instructions

The latest package can be downloaded from the Activate Marketplace.

Package Installation

Prerequisites

Ensure the following is complete:
  • Device and SmartConnector are configured as per the device configuration guide:

https://community.softwaregrp.com/t5/ArcSight-Connectors/SmartConnector-for-McAfee-ePolicy-Orchestrator-DB/ta-p/1584952
  • Activate Base Package version 2.4.0.0 or higher has been installed
  • Ensure that the ESM is set up to sort packages by their IDs, otherwise the package's resources may be imported in the wrong order:

    - Open the ESM server.properties file (<ARCSIGHT_HOME>\manager\config\server.properties)

    - Add the following line (or correct an existing entry for this key; a duplicate key with a different value makes the effective setting depend on the order of the lines):

    export.archive.reference.sort.order=id

  • For ESM in Compact Mode: restart the ESM Manager

    For ESM in Distributed Mode: restart the ESM Manager, Aggregator(s), and Correlator(s)
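The server.properties change above has to be applied on every ESM node that is restarted (Manager, Aggregators and Correlators in Distributed Mode), and a blind `echo >>` leaves duplicate keys behind on a re-run. The following is an added example, not part of the Activate package or of ArcSight: it sets the key idempotently, rewriting an existing active definition in place, dropping duplicates, and appending only when the key is absent. The file path is a parameter you supply; the function names and the sample property text are assumptions made for this example.

```python
"""Added example (not ArcSight's own tooling): idempotently set
export.archive.reference.sort.order=id in an ESM server.properties file."""
import re
from pathlib import Path

KEY = "export.archive.reference.sort.order"
VALUE = "id"


def ensure_property(text, key=KEY, value=VALUE):
    """Return (new_text, changed) for the contents of a Java .properties file.

    Java properties accept '=' or ':' as the separator and the LAST definition
    of a key wins, so an existing active line is rewritten in place and any
    later duplicate is removed instead of appending yet another copy.
    Commented-out lines ('#key=...') do not count as a definition.
    """
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*?)\s*$")
    out, found, changed = [], False, False
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            if found:            # a second definition: drop it
                changed = True
                continue
            found = True
            if m.group(1) != value:
                line = f"{key}={value}"
                changed = True
        out.append(line)
    if not found:                # key absent (or only commented out): append
        out.append(f"{key}={value}")
        changed = True
    return "\n".join(out) + "\n", changed


def ensure_property_in_file(path):
    """Apply ensure_property to a file on disk; returns True if it was rewritten."""
    p = Path(path)               # e.g. <ARCSIGHT_HOME>/manager/config/server.properties (assumed)
    text = p.read_text() if p.exists() else ""
    new_text, changed = ensure_property(text)
    if changed:
        p.write_text(new_text)
    return changed


if __name__ == "__main__":
    # Constructed sample: an existing entry with the wrong value plus a duplicate.
    sample = "acceptor.port=8443\n" + KEY + " = name\n" + KEY + "=id\n"
    print(ensure_property(sample)[0])
```

Run `ensure_property_in_file` once per node before the restart; a `False` return means the node already had the correct setting and needs no change.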

Package Installation Procedure


1. Download the P-McAfee ePO VirusScan zip file and extract it into your ArcSight Console's home directory (ARCSIGHT_HOME).
2. Open a command prompt and navigate to ARCSIGHT_HOME.
3. Execute the P-McAfee_ePO_VirusScan_1.1.0.0.bat file to install the package. [inst1.jpg]
4. You will be prompted for the Manager hostname and port, and for a username and password. The password is echoed in cleartext on the console, so run the installer from a trusted workstation where nobody can read the screen, and clear the window afterwards. [inst2.jpg]
5. After the installation the packages imported into ArcSight ESM are listed in the command prompt window; if anything goes wrong, the errors are displayed there as well. [inst3.jpg]
6. In the ArcSight Console Navigator panel, on the Packages tab, you will see the 2 installed packages. [inst4.jpg]
7. You can now delete the following files from ARCSIGHT_HOME:
  • P-McAfee_ePO_VirusScan_1.1.0.0.arb
  • P-McAfee_ePO_VirusScan_1.1.0.0.bat
 

Content Hooks for Product Packages

Follow the procedure below to hook this package's Product filters into the Activate L1 filters. The example uses the "All Quarantined Malware Events" filter and also shows how to hook multiple Product filters into the same L1 filter:


1. In the Navigator panel select Filters, expand the tree to /All Filters/ArcSight Activate/Solutions/Malware Monitoring/Indicators and Warnings/ and double-click the All Quarantined Malware Events filter. [hook1.jpg]
2. The filter opens in the Inspect/Edit panel. Select the Filter tab, select the event1 node and click Filters. In the window that opens select the McAfee All VirusScan Quarantined Malware filter and click OK to close the window. [hook3.jpg]
3. The McAfee All VirusScan Quarantined Malware filter now appears selected on the Filter tab. If there are multiple AV products in the environment, add each product's filter joined within an OR statement, so that an event matching any one of them satisfies the L1 filter. [hook4.jpg]
Use the above-mentioned steps to configure the following corresponding filters of L1-Malware Monitoring - Indicators and Warnings package:

For each L1-Malware Monitoring filter below, the first URI is the L1 resource and the following URI is the P-McAfee ePO VirusScan Product filter to hook into it:
All Quarantined Malware Events
  • /All Filters/ArcSight Activate/Solutions/Malware Monitoring/Indicators and Warnings/All Quarantined Malware Events
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Product Specific/AV Suspicious Events/McAfee All VirusScan Quarantined Malware
All Resolved Malware Events
  • /All Filters/ArcSight Activate/Solutions/Malware Monitoring/Indicators and Warnings/All Resolved Malware Events
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Product Specific/AV Suspicious Events/McAfee All VirusScan Resolved Malware
All Unresolved Malware Events
  • /All Filters/ArcSight Activate/Solutions/Malware Monitoring/Indicators and Warnings/All Unresolved Malware Events
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Product Specific/AV Suspicious Events/McAfee All VirusScan Unresolved Malware
Unsuccessful Scan Events
  • /All Filters/ArcSight Activate/Solutions/Malware Monitoring/Indicators and Warnings/Unsuccessful Scan Events
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/System Errors/McAfee Enterprise VirusScan OPS Scan Failed
Signatures Update Failure
  • /All Filters/ArcSight Activate/Solutions/Malware Monitoring/Indicators and Warnings/Signatures Update Failure
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/System Errors/McAfee Enterprise VirusScan OPS Update Failed

When configuring hooks for the L1-Entity Monitoring - Indicators and Warnings package, follow the steps below, which demonstrate how to hook 2 or more filters into the same L1 filter:

1. Double-click the /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Modification filter. [usermodification1.jpg]
2. On the Conditions tab, click the OR icon. Then click the Filters icon and, in the window that opens, select both the /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Entity Management/ePO User Changed Permission Sets filter and the /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Entity Management/ePO User Updated filter, then click OK. [usermodification2.jpg]
3. The 2 Product filters now appear OR'ed inside the L1 filter. Click OK to save the filter. [usermodification3.jpg]

Use the above-mentioned steps to configure the following corresponding filters of L1-Entity Monitoring - Indicators and Warnings package:

For each L1-Entity Monitoring filter below, the first URI is the L1 resource and the following URI(s) are the P-McAfee ePO VirusScan Product filters to hook into it:
User Account Logon
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Entity Authentication/ePO User Successful Log On
User Account Logon Failure
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon Failure
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Entity Authentication/ePO User Failed Log On
User Account Logoff
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logoff
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Entity Authentication/ePO User Log Off
User Account Modification
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Modification
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Entity Management/ePO User Changed Permission Sets
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Entity Management/ePO User Updated
User Account Created
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Created
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Entity Management/ePO User Created
User Account Deleted
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Deleted
  • /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - VirusScan/Entity Management/ePO User Removed

Package Uninstallation

NOTE: Before uninstalling this package, remove every hook you configured on the L1 package filters (see Content Hooks for Product Packages above). Otherwise those L1 resources will be left BROKEN, because they reference P-McAfee ePO VirusScan resources (filters) that no longer exist.

1. In Packages tab, select and right click both, the P-McAfee ePO VirusScan and the P-McAfee ePO VirusScan - Active Lists packages and select Uninstall Packages. uninstall1.jpg
2. Click OK to begin the Uninstall process. uninstall2.jpg
3. After the Uninstall is complete click OK to close the dialog box. uninstall3.jpg
4. To delete the packages, select both of them, right click and select Delete Packages. uninstall4.jpg

Test Plan

The PMcAfeeEpoTestPlan topic describes the methodology for testing this package.

Extensibility

The McAfee All VirusScan Quarantined Malware, McAfee All VirusScan Resolved Malware and McAfee All VirusScan Unresolved Malware filters base their detection on ePO event IDs stored in corresponding active lists under the URI /All Active Lists/ArcSight Activate/Core/Product Active Lists/McAfee ePO - VirusScan/Product Specific. An event whose ID is in none of the lists matches none of the three filters, so if event IDs need to be added to, removed from or changed in these active lists, do it through the ArcSight Console:

1. In the Navigator panel, select Lists from the drop-down menu, go to the URI /All Active Lists/ArcSight Activate/Core/Product Active Lists/McAfee ePO - VirusScan/Product Specific, right-click the desired active list and select Show Entries from the context menu. [config1.jpg]
2. The Viewer panel shows the entries of the selected active list. To remove an entry, right-click it and select Delete; to modify it, select Edit, make the required changes in the Inspect/Edit panel and click Modify. [config2.jpg]
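To make the lookup concrete, the following is an added example written for this page; it is not ArcSight content and not part of the Activate package. It models the three active lists as Python sets, classifies events by looking up their ePO event ID the way the three Product filters do, and then evaluates a few of the L1/L2 Malware Monitoring stories listed above (same malware repeatedly on one host, outbreak across hosts, unresolved malware on a critical host) over a handful of constructed events. The event IDs, the thresholds, the critical-host set, the field names and the sample events are all placeholders invented for the example; take the real IDs from the package's active lists.

```python
"""Added example (not from the Activate package): ePO event classification
by active-list lookup, plus the repeat/outbreak/unresolved stories on top."""
from collections import Counter, defaultdict

# Constructed stand-ins for the three active lists under
# /All Active Lists/ArcSight Activate/Core/Product Active Lists/McAfee ePO - VirusScan/Product Specific
# (placeholder IDs; the real lists ship with the package).
ACTIVE_LISTS = {
    "quarantined": {"1034", "1038"},
    "resolved":    {"1027", "1035"},
    "unresolved":  {"1024", "1025"},
}

# Constructed sample events using ArcSight-style field names; "threatName"
# stands in for whichever custom string the connector maps the threat name to.
SAMPLE_EVENTS = [
    {"deviceEventClassId": "1034", "destinationHostName": "ws-01",    "threatName": "Trojan.A"},
    {"deviceEventClassId": "1027", "destinationHostName": "ws-01",    "threatName": "Trojan.A"},
    {"deviceEventClassId": "1034", "destinationHostName": "ws-01",    "threatName": "Trojan.A"},
    {"deviceEventClassId": "1034", "destinationHostName": "ws-02",    "threatName": "Trojan.A"},
    {"deviceEventClassId": "1024", "destinationHostName": "ws-03",    "threatName": "Trojan.A"},
    {"deviceEventClassId": "1025", "destinationHostName": "ws-db-01", "threatName": "Worm.B"},
    {"deviceEventClassId": "5000", "destinationHostName": "ws-04",    "threatName": "Worm.B"},  # not in any list
    {"deviceEventClassId": "1035", "destinationHostName": "ws-05",    "threatName": "Worm.B"},
]


def classify(event_id):
    """Return which Product filter an ePO event ID satisfies, or None if unlisted."""
    for name, ids in ACTIVE_LISTS.items():
        if event_id in ids:
            return name
    return None


def tally(events):
    """Count events per category; unlisted IDs are reported so list gaps are visible."""
    return Counter(classify(e["deviceEventClassId"]) or "unlisted" for e in events)


def same_malware_multiple_times_on_host(events, threshold=3):
    """L1 story 'Same Malware Infected Multiple Times a Host' (threshold assumed)."""
    counts = Counter(
        (e["destinationHostName"], e["threatName"])
        for e in events if classify(e["deviceEventClassId"])
    )
    return sorted(key for key, n in counts.items() if n >= threshold)


def malware_outbreak(events, threshold=3):
    """L2 story 'Malware Outbreak (per malware)': one threat on >= threshold distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if classify(e["deviceEventClassId"]):
            hosts[e["threatName"]].add(e["destinationHostName"])
    return sorted(name for name, h in hosts.items() if len(h) >= threshold)


def unresolved_on_hosts(events, critical_hosts):
    """L2 story 'Unresolved Malware on Critical Host' for a given critical-host set."""
    return sorted({
        e["destinationHostName"] for e in events
        if classify(e["deviceEventClassId"]) == "unresolved"
        and e["destinationHostName"] in critical_hosts
    })


if __name__ == "__main__":
    print(tally(SAMPLE_EVENTS))
    print(same_malware_multiple_times_on_host(SAMPLE_EVENTS))
    print(malware_outbreak(SAMPLE_EVENTS))
    print(unresolved_on_hosts(SAMPLE_EVENTS, {"ws-db-01"}))
```

The "unlisted" count in `tally` is the check worth keeping: an event ID that is in none of the three lists is silently invisible to every L1 story, so when ePO is upgraded or new threat event IDs appear, compare the IDs the connector actually delivers against the lists before trusting the dashboards.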

Resources

The link below contains a table of all resources included in this package:
Topic revision: r10 - 18 Aug 2018, OswaldoDimas