Product Guide Revision A McAfee ® Global Threat Intelligence Proxy 2.0.0 For use with ePolicy Orchestrator ® 4.6.0 Software

Upload: nguyendiep

Post on 10-Mar-2018


Product Guide
Revision A

McAfee® Global Threat Intelligence™ Proxy 2.0.0
For use with ePolicy Orchestrator® 4.6.0 Software


COPYRIGHT

Copyright © 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation

1 Introducing McAfee Global Threat Intelligence Proxy
  About Global Threat Intelligence
  About McAfee GTI Proxy
    McAfee ePO and McAfee GTI Proxy and how they work together
    McAfee GTI Proxy features
    File reputation lookup process
    Performance estimates
    McAfee GTI Proxy Appliance security

2 Install McAfee GTI Proxy
  System requirements
  Ports information
  The installation process
  Download the installation package
  Install McAfee GTI Proxy
    Deploy the virtual image of the proxy appliance
    Initial configuration
    Set up the McAfee Agent on the proxy appliance
  Install McAfee ePO components for the proxy appliance
    Install the McAfee GTI Proxy package
    Deploy the Global Threat Intelligence Proxy Appliance plug-in
    Deploy the Global Threat Intelligence Proxy Agent plug-in
  Upgrade McAfee GTI Proxy
    The upgrade process
    Install the McAfee GTI Proxy package
    Deploy the Global Threat Intelligence Proxy Appliance plug-in
    Deploy the Global Threat Intelligence Proxy Agent plug-in
    Deploy the latest McAfee GTI Proxy virtual image to replace McAfee GTI Proxy 1.1
  Apply a patch to the proxy appliance
  Confirm VirusScan Enterprise can process file reputation lookup requests
  Uninstall the McAfee GTI Proxy plug-ins
    Uninstall the McAfee GTI Proxy Agent plug-in from VirusScan Enterprise
  Remove the McAfee GTI Proxy package from McAfee ePO
    Delete plug-in client tasks from McAfee ePO
    Remove the McAfee GTI Proxy Appliance plug-in from McAfee ePO
    Remove the McAfee GTI Proxy Agent plug-in from McAfee ePO
    Remove the McAfee GTI Proxy Appliance extension from McAfee ePO
    Remove the McAfee GTI Proxy Agent extension from McAfee ePO
  Remove the virtual image of McAfee GTI Proxy

3 Configure the McAfee GTI Proxy Appliance
  Configure the proxy appliance for lookup requests
    Configure communication between the proxy appliance and Global Threat Intelligence service
    Configure fallback servers on the McAfee GTI Proxy Agent
    Configure tiered proxy appliance access
  Set up access to the proxy appliance using authentication keys
    Set up SSH using an existing public/private key pair
    Set up SSH using a new public/private key pair
  Configure permissions for users accessing the proxy appliance in McAfee ePO
  Configure performance data settings for the proxy appliance
    Configure performance data collection interval
    Configure performance log purging and archiving

4 Custom GTI file reputation scores
  Set up secure authentication for custom GTI file reputation scores
  Configure custom GTI file reputation scores
    Add custom GTI file reputation scores in a batch
    Add custom GTI file reputation scores manually
    Apply custom GTI file reputation score collections to a proxy appliance
    Edit custom GTI file reputation scores
    Delete a custom GTI file reputation score collection
    Remove assigned custom GTI file reputation score collections
  Verify custom GTI file reputation score setup
  Resolve custom GTI file reputation score conflicts
  Export a custom GTI file reputation scores collection
  Export a command file containing the custom GTI file reputation scores
  Import a command file to a proxy appliance
  Display custom GTI file reputation score collection details

5 Update the McAfee Linux Operating System
  Configure the proxy appliance to get MLOS updates from a server
  Apply the McAfee Linux Operating System Updates

6 McAfee GTI Proxy diagnostics
  Diagnostics on the proxy appliance
    Check proxy appliance status
    How to restart or shut down the proxy appliance
    Check the keyboard settings are configured correctly
    Lookup request diagnostics
    Plug-in diagnostics
    McAfee Agent diagnostics
    McAfee Linux Operating System (MLOS) diagnostics
  Diagnostics in McAfee ePO
    Proxy agent diagnostics
    Check the managed Global Threat Intelligence Proxy Appliance plug-in installation
    Check the proxy appliance status in McAfee ePO
    How to start and stop the proxy appliance in McAfee ePO

7 McAfee GTI Proxy Appliance logs
  Pulling proxy appliance logs
    How to pull a log that exceeds the size limit
    Pull system logs
    Pull proxy appliance logs
    Pull plug-in logs
  Purging proxy appliance logs
    Purge proxy appliance logs
    Purge performance logs
    Purge proxy appliance syncd logs
  Proxy appliance logs for debugging
    View CMA logs
    View plug-in logs

8 McAfee GTI Proxy Appliance reports
  About reports
  View the McAfee GTI Proxy Agent coverage and performance reports
    Archive proxy appliance performance report records
    Delete the proxy appliance performance report records
  View the proxy appliance average response time report
  Create a dashboard for the proxy appliance
  Create a dashboard for the custom GTI file reputation score key pair mapping

A Frequently asked questions

Index


Preface

This guide provides the information you need for all phases of product use, from installation to configuration to troubleshooting.

Contents
• About this guide
• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Security officers — People who determine sensitive and confidential data, and define the corporate policy that protects the company's intellectual property.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input or Path: Commands and other text that the user types; the path of a folder or program.

Code: A code sample.

User interface: Words in the user interface including options, menus, buttons, and dialog boxes.

Hypertext blue: A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

| To access... | Do this... |
|---|---|
| User documentation | 1 Click Product Documentation. 2 Select a product, then select a version. 3 Select a product document. |
| KnowledgeBase | • Click Search the KnowledgeBase for answers to your product questions. • Click Browse the KnowledgeBase for articles listed by product and version. |


1 Introducing McAfee Global Threat Intelligence Proxy

McAfee® Global Threat Intelligence™ (McAfee GTI) Proxy allows McAfee® VirusScan® Enterprise endpoints to perform file reputation queries without needing direct access to the Global Threat Intelligence service.

Use McAfee GTI Proxy when network restrictions or DNS restrictions prevent your VirusScan Enterprise endpoints from sending queries to the Global Threat Intelligence service to enable file reputation protection. VirusScan Enterprise endpoints have an agent installed that configures them to make the file reputation requests through the McAfee GTI Proxy Appliance.

McAfee GTI Proxy file reputation provides almost real‑time protection against known and unknown threats in .pdf and .exe files.

McAfee GTI Proxy is managed through McAfee® ePolicy Orchestrator® (McAfee ePO™).

With McAfee GTI Proxy you get the same level of file reputation protection as you would if you connect your endpoints directly to the Global Threat Intelligence service.

Contents
• About Global Threat Intelligence
• About McAfee GTI Proxy

About Global Threat Intelligence

Using Global Threat Intelligence technologies, McAfee is able to obtain data from all threat areas. This data aids in understanding the details within attacks so that Global Threat Intelligence can help protect your organization from known and future electronic security threats.

Figure 1-1 Global Threat Intelligence technologies


Global Threat Intelligence enables McAfee products to protect customers against both known and emerging electronic threats across all threat areas:

• File reputation — File reputation service to protect against malware‑based threats

• Web reputation — URL and web domain reputation service to protect against web‑based threats

• Network connection reputation — IP address, network port, and communications protocol reputation service to protect against network threats

• Message reputation — Message and sender reputation service to protect against message‑based threats

These technologies work together to provide information about the threats and vulnerabilities, which gives Global Threat Intelligence the ability to predictively adjust reputations across all threat areas and thereby avoid attacks.

About McAfee GTI Proxy

McAfee GTI Proxy comprises components that include the McAfee GTI Proxy Appliance (sometimes referred to as the proxy appliance) and a package for McAfee ePO.

• McAfee GTI Proxy Appliance — Virtual appliance that performs the file reputation lookups on VirusScan Enterprise endpoints

• McAfee ePO — Provides management and control of the entire McAfee GTI Proxy Appliance

McAfee ePO and McAfee GTI Proxy and how they work together

Use McAfee ePO to configure, manage, monitor, and control the McAfee GTI Proxy and its interaction with VirusScan Enterprise endpoints.

There are four McAfee GTI Proxy components in McAfee ePO:

• Global Threat Intelligence Proxy Agent extension — Allows you to configure and manage VirusScan Enterprise endpoints

• Global Threat Intelligence Proxy Agent plug‑in — Allows McAfee ePO to communicate with VirusScan Enterprise

• Global Threat Intelligence Proxy Appliance extension — Allows you to interact with and manage the proxy appliance

• Global Threat Intelligence Proxy Appliance plug‑in — Allows McAfee ePO to communicate with the proxy appliance

All of the components are installed in one step using the Install Extension feature in McAfee ePO.

You can also use McAfee ePO to:

• Configure the proxy appliance to communicate with the Global Threat Intelligence cloud‑based service.

• Manage log files on the proxy appliance.

• Manage the proxy appliance process: query the proxy appliance's status and perform operations such as start and stop.

• Provide reports on the proxy appliance's performance.

• Provide reports for the VirusScan Enterprise endpoints that are configured to use the McAfee GTI Proxy Appliance.


See also
• Install McAfee GTI Proxy on page 16
• Install McAfee ePO components for the proxy appliance on page 24
• Check the proxy appliance status in McAfee ePO on page 91

McAfee GTI Proxy features

The McAfee GTI Proxy performs file reputation lookups and offers services to set up and manage the proxy appliance.

McAfee GTI Proxy Appliance is delivered as a virtual image using the McAfee Linux Operating System (MLOS). MLOS is the McAfee‑managed distribution of Red Hat Linux.

• The proxy appliance performs file reputation lookup requests from VirusScan Enterprise endpoints on the enterprise network; there are two processes (gtiproxy and syncd) running on the system to service the file reputation lookup requests.

• McAfee GTI Proxy supports the creation of custom McAfee GTI file reputation scores that override the file reputation response from the Global Threat Intelligence service.

• The proxy appliance caches file reputation lookup responses. The file reputation information is cached for a period of time determined by the Global Threat Intelligence service, and the file reputation information is valid for any additional lookups during that time. When the information in the cache expires, the proxy appliance connects to the Global Threat Intelligence service to perform a new lookup and update the cache.

• McAfee GTI Proxy provides tiered support for multiple McAfee GTI Proxy Appliances on the enterprise network.

File reputation lookup process

The McAfee GTI Proxy Appliance acts as a central controller within an enterprise network to perform file reputation lookup requests for VirusScan Enterprise endpoints.

Figure 1-2 File reputation lookup request process

Step in the request process

Description

The VirusScan Enterprise endpoint initiates a file reputation lookup request.

McAfee GTI Proxy Appliance sends the request if the cache does not contain an entry that is within the caching period time value. If an entry for the file reputation is present and has not expired, then the proxy appliance immediately sends the information back to the VirusScan Enterprise endpoint.

McAfee Global Threat Intelligence service processes the request.

McAfee Global Threat Intelligence service sends the file reputation information back to the McAfee GTI Proxy Appliance.

McAfee GTI Proxy Appliance caches the file reputation information and sends the information to the VirusScan Enterprise endpoint.

VirusScan Enterprise endpoint receives the file reputation.

When the VirusScan Enterprise endpoint initiates another file reputation lookup request after the cache expires, the McAfee GTI Proxy Appliance initiates a new lookup to the McAfee Global Threat Intelligence service and updates the cache. The cache is updated only when a new request is initiated after the cache period has expired; it is not updated automatically. The update process keeps the McAfee GTI Proxy Appliance synchronized with information from the McAfee Global Threat Intelligence service.
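The lookup flow described above, modeled as an added example (not McAfee code and not part of the original guide). It shows that a reputation change at the service stays invisible to endpoints until the cached entry expires and a new request arrives. The verdict labels, the 300-second caching period, the sample identifier and the order in which custom scores are checked are assumptions made for illustration.

```python
"""Toy model of the proxy appliance lookup flow (illustrative only)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

SAMPLE = "sample-file-hash"   # constructed identifier, not a real hash
CACHING_PERIOD = 300          # seconds; assumed value, the guide gives none


@dataclass
class ProxyModel:
    # upstream(file_hash) -> (verdict, caching_period); stands in for the GTI service
    upstream: Callable[[str], Tuple[str, int]]
    # clock() -> current time in seconds; injected so the run is deterministic
    clock: Callable[[], int]
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    custom_scores: Dict[str, str] = field(default_factory=dict)
    upstream_calls: int = 0

    def lookup(self, file_hash: str) -> Tuple[str, str]:
        """Return (verdict, source); source is 'custom', 'cache' or 'upstream'."""
        # Assumption: custom scores are consulted first, because the guide
        # says they override the response from the service.
        if file_hash in self.custom_scores:
            return self.custom_scores[file_hash], "custom"

        now = self.clock()
        entry = self.cache.get(file_hash)
        if entry is not None and now < entry[1]:
            # Entry is still inside its caching period: answer locally.
            return entry[0], "cache"

        # No entry, or the entry expired: only now is the service contacted.
        verdict, period = self.upstream(file_hash)
        self.upstream_calls += 1
        self.cache[file_hash] = (verdict, now + period)
        return verdict, "upstream"


def run_demo() -> Tuple[List[Tuple[int, str, str]], ProxyModel]:
    """Replay a constructed timeline in which the service changes its verdict."""
    state = {"now": 0, "verdict": "unknown"}

    def upstream(_file_hash: str) -> Tuple[str, int]:
        return state["verdict"], CACHING_PERIOD

    proxy = ProxyModel(upstream=upstream, clock=lambda: state["now"])

    # (time of endpoint request, verdict change at the service or None)
    events = [(0, None), (100, "malicious"), (299, None), (300, None), (400, None)]
    timeline = []
    for when, changed_verdict in events:
        state["now"] = when
        if changed_verdict is not None:
            state["verdict"] = changed_verdict
        verdict, source = proxy.lookup(SAMPLE)
        timeline.append((when, verdict, source))
    return timeline, proxy


if __name__ == "__main__":
    timeline, proxy = run_demo()
    for when, verdict, source in timeline:
        print(f"t={when:>3}s verdict={verdict:<9} source={source}")
    print("service lookups:", proxy.upstream_calls)
```

In this run the service changes its verdict at t=100 s, but endpoints keep receiving the cached answer until the first request at or after t=300 s.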

See also
• Check the proxy appliance status in McAfee ePO on page 91
• Install McAfee ePO components for the proxy appliance on page 24

Performance estimates

McAfee GTI Proxy processes file reputation requests almost as if you were connected directly to the Global Threat Intelligence service.

Request processing estimates

A single McAfee GTI Proxy Appliance (installed on the specified VMware environment) can typically process requests from 100,000 VirusScan Enterprise endpoints that are enabled for file reputation requests. Each McAfee GTI Proxy Appliance can support up to 25,000 requests per second.

The use of a cache speeds up the rate at which the McAfee GTI Proxy Appliance can issue responses.

Network traffic estimates

The network traffic generated by file reputation queries is light.

If the file reputation sensitivity is set to Very Low or Low, you can expect an average of 10 to 15 queries per day for each VirusScan Enterprise endpoint. If the sensitivity is set to Medium, High, or Very High you can expect an average of 40 to 50 queries per day for each endpoint.

See also
• McAfee GTI Proxy features on page 11

McAfee GTI Proxy Appliance security

To make it as secure as possible, McAfee GTI Proxy Appliance installs only those operating system components that are needed.


2 Install McAfee GTI Proxy

This chapter provides instructions for installing, upgrading, and uninstalling all necessary components for McAfee GTI Proxy.

Contents
• System requirements
• Ports information
• The installation process
• Download the installation package
• Install McAfee GTI Proxy
• Install McAfee ePO components for the proxy appliance
• Upgrade McAfee GTI Proxy
• Apply a patch to the proxy appliance
• Confirm VirusScan Enterprise can process file reputation lookup requests
• Uninstall the McAfee GTI Proxy plug-ins
• Remove the McAfee GTI Proxy package from McAfee ePO
• Remove the virtual image of McAfee GTI Proxy

System requirements

Before you install McAfee GTI Proxy, make sure you understand what you need to install to run it.

Table 2-1 McAfee GTI Proxy Appliance requirements

| Component | Requirements |
|---|---|
| VMware | VMware Workstation 8.x; VMware ESX 4.x; VMware ESXi 4.x/5.x |
| Disk | Minimum of 35 GB available |
| Memory | Minimum of 2 GB available |
| CPU | 64‑bit CPU |

McAfee recommends that you have a sufficient understanding of VMware to install the McAfee GTI Proxy Appliance image.

To install the McAfee GTI Proxy components in McAfee ePO, ensure your system meets the following requirements.


Table 2-2 McAfee ePO requirements for McAfee GTI Proxy

| Item | Requirements |
|---|---|
| McAfee ePO | McAfee ePO 4.6 for Microsoft Windows |
| McAfee GTI Proxy Agent (extension and plug‑in) | McAfee® Agent 4.6 for Microsoft Windows; VirusScan Enterprise 8.7 with DAT release version 6338 or later and Engine 5400 or later; VirusScan Enterprise 8.8 with DAT release version 6472 or later and Engine 5400 or later |
| McAfee GTI Proxy Appliance (extension and plug‑in) | McAfee® Agent 4.6 for Linux |

McAfee recommends that you have a sufficient understanding of McAfee ePO to load the McAfee GTI Proxy Appliance extension, push the McAfee ePO agents, and manage the McAfee GTI Proxy Appliance.

Ports information

To implement McAfee GTI Proxy in your environment, you will need to open the following ports.

See KB66797 for more information on port usage in McAfee ePO.

Table 2-3 Ports

| Requirement | Port number |
|---|---|
| From VirusScan Enterprise to McAfee GTI Proxy Appliance | 53 (UDP access). Port 53 is fixed for this communication and cannot be changed. |
| From McAfee ePO and McAfee GTI Proxy Appliance for configuration | 8081 |
| From McAfee GTI Proxy Appliance to McAfee ePO for reporting | 443 |
| Console‑based configuration of McAfee GTI Proxy Appliance | 22 TCP (over SSH) |
| From McAfee ePO and McAfee GTI Proxy Appliance for agent wake‑up calls | 8081 |
| From McAfee GTI Proxy Appliance to the McAfee GTI cloud | 53 or 443 (UDP or DTLS). Uses port 80 to verify the SSL connection and certificates when the communication starts. A Certificate Revocation List (CRL) is necessary. |
| From McAfee GTI Proxy Appliance to the McAfee GTI Cloud for MLOS updates | 22 TCP (over SSH). This is the same to go from a McAfee GTI Proxy Appliance to another McAfee GTI Proxy Appliance to retrieve MLOS updates. |


McAfee GTI Proxy supports two methods of access. The method you choose dictates which port you need to open:

• UDP access — port 53; provides access similar to access given between a VirusScan Enterprise endpoint with no McAfee GTI Proxy Appliance installed

• DTLS access — port 443‑UDP; provides access using the UDP protocol over SSL

The installation process

You will install and configure several components during the McAfee GTI Proxy installation process.

1 Download the installation package.

2 Deploy the McAfee GTI Proxy virtual appliance image.

3 Perform initial configuration tasks on the proxy appliance virtual image.

4 Install the McAfee Agent on the proxy appliance.

5 Install McAfee ePO components for the proxy appliance.

a Install the proxy appliance extensions on McAfee ePO.

b Deploy the proxy appliance plug‑ins.

6 Verify that the VirusScan Enterprise endpoints can process file reputation lookup requests.

Download the installation package

Download the installation package for McAfee GTI Proxy.

Before you begin

You will need your McAfee VirusScan Enterprise grant number to download McAfee GTI Proxy. VirusScan Enterprise is also part of several McAfee product bundles. The grant number associated with each bundle provides access to the McAfee downloads page.

The download includes:

GTI Proxy Package.zip — The installation file that you download from the McAfee downloads page, which contains all necessary installation files:

• GTIPA.zip — The McAfee GTI Proxy virtual appliance software

• GTI Proxy.zip — The McAfee ePO extensions and plug‑ins installation package

Task

1 Open a web browser and go to the McAfee downloads page at www.mcafee.com/us/downloads.

2 Use your McAfee license grant number to log on and download the appropriate version of the McAfee GTI Proxy installation package.

3 Select the directory where you want to save the installation file and click OK.

Extract the GTIPA.zip and GTI Proxy.zip files from the installation package. You will use these files in later installation tasks.


Install McAfee GTI Proxy This section describes how to install the McAfee GTI Proxy using VMware and the McAfee Agent.To perform the tasks in this section effectively, you need to be familiar with the VMware environmentand McAfee ePO.

This document does not provide detailed information about installing or using McAfee ePO or VMwaresoftware. See the VMware and McAfee ePO product documentation for more information.

After you install the McAfee GTI Proxy virtual image, you must complete the initial configuration taskson the McAfee GTI Proxy Appliance before proceeding with the McAfee Agent and the McAfee ePOcomponents installation.

Tasks

• Deploy the virtual image of the proxy appliance: McAfee GTI Proxy is delivered as a virtual image that you need to convert and deploy.

• Initial configuration: You must complete the configuration tasks in this section before proceeding with the installation. Initial configuration tasks include setting up the network configuration, setting the time zone, and setting the date and time.

• Set up the McAfee Agent on the proxy appliance: To manage the McAfee GTI Proxy Appliance through McAfee ePO, you need to install the McAfee Agent on the proxy appliance.

See also: Upgrade McAfee GTI Proxy

Deploy the virtual image of the proxy appliance

McAfee GTI Proxy is delivered as a virtual image that you need to convert and deploy.

Before you begin

You should have already downloaded and unzipped the installation package, which includes the GTIPA.zip file used in this task.

The McAfee GTI Proxy virtual image is delivered in OVF format, which allows a single deliverable while satisfying multiple VMware product requirements for the conversion process.

Task

1 Log on to the system where you will install the proxy appliance virtual image.

2 Extract the GTIPA.ovf package from the GTIPA.zip file.

3 Convert the .ovf package to one of the supported VMware versions.

4 Set up the McAfee GTI Proxy virtual image by following the installation instructions for the version of VMware you choose to use. The version must be one of those specified in the system requirements of this document.

5 To verify the McAfee GTI Proxy software is installed on the VMware image:

a Log on to the McAfee GTI Proxy Appliance as gtip with the default password (provided in the password.txt file available from the download site).

b Type the command rpm -q mfegtiproxy, then press Enter.

The installed McAfee GTI Proxy Appliance package is shown with the current version.

c Type the command rpm -q MFErt, then press Enter.

The installed MFErt package is shown with the current version.

d Type the command rpm -q mfemer, then press Enter.

The installed mfemer package is shown with the current version.

McAfee recommends that you change the gtip user password. To do so, type password, then press Enter.

Initial configuration

You must complete the configuration tasks in this section before proceeding with the installation. Initial configuration tasks include setting up the network configuration, setting the time zone, and setting the date and time.

The initial configuration tasks must be completed before installing the McAfee Agent and McAfee ePO components for McAfee GTI Proxy. Follow these steps the first time you install McAfee GTI Proxy. You do not need to go through them again to upgrade the software.

Tasks

• Configure network settings: McAfee GTI Proxy Appliance is configured with DHCP by default. Use the tasks in this section to configure McAfee GTI Proxy Appliance to use DHCP or static IP addressing for its network configuration.

• Configure static routing settings on the proxy appliance: Set static routing on a network interface within the McAfee GTI Proxy Appliance.

• Configure the time zone: Use this task to set the time zone you want to use on the McAfee GTI Proxy Appliance to synchronize with McAfee ePO time.

• Configure the date and time: Use this task to set the date and time for the McAfee GTI Proxy Appliance.

• Configure the keyboard settings: Set the keyboard mapping for McAfee GTI Proxy Appliance.

Configure network settings

McAfee GTI Proxy Appliance is configured with DHCP by default. Use the tasks in this section to configure McAfee GTI Proxy Appliance to use DHCP or static IP addressing for its network configuration.

McAfee recommends using static IP addressing for the network configuration.

Tasks

• Configure DHCP addressing for the proxy appliance: The McAfee GTI Proxy Appliance is set up to use DHCP addressing by default. When the proxy appliance is not already using DHCP addressing, use this task to set up DHCP network configuration on the proxy appliance.

• Configure static addressing for the proxy appliance: Use this task to set up static network configuration on the McAfee GTI Proxy Appliance.

• Restart the network interface: Restart the network interface on the McAfee GTI Proxy Appliance after you modify the network configuration settings on the proxy appliance.

Configure DHCP addressing for the proxy appliance

The McAfee GTI Proxy Appliance is set up to use DHCP addressing by default. When the proxy appliance is not already using DHCP addressing, use this task to set up DHCP network configuration on the proxy appliance.

Before you begin

Gather the following information before beginning this task:

• Host name for the proxy appliance

• Domain name for the proxy appliance

Use the Quit option to cancel the task without saving changes at any time during configuration.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command sudo /usr/sbin/system-config-network, then press Enter.

3 Select Edit devices, then press Enter.

4 Select eth0 (eth0), then press Enter.

5 Select Use DHCP.

6 Select OK, then press Enter.

7 Select Save, then press Enter.

8 Select Edit DNS configuration, then press Enter.

9 Select Hostname.

10 Type the host name and domain for the McAfee GTI Proxy Appliance using the format hostname.domain.

11 Select OK, then press Enter.

12 Select Save&Quit, then press Enter.

13 Update the Hosts file:

a While logged on to the appliance as gtip, type hostname at a command prompt and press Enter.

b Note the host name and type sudoedit /etc/hosts and press Enter.

c Press Shift+G, then press o (lowercase letter).

Type 127.0.0.1 with a space after the 1.

d Enter the host name from step b, then press Esc.

e Press : (colon), then press W.

f Press Q, then press Enter.

You must restart the network interface on the McAfee GTI Proxy Appliance to apply these changes.

See also: Restart the network interface

Configure static addressing for the proxy appliance

Use this task to set up static network configuration on the McAfee GTI Proxy Appliance.

Before you begin

Gather the following information before beginning this task:

• Host name for the proxy appliance

• Domain name for the proxy appliance

• IP address for the proxy appliance

• Subnet mask for IP address

• IP address for the default gateway used by the proxy appliance

• IP addresses of the DNS servers used by the proxy appliance

Use the Quit option to cancel the task without saving changes at any time during configuration.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command sudo /usr/sbin/system-config-network, then press Enter.

3 Select Edit devices, then press Enter.

4 Select eth0 (eth0), then press Enter.

5 Deselect Use DHCP.

6 Type the static IP address, then press Enter.

7 Type the netmask, then press Enter.

8 Type the default gateway IP address, then press Enter.

9 Select OK, then press Enter.

10 Select Save, then press Enter.

11 Select Edit DNS configuration, then press Enter.

12 Select Hostname.

13 Type the host name and domain for the McAfee GTI Proxy Appliance using the format hostname.domain.

14 Type the IP addresses for the DNS servers.

15 Select OK, then press Enter.

16 Select Save&Quit, then press Enter.

17 Update the Hosts file:

a While logged on to the proxy appliance as gtip, type hostname at a command prompt and press Enter.

b Note the host name and type sudoedit /etc/hosts and press Enter.

c Press Shift+G, then press o (lowercase letter).

Type 127.0.0.1 with a space after the 1.

d Enter the host name from step b, then press Esc.

e Press : (colon), then press W.

f Press Q, then press Enter.

You must restart the network interface on the McAfee GTI Proxy Appliance to apply these changes.

See also: Restart the network interface
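The "Update the Hosts file" step of the DHCP and static addressing tasks, scripted as an added example (not part of the McAfee guide): it appends the 127.0.0.1 entry only when it is missing, so repeating it never duplicates the line. The function names and the host name gtip01.example.test are constructed, and the run uses a scratch file; whether the gtip account may write /etc/hosts other than through sudoedit is not stated in the guide.

```shell
#!/bin/sh
# Added example (not from the McAfee guide): scripted equivalent of the
# "Update the Hosts file" step. All function names are hypothetical.

# has_loopback_entry FILE NAME: succeed if a 127.0.0.1 line in FILE lists NAME.
has_loopback_entry() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }                 # ignore comments, including trailing ones
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++)      # host names compare case-insensitively
                if (tolower($i) == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# ensure_loopback_entry FILE NAME: append "127.0.0.1 NAME" unless already present.
# Returns 0 when the entry exists afterwards, 2 on bad input.
ensure_loopback_entry() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    case "$2" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host name: '$2'" >&2; return 2 ;;
    esac
    if has_loopback_entry "$1" "$2"; then
        return 0                           # nothing to do; no duplicate line
    fi
    # The guide opens a new last line in the editor; do the same here if the
    # file does not already end with a newline.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n' >> "$1"
    fi
    printf '127.0.0.1 %s\n' "$2" >> "$1"
}

# Constructed sample, run on a scratch file and never on the live /etc/hosts.
demo_hosts_update() {
    dh_file=$(mktemp) || return 2
    printf '127.0.0.1 localhost localhost.localdomain' > "$dh_file"
    ensure_loopback_entry "$dh_file" gtip01.example.test   # constructed host name
    ensure_loopback_entry "$dh_file" gtip01.example.test   # second run adds nothing
    dh_lines=$(grep -c 'gtip01.example.test' "$dh_file")
    rm -f "$dh_file"
    echo "$dh_lines"
}

demo_hosts_update    # prints how many lines mention the host name
```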

Restart the network interface

Restart the network interface on the McAfee GTI Proxy Appliance after you modify the network configuration settings on the proxy appliance.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance, and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the following command, then press Enter:

sudo /etc/init.d/network restart

Configure static routing settings on the proxy appliance

Set static routing on a network interface within the McAfee GTI Proxy Appliance.

Before you begin

Gather the following information before you begin this task:

• Address for subnet you want to route to.

• Address for gateway device on the destination network.

• Device interface through which the gateway device may be accessed.

The example used in the task below shows how to create a static route for eth0 to access subnet 10.10.10.0/24 using gateway 10.10.10.1 accessed through device eth1.

No routing information is specified in the configuration for the default proxy appliance setup. This information can be added by creating and modifying network-scripts located in /etc/sysconfig/network-scripts on the appliance. There are separate files for each network interface. The file names are in the form route-<interface> (for example, route-eth0, route1-eth1, and so on). Content provided in these files will change the routing information for the specified interface.

None of the routing scripts exist in the default configuration. Editing them for the first time will create the files.

For more information on the routing syntax, use the command man route on the appliance.

Incorrectly defining the routing settings on the McAfee GTI Proxy Appliance can lead to a loss of network on the appliance.

When using static route settings, McAfee recommends using static IP addressing for the proxy appliance's network configuration.

This task is optional; only perform this if you want to configure static routing on your McAfee GTI Proxy Appliance.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Update the network routing file.

a Type sudoedit /etc/sysconfig/network-scripts/route-eth0 and press Enter.

b Press I.

c Type 10.10.10.0/24 via 10.10.10.1 dev eth1 and press Enter.

d Press Esc.

e Press the : key.

f Type wq and press Enter.

3 Restart the network interface.

See also: Restart the network interface
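Because a malformed route file can cost the appliance its network connection, here is an added check (example code, not part of the McAfee guide) that validates route lines before the network interface is restarted. The function names are hypothetical, the sample lines are constructed, and the validator deliberately accepts only the line form the guide uses: <network>/<prefix> via <gateway> dev <interface>.

```shell
#!/bin/sh
# Added example (not from the McAfee guide): check route-<interface> lines of the
# form "<network>/<prefix> via <gateway> dev <interface>" before restarting the
# network. All function names are hypothetical.

# ipv4_to_int ADDRESS: print a dotted-quad address as an integer; fail if malformed.
ipv4_to_int() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    ip_rest=$1 ip_value=0 ip_count=0
    while [ -n "$ip_rest" ]; do
        ip_octet=${ip_rest%%.*}
        case "$ip_rest" in *.*) ip_rest=${ip_rest#*.} ;; *) ip_rest= ;; esac
        # Reject leading zeros (ambiguous octal) and anything above 255.
        case "$ip_octet" in 0?*|????*) return 1 ;; esac
        [ "$ip_octet" -le 255 ] || return 1
        ip_value=$((ip_value * 256 + ip_octet))
        ip_count=$((ip_count + 1))
    done
    [ "$ip_count" -eq 4 ] || return 1
    echo "$ip_value"
}

# validate_route_line LINE: return 0 if LINE is a well-formed static route.
validate_route_line() {
    set -f                  # no filename expansion while splitting the line
    set -- $1               # split on whitespace into positional parameters
    set +f
    if [ "$#" -ne 5 ] || [ "$2" != "via" ] || [ "$4" != "dev" ]; then
        echo "expected: <network>/<prefix> via <gateway> dev <interface>" >&2
        return 1
    fi
    vr_dest=$1 vr_gw=$3 vr_dev=$5
    case "$vr_dest" in
        */*) vr_net=${vr_dest%/*} vr_prefix=${vr_dest##*/} ;;
        *)   echo "destination '$vr_dest' has no /prefix" >&2; return 1 ;;
    esac
    case "$vr_prefix" in
        ''|*[!0-9]*|0?*|???*) echo "bad prefix length '$vr_prefix'" >&2; return 1 ;;
    esac
    [ "$vr_prefix" -le 32 ] || { echo "prefix length above 32" >&2; return 1; }
    vr_net_int=$(ipv4_to_int "$vr_net") || { echo "bad network address '$vr_net'" >&2; return 1; }
    ipv4_to_int "$vr_gw" >/dev/null || { echo "bad gateway address '$vr_gw'" >&2; return 1; }
    # The network address must have no host bits set for the given prefix.
    vr_block=1 vr_bits=$vr_prefix
    while [ "$vr_bits" -lt 32 ]; do
        vr_block=$((vr_block * 2)) vr_bits=$((vr_bits + 1))
    done
    if [ $((vr_net_int % vr_block)) -ne 0 ]; then
        echo "'$vr_dest' has host bits set" >&2; return 1
    fi
    case "$vr_dev" in
        *[!A-Za-z0-9._:-]*) echo "bad interface name '$vr_dev'" >&2; return 1 ;;
    esac
    return 0
}

# validate_route_file FILE: check every non-blank, non-comment line; report
# failures as FILE:LINE: reason and return non-zero if any line is rejected.
validate_route_file() {
    vf_bad=0 vf_lineno=0
    while IFS= read -r vf_line || [ -n "$vf_line" ]; do
        vf_lineno=$((vf_lineno + 1))
        case "$vf_line" in ''|'#'*) continue ;; esac
        if ! vf_reason=$(validate_route_line "$vf_line" 2>&1); then
            echo "$1:$vf_lineno: $vf_reason" >&2
            vf_bad=$((vf_bad + 1))
        fi
    done < "$1"
    [ "$vf_bad" -eq 0 ]
}

# Constructed sample: the guide's example route plus two deliberately bad lines.
check_constructed_sample() {
    cs_file=$(mktemp) || return 2
    printf '%s\n' \
        '# static routes (constructed sample)' \
        '10.10.10.0/24 via 10.10.10.1 dev eth1' \
        '10.10.10.5/24 via 10.10.10.1 dev eth1' \
        '10.10.20.0/24 via 10.10.10.300 dev eth1' > "$cs_file"
    validate_route_file "$cs_file"; cs_status=$?
    rm -f "$cs_file"
    return "$cs_status"
}

check_constructed_sample || echo "constructed sample: $vf_bad line(s) rejected"
```

Run validate_route_file against the saved route file before restarting the network interface, and fix any reported line first.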

Configure the time zone

Use this task to set the time zone you want to use on the McAfee GTI Proxy Appliance to synchronize with McAfee ePO time.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command sudo /usr/bin/system-config-date, then press Enter.

3 Select the timezone and click OK, then press Enter.

4 Type the command date, then press Enter.

The time zone is displayed.

Configure the date and time

Use this task to set the date and time for the McAfee GTI Proxy Appliance.

You must complete this task before the McAfee Agent is installed on the proxy appliance. If the date or time is changed on the proxy appliance, the system should be restarted so that the McAfee Agent adjusts for the change.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the following command: sudo /bin/date -s "day mmm dd tt:tt:tt tz yyyy" replacing the quoted text with the actual date and time as follows.

Input                                                      Example
day (day of the week in three letter abbreviation)         Thu (for Thursday)
mmm (month in three letter abbreviation)                   Jan (for January)
dd (date of the month)                                     27
tt:tt:tt (time of day in hours:minutes:seconds)            10:12:14
tz (timezone)                                              EST (for Eastern Standard Time)
yyyy (year)                                                2011

Example command: sudo /bin/date -s "Thu Jan 27 10:12:14 EST 2011"

Choose the time zone based on your locale (EST, PST, GMT, and so on), and set the day, month, date, time, and year to current values.

3 Press Enter.

The date is set as specified in the command.

Configure the keyboard settings

Set the keyboard mapping for McAfee GTI Proxy Appliance.

Before you begin

Gather the following information before beginning this task:

• New keyboard mapping for the McAfee GTI Proxy Appliance

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command sudo /usr/bin/system-config-keyboard and press Enter.

The following text will be displayed and is expected behavior:

Starting graphical mode failed. Starting text mode instead.

The keyboard mapping utility will be loaded and will display a list of available keyboard mappings.

3 Use the arrow keys to highlight the desired keyboard mapping.

4 Press the Tab key to select the OK button.

5 Press Enter to set the highlighted keyboard mapping and exit the utility.

6 Type logout, then press Enter to apply the keyboard settings.

The user gtip is logged off the proxy appliance.

Set up the McAfee Agent on the proxy appliance

To manage the McAfee GTI Proxy Appliance through McAfee ePO, you need to install the McAfee Agent on the proxy appliance.

Before you begin

You must complete the initial configuration tasks for the proxy appliance and have McAfee ePO installed and running. Gather the following information before beginning this task:

• IPv4 address of the McAfee ePO server

• Agent‑to‑server communication port of the McAfee ePO server

• Agent wake‑up communication port of the McAfee ePO server

• McAfee Agent for Linux 4.6 should be present in McAfee ePO

Tasks

• Determine the McAfee ePO Agent communication ports: Use this task to verify the Agent-to-server and Agent wake-up communication ports configured in McAfee ePO.

• Install McAfee Agent on the proxy appliance: Use this task to install McAfee Agent on the McAfee GTI Proxy Appliance.

Determine the McAfee ePO Agent communication ports

Use this task to verify the Agent-to-server and Agent wake-up communication ports configured in McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Server Settings.

3 In Setting Categories, click Ports.

The communication ports appear in the list of ports.

4 Make note of the Agent‑to‑server and Agent wake‑up communication ports.

Install McAfee Agent on the proxy appliance

Use this task to install McAfee Agent on the McAfee GTI Proxy Appliance.

For more information about the terms used in this task, see the McAfee Agent 4.6 Product Guide.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command sudo /usr/local/sbin/configure_ma.sh, then press Enter.

3 When prompted, "Provide IP Address and port of ePO server," type the McAfee ePO server IP address and the Agent-to-server communication port separated with a colon (IP:port), then press Enter.

The McAfee Agent installer is downloaded from the McAfee ePO server and the Global Threat Intelligence Agent plug-in is deployed on the proxy appliance.

4 If the "Firewall is off. Do you want to turn it on?" message appears, type y, then press Enter.

This message appears only when the system firewall is not running.

5 When prompted, "Enter new port if it is different on McAfee ePO," enter the Agent wake-up communication port if it is different than the port displayed in the prompt. If there is no difference, press Enter.

6 Wait for the first Agent-server communication interval (ASCI) to complete.

To verify that the ASCI is complete, view the Server Task Log (select Menu | Automation | Server Task Log).

The port is configured and the proxy appliance is now managed through McAfee ePO.

7 To verify the McAfee Agent installation and version:

a Log on to the McAfee GTI Proxy Appliance as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

b Type the command rpm -q MFEcma, then press Enter.

MFEcma and the version appear.

8 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

Install McAfee ePO components for the proxy appliance

Install the Global Threat Intelligence Proxy extensions and deploy plug-ins that are needed to communicate with and manage the proxy appliance using McAfee ePO.

To perform these tasks effectively you need to be familiar with McAfee ePO and basic UNIX shell interaction.

The entire installation package is provided as the single GTI Proxy.zip file, which contains two McAfee ePO extensions and their plug-ins.

Tasks

• Install the McAfee GTI Proxy package: Use this task to install the McAfee GTI Proxy Agent, McAfee GTI Proxy Appliance, and McAfee ePO extensions, and check in the plug-ins.

• Deploy the Global Threat Intelligence Proxy Appliance plug-in: Use this task to install the Global Threat Intelligence Proxy Appliance plug-in on the managed McAfee GTI Proxy Appliance.

• Deploy the Global Threat Intelligence Proxy Agent plug-in: Use this task to deploy the Global Threat Intelligence Proxy Agent plug-in on the VirusScan Enterprise endpoints.

Install the McAfee GTI Proxy package

Use this task to install the McAfee GTI Proxy Agent, McAfee GTI Proxy Appliance, and McAfee ePO extensions, and check in the plug-ins.

Before you begin

Download and unzip the installation package, which includes the GTI Proxy.zip file used in this task.

If the default McAfee GTI Proxy Appliance queries have been modified, rename them before you continue.

The single GTI Proxy.zip file installs or upgrades the two McAfee ePO extensions for the McAfee GTI Proxy Appliance, and checks in to the McAfee ePO master repository the two plug-ins you will deploy: GTI Proxy Agent plugin and GTI Proxy Appliance plugin. Follow steps in subsequent tasks to deploy these plug-ins using McAfee ePO client tasks after installing the extensions.

This task checks packages in to the McAfee ePO master repository; make sure no other operation (such as a pull operation) is being performed on the master repository while performing this task.

Task

For option definitions, click ? in the interface.

1 Copy the GTI Proxy.zip file for the version you are installing to a temporary location on the system where you will access McAfee ePO.

2 Log on to the McAfee ePO server as an administrator.

3 Select Menu | Software | Extensions | Install Extension. The Install Extension dialog box appears.

4 Click Browse to locate the GTI Proxy.zip file, click Open, then click OK. The Install Package page appears with the extension names and version details.

5 Click OK.

The extensions are installed and the McAfee ePO Extensions page appears.

6 On the Extensions page in McAfee ePO, click GTI Proxy to verify that the GTI Proxy Agent and GTI Proxy Appliance extensions are installed.

7 Select Menu | Software | Master Repository to verify that the plug-ins are checked in and ready for deployment.

The McAfee GTI Proxy Agent and McAfee GTI Proxy Appliance plug‑ins are listed.

Deploy the Global Threat Intelligence Proxy Appliance plug-in

Use this task to install the Global Threat Intelligence Proxy Appliance plug-in on the managed McAfee GTI Proxy Appliance.

Before you begin

Make sure you have installed the McAfee Agent on the proxy appliance. This ensures the proxy appliance is managed by McAfee ePO.

The plug-in must be installed on the proxy appliance using McAfee ePO client tasks.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree | Assigned Client Tasks.

3 Click Actions, then select New Client Task Assignment.

4 On the Description page, enter the following information, then click Create New Task.

• Product — Select McAfee Agent

• Task Type — Select Product Deployment

5 On the Client Task Catalog page, enter the following information:

• Name — Type a name for the task

• Description — Enter any description you have for this task (optional)

• Target Platforms — Select Linux

• Products and components — Select GTI Proxy Appliance

• Action — Select Install

• Language — Select your language

• Branch — Leave default

• Command line — Leave empty

• Options — No selections

6 On the Client Task Assignment Builder page, click Save. Select the newly created task, then click Next.

7 On the Schedule page, schedule the task to run immediately, then click Next:

• Schedule status — Select Enabled

• Schedule type — Select Run immediately

• Options — No selections

8 Review the summary of the task, then click Save. To make changes, click Back.

The task is added to the list of client tasks.

9 Wake up the agent to complete the task:

a Select System Tree and click the Systems tab.

b Select the proxy appliance from the systems list.

c Click Wake Up Agents at the bottom of the window.

d On the Wake Up McAfee Agent page, select Force Complete Policy and Task Update, then click OK.

e Verify the agent wake up completed before completing any other steps.

10 Verify that the proxy appliance plug‑in is deployed.

Verify on the proxy appliance:

a Log on to the McAfee GTI Proxy Appliance as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

b Type the command rpm -q gtipa and press Enter.

The installed version number appears.

Verify using McAfee ePO:

a Select Menu | Systems | System Tree | Systems.

b Select the McAfee GTI Proxy Appliance, and click Wake Up the Agents.

c On the Wake Up McAfee Agent page, click OK to send the wake‑up call.

d Confirm the agent wake‑up call completed successfully.

e Double‑click the McAfee GTI Proxy Appliance.

f Click the Products tab.

g In the Product list, select GTI Proxy Appliance.

h Scroll down to verify the product version.

Deploy the Global Threat Intelligence Proxy Agent plug-in

Use this task to deploy the Global Threat Intelligence Proxy Agent plug-in on the VirusScan Enterprise endpoints.

McAfee ePO allows you to create tasks to deploy products on a single endpoint, or on groups of the System Tree. The plug-in must be installed on the managed VirusScan Enterprise endpoints using McAfee ePO client tasks.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree | Assigned Client Tasks.

3 Select the appropriate group in the System Tree.

4 Click Actions and select New Client Task Assignment.

The Client Task Builder wizard appears.

5 On the Description page, enter the following information, then click Create New Task.

• Product — Select McAfee Agent

• Task Type — Select Product Deployment

6 On the Client Task Catalog page, enter the following information:

• Name — Type a name for the task

• Description — Enter any description you have for this task (optional)

• Target Platforms — Select Windows

• Products and components — Select GTI Proxy Agent

• Action — Select Install

• Language — Select your language

• Branch — Leave default

• Command line — Leave empty

• Options — No selections

7 Click Save.

8 On the Client Task Assignment Builder page, select the newly created task and click Next.

9 On the Schedule page, schedule the task to run immediately, then click Next:

• Schedule status — Select Enabled

• Schedule type — Select Run immediately

• Options — No selections

10 Review the summary of the task, then click Save. To make changes, click Back.

The task is added to the list of client tasks.

11 Wake up the VirusScan Enterprise system to complete the task:

a Select Menu | System | System Tree.

b Select your VirusScan Enterprise system from the systems list.

c Click Wake Up Agents at the bottom of the window.

d On the Wake Up McAfee Agent page, select Force Complete Policy and Task Update, then click OK.

Verify the agent wake‑up completed before completing any other steps.

12 Verify that the agent plug‑in is deployed.

Verify on the VirusScan Enterprise:

a Log on to the system where VirusScan Enterprise is installed.

b Open the system control panel and go to the installed programs list (such as Add/Remove Programs).

c Verify that Global Threat Intelligence Proxy Agent is listed.

Verify using McAfee ePO:

a To view the updated details, select Menu | Systems | System Tree | Systems.

b Select the VirusScan Enterprise system, and click Wake Up the Agents.

c Confirm that the agent wake‑up call completed successfully.

d Double‑click the VirusScan Enterprise system.

e Click the Products tab.

f In the Product list, select GTI Proxy Agent.

g Scroll down to verify the product version.

Upgrade McAfee GTI Proxy

This section provides instructions for upgrading McAfee GTI Proxy using McAfee ePO. The upgrade instructions install upgrades for McAfee ePO and McAfee GTI Proxy Appliance.

Before you begin

• Clear your web browser's temporary files before or after the upgrade process. This ensures the cached static files (js, css, and so on) are deleted and only the updated files from the upgrade version are used.

• Use only the steps given in this section to upgrade the McAfee GTI Proxy Appliance. Do not uninstall the current version before you install the upgrade version.

• All the current policy settings are migrated during upgrade. However, McAfee recommends that you check the policy settings for McAfee GTI Proxy Appliance after upgrading to verify they are correct.

McAfee GTI Proxy 1.0 and McAfee GTI Proxy 2.0 are based on different operating systems. To upgrade to McAfee GTI Proxy 2.0 from McAfee GTI Proxy 1.0, you need to completely re-install the appliance virtual machine.

Use McAfee ePO to complete the upgrade. The McAfee GTI Proxy Appliance software is also upgraded during the upgrade of the appliance's plug-in. There is no separate upgrade task needed for upgrading the virtual appliance software.

The McAfee GTI Proxy Appliance has disk partitions aligned on a block boundary. You may see a slight increase in performance, but it is not necessary for McAfee GTI Proxy to operate. The partition alignment is only available in new installations and not in upgraded virtual machines. To take advantage of the block alignment feature, you must do a complete installation of the appliance virtual machine.

To ensure that file reputation features are available, complete these tasks in the order in which they are listed. All VirusScan Enterprise endpoints must be upgraded before all features are supported, regardless of whether the McAfee GTI Proxy Appliance has been upgraded.

Automatic archiving and report purging settings are reset during the upgrade process, and need to be reconfigured after the upgrade has finished.

Tasks

• The upgrade process
Several McAfee GTI Proxy components must be upgraded during the upgrade process.

• Install the McAfee GTI Proxy package
Use this task to install the McAfee GTI Proxy Agent, McAfee GTI Proxy Appliance, and McAfee ePO extensions, and check in the plug‑ins.

• Deploy the Global Threat Intelligence Proxy Appliance plug-in
Use this task to install the Global Threat Intelligence Proxy Appliance plug‑in on the managed McAfee GTI Proxy Appliance.

• Deploy the Global Threat Intelligence Proxy Agent plug-in
Use this task to deploy the Global Threat Intelligence Proxy Agent plug‑in on the VirusScan Enterprise endpoints.

• Deploy the latest McAfee GTI Proxy virtual image to replace McAfee GTI Proxy 1.1
Use these tasks to deploy the latest virtual image of McAfee GTI Proxy 2.0 to replace an existing McAfee GTI Proxy 1.1 proxy appliance.

See also

• McAfee GTI Proxy Appliance logs
• Configure performance log purging and archiving
• Install McAfee GTI Proxy
• Install the McAfee GTI Proxy package
• Deploy the Global Threat Intelligence Proxy Appliance plug-in
• Configure the proxy appliance for lookup requests

The upgrade process

Several McAfee GTI Proxy components must be upgraded during the upgrade process.

These steps describe how to upgrade from McAfee GTI Proxy 1.1 to McAfee GTI Proxy 2.0. If you have an older version of McAfee GTI Proxy installed, you must remove it from your system before you start to install McAfee GTI Proxy 2.0.

Task

• Upgrade to McAfee GTI Proxy 2.0:

• Download the installation package.

• Upgrade the McAfee ePO components for the proxy appliance.

• Upgrade the proxy appliance extensions on McAfee ePO.

• Deploy the proxy appliance plug‑ins.

• Verify that VirusScan Enterprise can process file reputation lookup requests.

All VirusScan Enterprise endpoints must be upgraded before all features are supported.


Install the McAfee GTI Proxy package

Use this task to install the McAfee GTI Proxy Agent, McAfee GTI Proxy Appliance, and McAfee ePO extensions, and check in the plug‑ins.

Before you begin

Download and unzip the installation package, which includes the GTI Proxy.zip file used in this task.

If the default McAfee GTI Proxy Appliance queries have been modified, rename them before you continue.

The single GTI Proxy.zip file installs or upgrades the two McAfee ePO extensions for the McAfee GTI Proxy Appliance, and checks in to the McAfee ePO master repository the two plug‑ins you will deploy: GTI Proxy Agent plugin and GTI Proxy Appliance plugin. Follow steps in subsequent tasks to deploy these plug‑ins using McAfee ePO client tasks after installing the extensions.

This task checks packages in to the McAfee ePO master repository; make sure no other operation (such as a pull operation) is being performed on the master repository while performing this task.

Task

For option definitions, click ? in the interface.

1 Copy the GTI Proxy.zip file for the version you are installing to a temporary location on the system where you will access McAfee ePO.

2 Log on to the McAfee ePO server as an administrator.

3 Select Menu | Software | Extensions | Install Extension. The Install Extension dialog box appears.

4 Click Browse to locate the GTI Proxy.zip file, click Open, then click OK. The Install Package page appears with the extension names and version details.

5 Click OK.

The extensions are installed and the McAfee ePO Extensions page appears.

6 On the Extensions page in McAfee ePO, click GTI Proxy to verify that the GTI Proxy Agent and GTI Proxy Appliance extensions are installed.

7 Select Menu | Software | Master Repository to verify that the plug‑ins are checked in and ready for deployment.

The McAfee GTI Proxy Agent and McAfee GTI Proxy Appliance plug‑ins are listed.

Deploy the Global Threat Intelligence Proxy Appliance plug-in

Use this task to install the Global Threat Intelligence Proxy Appliance plug‑in on the managed McAfee GTI Proxy Appliance.

Before you begin

Make sure you have installed the McAfee Agent on the proxy appliance. This ensures the proxy appliance is managed by McAfee ePO.

The plug‑in must be installed on the proxy appliance using McAfee ePO client tasks.


Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree | Assigned Client Tasks.

3 Click Actions, then select New Client Task Assignment.

4 On the Description page, enter the following information, then click Create New Task.

• Product — Select McAfee Agent

• Task Type — Select Product Deployment

5 On the Client Task Catalog page, enter the following information:

• Name — Type a name for the task

• Description — Enter any description you have for this task (optional)

• Target Platforms — Select Linux

• Products and components — Select GTI Proxy Appliance

• Action — Select Install

• Language — Select your language

• Branch — Leave default

• Command line — Leave empty

• Options — No selections

6 On the Client Task Assignment Builder page, click Save. Select the newly created task, then click Next.

7 On the Schedule page, schedule the task to run immediately, then click Next:

• Schedule status — Select Enabled

• Schedule type — Select Run immediately

• Options — No selections

8 Review the summary of the task, then click Save. To make changes, click Back.

The task is added to the list of client tasks.

9 Wake up the agent to complete the task:

a Select System Tree and click the Systems tab.

b Select the proxy appliance from the systems list.

c Click Wake Up Agents at the bottom of the window.

d On the Wake Up McAfee Agent page, select Force Complete Policy and Task Update, then click OK.

e Verify the agent wake up completed before completing any other steps.

10 Verify that the proxy appliance plug‑in is deployed.


Verify on the proxy appliance:

a Log on to the McAfee GTI Proxy Appliance as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

b Type the command rpm -q gtipa and press Enter.

The installed version number appears.

Verify using McAfee ePO:

a Select Menu | Systems | System Tree | Systems.

b Select the McAfee GTI Proxy Appliance, and click Wake Up the Agents.

c On the Wake Up McAfee Agent page, click OK to send the wake‑up call.

d Confirm the agent wake‑up call completed successfully.

e Double‑click the McAfee GTI Proxy Appliance.

f Click the Products tab.

g In the Product list, select GTI Proxy Appliance.

h Scroll down to verify the product version.

Deploy the Global Threat Intelligence Proxy Agent plug-in

Use this task to deploy the Global Threat Intelligence Proxy Agent plug‑in on the VirusScan Enterprise endpoints.

McAfee ePO allows you to create tasks to deploy products on a single endpoint, or on groups of the System Tree. The plug‑in must be installed on the managed VirusScan Enterprise endpoints using McAfee ePO client tasks.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree | Assigned Client Tasks.

3 Select the appropriate group in the System Tree.

4 Click Actions and select New Client Task Assignment.

The Client Task Builder wizard appears.

5 On the Description page, enter the following information, then click Create New Task.

• Product — Select McAfee Agent

• Task Type — Select Product Deployment

6 On the Client Task Catalog page, enter the following information:

• Name — Type a name for the task

• Description — Enter any description you have for this task (optional)

• Target Platforms — Select Windows


• Products and components — Select GTI Proxy Agent

• Action — Select Install

• Language — Select your language

• Branch — Leave default

• Command line — Leave empty

• Options — No selections

7 Click Save.

8 On the Client Task Assignment Builder page, select the newly created task and click Next.

9 On the Schedule page, schedule the task to run immediately, then click Next:

• Schedule status — Select Enabled

• Schedule type — Select Run immediately

• Options — No selections

10 Review the summary of the task, then click Save. To make changes, click Back.

The task is added to the list of client tasks.

11 Wake up the VirusScan Enterprise system to complete the task:

a Select Menu | System | System Tree.

b Select your VirusScan Enterprise system from the systems list.

c Click Wake Up Agents at the bottom of the window.

d On the Wake Up McAfee Agent page, select Force Complete Policy and Task Update, then click OK.

Verify the agent wake‑up completed before completing any other steps.

12 Verify that the agent plug‑in is deployed.

Verify on the VirusScan Enterprise:

a Log on to the system where VirusScan Enterprise is installed.

b Open the system control panel and go to the installed programs list (such as Add/Remove Programs).

c Verify that Global Threat Intelligence Proxy Agent is listed.

Verify using McAfee ePO:

a To view the updated details, select Menu | Systems | System Tree | Systems.

b Select the VirusScan Enterprise system, and click Wake Up the Agents.

c Confirm that the agent wake‑up call completed successfully.

d Double‑click the VirusScan Enterprise system.

e Click the Products tab.

f In the Product list, select GTI Proxy Agent.

g Scroll down to verify the product version.


Deploy the latest McAfee GTI Proxy virtual image to replace McAfee GTI Proxy 1.1

Use these tasks to deploy the latest virtual image of McAfee GTI Proxy 2.0 to replace an existing McAfee GTI Proxy 1.1 proxy appliance.

Task

For option definitions, click ? in the interface.

1 Deploy McAfee GTI Proxy 2.0 in to the VMware infrastructure, and set up the proxy appliance.

2 Check in the McAfee GTI Proxy Appliance extension and plug‑in on McAfee ePO.

3 Deploy the McAfee GTI Proxy Appliance plug‑in on to the McAfee GTI Proxy Appliance that you created.

4 Configure McAfee GTI Proxy Appliance access to the cloud.

Tasks

• Upgrade the VirusScan Enterprise system
The McAfee GTI Proxy Agent plug‑in is updated in McAfee GTI Proxy 2.0 so you will have to upgrade it on the VirusScan Enterprise System.

• Remove McAfee GTI Proxy 1.1 after upgrade
After all VirusScan Enterprise endpoints have been updated with the new agent, you can remove McAfee GTI Proxy 1.1.

See also

• Install McAfee GTI Proxy
• Install the McAfee GTI Proxy package
• Deploy the Global Threat Intelligence Proxy Appliance plug-in
• Configure the proxy appliance for lookup requests

Upgrade the VirusScan Enterprise system

The McAfee GTI Proxy Agent plug‑in is updated in McAfee GTI Proxy 2.0 so you will have to upgrade it on the VirusScan Enterprise System.

Before you begin

Upgrade the McAfee GTI Proxy Appliance.

Task

For option definitions, click ? in the interface.

1 Update the McAfee GTI Proxy Agent policy to use the IP address for the McAfee GTI Proxy Appliance:

• If you are performing this step incrementally, that is adding a new proxy appliance one at a time, replace the IP address of the McAfee GTI Proxy 1.1 proxy appliance with the IP address of the McAfee GTI Proxy 2.0 proxy appliance.

• If you are commissioning all new McAfee GTI Proxy Appliances at the same time, replace all the IP addresses with the IP addresses of the McAfee GTI Proxy Appliance 2.0 proxy appliance.

2 Upgrade the McAfee GTI Proxy Agent plug‑in on the VirusScan Enterprise system.


3 Confirm the upgrade completed successfully.

4 Send a wake‑up call to the VirusScan Enterprise systems to ensure that the policy is updated.

If you do not wake up the VirusScan Enterprise systems, file reputation does not use the proxy appliance until the next policy enforcement task takes place.

Remove McAfee GTI Proxy 1.1 after upgrade

After all VirusScan Enterprise endpoints have been updated with the new agent, you can remove McAfee GTI Proxy 1.1.

Before you begin

Ensure that all VirusScan Enterprise endpoints have the McAfee GTI Proxy 2.0 agent installed.

Ensure that the McAfee GTI Proxy agent policy has been updated and enforced on all VirusScan Enterprise systems.

Task

For option definitions, click ? in the interface.

1 Remove the IP address for the McAfee GTI Proxy 1.1 proxy appliance from the McAfee GTI Proxy agent policy (if applicable).

2 Remove McAfee GTI Proxy 1.1 from the System Tree (Menu | System | System Tree).

See the McAfee ePO documentation for instructions to complete this task.

3 In your virtual environment, switch off McAfee GTI Proxy 1.1, and remove it from the VMware infrastructure.

See the VMware documentation for your virtual environment for instructions to complete this task.

Apply a patch to the proxy appliance

Apply a patch upgrade to a managed McAfee GTI Proxy Appliance.

Before you begin

Download the McAfee GTI Proxy Appliance patch package from the McAfee downloads site, and install it onto McAfee ePO.

You can create tasks to deploy a patch or upgrade to a single node, or to groups of the System Tree. When you have more than one instance of McAfee GTI Proxy Appliance installed, McAfee recommends that you upgrade a single instance first, before you deploy the patch or upgrade to the remaining instances.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree | Assigned Client Tasks.

3 Select the appropriate group in the System Tree.


4 Click Actions, then select New Client Task Assignment.

The Client Task Builder wizard appears.

5 On the Description page, enter the following information, then click Create New Task.

• Product — Select McAfee Agent

• Task Type — Select Product Update

6 On the Client Task Catalog page, enter the following information:

• Name — Type a name for the task

• Description — Enter any description you have for this task (optional)

• Package selection — Select selected packages

• Package types — Select GTI Proxy appliances from the Patches and Service Packs section

7 On the Client Task Assignment Builder page, click Save. Select the newly created task, then click Next.

8 On the Schedule page, schedule the task to run immediately, then click Next:

• Schedule status — Select Enabled

• Schedule type — Select Run immediately

• Options — No selections

9 Review the summary of the task, then click Save. To make changes, click Back.

The task is added to the list of client tasks.

10 Wake up the agent to complete the task:

a Select System Tree and click the Systems tab.

b Select the proxy appliance from the systems list.

c Click Wake Up Agents at the bottom of the window.

The Wake Up McAfee Agent page appears.

d On the Wake Up McAfee Agent page, select Force Complete Policy and Task Update, then click OK.

e Verify the agent wake up completed before completing any other steps.

11 Verify that the patch is deployed.

Verify on the proxy appliance:

a Log on to the McAfee GTI Proxy Appliance as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

b Type the command rpm -q mfegtiproxy and press Enter.

The installed version number appears.

Verify using McAfee ePO:

a Select Menu | Systems | System Tree | Systems.

b Select the McAfee GTI Proxy Appliance, and click Wake Up the Agents.

c On the Wake Up McAfee Agent page, click OK to send the wake‑up call.


d Confirm the agent wake‑up call completed successfully.

e Double‑click the McAfee GTI Proxy Appliance.

f Click the Products tab.

g In the Product list, select GTI Proxy Appliance.

h Scroll down to verify the proxy appliance version and patch version.

Confirm VirusScan Enterprise can process file reputation lookup requests

Use the ArtemisTest.zip file to verify that VirusScan Enterprise can process file reputation lookup requests using McAfee GTI Proxy.

Only perform this task after you have verified that the proxy appliance plug‑in and the agent plug‑in have been deployed, as a second wake‑up call to the agent is needed before the system is configured correctly.

Task

1 Log on to the VirusScan Enterprise system and download the ArtemisTest.zip file from KB53733.

2 Extract the contents of the ArtemisTest.zip file and enter the password provided in the KnowledgeBase article.

This automatically generates a file reputation lookup request from the VirusScan Enterprise to the proxy appliance. The On‑Access Scan Messages window appears and displays the results of the file reputation lookup request.

Uninstall the McAfee GTI Proxy plug-ins

This section describes how to uninstall the McAfee GTI Proxy plug‑ins from the managed VirusScan Enterprise endpoints and McAfee GTI Proxy Appliance.

To use this section effectively, you need to be familiar with McAfee ePO and basic UNIX shell interaction.

Tasks

• Uninstall the McAfee GTI Proxy Agent plug-in from VirusScan Enterprise
Use this task to uninstall the McAfee GTI Proxy Agent plug‑in from the managed VirusScan Enterprise endpoint.

Uninstall the McAfee GTI Proxy Agent plug-in from VirusScan Enterprise

Use this task to uninstall the McAfee GTI Proxy Agent plug‑in from the managed VirusScan Enterprise endpoint.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree | Assigned Client Tasks.


3 Select the appropriate group in the System Tree, then click New Client Task Assignment.

The Client Task Builder wizard appears.

4 On the Description page, enter the following information, then click Create New Task.

• Product — Select McAfee Agent

• Task Type — Select Product Deployment

5 On the Client Task Catalog page, enter the following information:

• Name — Type a name for the task

• Description — Enter any description you have for this task (optional)

• Target Platforms — Select Windows

• Products and components — Select GTI Proxy Agent

• Action — Select Remove

• Language — Select your language

• Branch — Leave default

• Command line — Leave empty

• Options — No selections

6 Review the summary of the task, then click Save.

7 On the New Client Task Assignment page, select the newly created task and click Next.

8 On the Schedule page, schedule the task to run immediately, then click Next:

• Schedule status — Select Enabled

• Schedule type — Select Run immediately

• Options — No selections

9 Review the summary of the task, then click Save. To make changes, click Back.

The task is added to the list of client tasks.

10 Wake up the VirusScan Enterprise system to complete the task.

a Select System Tree and click the Systems tab.

b Select your VirusScan Enterprise system from the systems list.

c Click Wake Up Agents at the bottom of the window.

d On the Wake up McAfee Agent page, select Force Complete Policy and Task Update, then click OK.

e Verify the agent wake up completed before completing any other steps.

11 Verify that the proxy agent plug‑in is uninstalled.

Verify on the VirusScan Enterprise:

a Log on to the system where VirusScan Enterprise is installed.

b Open the system control panel and go to the installed programs list (such as Add/Remove Programs).

c Verify that McAfee GTI Proxy Agent is not listed.


Verify using McAfee ePO:

a Send a second wake‑up call to the agent to update the system details.

b To view the updated details, select Menu | Systems | System Tree | Systems.

c Select your VirusScan Enterprise system and click the Products tab.

The System Details page appears and no information appears for the McAfee GTI Proxy Agent, which verifies the plug‑in is uninstalled.

Remove the McAfee GTI Proxy package from McAfee ePO

This section describes how to remove McAfee GTI Proxy components (extensions and uninstalled plug‑ins) from McAfee ePO.

Before you begin

You must uninstall the plug‑ins from the VirusScan Enterprise endpoints and the McAfee GTI Proxy Appliance before completing the tasks in this section.

Tasks

• Delete plug-in client tasks from McAfee ePO
Remove all client tasks in McAfee ePO that are associated with the Global Threat Intelligence Proxy plug‑ins.

• Remove the McAfee GTI Proxy Appliance plug-in from McAfee ePO
Use this task to remove the McAfee GTI Proxy Appliance plug‑in from the McAfee ePO.

• Remove the McAfee GTI Proxy Agent plug-in from McAfee ePO
Use this task to remove the McAfee GTI Proxy Agent plug‑in from the McAfee ePO.

• Remove the McAfee GTI Proxy Appliance extension from McAfee ePO
Use this task to remove the McAfee GTI Proxy Appliance extension from McAfee ePO.

• Remove the McAfee GTI Proxy Agent extension from McAfee ePO
Use this task to remove the McAfee GTI Proxy Agent extension from McAfee ePO.

Delete plug-in client tasks from McAfee ePO

Remove all client tasks in McAfee ePO that are associated with the Global Threat Intelligence Proxy plug‑ins.

You must delete all plug‑in client tasks before removing the entire proxy package from McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree | Assigned Client Tasks.

3 Select the appropriate group in the System Tree, then delete all tasks associated with the plug‑ins.

4 Select Menu | Policy | Client Task catalog to remove the client task completely.


Remove the McAfee GTI Proxy Appliance plug-in from McAfee ePO

Use this task to remove the McAfee GTI Proxy Appliance plug‑in from the McAfee ePO.

This task does not remove the McAfee GTI Proxy Appliance extension from McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Master Repository.

3 Click the Delete link for the proxy appliance.

4 Click OK on the Delete Package page.

Remove the McAfee GTI Proxy Agent plug-in from McAfee ePO

Use this task to remove the McAfee GTI Proxy Agent plug‑in from the McAfee ePO.

This task does not remove the McAfee GTI Agent extension from McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Master Repository.

3 Click the Delete link on the proxy agent.

4 Click OK on the Delete Package page.

Remove the McAfee GTI Proxy Appliance extension from McAfee ePO

Use this task to remove the McAfee GTI Proxy Appliance extension from McAfee ePO.

This task does not remove the McAfee GTI Proxy Appliance plug‑in from the master repository.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Extensions.

3 Select GTI Proxy.

Two extensions are listed — GTI Proxy Agent and GTI Proxy Appliance.

4 Click Remove for the GTI Proxy Appliance.

5 Select Force removal, bypassing any checks or errors, then click OK.


Remove the McAfee GTI Proxy Agent extension from McAfee ePO

Use this task to remove the McAfee GTI Proxy Agent extension from McAfee ePO.

This task does not remove the McAfee GTI Proxy Agent plug‑in from the master repository.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Extensions.

3 Select GTI Proxy.

Two extensions are listed — GTI Proxy Agent and GTI Proxy Appliance.

4 Click Remove for the GTI Proxy Agent.

5 Select Force removal, bypassing any checks or errors, then click OK.

Remove the virtual image of McAfee GTI Proxy

Remove any previous versions of the virtual image of the McAfee GTI Proxy.

Task

1 Log on to the system where the virtual image of the McAfee GTI Proxy is deployed.

2 Delete any previous versions of the virtual image of the McAfee GTI Proxy from the VMware console.

For instructions about removing an image, see the VMware product documentation.


3 Configure the McAfee GTI Proxy Appliance

Configure McAfee GTI Proxy Appliance using either McAfee ePO for configuration, or the VMware console for command line access to the proxy appliance.

Use the tasks in this section to configure the following:

• Monitoring the proxy appliance through McAfee ePO

• Resolving file reputation lookup requests

• Accessing the proxy appliance using a public/private key pair for SSH

• Permissions for users accessing the proxy appliance in McAfee ePO

• Performance data settings

Completing the tasks in this section changes any previous configuration applied to the McAfee GTI Proxy Appliance. You might need to restart the gtiproxy and syncd processes for the changes to take effect.

Contents

• Configure the proxy appliance for lookup requests
• Set up access to the proxy appliance using authentication keys
• Configure permissions for users accessing the proxy appliance in McAfee ePO
• Configure performance data settings for the proxy appliance

Configure the proxy appliance for lookup requests

Use these tasks to set up the McAfee GTI Proxy Appliance so that it can perform file reputation lookup requests.

Configuring the proxy appliance for file reputation lookup requests involves:

• Setting up communication between the proxy appliance and the McAfee Global Threat Intelligence service

• Specifying which instances of the proxy appliance that the VirusScan Enterprise uses for the file reputation lookup requests (fallback servers)

• Configuring tiered appliance access when you want another instance of the proxy appliance to resolve the file reputation lookup requests


Tasks

• Configure communication between the proxy appliance and Global Threat Intelligence service
Use this task to configure access to and communication with the Global Threat Intelligence service that contains the file reputation information.

• Configure fallback servers on the McAfee GTI Proxy Agent
Specify which instances of the McAfee GTI Proxy Appliance that VirusScan Enterprise uses for file reputation lookup requests.

• Configure tiered proxy appliance access
Use this task to configure the McAfee GTI Proxy Appliance to use another device to resolve file reputation lookup requests. The other device can be a McAfee GTI Proxy Appliance or another system capable of acting as a proxy for file reputation lookup requests.

Configure communication between the proxy appliance and Global Threat Intelligence service

Use this task to configure access to and communication with the Global Threat Intelligence service that contains the file reputation information.

Before the McAfee GTI Proxy Appliance can obtain file reputation information from the Global Threat Intelligence service, you need to allow access to the service and configure communication between the service and the proxy appliance.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that McAfee GTI Proxy Appliance is already managed through McAfee ePO.

3 Select the proxy appliance. When more than one McAfee GTI Proxy Appliance is set up, from the list on the left, select the proxy appliance that you want for this task.

4 Click the Configuration tab.

If the proxy appliance is already configured, the last configuration is shown.

5 Click the McAfee GTI Proxy Appliance.

6 Enable the SSL Option to use a secured SSL layer over the UDP protocol to access the McAfee GTI service. If SSL is not required, leave this option disabled.

7 Select how you want to get the Forwarder IP addresses for the Use one of the options to get Forwarder Server IP's setting.

8 Click OK to save and close the configuration settings and update the McAfee GTI Proxy Appliance configuration file.

9 Click Configure to update the proxy appliance.

If the IP address field is blank, the Configure option remains unavailable.

10 Verify that the forwarder IP addresses are set up:

a Select Menu | Systems | System Tree | Systems.

b Select the appropriate McAfee GTI Proxy Appliance and click Wake Up the Agents.

c Confirm that the agent wake‑up call completed successfully.

d Double‑click the McAfee GTI Proxy Appliance.

e Click the Products tab.

f In the Product list, select the McAfee GTI Proxy Appliance.

g Scroll down to verify the IP addresses for the Forwarder server IP addresses.

11 Verify that file reputation lookup requests perform successfully:

a Log on to the McAfee GTI Proxy Appliance as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

b Type the command dig @127.0.0.1 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com, then press Enter.

On successful completion, the response from the command will contain status:NOERROR.

c Type logout, then press Enter. The user gtip is logged off the proxy appliance.

If you receive the message "Error: Could not get IP list", run a diagnostics check to verify that you have access to the Global Threat Intelligence cloud.

Configure fallback servers on the McAfee GTI Proxy Agent

Specify which instances of the McAfee GTI Proxy Appliance VirusScan Enterprise uses for file reputation lookup requests.

These tasks involve making configuration changes to the fallback server settings on the McAfee GTI Proxy Agent.

If: Your organization has a single set of VirusScan Enterprise endpoints
Then: Configure the same proxy appliance instances (fallback servers) for all of the endpoints

If: Your organization has multiple groups of VirusScan Enterprise endpoints
Then: Configure different proxy appliance instances (fallback servers) for each group of endpoints

To perform the tasks in this section, you need to be familiar with McAfee ePO and basic UNIX shell interaction.

Consider the following before completing the tasks:

• Following these tasks will change any previous configuration applied to McAfee GTI Proxy Agent.

• If the IP addresses for the proxy appliance instances change, you must perform these steps again.

• If you re‑install the proxy agent extension, you must perform these steps again.

• If the host name of the proxy appliance changes, and the host name is in the IP address of the fallback server, then the fallback server settings must be changed.

Tasks

• Configure common fallback servers for all VirusScan Enterprise endpoints on page 46

Use this task to configure fallback servers on the Global Threat Intelligence Proxy Agent when all the VirusScan Enterprise endpoints use the same list of McAfee GTI Proxy Appliances for file reputation lookup requests.

• Configure different fallback servers for groups of VirusScan Enterprise endpoints on page 48

Use this task to configure fallback servers on the Global Threat Intelligence Proxy Agent when you have groups of VirusScan Enterprise endpoints that need to use different lists of McAfee GTI Proxy Appliances for file reputation lookup requests.

Configure common fallback servers for all VirusScan Enterprise endpoints

Use this task to configure fallback servers on the Global Threat Intelligence Proxy Agent when all the VirusScan Enterprise endpoints use the same list of McAfee GTI Proxy Appliances for file reputation lookup requests.

Before you begin

• The proxy appliance must be monitored by McAfee ePO and setup completed.

• The Global Threat Intelligence Proxy Agent plug‑in must be installed.

• Gather the proxy appliance IPv4 addresses, host names, or alias names.

When McAfee GTI Proxy Appliance is unavailable because the endpoint is away from the enterprise network (on a laptop at the airport, for example), the VirusScan Enterprise endpoint reverts to the Global Threat Intelligence service to process its file reputation requests to ensure no loss of protection.

Enter IP addresses in decimal format only and avoid using the following IP addresses:

• Loopback addresses (such as 127.0.0.1)

• Broadcast addresses (such as 255.255.255.0 or 192.168.254.200)

• Reserved IP addresses (such as 0.0.0.0 or 192.168.254.240)

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Policy | Policy Catalog.

3 From the Product drop‑down list, select your Global Threat Intelligence Proxy Agent.

4 Select the policy that you want to edit.

5 In the Fallback Server field, enter the IPv4 addresses or host names of the fallback server, then click Add to IP/hostname List. Enter one IP address at a time.

The VirusScan Enterprise endpoints allow you to configure up to five fallback servers to resolve file reputation lookup requests.

This step assumes that the proxy appliance is monitored through McAfee ePO, that setup is completed, and that the McAfee GTI Proxy Agent plug-in is installed. Before adding host names, verify that they are resolvable by the VirusScan Enterprise endpoints you are using.

When host names are used in the Fallback Server field, the host names must be resolvable by the VirusScan Enterprise endpoints you are using. If the host name is not resolvable then the policy will fail to be enforced on the VirusScan Enterprise endpoints.

• Use the up and down arrows to put the list of IP addresses in the order you want them used.

• To delete a value, select it from the list and click the delete button (red X).

• To edit a value in the list, select it from the list and click Edit Selected IP/hostname. Make the necessary changes to the IP address or host name and click Add to IP/hostname List to re-add the edited IP address to the end of the list.

6 Click Save to save the changes.

7 Wake up the VirusScan Enterprise endpoints to complete the task:

a Select System Tree and click the Systems tab.

b Select the VirusScan Enterprise system from the systems list.

c Click Wake Up Agents at the bottom of the window.

d On the Wake Up McAfee Agent page, select Force Complete Policy and Task Update, then click OK.

e Verify the agent wake up completed before completing any other steps.

Configure different fallback servers for groups of VirusScan Enterprise endpoints

Use this task to configure fallback servers on the Global Threat Intelligence Proxy Agent when you have groups of VirusScan Enterprise endpoints that need to use different lists of McAfee GTI Proxy Appliances for file reputation lookup requests.

Before you begin

• The proxy appliance must be monitored by McAfee ePO and setup completed.

• The Global Threat Intelligence Proxy Agent plug‑in must be installed.

• Gather the proxy appliance IPv4 addresses, host names, or alias names.

The VirusScan Enterprise endpoints allow you to configure up to five fallback servers to resolve file reputation lookup requests.

Enter IP addresses in decimal format only and avoid using the following IP addresses:

• Loopback addresses (such as 127.0.0.1)

• Broadcast addresses (such as 255.255.255.0 or 192.168.254.200)

• Reserved IP addresses (such as 0.0.0.0 or 192.168.254.240)

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree.

3 Select the group of VirusScan Enterprise endpoints that you want to configure the fallback servers for.

All the systems in that group appear in the Systems tab.

4 Click the Assigned Policies tab.

5 For Product, select your Global Threat Intelligence Proxy Agent.

The policy detail for the proxy agent is shown.

6 In the GTI Enterprise Settings category, select any assigned policy link from the Policy column.

The policy page for setting fallback servers appears.

7 In the Fallback Server field, enter the IPv4 addresses or host names of the fallback server, then click Add to IP/hostname List. Enter one IP address at a time.

The VirusScan Enterprise endpoints allow you to configure up to five fallback servers to resolve file reputation lookup requests.

This step assumes that the proxy appliance is monitored through McAfee ePO, that setup is completed, and that the McAfee GTI Proxy Agent plug-in is installed. Before adding host names, verify that they are resolvable by the VirusScan Enterprise endpoints you are using.

When host names are used in the Fallback Server field, the host names must be resolvable by the VirusScan Enterprise endpoints you are using. If the host name is not resolvable then the policy will fail to be enforced on the VirusScan Enterprise endpoints.

• Use the up and down arrows to put the list of IP addresses in the order you want them used.

• To delete a value, select it from the list and click the delete button (red X).

• To edit a value in the list, select it from the list and click Edit Selected IP/hostname. Make the necessary changes to the IP address or host name and click Add to IP/hostname List to re-add the edited IP address to the end of the list.

8 Click Save to save the changes.

9 Wake up the McAfee GTI Proxy Agent system to complete the task:

a Select System Tree and click the Systems tab.

b Select your McAfee GTI Proxy Agent system from the systems list.

c Click Wake Up Agents at the bottom of the window.

d On the Wake Up McAfee Agent page, select Force Complete Policy and Task Update, then click OK.

e Verify the agent wake up completed before completing any other steps.

Configure tiered proxy appliance access

Use this task to configure the McAfee GTI Proxy Appliance to use another device to resolve file reputation lookup requests. The other device can be a McAfee GTI Proxy Appliance or another system capable of acting as a proxy for file reputation lookup requests.

Before you begin

Get the IPv4 address of the additional device you will use to resolve file reputation lookup requests.

Enter IP addresses in decimal format only and avoid using the following IP addresses:

• Loopback addresses (such as 127.0.0.1)

• Broadcast addresses (such as 255.255.255.0 or 192.168.254.200)

• Reserved IP addresses (such as 0.0.0.0 or 192.168.254.240)

• IP address of the proxy appliance itself
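A pre-flight check for the address rules listed above and in the two fallback server tasks, as an added example that is not part of the product guide. The function names, the optional subnet prefix length used to spot a subnet's network and broadcast addresses, and the sample addresses in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the product guide: vet a server list before typing
# it into the Fallback Server field. Names and sample values are assumed.

MAX_FALLBACK=5   # the guide allows up to five fallback servers

# check_ipv4 ADDR [PREFIX_LEN]
# Prints "ok" or the reason for rejection. PREFIX_LEN (1-30) is an assumed
# site subnet size, used to catch that subnet's network/broadcast address.
check_ipv4() (
    ip=$1
    plen=${2:-}
    printf '%s\n' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' ||
        { echo "not dotted decimal"; exit 1; }
    IFS=.
    set -- $ip
    for octet in "$@"; do
        case "$octet" in
            0) ;;
            0*) echo "leading zero (can be read as octal)"; exit 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo "octet above 255"; exit 1; }
    done
    if [ "$1" -eq 127 ]; then echo "loopback"; exit 1; fi
    if [ "$1" -eq 0 ]; then echo "reserved"; exit 1; fi
    if [ "$1" -ge 224 ]; then echo "multicast, reserved or broadcast range"; exit 1; fi
    if [ -n "$plen" ]; then
        addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
        hostmask=$(( (1 << (32 - plen)) - 1 ))
        host=$(( addr & hostmask ))
        [ "$host" -ne "$hostmask" ] || { echo "broadcast address of the /$plen subnet"; exit 1; }
        [ "$host" -ne 0 ] || { echo "network address of the /$plen subnet"; exit 1; }
    fi
    echo ok
)

# check_fallback_list OWN_IP PREFIX_LEN ENTRY...
# OWN_IP is the appliance being configured (a tiered setup must not list it);
# pass "" for OWN_IP or PREFIX_LEN to skip that check. Prints one verdict per
# entry; the exit status is the number of rejections (0 = usable list).
check_fallback_list() (
    own=$1
    plen=$2
    shift 2
    bad=0
    seen=" "
    if [ "$#" -gt "$MAX_FALLBACK" ]; then
        echo "REJECT list: $# entries, limit is $MAX_FALLBACK"
        bad=$((bad + 1))
    fi
    for entry in "$@"; do
        case "$seen" in
            *" $entry "*) echo "REJECT $entry: duplicate"; bad=$((bad + 1)); continue ;;
        esac
        seen="$seen$entry "
        case "$entry" in
            *[!0-9.]*)  # not only digits and dots: host name or non-decimal IP
                if printf '%s\n' "$entry" | grep -Eiq '^0x[0-9a-f]+(\.|$)'; then
                    echo "REJECT $entry: hexadecimal form, use decimal"
                    bad=$((bad + 1))
                elif printf '%s\n' "$entry" |
                        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'; then
                    echo "CHECK  $entry: host name, confirm the endpoints can resolve it"
                else
                    echo "REJECT $entry: not a valid host name"
                    bad=$((bad + 1))
                fi ;;
            *)
                if [ -n "$own" ] && [ "$entry" = "$own" ]; then
                    echo "REJECT $entry: address of the appliance itself"
                    bad=$((bad + 1))
                elif reason=$(check_ipv4 "$entry" "$plen"); then
                    echo "OK     $entry"
                else
                    echo "REJECT $entry: $reason"
                    bad=$((bad + 1))
                fi ;;
        esac
    done
    exit "$bad"
)

# Constructed usage: appliance 10.20.30.5 on an assumed /24 subnet.
# check_fallback_list 10.20.30.5 24 10.20.30.11 gtip2.example.internal 127.0.0.1
```

Host names are only flagged for a manual check, because resolvability has to be tested from the VirusScan Enterprise endpoints themselves.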

When using a tiered appliance setup, at least one of the top level devices must be capable of resolving file reputation lookup requests by using the Global Threat Intelligence service. If you do not configure at least one of the devices to use the service, all file reputation lookup requests will fail.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Select the proxy appliance. When more than one McAfee GTI Proxy Appliance is set up, from the list on the left, select the proxy appliance that you want for this task.

4 Click the Configuration tab.

If the proxy appliance is already configured, the last configuration is shown.

5 Click Edit for information regarding the McAfee GTI Proxy Appliance configuration.

6 For the SSL Option, select Disabled.

7 For Use one of the options to get Forwarder Server IP's, select Enter Forwarder IP. This option allows you to manually specify the proxy appliance IP addresses.

8 In the Forwarder IP List field, enter the IPv4 address of the device that this appliance will use to resolve file reputation lookup requests, then click Add to IP List. Enter one IP address at a time.

• Use the up and down arrows to put the list of IP addresses in the order you want them used.

• To delete an IP address from the list, select the IP address and click delete (red X).

• To edit an IP address, select it from the list and click Edit Selected IP. Make the necessary changes to the IP address and click Add to IP List to add the edited IP address to the list.

9 Click OK to save and close the configuration settings and update the McAfee GTI Proxy Appliance configuration file.

10 Wake up the McAfee GTI Proxy Appliance system to complete the task:

a Select System Tree and click the Systems tab.

b Select your GTI Proxy Appliance system from the systems list.

c Click Wake Up Agents at the bottom of the window.

d On the Wake Up McAfee Agent page, select Force Complete Policy and Task Update, then click OK.

e Verify the agent wake up completed before completing any other steps.

11 Verify that the forwarder IP addresses are set up:

a Click the Systems tab.

b Double‑click your McAfee GTI Proxy Appliance.

c Click the Products tab.

d In the Product list, select GTI Proxy Appliance.

e Scroll down to verify the IP addresses for the Forwarder Server IPs.

12 Verify that lookups perform successfully:

a Log on to the McAfee GTI Proxy Appliance as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

b Type the command dig @127.0.0.1 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com, then press Enter.

On successful completion, the response from the command will contain status:NOERROR.

c Type logout, then press Enter. The user gtip is logged off the proxy appliance.
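A script form of the lookup check used in this task and in the earlier communication task, as an added example that is not part of the product guide. dig prints the header field as `status: NOERROR` with a space, so the parser reads the header field instead of matching a literal string; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the product guide: classify the result of the
# "dig @127.0.0.1 <test name>" verification step.

# Test name printed in the guide's verification step.
GTI_TEST_NAME='4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com'

# Constructed sample outputs (ids and counts are made up).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# lookup_status: read dig output on stdin and print the DNS status from the
# header line (NOERROR, SERVFAIL, NXDOMAIN, ...), TIMEOUT when no server
# answered, or UNKNOWN when neither marker is present.
lookup_status() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^status:/) {
                    s = $i
                    sub(/^status:/, "", s)
                    if (s == "") s = $(i + 1)   # "status: NOERROR," form
                    sub(/,$/, "", s)
                    print s
                    found = 1
                    exit
                }
            }
        }
        /no servers could be reached/ { print "TIMEOUT"; found = 1; exit }
        END { if (!found) print "UNKNOWN" }
    '
}

# lookup_ok: read dig output on stdin, print a one-line verdict and return 0
# only when the lookup resolved.
lookup_ok() {
    status=$(lookup_status)
    case "$status" in
        NOERROR) echo "PASS status=$status"; return 0 ;;
        TIMEOUT) echo "FAIL no answer from the queried address"; return 1 ;;
        *)       echo "FAIL status=$status"; return 1 ;;
    esac
}

# verify_lookup [SERVER]: live check, run on the appliance as gtip.
# Defaults to 127.0.0.1 as in the guide; one try with a 3 second timeout.
verify_lookup() {
    dig "@${1:-127.0.0.1}" "$GTI_TEST_NAME" +time=3 +tries=1 2>&1 | lookup_ok
}
```

A SERVFAIL or TIMEOUT verdict on a tiered setup points at the forwarder chain, since the local resolver answered or was reachable but nothing upstream resolved the name.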

Set up access to the proxy appliance using authentication keys

The McAfee GTI Proxy Appliance is accessible through SSH using user name and password authentication. However, you can set up SSH access to use public/private key pair authentication that doesn't require the user to enter a password.

You should have already completed installation and configuration successfully.

Tasks

• Set up SSH using an existing public/private key pair on page 51

Use this task to set up an SSH authentication key using an existing public/private key pair.

• Set up SSH using a new public/private key pair on page 52

Use this task to set up an SSH authentication key by generating a new public/private key pair using the McAfee GTI Proxy Appliance.

Set up SSH using an existing public/private key pair

Use this task to set up an SSH authentication key using an existing public/private key pair.

Before you begin

Make sure of the following:

• You generated the public/private key and the administrator knows the public key.

You must have both the public and private keys for SSH setup.

• The computer on which the public/private key file resides must have secure copy (SCP) capability and the administrator knows how to use it.

• The administrator knows the IPv4 address of the proxy appliance.

Task

1 Log on to the computer containing the public key file.

2 Use SCP to copy the public key file to the destination gtip@[GTI Proxy Appliance IPv4 Address]:~/tmp_pub_key.

3 Log off the computer containing the public key file.

4 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

5 Type the command touch .ssh/authorized_keys, then press Enter.

6 Type the command cat tmp_pub_key >> .ssh/authorized_keys, then press Enter.

7 Type the command chmod 0600 .ssh/authorized_keys, then press Enter.

8 Type the command rm tmp_pub_key, then press Enter.

9 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

Set up SSH using a new public/private key pair

Use this task to set up an SSH authentication key by generating a new public/private key pair using the McAfee GTI Proxy Appliance.

Before you begin

Make sure of the following:

• A computer exists on the network that has SCP capability and the administrator knows how to use it.

• The administrator knows the IPv4 address of the proxy appliance.

You must generate both a public and private key for SSH setup.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command ssh-keygen -f ~/.ssh/id_dsa -t dsa -N "", then press Enter.

3 Type the command touch .ssh/authorized_keys, then press Enter.

4 Type the command cat .ssh/id_dsa.pub >> .ssh/authorized_keys, then press Enter.

5 Type the command chmod 0600 .ssh/authorized_keys, then press Enter.

6 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

7 Log on to the computer with SCP capability.

8 Use SCP to copy the public key file to the computer from the source gtip@[GTI Proxy Appliance IPv4 Address]:~/.ssh/id_dsa.pub.

9 Use SCP to copy the private key file to the computer from the source gtip@[GTI Proxy Appliance IPv4 Address]:~/.ssh/id_dsa.

Store the private and public keys so that only the administrator can access them.

10 Log off the computer with SCP capability.

11 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

12 Type the command rm .ssh/id_dsa.pub .ssh/id_dsa, then press Enter.

13 Type logout, then press Enter. The user gtip is logged off the proxy appliance.
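The touch, cat and chmod steps shared by both key tasks, written as one function that also vets the file before appending it; this is an added example that is not part of the product guide. The function name install_pubkey, its exit codes and the sample key line (a constructed value, not a real key) are assumptions.

```shell
#!/bin/sh
# Added example, not from the product guide.

# Constructed sample line in authorized_keys format; the blob is not a real key.
SAMPLE_PUBKEY='ssh-dss AAAAB3NzaC1kc3MAAACBAKconstructedSAMPLEblob0123456789+/ admin@workstation'

# install_pubkey KEYFILE [HOME_DIR]
# Appends the single public key in KEYFILE to HOME_DIR/.ssh/authorized_keys.
# Exit codes (assumed): 0 done, 2 file missing, 3 private key, 4 malformed.
install_pubkey() (
    keyfile=$1
    home=${2:-$HOME}
    auth="$home/.ssh/authorized_keys"

    [ -f "$keyfile" ] || { echo "no such file: $keyfile" >&2; exit 2; }
    # A private key copied by mistake must never land in authorized_keys.
    if grep -q 'PRIVATE KEY' "$keyfile"; then
        echo "refusing $keyfile: it holds a private key" >&2
        exit 3
    fi
    # Expect exactly one line: "<key type> <base64 blob> [comment]". A line
    # that starts with options (command=, from=, ...) is rejected as well.
    [ "$(grep -c . "$keyfile")" -eq 1 ] ||
        { echo "refusing $keyfile: expected exactly one key line" >&2; exit 4; }
    line=$(grep . "$keyfile")
    case "$line" in
        ssh-dss\ *|ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "refusing $keyfile: unknown key type" >&2; exit 4 ;;
    esac
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' ||
        { echo "refusing $keyfile: key data is not base64" >&2; exit 4; }

    umask 077                      # new files and directories are owner-only
    mkdir -p "$home/.ssh"
    chmod 0700 "$home/.ssh"        # sshd StrictModes refuses group/world-writable paths
    touch "$auth"
    chmod 0600 "$auth"
    # Running "cat >>" twice would leave duplicate entries; compare key blobs.
    if awk -v b="$blob" '($2 "") == (b "") { hit = 1 } END { exit !hit }' "$auth"; then
        echo "already present"
        exit 0
    fi
    printf '%s\n' "$line" >> "$auth"
    echo "installed"
)

# Constructed usage on the appliance, after the SCP step:
# install_pubkey ~/tmp_pub_key && rm ~/tmp_pub_key
```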

Configure permissions for users accessing the proxy appliance in McAfee ePO

Use this task to configure the level of permission that users who belong to permission sets need to access the McAfee GTI Proxy Appliance through McAfee ePO.

When you configure permissions for users, you are granting the level of access for a permission set. For example, you might grant any users who are members of the Group Admin permission set view and take actions permission. Make sure you understand permission sets, the users who belong to permission sets, and levels of permission before making changes.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | User Management | Permission Sets.

3 Select a set from the list on the Permission Sets page.

4 Scroll down to GTI Proxy Appliance and click Edit.

5 Select the appropriate permission from the options and click Save.

The permissions are set and the Permission Sets page re‑appears.

6 Scroll down to System Tree access and click Edit.

7 Select the appropriate permission from the options and click Save.

You must enable System Tree access so the user can view reports.

Configure performance data settings for the proxy appliance

Use these tasks to configure performance data collection and log settings for the McAfee GTI Proxy Appliance. Performance data is used in the proxy appliance's performance report.

Tasks

• Configure performance data collection interval on page 54

Use this task to configure how often performance data is collected from the McAfee GTI Proxy Appliance.

• Configure performance log purging and archiving on page 54

Use this task to set up automatic purging and archiving of the McAfee GTI Proxy Appliance performance logs at regular intervals from the McAfee ePO system.

Configure performance data collection interval

Use this task to configure how often performance data is collected from the McAfee GTI Proxy Appliance.

Before you begin

When configuring this setting, you must take into account that McAfee ePO has its own setting that specifies how often it communicates with the McAfee Agent. For example, if the interval is configured to collect performance data every 10 minutes, but McAfee ePO is configured to communicate with the McAfee Agent every hour, then the data is sent to McAfee ePO only on an hourly basis.

The McAfee Agent sends performance data from the proxy appliance to McAfee ePO so that this data is viewable in the performance report.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Policy | Policy Catalog.

3 Select GTI Proxy Appliance.

4 Click the name of the policy assigned to the proxy appliance.

5 In the Performance Data collection Interval (secs) field, enter the number of seconds that you want to specify for the interval. The number must be between 60 (1 minute) and 600 (10 minutes).

6 Click Save to save the changes.

7 Wake up the McAfee GTI Proxy Appliance system to complete the task:

a Select System Tree and click the Systems tab.

b Select your GTI Proxy Appliance system from the systems list.

c Click Wake Up Agents at the bottom of the window.

d On the Wake Up McAfee Agent page, select Force Complete Policy and Task Update, then click OK.

e Verify the agent wake up completed before completing any other steps.

Configure performance log purging and archiving

Use this task to set up automatic purging and archiving of the McAfee GTI Proxy Appliance performance logs at regular intervals from the McAfee ePO system.

You should periodically purge and archive report information from McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Report tab.

4 Select Actions | Automate Purge/Archive.

5 For Automation Status, select Enabled (this option is disabled by default).

6 Configure the Automate Type, Specifications, and Actions settings.

The Specifications and Actions options depend on which Automate Type you select.

7 Click OK to save the configuration.

4 Custom GTI file reputation scores

Use custom GTI file reputation scores to set the score regardless of the existing reputation in the Global Threat Intelligence service.

Although many different scores exist for file reputation in the Global Threat Intelligence service, custom GTI file reputation scores can only be set to one of two values: Clean or Bad.

• Clean — Set a clean reputation score on a file when you do not want VirusScan Enterprise to detect it during file reputation lookup requests.

• Bad — Set a bad reputation score on a file so that VirusScan Enterprise will detect it and take the necessary action during file reputation lookup requests. The action that VirusScan Enterprise takes on files with a bad reputation depends on the actions it is configured to take. For example, it might either delete or quarantine the file.

Using this feature, you can view and add custom GTI file reputation scores, which are populated by collection either manually or in a batch. Scores are contained in one or more collections, which are deployed to one or multiple McAfee GTI Proxy Appliances.

For custom scores, first set up secure authentication so that the VirusScan Enterprise endpoint can verify the file reputation lookup response from the McAfee GTI Proxy Appliance. Then, create the custom score collection, add the collection to McAfee ePO, and then apply the collections to the proxy appliances.

Contents

• Set up secure authentication for custom GTI file reputation scores
• Configure custom GTI file reputation scores
• Verify custom GTI file reputation score setup
• Resolve custom GTI file reputation score conflicts
• Export a custom GTI file reputation scores collection
• Export a command file containing the custom GTI file reputation scores
• Import a command file to a proxy appliance
• Display custom GTI file reputation score collection details

Set up secure authentication for custom GTI file reputation scores

Use McAfee ePO to set up public/private key pairs to provide secure authentication and verification for custom GTI file reputation scores. Then deploy the keys using the appropriate policies in McAfee ePO.

Before you begin

• Store the public/private keys that came with the McAfee GTI Proxy package in a location accessible by McAfee ePO.

When VirusScan Enterprise receives a bad file reputation score, it needs to verify it by sending an authentication query to the McAfee GTI Proxy Appliance. The response is signed using the private key, and VirusScan Enterprise uses the public key to verify the signature.

You must have at least one public/private key pair set up, but multiple key pairs are allowed within the following guidelines:

• Each proxy appliance can have only one private key.

• You can use the same private key on more than one proxy appliance, or you can use a different private key for each appliance.

• A VirusScan Enterprise endpoint can have multiple public keys so that it can communicate with more than one proxy appliance.

Task

1 Log on to the McAfee ePO server as an administrator.

2 Add the public/private keys to McAfee ePO:

a Select Menu | Systems | GTI Proxy Appliance Management.

b Select Actions | Manage Keys.

c Click Add New Key Pair.

d Enter a name for the key pair and browse to the public and private key files, then click OK.

The keys are added to McAfee ePO and ready for deployment to the proxy appliance and VirusScan Enterprise endpoints.

3 Deploy the public/private keys to McAfee GTI Proxy Appliance and VirusScan Enterprise.

Table 4-1 Deploy public/private key pairs

To deploy... Follow these steps...

Private key to a proxy appliance

1 Select Menu | Systems | GTI Proxy Appliance Management.

2 Select the proxy appliance. When more than one McAfee GTI Proxy Appliance is set up, from the list on the left, select the proxy appliance that you want for this task.

3 Click the Assign Key link.

4 Select the Configure a Private Key checkbox.

5 Select a private key and click OK. The private key appears in the Assigned Key section.

6 Click Configure to update the proxy appliance.

7 Verify using McAfee ePO:

a Send a second wake-up call to the proxy appliance to update the system details.

b To view the updated details, select Menu | Systems | System Tree.

c Select the McAfee GTI Proxy Appliance system.

d Click the Products tab.

e In the Products list, select the McAfee GTI Proxy Appliance.

f Scroll down to verify the key name is displayed in Private Key in the properties for that proxy appliance.

Public keys to VirusScan Enterprise

1 Select Menu | Policy | Policy Catalog.

2 Select GTI Proxy Agent from the Product drop‑down list.

3 Select Configure Public Keys from the Category drop‑down list.

4 Click the name of the policy you want to edit, select one or more public keys, and click Save.

5 Send an agent wake-up call to VirusScan Enterprise to apply the settings.

For VirusScan Enterprise systems, you will need to wake up the agent twice; once to apply the settings to the VirusScan Enterprise system, and again to retrieve the settings from VirusScan Enterprise and display them in the VirusScan Enterprise system properties in the System Tree.

6 Verify using McAfee ePO:

a Send a second wake‑up call to the VirusScan Enterprise system to update the system details.

b To view the updated details, select Menu | Systems | System Tree.

c Select the VirusScan Enterprise system.

d Click the Products tab.

e In the Products list, select the McAfee GTI Proxy Agent.

f Scroll down to verify that the key name in the selected policy is displayed in Public Keys in the properties for the McAfee GTI Proxy Agent.


Configure custom GTI file reputation scores

Create the custom GTI file reputation scores by assigning the custom score (clean or bad) to an MD5 checksum of a file. Then use McAfee ePO to manage and apply the custom GTI file reputation scores to a McAfee GTI Proxy Appliance.

Before you begin

• Set up secure authentication between VirusScan Enterprise and the proxy appliance.

• You need the MD5 checksum value for any file that you want to apply a custom GTI file reputation score to.

Add scores to one collection at a time using the McAfee ePO custom GTI file reputation score interface, or create a comma‑separated file with multiple entries to add the scores in a batch.

Tasks

• Add custom GTI file reputation scores in a batch
Upload a comma‑separated file containing all of the MD5 checksum values and custom GTI file reputation scores to add custom GTI file reputation scores in a batch.

• Add custom GTI file reputation scores manually
Use interactive mode in the McAfee ePO GTI Proxy Appliance Custom File Reputation Scores interface to add custom GTI file reputation scores for one MD5 checksum at a time.

• Apply custom GTI file reputation score collections to a proxy appliance
After you create custom GTI file reputation score collections and add custom GTI file reputation scores, you need to apply the collections to one or more McAfee GTI Proxy Appliances to make them active.

• Edit custom GTI file reputation scores
Change, delete, copy, and add new custom GTI file reputation scores.

• Delete a custom GTI file reputation score collection
Deleting a custom GTI file reputation score collection removes it from the McAfee ePO system.

• Remove assigned custom GTI file reputation score collections
When a custom GTI file reputation score collection is no longer required on a McAfee GTI Proxy Appliance, you need to remove the collection from the proxy appliance.

Add custom GTI file reputation scores in a batch

Upload a comma‑separated file containing all of the MD5 checksum values and custom GTI file reputation scores to add custom GTI file reputation scores in a batch. Custom GTI file reputation score collections can contain both clean and bad custom GTI file reputation scores, and you do not need to place the entries in any specific order.

When creating a comma‑separated value (CSV) file to process custom GTI file reputation scores in a batch, you can:

• Create a new collection

• Append to an existing collection

• Update an existing collection

Example of a custom GTI file reputation score CSV file where the first entry is a clean custom GTI file reputation score and the second entry is a bad custom GTI file reputation score:


Task

1 Create a CSV file with the MD5 checksums and custom GTI file reputation scores you want applied.

To avoid custom GTI file reputation score conflicts within a single collection, ensure multiple identical checksums do not exist.

2 Log on to the McAfee ePO server as an administrator.

3 Select Menu | Systems | GTI Proxy Appliance Management.

4 Select Actions | Custom Reputation.

5 Select All Collections.

6 Select Actions | Create Collection.

7 Enter a collection name and description, and upload a CSV file for processing.

You can also upload a file for batch processing at a later time using the Batch Mode feature in the Custom Reputation Console interface. To do so, select a collection and click Edit, select Add Hash, then click Batch Mode.

8 Click OK.

On the Custom Reputation Console page, the new collection appears with an Available status against the available proxy appliances.

9 To edit the collection or upload a new file, select All Collections and click Edit.

10 Select Actions | Add Hash.

11 Select Batch Mode, and choose a CSV file.

12 Resolve any conflicts and click Next.

13 Click Next to view a summary and click Save.

14 Click Close to exit the edit collection interface.

15 Apply the custom GTI file reputation score collection to a McAfee GTI Proxy Appliance to make the score collection active.

See also Apply custom GTI file reputation score collections to a proxy appliance on page 62

Add custom GTI file reputation scores manually

Use interactive mode in the McAfee ePO GTI Proxy Appliance Custom File Reputation Scores interface to add custom GTI file reputation scores for one MD5 checksum at a time.

When manually configuring and adding custom GTI file reputation scores to one collection at a time in McAfee ePO, you can:

• Create and delete custom GTI file reputation scores

• Add, edit, and remove entries within a custom GTI file reputation score collection

• Apply custom GTI file reputation score collections


Task

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

3 Click Actions | Custom Reputation.

4 On the Custom Reputation Collections page, select Actions | Create Collection.

5 Enter a custom GTI file reputation score collection name and description.

6 Click OK.

7 Select a custom GTI file reputation score collection and select Actions | Edit.

8 Click Add Hash.

9 Select Interactive Mode, enter one MD5 checksum at a time, and select the custom GTI file reputation score.

10 Click Add hash to collection and click Next.

The collection is checked for conflicts.

11 Click Next to view a summary and click Save.

12 Click Close to exit the edit custom GTI file reputation score collection interface.

13 Apply the collection to a McAfee GTI Proxy Appliance to make the score collection active.

See also Apply custom GTI file reputation score collections to a proxy appliance on page 62

Apply custom GTI file reputation score collections to a proxy appliance

After you create custom GTI file reputation score collections and add custom GTI file reputation scores, you need to apply the collections to one or more McAfee GTI Proxy Appliances to make them active.

Before you begin

• Custom GTI file reputation score collections must be created and contain custom GTI file reputation scores for MD5 checksum values of files.

• Both of the proxy appliance processes — gtiproxy and syncd — must be in the "Running" state before applying a custom file reputation collection.

• Secure authentication keys must be set up.

Task

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

3 Select Actions | Custom Reputation.

4 Select the proxy appliance. When more than one McAfee GTI Proxy Appliance is set up, from the list on the left, select the proxy appliance that you want for this task.


5 Click Add/Remove Collections.

6 Select the collection(s), and, if you want to flush the proxy appliance cache, select that option.

Flushing the cache removes all existing entries from the cache before applying the new entries. In this case, the entire collection is sent to the proxy appliance instead of the difference between the last collection and the new collection.

7 Click Next.

If conflicts are detected, they are shown. Conflicts can occur when a custom GTI file reputation score is not the same in all collections that are being applied or already applied to a proxy appliance.

8 Click Next to view a summary, then click Apply.

The process of applying the collections to proxy appliances is started. The time it takes to complete applying the collections depends on the number of entries in a collection. Adding appears in the Status column of the Custom Reputation Console, and the percentage complete appears in the header of the panel. You can click Refresh to update the status during the process of applying the collections. If there is an error when loading the collection, McAfee recommends flushing the cache, and reloading the collections.

There is a limit on the number of custom GTI file reputation scores that can be applied to a McAfee GTI Proxy Appliance. This limit is enforced by McAfee ePO and is approximately five million entries. A custom GTI file reputation score collection will not be applied if applying the collection would cause the limit to be exceeded, and McAfee ePO displays a message warning of the cache limit. Custom GTI file reputation score collections will not be applied to the McAfee GTI Proxy Appliance when the limit on the number of custom GTI file reputation scores has been reached. To change the custom GTI file reputation scores on the McAfee GTI Proxy Appliance after the limit is reached, the custom GTI file reputation scores must first be deleted.

McAfee recommends that you wait approximately five minutes after deleting entries before trying to add collections. McAfee GTI Proxy Appliance maintains an approximate count of the number of custom GTI file reputation score entries which can be inaccurate if entries are duplicated during add or delete operations. Collections are re‑indexed approximately every five minutes after which the count is accurate again.

Edit custom GTI file reputation scores

Change, delete, copy, and add new custom GTI file reputation scores.

Task

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

3 Select Actions | Custom Reputation.

4 Click Edit next to the collection that you want to edit.

5 Make the necessary changes.


Table 4-2 Edit custom GTI file reputation scores

To... Follow these steps...

Change the custom GTI file reputation score for a checksum

1 Select Actions | Change Flag.

2 Complete the changes.

Delete a checksum for a custom GTI file reputation score

1 Select Actions | Delete Hash.

2 Complete the changes.

Copy a checksum for a custom GTI file reputation score

1 Select Actions | Copy Hash.

2 Complete the changes.

Add a new checksum for a custom GTI file reputation score

1 Click Add Hash.

2 Add scores:

• Select Interactive Mode to add a single custom GTI file reputation score at a time.

• Select Batch Mode to upload a file to add custom GTI file reputation scores in a batch.

3 Complete the changes.

6 Add the custom GTI file reputation score collection to a McAfee GTI Proxy Appliance to make the score collection active.

See also Apply custom GTI file reputation score collections to a proxy appliance on page 62

Delete a custom GTI file reputation score collection

Deleting a custom GTI file reputation score collection removes it from the McAfee ePO system.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

3 Select Actions | Custom Reputation.

4 Click Delete next to the collection that you want to remove.

5 Click Yes to delete the collection.

Click No to cancel the action and leave the collection in McAfee ePO.

6 To permanently delete the collection from McAfee ePO, remove it from the proxy appliances for which that collection is active.

See also Apply custom GTI file reputation score collections to a proxy appliance on page 62


Remove assigned custom GTI file reputation score collections

When a custom GTI file reputation score collection is no longer required on a McAfee GTI Proxy Appliance, you need to remove the collection from the proxy appliance.

Before you begin

Both of the proxy appliance processes ‑ gtiproxy and syncd ‑ must be in the "Running" state before collections that have been added and applied can be removed.

This task will mean the collection is no longer added to the proxy appliance. However, the collection remains available within McAfee ePO.

Task

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

3 Select Actions | Custom Reputation.

4 Select the proxy appliance. When more than one McAfee GTI Proxy Appliance is set up, from the list on the left, select the proxy appliance that you want for this task.

5 Click Add/Remove Collections.

6 From the Actions column next to the collection that you want to delete, click Remove.

7 Click Next.

8 Resolve any conflicts.

9 Review the summary, and click Next.

10 Click Apply.

11 Apply the custom GTI file reputation score to a McAfee GTI Proxy Appliance to remove the collection.

See also Apply custom GTI file reputation score collections to a proxy appliance on page 62

Verify custom GTI file reputation score setup

After you have configured at least one custom GTI file reputation score collection, verify that the scores you configured and applied to the McAfee GTI Proxy Appliance are working as expected.

Before you begin

Gather the following:

• IP address of the proxy appliance

• MD5 checksum of a file for which you added a custom GTI file reputation score


Task

1 Log on to the VirusScan Enterprise system.

2 Use the nslookup utility from a command prompt to verify a custom GTI file reputation score.

a Open a command prompt.

b Type nslookup and press Enter.

c Type server [IP address of the proxy appliance] and press Enter.

d Enter [MD5checksumvalue].avqs.mcafee.com, where [MD5checksumvalue] is the MD5 whose custom score you want to verify.

The IP address returned in the response indicates which custom GTI file reputation score is assigned to the McAfee GTI file reputation:

• 127.0.0.128 — This IP address always indicates the score is clean.

• 127.0.4.8 — This IP address always indicates the score is bad.
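The nslookup check above can also be scripted so that it can be repeated for many checksums. The following is an added example, not code from the product guide or from McAfee: it sends the same A-record query for [MD5checksumvalue].avqs.mcafee.com to the proxy appliance and maps the returned address onto the two scores listed above. The function names and the sample reply are constructed for illustration.

```python
"""Scripted form of the nslookup check: query [MD5].avqs.mcafee.com at the proxy."""
import re
import secrets
import socket
import struct
import sys

ZONE = "avqs.mcafee.com"                                # suffix given in the guide
SCORES = {"127.0.0.128": "clean", "127.0.4.8": "bad"}   # addresses given in the guide
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")


def query_name(md5_hex):
    """Build the name entered at the nslookup prompt."""
    if not MD5_RE.fullmatch(md5_hex):
        raise ValueError("expected a 32-character hexadecimal MD5 checksum")
    return f"{md5_hex}.{ZONE}"


def build_query(name, txid=0x4754):
    """Encode a standard recursive DNS query for the A record of name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(packet, offset):
    """Return the offset just past a DNS name, which may end in a compression pointer."""
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length


def parse_a_records(packet):
    """Return (rcode, [IPv4 address strings]) from a DNS response."""
    try:
        _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
        offset = 12
        for _ in range(qdcount):
            offset = _skip_name(packet, offset) + 4      # skip QTYPE and QCLASS
        addresses = []
        for _ in range(ancount):
            offset = _skip_name(packet, offset)
            rtype, rclass, _ttl, rdlength = struct.unpack(
                "!HHIH", packet[offset:offset + 10])
            offset += 10
            if rtype == 1 and rclass == 1 and rdlength == 4:
                addresses.append(socket.inet_ntoa(packet[offset:offset + 4]))
            offset += rdlength
    except (IndexError, struct.error, OSError) as exc:
        raise ValueError("truncated or malformed DNS response") from exc
    return flags & 0x000F, addresses


def classify(addresses):
    """Map the returned addresses onto the two scores the guide documents."""
    verdicts = {SCORES[a] for a in addresses if a in SCORES}
    return verdicts.pop() if len(verdicts) == 1 else "unknown"


def lookup(proxy_ip, md5_hex, timeout=3.0):
    """Send the query to the proxy appliance over UDP port 53, as nslookup does."""
    query = build_query(query_name(md5_hex), txid=secrets.randbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (proxy_ip, 53))
        reply, _ = sock.recvfrom(512)
    if reply[:2] != query[:2]:
        raise ValueError("reply does not match the query's transaction ID")
    rcode, addresses = parse_a_records(reply)
    return rcode, addresses, classify(addresses)


def constructed_reply(md5_hex, address):
    """Constructed sample reply (not captured from an appliance) for offline use."""
    query = build_query(query_name(md5_hex))
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(address)
    return header + query[12:] + answer


if __name__ == "__main__":
    if len(sys.argv) == 3:                        # usage: script PROXY_IP MD5
        print(lookup(sys.argv[1], sys.argv[2]))
    else:                                         # offline demonstration
        sample = "d41d8cd98f00b204e9800998ecf8427e"   # constructed: MD5 of empty input
        for ip in ("127.0.0.128", "127.0.4.8"):
            print(ip, classify(parse_a_records(constructed_reply(sample, ip))[1]))
```

A result of "unknown" only means that the reply did not contain one of the two addresses listed above; the guide does not document any other return values.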

Resolve custom GTI file reputation score conflicts

A custom GTI file reputation score conflict occurs when a custom GTI file reputation score is not the same in all collections.

Before you begin

• Use this task when you are already working with custom GTI file reputation score collections in McAfee ePO and a custom GTI file reputation score conflict is detected.

When you apply two collections that have the same file MD5 checksum with different custom GTI file reputation scores, the conflict is automatically detected and a Resolve Conflict page appears.

Task

1 On the Resolve Conflict page, select the collection that you want to remove the duplicate MD5 checksum from.

2 Click Next.

The conflicting MD5 checksum appears with a corresponding collection of custom GTI file reputation scores configured for that MD5 checksum.

3 In the Resolve Conflict for selected MD5 checksum pane, select the custom GTI file reputation score you want removed.

4 Click Save Conflict.

Modified appears in the Status column of the Custom Reputation Console. If the collections were applied to only one proxy appliance, an "All conflicts are resolved" message appears. Continue resolving conflicts until all conflicts are resolved. The action of resolving conflicts will make permanent changes to the content of the collection(s).


Export a custom GTI file reputation scores collection

Export a collection of custom file reputation scores from McAfee ePO to preserve an external backup copy, to transfer the collection to another McAfee ePO system, or to review the collection manually when there are a number of conflicts.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

3 Select Actions | Custom Reputation.

4 Select Export next to the collection that you want to export.

5 Save the file.

The collection is saved on the local system as a CSV file named "Content_[list name].csv."

The format of the contents in the custom GTI file reputation score collection is the same as the format specified when you import batch scores.
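Exported or hand-built CSV files can be reviewed offline before they are uploaded or applied. The following is an added example, not part of the product guide: it reports identical checksums within one file, checksums whose score differs between files (the conflict condition described earlier), and whether the combined entry count exceeds the approximate five million limit. It assumes only that each row contains exactly one 32-hex-digit MD5 field and treats the remaining fields as the score text; the sample rows and the words used for the scores are constructed and are not the product's actual CSV layout.

```python
"""Pre-upload review of custom-score CSV files: duplicates, conflicts, entry count."""
import csv
import io
import re
from collections import defaultdict

MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
ENTRY_LIMIT = 5_000_000   # approximate per-appliance limit stated in the guide


def parse_collection(text):
    """Return (entries, rejected) for one CSV file.

    Assumption: every data row holds exactly one 32-hex-digit field (the MD5);
    all other fields together are treated as the score and compared as text.
    """
    entries, rejected = [], []
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        line_no = reader.line_num
        fields = [f.strip() for f in row]
        if not any(fields):
            continue                                    # blank line
        hashes = [f for f in fields if MD5_RE.fullmatch(f)]
        if len(hashes) != 1:
            rejected.append((line_no, "row does not contain exactly one MD5"))
            continue
        score = ",".join(f for f in fields if f != hashes[0]).lower()
        if not score:
            rejected.append((line_no, "row has an MD5 but no score"))
            continue
        entries.append((line_no, hashes[0].lower(), score))
    return entries, rejected


def review(collections, limit=ENTRY_LIMIT):
    """Review {collection name: CSV text} and return a report dictionary."""
    seen = defaultdict(lambda: defaultdict(list))   # md5 -> score -> [(name, line)]
    report = {"rejected": [], "duplicates": [], "conflicts": []}
    for name, text in collections.items():
        entries, rejected = parse_collection(text)
        report["rejected"] += [(name, line, why) for line, why in rejected]
        lines_by_md5 = defaultdict(list)
        for line_no, md5, score in entries:
            lines_by_md5[md5].append(line_no)
            seen[md5][score].append((name, line_no))
        # Identical checksums inside one collection, which the guide says to avoid.
        report["duplicates"] += [(name, md5, lines)
                                 for md5, lines in lines_by_md5.items()
                                 if len(lines) > 1]
    # The same checksum carrying different scores anywhere in the reviewed set.
    report["conflicts"] = [(md5, dict(by_score))
                           for md5, by_score in seen.items() if len(by_score) > 1]
    report["unique_hashes"] = len(seen)
    report["over_limit"] = len(seen) > limit
    return report


# Constructed sample input: the hashes are MD5 of empty input and of "abc".
SAMPLE_A = """d41d8cd98f00b204e9800998ecf8427e,clean
900150983cd24fb0d6963f7d28e17f72,bad
D41D8CD98F00B204E9800998ECF8427E,clean
not-a-hash,bad
"""
SAMPLE_B = "900150983cd24fb0d6963f7d28e17f72,clean\n"

if __name__ == "__main__":
    result = review({"A": SAMPLE_A, "B": SAMPLE_B})
    for key, value in result.items():
        print(key, value)
```

The count is of distinct checksums across the files reviewed, so it is a lower bound on what is already held on an appliance that has other collections applied.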

Export a command file containing the custom GTI file reputation scores

Export the scores from McAfee ePO into a command file when you want to get custom GTI file reputation scores directly on to a McAfee GTI Proxy Appliance instead of using McAfee ePO to apply them.

You can export the custom GTI file reputation scores into a command file to create a single file that you can then import directly on to your McAfee GTI Proxy Appliance. By using this alternative option, you can get custom GTI file reputation scores onto the proxy appliance without using McAfee ePO to create the scores, and then apply them. However, McAfee recommends you use McAfee ePO to create and apply custom GTI file reputation scores.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

3 Select Actions | Custom Reputation.

4 Select All Collections | Actions | Export Command File.

5 Select a collection, and click Next.

6 Resolve any conflicts and click Next.

7 Click Export Command File.

8 Save the file and click Close to exit the window.

The collection is saved on the local system and is ready for importing directly on a McAfee GTI Proxy Appliance without using McAfee ePO. McAfee GTI Proxy Appliance only supports importing collections that were exported using McAfee ePO.


Import a command file to a proxy appliance

You can import the contents of one or more collections from a single command file directly on to the McAfee GTI Proxy Appliance. Only command files that were exported using McAfee ePO can be imported on to McAfee GTI Proxy Appliance.

When completing this procedure, the entire contents of the custom GTI file reputation scores are flushed on the proxy appliance and the new values from the command file are imported.

Task

1 Use SCP to copy the command file you exported to /acs/gtip/custom_list.cache on the proxy appliance.

The name of the file is always custom_list.cache.

2 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

3 Verify that the gtiproxy and syncd processes are running and start them if necessary.

4 Type sudo /usr/local/sbin/load_custom_reputation_data.sh load and press Enter.

The collection begins to load immediately, or directly after any other collections finish loading. You can type sudo /usr/local/sbin/load_custom_reputation_data.sh query and press Enter to display the status of collections being processed.

Existing custom GTI file reputation scores are deleted from the proxy appliance and the scores contained in the command file are imported.

The limit on the number of custom GTI file reputation scores is not enforced by the load_custom_reputation_data.sh script. It is the responsibility of the user to ensure no more than 5 million custom GTI file reputation scores are added to the cache. All custom GTI file reputation scores should be entered in a single file that begins with a flush command.

Display custom GTI file reputation score collection details

Display collection details to see which McAfee GTI Proxy Appliances are added to the collection. The collection details also display the following information:

• The proxy appliances that have the collection already added

• A summary about the last attempt to add the collection

• Whether the collection is still waiting to be added to a proxy appliance

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

3 Select Actions | Custom Reputation.

4 Click the collection name of the collection for which you want to view the properties.


5 Review the properties of the selected collection.

6 Click Close to exit the window.


5 Update the McAfee Linux Operating System

Understand the tasks needed to update the McAfee Linux Operating System (MLOS) on the McAfee GTI Proxy Appliance.

Contents

• Configure the proxy appliance to get MLOS updates from a server

• Apply the McAfee Linux Operating System Updates

Configure the proxy appliance to get MLOS updates from a server

Configure your McAfee GTI Proxy Appliance to download MLOS updates from a server.

Before you begin

If the McAfee GTI Proxy Appliance obtains its MLOS updates from another McAfee GTI Proxy Appliance on the same internal network, obtain the IP address/host name of the other internal server, from which this McAfee GTI Proxy Appliance retrieves its MLOS updates.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command mlos-config and press Enter.

The following prompt is displayed: Download from 'mcafee', 'internal' or 'localmedia':

3 Make the appropriate entry.

• If this McAfee GTI Proxy Appliance has direct access to the external McAfee SFTP server, type mcafee and press Enter.

• If this McAfee GTI Proxy Appliance will retrieve its MLOS updates from another McAfee GTI Proxy Appliance, type internal and press Enter.

The localmedia option is not supported.


4 When the following prompt is displayed, choose yes by typing 1 and pressing Enter if this McAfee GTI Proxy Appliance will be used as an intermediate server for distributing MLOS RPMs to other McAfee GTI Proxy Appliances. Type 2 if you do not want this McAfee GTI Proxy Appliance to be used as an intermediate server.

Will this server act as an intermediate server for distributing MLOS RPMs to other GTI servers?
1) yes
2) no

5 If the internal option was specified, a prompt will appear to enter the IP address/host name of the internal server from which this McAfee GTI Proxy Appliance will retrieve its MLOS updates. Press Enter after typing the IP address/host name.

Example output:

Local update server hostname/IPv4 address: 192.168.1.1
Config complete

In the event that the host name/IP address cannot be resolved, the utility will prompt you to proceed with the configuration setting entered.

Local update server hostname/IPv4 address: proxy_name
Cannot resolve 'proxy_name'
The IPv4 Address/Hostname that was entered was either invalid or could not be resolved.
Do you wish to proceed with this configuration option?
1) yes
2) no

Apply the McAfee Linux Operating System Updates

Apply the McAfee Linux Operating System (MLOS) updates for the McAfee GTI Proxy Appliance.

Before you begin

• Run the mlos-config utility as outlined in the previous section to configure MLOS updates.

• If you have configured the McAfee GTI Proxy Appliance to retrieve its MLOS updates from another McAfee GTI Proxy Appliance within the same network, the MLOS update utility must have already been run on the source McAfee GTI Proxy Appliance.

If a kernel update is required, the update process notifies you prior to performing any update, and you are given the option to proceed or quit at this stage. If you proceed with the update and a kernel update is performed, at the end of the update process you are informed that a reboot of the McAfee GTI Proxy Appliance is required. You are then given the option to reboot immediately or you can choose to perform the reboot manually at a later time.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.


2 In order to apply the MLOS updates from the McAfee SFTP server or another internal McAfee GTI Proxy Appliance, run the following command: mlos-apply-updates, then press Enter.

If this is the first time connecting to another server then you will be prompted to add the server to the list of known hosts on the McAfee GTI Proxy Appliance.

Once the update utility has retrieved the MLOS RPMs from the other server, it will determine if a kernel RPM update is required. If a kernel RPM update is required then you can choose to proceed or not before any update occurs. If you choose to proceed then the scripts will proceed to install/upgrade/remove the necessary MLOS RPMs. If a kernel RPM update occurred then you are prompted to reboot now or later. Choosing now results in the McAfee GTI Proxy Appliance being rebooted. Choosing the later option requires you to perform a manual reboot of the McAfee GTI Proxy Appliance at some future time in order to complete the update of the server.

Example output from the process:

Mon Aug 11 10:03:55 UTC 2011 ------------
McAfee Linux RPM Update Utility
Connecting to internalgti...
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is 1f:d4:50:34:1e:c6:05:e0:12:f7:97:b4:32:79:aa:64.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.

The McAfee Linux Kernel is to be upgraded. A server reboot will be required. If you proceed with the install the server reboot can be deferred until a later time. Do you wish to proceed with the McAfee Linux RPM upgrade?
1) yes
2) no
#? 1
Mon Jul 11 10:03:57 UTC 2011 Proceeding with McAfee Linux upgrade
Mon Jul 11 10:03:59 UTC 2011 audit-libs-1.7.18-2.mlos1.x86_64.rpm is upgraded
……………
Mon Jul 11 10:05:37 UTC 2011 util-linux-2.13-5.mlos1.x86_64.rpm is upgraded
Mon Jul 11 10:05:42 UTC 2011 kernel-2.6.32-18.mlos1.x86_64.rpm is installed

Mon Jul 11 10:05:37 UTC 2011 Upgrade of McAfee Linux complete
The McAfee Linux Kernel has been upgraded. A server reboot is required. Do you wish to reboot the server now or perform a manual reboot at a later time?
1) now
2) later
#? 1


6 McAfee GTI Proxy diagnostics

The tasks in this section are for diagnosing and troubleshooting services, status, lookups, installation, and configuration on the McAfee GTI Proxy Appliance and in McAfee ePO.

Contents

• Diagnostics on the proxy appliance

• Diagnostics in McAfee ePO

Diagnostics on the proxy appliance

You can use the McAfee GTI Proxy Appliance itself to diagnose and troubleshoot issues on the proxy appliance.

Tasks

• Check proxy appliance status
Use this task to check the status of the McAfee GTI Proxy Appliance.

• How to restart or shut down the proxy appliance
This task describes how to restart and shut down McAfee GTI Proxy Appliance.

• Check the keyboard settings are configured correctly
Use this task to check that the keyboard setting on the McAfee GTI Proxy Appliance is configured correctly.

• Lookup request diagnostics
Use the tasks in this section to verify that the appliance can perform all tasks related to file reputation lookup requests.

• Plug-in diagnostics
Use the tasks in this section to verify that the McAfee GTI Proxy Appliance plug‑in is working correctly.

• McAfee Agent diagnostics
Use the tasks in this section to verify that the McAfee Agent is working correctly.

• McAfee Linux Operating System (MLOS) diagnostics
Use the tasks in this section to verify that MLOS is working correctly.

Check proxy appliance status

Use this task to check the status of the McAfee GTI Proxy Appliance.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.


2 Type the command gtiproxy.init status or syncd.init status, then press Enter. The status appears.

3 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

How to restart or shut down the proxy appliance

This task describes how to restart and shut down McAfee GTI Proxy Appliance.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Restart or shut down the proxy appliance:

• Restart: Type the command sudo /sbin/shutdown -r now, then press Enter. The proxy appliance will restart.

• Shut down: Type the command sudo /sbin/shutdown -h now, then press Enter. The proxy appliance will shut down and turn off.

See also Configure communication between the proxy appliance and Global Threat Intelligence service on page 44

Check the keyboard settings are configured correctly

Use this task to check that the keyboard setting on the McAfee GTI Proxy Appliance is configured correctly.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command cat /etc/sysconfig/keyboard and then press Enter.

The following configuration file will be displayed.

KEYBOARDTYPE="pc"
KEYTABLE="us"

where the configured keyboard setting will be represented by the code in the KEYTABLE setting.

3 Confirm that this value (shown above) is correct.

4 Type logout, then press Enter.

The user gtip is logged off the proxy appliance.


Lookup request diagnostics

Use the tasks in this section to verify that the appliance can perform all tasks related to file reputation lookup requests.

Tasks

• Confirm VirusScan Enterprise can process file reputation lookup requests on page 38
Use the ArtemisTest.zip file to verify that VirusScan Enterprise can process file reputation lookup requests using McAfee GTI Proxy.

• Check general DNS access on page 77
Use this task to ensure McAfee GTI Proxy instance general resolver can resolve general DNS queries. DNS queries are required from the proxy appliance to resolve file reputation lookup requests.

• Check access to the Global Threat Intelligence service on page 78
Use this task to ensure the McAfee GTI Proxy Appliance can resolve the Global Threat Intelligence service host names. Resolving host names for the Global Threat Intelligence service is required for the proxy appliance to operate and resolve file reputation lookups for VirusScan Enterprise managed endpoints.

• Check file reputation lookups from the proxy appliance on page 79
Use this task to confirm that the McAfee GTI Proxy Appliance can forward queries to the Global Threat Intelligence service. The ability to forward queries to the service is required so that the proxy appliance can resolve file reputation lookups.

• Check file reputation lookups on the proxy appliance on page 80
Use this task to confirm the McAfee GTI Proxy Appliance is performing file reputation lookups successfully.

• Check the Global Threat Intelligence service configuration on page 80
Use this task to check that the Global Threat Intelligence service is correctly configured on the McAfee GTI Proxy Appliance.

Confirm VirusScan Enterprise can process file reputation lookup requests

Use the ArtemisTest.zip file to verify that VirusScan Enterprise can process file reputation lookup requests using McAfee GTI Proxy.

Only perform this task after you have verified that the proxy appliance plug-in and the agent plug-in have been deployed, as a second wake-up call to the agent is needed before the system is configured correctly.

Task

1 Log on to the VirusScan Enterprise system and download the ArtemisTest.zip file from KB53733.

2 Extract the contents of the ArtemisTest.zip file and enter the password provided in the KnowledgeBase article.

This automatically generates a file reputation lookup request from the VirusScan Enterprise to the proxy appliance. The On-Access Scan Messages window appears and displays the results of the file reputation lookup request.

Check general DNS access

Use this task to ensure McAfee GTI Proxy instance general resolver can resolve general DNS queries. DNS queries are required from the proxy appliance to resolve file reputation lookup requests.

Before you begin

You must have an accessible and functioning DNS server on the network where McAfee GTI Proxy Appliance is installed.


Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command dig mcafee.com, then press Enter.

A successful response contains status: NOERROR.

3 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

Check access to the Global Threat Intelligence service

Use this task to ensure the McAfee GTI Proxy Appliance can resolve the Global Threat Intelligence service host names. Resolving host names for the Global Threat Intelligence service is required for the proxy appliance to operate and resolve file reputation lookups for VirusScan Enterprise managed endpoints.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command dig @ns1.mcafee.com local.cloud.mcafee.com, then press Enter.

A successful response contains status: NOERROR and a list of host names appears in the AUTHORITY SECTION. A successful response example is below.

dig @ns1.mcafee.com local.cloud.mcafee.com

; <<>> DiG 9.3.4-P1 <<>> @ns1.mcafee.com local.cloud.mcafee.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4260
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;local.cloud.mcafee.com. IN A

;; AUTHORITY SECTION:
cloud.mcafee.com. 86400 IN NS geo4.mcafee.com.
cloud.mcafee.com. 86400 IN NS geo1.mcafee.com.
cloud.mcafee.com. 86400 IN NS geo3.mcafee.com.

;; ADDITIONAL SECTION:
geo1.mcafee.com. 1800 IN A 192.168.254.200
geo3.mcafee.com. 1800 IN A 192.168.254.211
geo4.mcafee.com. 1800 IN A 192.168.254.237

;; Query time: 186 msec
;; SERVER: 192.168.254.240
;; WHEN: Fri Apr 29 08:39:50 2011
;; MSG SIZE rcvd: 145

3 Type logout, then press Enter. The user gtip is logged off the proxy appliance.


Check file reputation lookups from the proxy appliance

Use this task to confirm that the McAfee GTI Proxy Appliance can forward queries to the Global Threat Intelligence service. The ability to forward queries to the service is required so that the proxy appliance can resolve file reputation lookups.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command dig @ns1.mcafee.com local.cloud.mcafee.com, then press Enter.

A successful response contains status: NOERROR and a list of service IP addresses appears in the ADDITIONAL SECTION. A successful response example is below.

dig @ns1.mcafee.com local.cloud.mcafee.com

; <<>> DiG 9.3.4-P1 <<>> @ns1.mcafee.com local.cloud.mcafee.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4260
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;local.cloud.mcafee.com. IN A

;; AUTHORITY SECTION:
cloud.mcafee.com. 86400 IN NS geo4.mcafee.com.
cloud.mcafee.com. 86400 IN NS geo1.mcafee.com.
cloud.mcafee.com. 86400 IN NS geo3.mcafee.com.

;; ADDITIONAL SECTION:
geo1.mcafee.com. 1800 IN A 192.168.254.200
geo3.mcafee.com. 1800 IN A 192.168.254.211
geo4.mcafee.com. 1800 IN A 192.168.254.237

;; Query time: 186 msec
;; SERVER: 192.168.254.240
;; WHEN: Fri Apr 29 08:39:50 2011
;; MSG SIZE rcvd: 145

3 Using a geo server name from the ADDITIONAL SECTION, type the command dig @[geo server name] local.cloud.mcafee.com, then press Enter.

For example: dig @geo1.mcafee.com local.cloud.mcafee.com

A successful response contains status: NOERROR and a list of service IP addresses appears in the ANSWER SECTION.

4 Using an address from the ANSWER SECTION, type the command dig @[ip address from ANSWER SECTION] 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com, then press Enter.

A successful response contains status: NOERROR.

5 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

See also Configure tiered proxy appliance access on page 49
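Each step of the lookup chain above comes down to reading the header status and one named section out of a dig response. The following shell functions are an added example, not part of the McAfee guide or product; the function names are hypothetical and the embedded samples are constructed (the first from the response printed above).

```shell
#!/bin/sh
# Added example, not McAfee code. Function names are hypothetical.
# Reads saved `dig` output the way the diagnostic steps ask you to read it.

# Constructed sample: the successful response printed in this guide.
SAMPLE_DIG_OUTPUT='; <<>> DiG 9.3.4-P1 <<>> @ns1.mcafee.com local.cloud.mcafee.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4260
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;local.cloud.mcafee.com. IN A

;; AUTHORITY SECTION:
cloud.mcafee.com. 86400 IN NS geo4.mcafee.com.
cloud.mcafee.com. 86400 IN NS geo1.mcafee.com.
cloud.mcafee.com. 86400 IN NS geo3.mcafee.com.

;; ADDITIONAL SECTION:
geo1.mcafee.com. 1800 IN A 192.168.254.200
geo3.mcafee.com. 1800 IN A 192.168.254.211
geo4.mcafee.com. 1800 IN A 192.168.254.237

;; Query time: 186 msec
;; SERVER: 192.168.254.240
;; WHEN: Fri Apr 29 08:39:50 2011
;; MSG SIZE rcvd: 145'

# Constructed failure sample: the queried server could not complete the lookup.
SAMPLE_SERVFAIL=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Print the response status (NOERROR, SERVFAIL, NXDOMAIN, ...) from the header line.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/.*->>HEADER<<-.*status: *\([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the records of one section (AUTHORITY, ADDITIONAL or ANSWER), one per line.
dig_section() {
    printf '%s\n' "$1" | awk -v want=";; $2 SECTION:" '
        $0 == want { insec = 1; next }
        insec && ($0 == "" || /^;;/) { insec = 0 }
        insec && !/^;/ { print }
    '
}

# Print "name address" for every A record in the ADDITIONAL section.
# These are the geo servers that step 3 tells you to query next.
dig_glue_addresses() {
    dig_section "$1" ADDITIONAL |
        awk '$3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }'
}

# Evaluate one step: status must be NOERROR and, if a section name is given
# as $2, that section must contain at least one record.
check_step() {
    st=$(dig_status "$1")
    if [ "$st" != "NOERROR" ]; then
        echo "FAIL status=${st:-none}"
        return 1
    fi
    if [ -n "$2" ] && [ -z "$(dig_section "$1" "$2")" ]; then
        echo "FAIL empty $2 section"
        return 1
    fi
    echo "OK"
}

# Demo on the constructed sample. On the appliance, capture real output instead:
#   out=$(dig @ns1.mcafee.com local.cloud.mcafee.com)
check_step "$SAMPLE_DIG_OUTPUT" ADDITIONAL
dig_glue_addresses "$SAMPLE_DIG_OUTPUT"
```

A NOERROR status alone does not pass a step whose section is empty, which is why check_step takes the section name the step expects.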


Check file reputation lookups on the proxy appliance

Use this task to confirm the McAfee GTI Proxy Appliance is performing file reputation lookups successfully.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command dig @127.0.0.1 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com, then press Enter.

A successful response contains status: NOERROR.

3 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

See also Configure tiered proxy appliance access on page 49

Check the Global Threat Intelligence service configuration

Use this task to check that the Global Threat Intelligence service is correctly configured on the McAfee GTI Proxy Appliance.

Before you begin

Make a list of IPv4 addresses specified when you configured communication between the proxy appliance and the Global Threat Intelligence service.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Go to the /acs/gtip/gtiproxy/current/etc directory.

3 Open the gtiproxy.cfg file. This contains the Global Threat Intelligence service configurations.

4 Verify that the IP addresses and cloud access mode are the same as specified in McAfee ePO.

5 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

See also Configure communication between the proxy appliance and Global Threat Intelligence service on page 44

Plug-in diagnostics

Use the tasks in this section to verify that the McAfee GTI Proxy Appliance plug-in is working correctly.

Tasks

• Check Global Threat Intelligence Proxy Appliance plug-in status on page 81
Use this task to check the status of Global Threat Intelligence Proxy Appliance plug-in.

• Start the Global Threat Intelligence Proxy Appliance plug-in on page 81
Use this task to start the Global Threat Intelligence Proxy Appliance plug-in when it has stopped.


Check Global Threat Intelligence Proxy Appliance plug-in status

Use this task to check the status of Global Threat Intelligence Proxy Appliance plug-in.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command ps -C gtipa, then press Enter.

If the plug‑in is running, the process ID appears.

3 If the process ID does not appear, restart the process.

4 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

See also Start the Global Threat Intelligence Proxy Appliance plug-in on page 81

Start the Global Threat Intelligence Proxy Appliance plug-in

Use this task to start the Global Threat Intelligence Proxy Appliance plug-in when it has stopped.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command sudo /usr/local/sbin/configure_ma.sh, then press Enter.

3 Type N when prompted "Do you want to reinstall McAfee Agent[y/n]," and press Enter.

4 Type Y when prompted "McAfee GTI Proxy Appliance plug‑in is not running. Do you want to start[y/n]," and press Enter.

5 If the "Firewall is off. Do you want to turn it on?" message appears, type Y, then press Enter.

This message appears only when the system firewall is not running.

The appliance plug‑in starts.

6 When prompted, "Enter new port if it is different on McAfee ePO," press Enter.

7 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

See also Check Global Threat Intelligence Proxy Appliance plug-in status on page 81


McAfee Agent diagnostics

Use the tasks in this section to verify that the McAfee Agent is working correctly.

Tasks

• Check the McAfee Agent status on page 82
Use this task to check the McAfee Agent status on the McAfee GTI Proxy Appliance.

• Start the McAfee Agent when it is stopped on page 82
Use this task to start the McAfee Agent on the McAfee GTI Proxy Appliance when it has stopped.

• Re-install McAfee Agent on the proxy appliance on page 83
Use this task to re-install McAfee Agent on an already managed McAfee GTI Proxy Appliance.

Check the McAfee Agent status

Use this task to check the McAfee Agent status on the McAfee GTI Proxy Appliance.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command ps -C cma, then press Enter.

If the process is running, the process ID appears.

3 If no process ID appears, restart the process.

4 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

See also Start the McAfee Agent when it is stopped on page 82

Start the McAfee Agent when it is stopped

Use this task to start the McAfee Agent on the McAfee GTI Proxy Appliance when it has stopped.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command sudo /usr/local/sbin/configure_ma.sh, then press Enter.

3 Type y when prompted "McAfee Agent is not running. Do you want to start[y/n]," then press Enter.

The McAfee Agent starts.

4 If the "Firewall is off. Do you want to turn it on?" message appears, type y, then press Enter.

This message appears only when the system firewall is not running.

5 When prompted, "Enter new port if it is different on McAfee ePO," press Enter.

6 Type logout, then press Enter. The user gtip is logged off the proxy appliance.


See also Check the McAfee Agent status on page 82

Re-install McAfee Agent on the proxy appliance

Use this task to re-install McAfee Agent on an already managed McAfee GTI Proxy Appliance.

Before you begin

Make sure you have the following:

• IPv4 address of the McAfee ePO server

• Agent‑to‑server communication port of the McAfee ePO server

• Agent wake‑up communication port of the McAfee ePO server

• McAfee Agent for Linux 4.6 should be present in the McAfee ePO master repository

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command sudo /usr/local/sbin/configure_ma.sh, then press Enter.

3 Type y when prompted "Do you want to reinstall McAfee Agent[y/n]," and press Enter.

4 When prompted, "Provide IP Address and port of ePO server," type the McAfee ePO server IP address and the Agent-to-server communication port separated with a colon (IP:port), then press Enter.

The McAfee Agent installer is downloaded from the McAfee ePO server and the Global Threat Intelligence Agent plug-in is deployed on the proxy appliance.

5 If the "Firewall is off. Do you want to turn it on?" message appears, type y, then press Enter.

This message appears only when the system firewall is not running.

6 When prompted, "Enter new port if it is different on McAfee ePO," enter the Agent wake-up communication port if it is different than the port displayed in the prompt. If there is no difference, press Enter.

7 Wait for the first Agent-server communication interval (ASCI) to complete.

To verify that the ASCI is complete, view the Server Task Log (select Menu | Automation | Server Task Log).

The port is configured and the proxy appliance is now managed through McAfee ePO.

8 To verify the McAfee Agent installation and version:

a Log on to the McAfee GTI Proxy Appliance as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, type the new password instead.

b Type the command rpm -q MFErt, then press Enter.

MFErt and the version appear.


c Type the command rpm -q MFEcma, then press Enter.

MFEcma and the version appear.

9 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

McAfee Linux Operating System (MLOS) diagnostics

Use the tasks in this section to verify that MLOS is working correctly.

Tasks

• Check that MLOS updates are configured for secure communication protocol on page 84
Check that the McAfee GTI Proxy Appliance is configured correctly to retrieve its MLOS updates from another internal McAfee GTI Proxy Appliance.

• Check the proxy appliance can get MLOS updates from the McAfee SFTP server or internal proxy appliance on page 85
Check that the McAfee GTI Proxy Appliance is configured correctly to retrieve its MLOS updates from either the McAfee SFTP Server or another internal McAfee GTI Proxy Appliance.

• Check the proxy appliance communicates with the McAfee SFTP server or an internal proxy appliance on page 86
Use this task to check that the McAfee GTI Proxy Appliance can communicate successfully with either the McAfee SFTP Server or another internal McAfee GTI Proxy Appliance to get the MLOS updates.

• Check McAfee GTI Proxy Appliance communicates with McAfee SFTP Server or internal proxy appliance on page 87
Verify the McAfee GTI Proxy Appliance can communicate successfully with the McAfee SFTP Server or another internal McAfee GTI Proxy Appliance to retrieve the MLOS updates where the host name is used for the configuration.

• Check that MLOS RPM updates have downloaded to the internal proxy appliance on page 88
Check that the MLOS updates have downloaded to the internal server when the McAfee GTI Proxy Appliance is configured to retrieve its MLOS RPM updates from another internal McAfee GTI Proxy Appliance.

Check that MLOS updates are configured for secure communication protocol

Check that the McAfee GTI Proxy Appliance is configured correctly to retrieve its MLOS updates from another internal McAfee GTI Proxy Appliance.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.


2 Type the command cat /acs/gtip/.ssh/mlos_ssh.config, then press Enter.

The following configuration file will be displayed.

Host internalgti
Hostname 192.168.1.1
Port 22
User mlos
IdentityFile /acs/gtip/.ssh/internal_id_rsa

Host mcafeesftp
Hostname gtiproxy2.mcafee.com
Port 22
User mcafeemlos
IdentityFile /acs/gtip/.ssh/mcafee_server_id_rsa

3 In the section that begins with Host internalgti, check that the Hostname value is either a valid IP Address or valid host name for another internal McAfee GTI Proxy Appliance server where the McAfee GTI Proxy Appliance will retrieve its MLOS updates.

4 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

See also Configure the proxy appliance to get MLOS updates from a server on page 71

Check the proxy appliance can get MLOS updates from the McAfee SFTP server or internal proxy appliance

Check that the McAfee GTI Proxy Appliance is configured correctly to retrieve its MLOS updates from either the McAfee SFTP Server or another internal McAfee GTI Proxy Appliance.

If you have several McAfee GTI Proxy Appliance installations, you can choose to use one of the internal appliances as the download source for the rest of the appliances so that the update only has to be downloaded once. It also means that only one of the McAfee GTI Proxy Appliances needs a connection to the Global Threat Intelligence cloud.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.


2 Type the command cat /etc/gti/mlos.conf, then press Enter.

The following configuration file will be displayed if this McAfee GTI Proxy Appliance has been configured to download from McAfee SFTP Server.

MLOS_DOWNLOAD_TYPE=sftp
MLOS_DOWNLOAD_HOST=mcafeesftp
MLOS_DOWNLOAD_SERVER_PATH=updates
MLOS_DOWNLOAD_PRODUCT=gtiproxy
MLOS_UPDATE_DOWNLOAD_PRODUCT=gtiproxy
MLOS_UPDATE_DOWNLOAD_TYPE=sftp
MLOS_UPDATE_DOWNLOAD_HOST=mcafeesftp
MLOS_INTERMEDIATE_HOST=no
MLOS_DOWNLOAD_DIR=/acs/mlos/mlos_downloads

The following configuration file will be displayed if this McAfee GTI Proxy Appliance has been configured to download from another internal McAfee GTI Proxy Appliance.

MLOS_DOWNLOAD_TYPE=sftp
MLOS_DOWNLOAD_HOST=internalgti
MLOS_DOWNLOAD_SERVER_PATH=/acs/mlos/mlos_downloads
MLOS_DOWNLOAD_PRODUCT=gtiproxy
MLOS_UPDATE_DOWNLOAD_PRODUCT=gtiproxy
MLOS_UPDATE_DOWNLOAD_TYPE=sftp
MLOS_UPDATE_DOWNLOAD_HOST=internalgti
MLOS_UPDATE_DOWNLOAD_SERVER_PATH=/acs/mlos/mlos_downloads
MLOS_INTERMEDIATE_HOST=no
MLOS_DOWNLOAD_DIR=/acs/mlos/mlos_downloads

3 Check that the configuration file output matches the output in the previous step.

The value of the MLOS_INTERMEDIATE_HOST will depend on the option chosen during the configuration.

4 Type logout, then press Enter.

The user gtip is logged off the proxy appliance.

See also Configure the proxy appliance to get MLOS updates from a server on page 71
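The mlos_ssh.config and mlos.conf checks in the two tasks above can be cross-checked in one pass: every download host named in mlos.conf must be a Host alias defined in mlos_ssh.config. The following shell functions are an added example, not McAfee code; the function names are hypothetical, the sample files are constructed from the listings in this guide, and the private-key permission check is an addition beyond the guide's steps.

```shell
#!/bin/sh
# Added example, not McAfee code. Function names are hypothetical.
# Cross-checks an mlos.conf file against an ssh client config such as
# /acs/gtip/.ssh/mlos_ssh.config.

# Print the value of KEY ($2) from a KEY=value file ($1).
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Print the value of keyword $3 inside the "Host $2" block of ssh config $1.
# Only exact alias names are matched, not wildcard patterns.
ssh_host_get() {
    awk -v want="$2" -v kw="$3" '
        tolower($1) == "host" {
            inblk = 0
            for (i = 2; i <= NF; i++) if ($i == want) inblk = 1
            next
        }
        inblk && tolower($1) == tolower(kw) { print $2; exit }
    ' "$1"
}

# Group and other permission bits as ls prints them ("------" means owner-only).
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# $1 = mlos.conf path, $2 = ssh config path. Returns non-zero on any failure.
check_update_source() {
    rc=0
    for key in MLOS_DOWNLOAD_HOST MLOS_UPDATE_DOWNLOAD_HOST; do
        host_alias=$(conf_get "$1" "$key")
        target=$(ssh_host_get "$2" "$host_alias" Hostname)
        if [ -z "$host_alias" ] || [ -z "$target" ]; then
            echo "FAIL $key=${host_alias:-unset} has no Host block with a Hostname"
            rc=1
            continue
        fi
        echo "OK $key=$host_alias -> $target"
        idfile=$(ssh_host_get "$2" "$host_alias" IdentityFile)
        # Added check: the private key should be readable by its owner only.
        if [ -f "$idfile" ] && [ "$(group_other_bits "$idfile")" != "------" ]; then
            echo "FAIL $idfile is accessible to group or others"
            rc=1
        fi
    done
    return $rc
}

# Write constructed sample files, modelled on the listings in this guide, into $1.
make_demo_files() {
    cat > "$1/mlos.conf" <<'EOF'
MLOS_DOWNLOAD_TYPE=sftp
MLOS_DOWNLOAD_HOST=internalgti
MLOS_DOWNLOAD_SERVER_PATH=/acs/mlos/mlos_downloads
MLOS_UPDATE_DOWNLOAD_TYPE=sftp
MLOS_UPDATE_DOWNLOAD_HOST=internalgti
EOF
    cat > "$1/mlos_ssh.config" <<EOF
Host internalgti
Hostname 192.168.1.1
Port 22
User mlos
IdentityFile $1/internal_id_rsa

Host mcafeesftp
Hostname gtiproxy2.mcafee.com
Port 22
User mcafeemlos
IdentityFile $1/mcafee_server_id_rsa
EOF
    : > "$1/internal_id_rsa"        # empty placeholder, not a real key
    chmod 600 "$1/internal_id_rsa"
}

# Demo on constructed files. On the appliance, pass the real paths instead:
#   check_update_source /etc/gti/mlos.conf /acs/gtip/.ssh/mlos_ssh.config
demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
check_update_source "$demo_dir/mlos.conf" "$demo_dir/mlos_ssh.config"
rm -rf "$demo_dir"
```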

Check the proxy appliance communicates with the McAfee SFTP server or an internal proxy appliance

Use this task to check that the McAfee GTI Proxy Appliance can communicate successfully with either the McAfee SFTP Server or another internal McAfee GTI Proxy Appliance to get the MLOS updates.

Before you begin

Ensure that you have executed the previous diagnostic steps to ensure that MLOS updates are configured correctly.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new one instead.


2 Depending on your chosen configuration:

• For the case where this McAfee GTI Proxy Appliance is configured to retrieve its MLOS updates from another internal McAfee GTI Proxy Appliance, type the command, then press Enter:

ssh mlos@internalgti -F /acs/gtip/.ssh/mlos_ssh.config "pwd"

• Where this McAfee GTI Proxy Appliance is configured to retrieve its MLOS updates from the McAfee SFTP server, type the command, then press Enter:

sftp -F /acs/gtip/.ssh/mlos_ssh.config mcafeemlos@mcafeesftp

Type the command pwd, then press Enter.

Type the command exit.

3 If this is the first time that the McAfee GTI Proxy Appliance has connected to the internal server, you will see the following output. Type yes.

The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is 1f:d4:50:34:1e:c6:05:e0:12:f7:97:b4:32:79:aa:64.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.

The following output from an internal McAfee GTI Proxy Appliance is expected:

/acs/mlos

The following output from the McAfee SFTP server is expected:

THIS IS A PRIVATE COMPUTER SYSTEM FOR THE USE OF AUTHORIZED USERS ONLY.
Company resources are provided to employees for the sole purpose of conducting
company business. Personal use, especially inappropriate personal use will not
be tolerated. The company can and will monitor the use of company resources. Any
unauthorized use of company resources for non-company activities may result in
disciplinary action up to and including termination. Company resources covered
by this policy include but are not limited to computer hardware and software,
faxes, supplies, electronic mail, internet access and building facilities.
sftp> pwd
Remote working directory: /
sftp> exit

4 Type logout, then press Enter.

The user gtip is logged off the proxy appliance.

See also Configure the proxy appliance to get MLOS updates from a server on page 71

Check McAfee GTI Proxy Appliance communicates with McAfee SFTP Server or internal proxy appliance

Verify the McAfee GTI Proxy Appliance can communicate successfully with the McAfee SFTP Server or another internal McAfee GTI Proxy Appliance to retrieve the MLOS updates where the host name is used for the configuration.

Before you begin

Ensure that you have executed the previous diagnostic steps to ensure that the McAfee GTI Proxy Appliance can communicate successfully with either the McAfee SFTP server or an internal McAfee GTI Proxy Appliance where it will retrieve its MLOS updates.


This task only applies if you have configured MLOS updates based on a host name. If you have configured MLOS updates based on an IP Address and the previous task has failed, contact your network administrator to resolve a connectivity issue between the McAfee GTI Proxy Appliance and either the McAfee SFTP Server or the internal McAfee GTI Proxy Appliance from which it will retrieve its MLOS updates.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command cat /etc/resolv.conf, then press Enter.

3 A list of DNS nameservers will be displayed as follows:

; generated by /sbin/dhclient-script
search mydomain
nameserver 192.168.1.2
nameserver 192.168.1.3

4 Choose one of the nameserver IP addresses and execute the following command, substituting the nameserver as appropriate.

dig @<NameServer IP Address> <hostname of GTI Proxy Appliance Server>

For example:

dig @192.168.1.2 gtiproxyappliance

where:

192.168.1.2 should be replaced with your nameserver IP address

and gtiproxyappliance should be replaced with the host name of the internal McAfee GTI Proxy Appliance

The response from this command should display status: NOERROR

If status: NOERROR is not displayed, contact your network administrator to resolve a connectivity issue between the McAfee GTI Proxy Appliance and the internal McAfee GTI Proxy Appliance from which it will retrieve its MLOS updates.

5 Type logout, then press Enter.

The user gtip is logged off the proxy appliance.
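The check in steps 2 to 4, repeated for every nameserver in /etc/resolv.conf, as an added example that is not part of the product guide. The function names are hypothetical, the dig options +time and +tries are added to bound the wait, and NO_RESPONSE is this script's own label for a server that returned no response header.

```shell
#!/bin/sh
# Added example, not from the product guide: repeat steps 2-4 for every
# nameserver the appliance is configured with.

# Print the address of each "nameserver" directive in a resolv.conf file.
# Comment lines (starting with ';' or '#') and "search" lines never match.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# Read dig output on stdin and print the status field of the response
# header (NOERROR, NXDOMAIN, SERVFAIL, ...). Prints NO_RESPONSE when dig
# printed no header at all, for example when the server was unreachable.
dig_status() {
    status=$(sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    echo "${status:-NO_RESPONSE}"
}

# Query every nameserver in the resolv.conf file $1 for host name $2.
# Prints one "<nameserver> <status>" line per server and returns 0 only if
# every server answered with status NOERROR, the result the guide expects.
check_resolution() {
    conf=$1 host=$2 rc=0
    servers=$(list_nameservers "$conf")
    if [ -z "$servers" ]; then
        echo "no nameserver entries in $conf" >&2
        return 2
    fi
    for ns in $servers; do
        # +time/+tries keep an unreachable server from stalling the check
        st=$(dig +time=3 +tries=1 "@$ns" "$host" 2>/dev/null | dig_status)
        echo "$ns $st"
        [ "$st" = "NOERROR" ] || rc=1
    done
    return $rc
}

# Run the check when invoked as: sh check_dns.sh <resolv.conf> <host name>
if [ "$#" -eq 2 ]; then
    check_resolution "$1" "$2"
    exit $?
fi
```

A server reported with anything other than NOERROR is the one to raise with the network administrator, as step 4 directs.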

Check that MLOS RPM updates have downloaded to the internal proxy appliance

Check that the MLOS updates have downloaded to the internal server when the McAfee GTI Proxy Appliance is configured to retrieve its MLOS RPM updates from another internal McAfee GTI Proxy Appliance.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Type the command mlos-apply-updates, then press Enter.

If the following error is observed, the MLOS RPM updates have not been downloaded to the McAfee GTI Proxy Appliance that is the internal download server.

Wed Sep 21 15:58:00 Error: Failed during status check on Internal Download Server

3 Type logout, then press Enter.

The user gtip is logged off the proxy appliance.

See also Configure the proxy appliance to get MLOS updates from a server on page 71

Diagnostics in McAfee ePO

The tasks in this section are for diagnosing and troubleshooting the McAfee GTI Proxy Appliance in McAfee ePO.

Proxy agent diagnostics

Use the tasks in this section to check the installation and configuration of the Global Threat Intelligence Proxy Agent in McAfee ePO.

Tasks

• Check the McAfee GTI Proxy Agent installation on VirusScan Enterprise on page 89
Use this task to check which managed nodes have the McAfee GTI Proxy Agent installed.

• Check McAfee GTI Proxy Agent configuration on VirusScan Enterprise on page 90
Use this task to confirm that the McAfee GTI Proxy Agent is correctly configured on the VirusScan Enterprise.

• Check the McAfee GTI Proxy Agent systems authenticate securely for custom GTI file reputation scores on page 90
Use this task to check that managed nodes have been set up with the correct secure authentication for custom GTI file reputation scores.

Check the McAfee GTI Proxy Agent installation on VirusScan Enterprise

Use this task to check which managed nodes have the McAfee GTI Proxy Agent installed.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Report tab.

The GTI Proxy Agent Coverage Report and GTI Proxy Appliance Performance Report appear. When more than one McAfee GTI Proxy Appliance is set up for monitoring, from the list on the left, select the proxy appliance that you want for this task.

4 Click the green section of the pie to display a list of VirusScan Enterprise endpoints where the McAfee GTI Proxy Agent is installed. The endpoints with the agent installed are enabled for file reputation lookup requests.

5 Click the red section of the pie to display a list of VirusScan Enterprise endpoints where the McAfee GTI Proxy Agent is not installed. The endpoints without the agent installed are not enabled for file reputation lookup requests.

Check McAfee GTI Proxy Agent configuration on VirusScan Enterprise

Use this task to confirm that the McAfee GTI Proxy Agent is correctly configured on the VirusScan Enterprise.

Before you begin

Make a list of the appliance instances you specified when configuring the fallback servers.

For this version of McAfee GTI Proxy Agent, only the Microsoft Windows platform is supported.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Report tab.

The GTI Proxy Agent Coverage Report and GTI Proxy Appliance Performance Report appear. When more than one McAfee GTI Proxy Appliance is set up for monitoring, from the list on the left, select the proxy appliance that you want for this task.

4 Click the green section of the pie to display a list of VirusScan Enterprise endpoints where the McAfee GTI Proxy Agent is installed. The endpoints with the agent installed are enabled for file reputation lookup requests.

5 Click a row to open the System Details page for a particular node.

6 Verify there are fallback servers configured by clicking on the GTI Proxy Agent section of the Products tab on the System Details page.

The values in the Fallback Server field identify the configured appliance IP addresses (comma separated) for that particular node.

Check the McAfee GTI Proxy Agent systems authenticate securely for custom GTI file reputation scores

Use this task to check that managed nodes have been set up with the correct secure authentication for custom GTI file reputation scores.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Dashboard.

3 Click Dashboard Actions and select New.

4 Enter a name for the dashboard and who you want to see the dashboard, and click OK.

5 Click Add Monitor.

6 Click View and select GTI Proxy dashboard.

7 Select Key Monitor as Monitor and click Save.

8 Click the new Dashboard tab.

The GTI Proxy Key Dashboard is displayed. The number of nodes with mismatching or incorrect keys is displayed. Click on the number to list the managed nodes that need to be addressed.

Check the managed Global Threat Intelligence Proxy Appliance plug-in installation

Use this task to check which managed McAfee GTI Proxy Appliances have the Global Threat Intelligence Proxy Appliance plug-in installed.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree.

3 Select the appropriate system group from the System Tree.

4 Click Advanced Filter.

5 In the Available Properties list, click Installed Path (GTI Proxy Appliance).

6 In the Comparison list, click Value is not blank.

7 Click Update Filter. The list of McAfee GTI Proxy Appliances is filtered to those with the appliance plug-in installed.

Check the proxy appliance status in McAfee ePO

Use this task to check the status of a McAfee GTI Proxy Appliance in McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Configuration tab.

The Configuration tab appears. When more than one McAfee GTI Proxy Appliance is set up for monitoring, from the list on the left, select the proxy appliance that you want for this task.

The Process Name and the Status column appear with the initial status of the proxy appliance.

4 Click the Refresh Status link to get the current McAfee GTI Proxy Appliance (gtiproxy process) status.

The Status column shows the current appliance status with Command ‘Status’ : Running as the Result value.

How to start and stop the proxy appliance in McAfee ePO

This section describes how to start, stop, restart, and force-stop the McAfee GTI Proxy Appliance using McAfee ePO.

Tasks

• Start the proxy appliance on page 92
Use this task to start the McAfee GTI Proxy Appliance when it is not running.

• Stop the proxy appliance on page 93
Use this task to stop the McAfee GTI Proxy Appliance when it is running.

• Restart the proxy appliance on page 93
Use this task to restart the McAfee GTI Proxy Appliance when it is running.

• Force-stop the proxy appliance on page 94
Use this task to force-stop the McAfee GTI Proxy Appliance when it is running.

See also Configure communication between the proxy appliance and Global Threat Intelligence service on page 44

Start the proxy appliance

Use this task to start the McAfee GTI Proxy Appliance when it is not running.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Configuration tab.

The Configuration tab appears. When more than one McAfee GTI Proxy Appliance is set up for monitoring, from the list on the left, select the proxy appliance that you want for this task.

The Process Name and the Status column appear with the initial status of the proxy appliance.

4 Click the green Refresh Status link for the McAfee GTI Proxy Appliance to get the current status.

The Status columns show the current appliance statuses.

5 Select Actions | Start.

The Start button is available only when the status is Not running.

If the appliance starts successfully, then the status is Running and the Result value displays Command ‘Start’ <process name>: Successful.

Stop the proxy appliance

Use this task to stop the McAfee GTI Proxy Appliance when it is running.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Control and Monitoring.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Configuration tab.

The Configuration tab appears. When more than one McAfee GTI Proxy Appliance is set up for monitoring, from the list on the left, select the proxy appliance that you want for this task.

The Process Name and the Status column appear with the initial status of the proxy appliance.

4 Click the green Refresh Status link for the McAfee GTI Proxy Appliance to get the current status.

The Status columns show the current appliance statuses.

5 Select Actions | Stop.

The Stop button is available only when the status is Running.

If the appliance stops successfully, then the status is Not running and the Result value displays Command ‘Stop’ <process name>: Successful.

Restart the proxy appliance

Use this task to restart the McAfee GTI Proxy Appliance when it is running.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Configuration tab.

The Configuration tab appears. When more than one McAfee GTI Proxy Appliance is set up for monitoring, from the list on the left, select the proxy appliance that you want for this task.

The Process Name and the Status column appear with the initial status of the proxy appliance.

4 Click the green Refresh Status link for the McAfee GTI Proxy Appliance to get the current status.

The Status columns show the current appliance statuses.

5 Select Actions | Restart.

The Restart button is available only when the status is Running.

If the appliance restarts successfully, then the status is Running and the Result value displays Command ‘Restart’ <process name>: Successful.

Force-stop the proxy appliance

Use this task to force-stop the McAfee GTI Proxy Appliance when it is running.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Configuration tab.

The Configuration tab appears. When more than one McAfee GTI Proxy Appliance is set up for monitoring, from the list on the left, select the proxy appliance that you want for this task.

The Process Name and the Status column appear with the initial status of the proxy appliance.

4 Click the green Refresh Status link for the McAfee GTI Proxy Appliance to get the current status.

The Status columns show the current appliance statuses.

5 Select Actions | Force‑Stop.

The Force‑Stop button is available only when the status is Running.

If the appliance stops successfully, then the status is Running and the Result value displays Command ‘Force-Stop’ <process name>: Successful.

7 McAfee GTI Proxy Appliance logs

McAfee GTI Proxy Appliance provides logs that can be used for analyzing and debugging.

Contents
• Pulling proxy appliance logs
• Purging proxy appliance logs
• Proxy appliance logs for debugging

Pulling proxy appliance logs

Pull logs from the McAfee GTI Proxy Appliance when you need to review information about the proxy appliance or plug-ins.

Tasks

• How to pull a log that exceeds the size limit on page 95
Use this task when you need to pull a log file that exceeds the size limit.

• Pull system logs on page 95
Use this task to pull system-level logs from the McAfee GTI Proxy Appliance.

• Pull proxy appliance logs on page 96
Use this task to pull appliance logs from the McAfee GTI Proxy Appliance.

• Pull plug-in logs on page 97
Use this task to pull appliance plug-in logs from the McAfee GTI Proxy Appliance.

How to pull a log that exceeds the size limit

Use this task when you need to pull a log file that exceeds the size limit.

The appliance has a size limit of 10 MB for pulling log files. If the archive file you get from the appliance exceeds that limit, an error message appears. To fix this problem, set up the archive file so that it falls within the size limit using guidelines in the following table.

Table 7-1 Guidelines to pull log files that exceed the size limit

If... | Then...
An archive file contains multiple log files that exceed the limit | Create a new archive file by selecting fewer log files that will equal less than 10 MB total.
A single log file exceeds the limit | Specify the number of lines to pull from the end of the log file.
You must pull a file that exceeds the limit | Use secure copy to retrieve it.

Pull system logs

Use this task to pull system-level logs from the McAfee GTI Proxy Appliance.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Logs tab.

4 Select the proxy appliance. When more than one McAfee GTI Proxy Appliance is set up, select the proxy appliance that you want for this task.

5 For Log Action, verify Pull (the default) is selected.

6 For Logs, verify System Log (the default) is selected.

7 Click Get File List to get the list of the system log files in the appliance.

• The system log file list appears with file sizes; only 10 files are listed per page.

• Click the Next and Previous links to move through the list of system log files.

8 Select the checkbox for the file name that you want to pull. Alternatively, use the Select all option to select all the files.

9 In the No. of Lines field, specify the number of lines of the log file to be pulled.

Specify a number between 1 and 10000. The default value of 0 results in pulling the complete log file. This option is available only when pulling a single log file.

10 In the Location to store logs field, specify a valid Microsoft Windows file directory path that is on the McAfee ePO server.

After the archive file is pulled from the proxy appliance, it is stored in the location you specify.

11 Click Pull to pull the selected log files from McAfee GTI Proxy Appliance.

A success message is shown on successful completion of the pull operation.

12 To download the log archive file to the local system, click Download.

Pull proxy appliance logs

Use this task to pull appliance logs from the McAfee GTI Proxy Appliance.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Logs tab.

4 Select the proxy appliance. When more than one McAfee GTI Proxy Appliance is set up, select the proxy appliance that you want for this task.

5 For Log Action, verify Pull (the default) is selected.

6 For Logs, select GTI Proxy Appliance Log or GTI Proxy Appliance SyncD Log.

7 Click Get File List to get the list of the appliance log files from the appliance.

• The appliance log file list appears with file sizes; only 10 files are listed per page.

• Click the Next and Previous links to move through the list of system log files.

8 Select the checkbox for the file name that you want to pull. Alternatively, use the Select all option to select all the files.

9 In the No. of Lines field, specify the number of lines of the log file to be pulled.

Specify a number between 1 and 10000. The default value of 0 results in pulling the complete log file. This option is available only when pulling a single log file.

10 In the Location to store logs field, specify a valid Microsoft Windows file directory path that is on the McAfee ePO server.

After the archive file is pulled from the proxy appliance, it is stored in the location you specify.

11 Click Pull to pull the selected log files from McAfee GTI Proxy Appliance.

A success message is shown on successful completion of the pull operation.

12 To download the log archive file to the local system, click Download.

Pull plug-in logs

Use this task to pull appliance plug-in logs from the McAfee GTI Proxy Appliance.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Logs tab.

4 Select the proxy appliance. When more than one McAfee GTI Proxy Appliance is set up, select the proxy appliance that you want for this task.

5 For Log Action, verify Pull (the default) is selected.

6 For Logs, select GTI Proxy Appliance Plugin Log.

7 Click Get File List to get the list of the plug‑in log files from the appliance.

• The plug‑in log file list appears with file sizes; only 10 files are listed per page.

• Click the Next and Previous links to move through the list of system log files.

8 Select the checkbox for the file name that you want to pull. Alternatively, use the Select all option to select all the files.

9 In the No. of Lines field, specify the number of lines of the log file to be pulled.

Specify a number between 1 and 10000. The default value of 0 results in pulling the complete log file. This option is available only when pulling a single log file.

10 In the Location to store logs field, specify a valid Microsoft Windows file directory path that is on the McAfee ePO server.

After the archive file is pulled from the proxy appliance, it is stored in the location you specify.

11 Click Pull to pull the selected log files from McAfee GTI Proxy Appliance.

A success message is shown on successful completion of the pull operation.

12 To download the log archive file to the local system, click Download.

Purging proxy appliance logs

This section describes purging log files from the McAfee GTI Proxy Appliance.

Tasks

• Purge proxy appliance logs on page 98
Use this task to purge proxy appliance logs from the McAfee GTI Proxy Appliance.

• Purge performance logs on page 99
Use this task to purge performance logs from the McAfee GTI Proxy Appliance.

• Purge proxy appliance syncd logs on page 99
Use this task to purge appliance syncd logs from the McAfee GTI Proxy Appliance.

Purge proxy appliance logs

Use this task to purge proxy appliance logs from the McAfee GTI Proxy Appliance.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Logs tab.

4 Select the proxy appliance. When more than one McAfee GTI Proxy Appliance is set up, select the proxy appliance that you want for this task.

5 For Log Action, select Purge.

6 For Logs, select GTI Proxy Appliance Log.

7 Click Get File List to get the list of the appliance log files from the appliance.

• The appliance log file list appears with file sizes; only 10 files are listed per page.

• Click the Next and Previous links to move through the list of system log files.

8 Select the checkbox for the file name that you want to purge. Alternatively, use the Select all option to select all the files.

9 Click Purge.

10 Click OK to purge the selected log files from the McAfee GTI Proxy Appliance.

When the purge operation completes successfully, a confirmation message appears.

11 Click Purge to purge the selected log files from McAfee GTI Proxy Appliance.

Purge performance logs

Use this task to purge performance logs from the McAfee GTI Proxy Appliance.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Logs tab.

4 Select the proxy appliance. When more than one McAfee GTI Proxy Appliance is set up, select the proxy appliance that you want for this task.

5 For Log Action, select Purge.

6 For Logs, select GTI Proxy Appliance Performance Log.

7 Click Get File List to get the list of the performance log files from the appliance.

• The performance log file list appears with file sizes; only 10 files are listed per page.

• Click the Next and Previous links to move through the list of system log files.

8 Select the checkbox for the file name that you want to purge.

9 Click Purge.

10 Click OK to purge the selected log files from the McAfee GTI Proxy Appliance.

When the purge operation completes successfully, a confirmation message appears.

Purge proxy appliance syncd logs

Use this task to purge appliance syncd logs from the McAfee GTI Proxy Appliance.

Task

For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Logs tab.

4 Select the proxy appliance. When more than one McAfee GTI Proxy Appliance is set up, select the proxy appliance that you want for this task.

5 For Log Action, select Purge.

6 For Logs, select GTI Proxy Appliance SyncD Log.

7 Click Get File List to get the list of the appliance log files from the appliance.

• The appliance log file list appears with file sizes; only 10 files are listed per page.

• Click the Next and Previous links to move through the list of system log files.

8 Select the checkbox for the file name that you want to pull. Alternatively, use the Select all option to select all the files.

9 Click Purge.

10 Click OK to purge the selected log files from the McAfee GTI Proxy Appliance.

When the purge operation completes successfully, a confirmation message appears.

11 Click Purge to purge the selected log files from McAfee GTI Proxy Appliance.

Proxy appliance logs for debugging

This section describes some of the logs that are created by various components of the McAfee GTI Proxy Appliance. These logs can be used to help debug issues, such as communication errors between McAfee ePO and the proxy appliance.

Tasks

• View CMA logs on page 100
Use this task to view the CMA logs on the McAfee GTI Proxy Appliance. The CMA logs all McAfee Agent activity that happens on the McAfee GTI Proxy Appliance.

• View plug-in logs on page 101
Use this task to view plug-in logs on the McAfee GTI Proxy Appliance.

View CMA logs

Use this task to view the CMA logs on the McAfee GTI Proxy Appliance. The CMA logs all McAfee Agent activity that happens on the McAfee GTI Proxy Appliance.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Go to the directory /opt/McAfee/cma/scratch/etc. This is where the CMA logs are stored. The CMA log file name is log.[iteration], such as log.1, log.2, and so on.

3 View a log to see McAfee Agent activity that has taken place on the appliance.

4 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

View plug-in logs

Use this task to view plug-in logs on the McAfee GTI Proxy Appliance.

Plug-in logs are created by the McAfee GTI Proxy Appliance plug-in (the gtipa process), which logs activities performed by McAfee ePO on the McAfee GTI Proxy Appliance, such as checking status, starting or stopping the appliance, and pulling or purging logs. This log helps debug any issues related to these activities.

Task

1 Open the VMware console for the McAfee GTI Proxy Appliance and log on as gtip with the default password (provided in the password.txt file available from the download site).

If you changed the password, use the new password instead.

2 Go to the directory /opt/McAfee/gtipa. This is where the plug-in logs are stored. The plug-in log file name is gtipa.log.[iteration], such as gtipa.log.1, gtipa.log.2, and so on.

3 View a log to see McAfee GTI Proxy Appliance plug‑in activity that has taken place on the appliance.

4 Type logout, then press Enter. The user gtip is logged off the proxy appliance.

8 McAfee GTI Proxy Appliance reports

McAfee ePO provides reports showing details such as configuration, coverage, performance and response time for your McAfee GTI Proxy Appliances.

Contents
• About reports
• View the McAfee GTI Proxy Agent coverage and performance reports
• View the proxy appliance average response time report
• Create a dashboard for the proxy appliance
• Create a dashboard for the custom GTI file reputation score key pair mapping

About reports

There are various reports that show specific details about the McAfee GTI Proxy Appliance and different ways to view the reports.

McAfee ePO provides queries for its reports, which you can view on the Queries page.

If you edit a default query, you must save it using a different name before you can re-install or upgrade the extension.

File reputation reporting is also provided in the existing VirusScan Enterprise reports sent to McAfee ePO. McAfee GTI Proxy Appliance itself provides reports on coverage, response time, performance, and load average.

The reports show incorrect information if there are two McAfee GTI Proxy Appliances registered in McAfee ePO that have the same host name. To avoid this situation, McAfee recommends that you do not have two proxy appliances with the same host name.

Table 8-1 McAfee GTI Proxy Appliance reports in McAfee ePO

Reports | Description
GTI Proxy Agent Coverage Report | Provides a pie chart that shows how many VirusScan Enterprise endpoints the agent is installed on and how many it is not installed on. You can click on sections of the pie to view details for the nodes.
GTI Proxy Appliance Average Response Time Report | Provides a graph of the appliance's average response time in milliseconds that it takes to complete a file reputation lookup request. The response time is shown against the time at which the data was captured.
GTI Proxy Appliance Load Average Report | Provides a graph showing the average load in percentage that the appliance has on the operating system.
GTI Proxy Appliance Performance Report | Provides a table showing the load average and average response time for each record time.

You can view the reports from the Query tab in the Queries & Reports page, or Menu | Systems | GTI Proxy System Management, or create a custom dashboard to see all of the reports at one time. Use the tasks in this section to view the various reports or create a custom dashboard so all the reports are accessible in one place.

For more information about queries and how to create them, see the McAfee ePO product documentation or Help system.

View the McAfee GTI Proxy Agent coverage and performance reports

The coverage report shows where the McAfee GTI Proxy Agent is installed, and the performance report provides details about the appliance.

This task uses the GTI Proxy Appliance Management page in McAfee ePO for viewing the coverage and performance reports. However, you can also view these reports by running them from the Queries | Shared Groups page.

Task
For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Report tab.

The GTI Proxy Agent Coverage Report and GTI Proxy Appliance Performance Report appear. When more than one McAfee GTI Proxy Appliance is set up for monitoring, from the list on the left, select the proxy appliance that you want for this task.

4 Use the GTI Proxy Agent Coverage report in the top pane to view which VirusScan Enterprise nodes have the McAfee GTI Proxy Agent installed or not installed.

• Click the green section of the pie to display a list of VirusScan Enterprise nodes where the McAfee GTI Proxy Agent is installed. The nodes with the agent installed are enabled for lookups.

• Click the red section of the pie to display a list of VirusScan Enterprise nodes where the McAfee GTI Proxy Agent is not installed. The nodes without the agent installed are not enabled for lookups.

5 Use the GTI Proxy Appliance Performance Report in the bottom pane to view details about record time, load average, and average response time. Select any row to get additional details.

• Record Time — This is the time at which the data is captured. By default, data is captured every five minutes. However, you can change this frequency in the policy for the appliance in McAfee ePO (Performance Data collection Interval option).

• Load Average (%) — This is the average load that the appliance has on the operating system (in percentage).

• Average Response Time (ms) — This is the average response time it takes to complete a file reputation lookup request (in milliseconds).

Tasks
• Archive proxy appliance performance report records
Use this task to archive the McAfee GTI Proxy Appliance performance report records from the database. Archive reports when you want to make space available in the database, but keep the report data.
• Delete the proxy appliance performance report records
Use this task to delete the McAfee GTI Proxy Appliance performance report records from the database.

Archive proxy appliance performance report records

Use this task to archive the McAfee GTI Proxy Appliance performance report records from the database. Archive reports when you want to make space available in the database, but keep the report data.

Task
For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Report tab.

4 Select the checkbox in front of the record you want to archive.

5 Click Actions and select Archive.

6 In the Location for archive of Performance Logs field, specify the location where you want to store the archive file.

7 Click OK to archive the selected records.

Report records are archived in the specified location.

Delete the proxy appliance performance report records

Use this task to delete the McAfee GTI Proxy Appliance performance report records from the database.

Task
For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | GTI Proxy Appliance Management.

This step assumes that the McAfee GTI Proxy Appliance is already monitored through McAfee ePO and that setup is completed.

3 Click the Report tab.

4 Select the checkbox in front of the record that you want to purge.

5 Click Actions and select Purge.

6 Click Yes on the confirmation message to purge the selected records.

The report records are deleted. A message displays at the bottom‑right of the page that reports on the success or failure of the operation.

View the proxy appliance average response time report

This graph report shows the average response time that it takes the McAfee GTI Proxy Appliance to complete a file reputation lookup request (in milliseconds) for each recorded time period.

Task
For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Reporting | Queries & Reports.

3 In the Groups column, expand the Shared Groups list and select GTI Proxy Appliance.

The proxy appliance's registered queries appear.

4 In the Actions column for the GTI Proxy Appliance Average Response Time Report, click Run.

A graph showing the proxy appliance's average response time appears.

5 Click a row in the System Name ‑> Record Time column to view more details about that data interval.

Create a dashboard for the proxy appliance

Create a custom dashboard in McAfee ePO when you want the McAfee GTI Proxy Appliance reports in one place. Using a dashboard, you can easily monitor the appliance by viewing all of the important reports in one place.

Task
For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Reporting | Dashboards.

The default system dashboard appears.

3 Click Dashboard Actions, then click New.

4 Enter the name for the dashboard and select the desired visibility options.

5 Click OK to save the changes.

6 Click Add Monitor.

7 In the Monitor Gallery, select Queries from the View menu, then drag queries to the empty area of the page.

A monitor list appears listing all the reports you can add to the dashboard.

8 Select a report from the list that you want to view on the dashboard.

9 Click OK to add the report.

• The selected report gets added to the new dashboard for monitoring.

• Click Remove Monitor on the top‑left of the monitor to remove the report from the new dashboard.

10 Click Save to save the dashboard.

11 Click Close to close the Monitor Gallery.

Create a dashboard for the custom GTI file reputation score key pair mapping

Create a dashboard in McAfee ePO to display details about the public/private key pairs you set up for the custom GTI file reputation scores.

Before you begin
For this dashboard, the following must be set up:

• The VirusScan Enterprise endpoints have the McAfee GTI Proxy Agent plug‑in installed.

• McAfee GTI Proxy Appliances have the Global Threat Intelligence Appliance and McAfee Agent plug‑in installed and monitored.

• Public keys are present on the VirusScan Enterprise endpoints.

• Private keys are present on the McAfee GTI Proxy Appliances.

• Fallback server IP addresses are configured on the VirusScan Enterprise endpoints.

Task
For option definitions, click ? in the interface.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Reporting | Dashboard.

3 Click Dashboard Actions and select New.

4 Enter a name for the dashboard and select the desired visibility options.

5 Click OK to save the changes.

6 Click Add Monitor.

7 From the View drop‑down menu, select GTI Proxy dashboard, select Key Monitor from the Monitor list, drag the Key Monitor to the empty area of the page, and click OK.

8 Click Save to save the new dashboard.

The new dashboard is now on its own tab in McAfee ePO.

9 Click Close to return to the main dashboard area in McAfee ePO.

10 To access the new Key Monitor dashboard, click the tab with the name you provided for this dashboard.

Click the hyperlinked numbers to navigate to a page where you can drill down to more information for systems in the group.

Table 8-2 Key Dashboard elements

Categories | Category subsections

VSE Nodes (The VirusScan Enterprise endpoints that have the McAfee GTI Agent plug‑in installed)

• Matching Keys — The number of VirusScan Enterprise endpoints that have matching public keys. A public key matches when all of the fallback server's private keys are paired with a public key.

• Mismatching Keys — The number of VirusScan Enterprise endpoints that do not have matching public keys. A public key does not match when any of the fallback server's private keys is not paired with a public key.

• No Public Key — The number of VirusScan Enterprise endpoints that do not have public keys.

• No Fallback Server — The number of VirusScan Enterprise endpoints that do not have fallback servers.

GTI Proxy Appliance Nodes (The McAfee GTI Proxy Appliances that have the Global Threat Intelligence Appliance and McAfee Agent plug‑in installed)

• Correct state — The number of proxy appliances that have a private key deployed and where the gtiproxy process has been restarted after the private key was deployed.

• Incorrect state — The number of proxy appliances that have a private key deployed, but where the gtiproxy process was not restarted after the private key was deployed.

• No Private Key — The number of proxy appliances that do not have a private key.

A Frequently asked questions

Here are answers to frequently asked questions.

How can we test that the proxy appliance is receiving queries rather than the Global Threat Intelligence cloud?

Use network capturing software on a test system to see the DNS request going to the IP address of the McAfee GTI Proxy Appliance. See KB53782 in the McAfee KnowledgeBase.

What is the expected network traffic generated by custom GTI file reputation queries?

The network traffic generated by file reputation queries is nominal, even when the custom GTI file reputation scores are set to High. The use of a local McAfee GTI Proxy Appliance cache also helps to reduce the number of queries sent to the Global Threat Intelligence cloud.

How can I use McAfee GTI Proxy Appliance without installing the GTI Proxy agent onto the VirusScan Enterprise endpoints?

You can enable the VirusScan Enterprise endpoints to use McAfee GTI Proxy Appliance by adding the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\GTI Enterprise Server]
"AEServer"=<IP address>,<IP address>,<IP address>

where the AEServer string value is the list of IP addresses for each McAfee GTI Proxy Appliance that the endpoints will use. The list is a comma‑delimited list of IPv4 addresses. McAfee recommends that you enter three to five IP addresses in the list. If your environment has fewer than three McAfee GTI Proxy Appliances, you can repeat values in the list.
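
The rules for the AEServer value described above (comma‑delimited IPv4 addresses, three to five entries, values repeated when fewer than three appliances exist) can be checked before the key is rolled out and audited afterwards. The following Python code is an added example, not part of the McAfee guide or product: the function names, the approved-appliance list, the constructed 192.0.2.x and 198.51.100.x sample addresses and the quoted string form in the .reg fragment are assumptions.

```python
import ipaddress

# Key and value name as given in the guide.
REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\GTI Enterprise Server"
VALUE_NAME = "AEServer"
MIN_ENTRIES, MAX_ENTRIES = 3, 5  # the guide recommends three to five addresses


def parse_aeserver(value):
    """Split a comma-delimited AEServer string into IPv4Address objects."""
    addrs = []
    for item in value.split(","):
        item = item.strip()
        try:
            addrs.append(ipaddress.IPv4Address(item))
        except ipaddress.AddressValueError:
            raise ValueError(f"not an IPv4 address: {item!r}") from None
    return addrs


def build_aeserver(appliance_ips):
    """Build the value, repeating addresses when fewer than three appliances exist."""
    unique = []
    for ip in appliance_ips:
        addr = ipaddress.IPv4Address(ip)
        if addr not in unique:
            unique.append(addr)
    if not unique:
        raise ValueError("at least one proxy appliance address is required")
    if len(unique) > MAX_ENTRIES:
        raise ValueError(f"more than {MAX_ENTRIES} appliances; choose a subset")
    entries = list(unique)
    i = 0
    while len(entries) < MIN_ENTRIES:
        entries.append(unique[i % len(unique)])  # repeat values, as the guide allows
        i += 1
    return ",".join(str(a) for a in entries)


def audit_aeserver(value, approved):
    """Return findings for an AEServer string read back from an endpoint."""
    try:
        addrs = parse_aeserver(value)
    except ValueError as exc:
        return [f"malformed value: {exc}"]
    findings = []
    if not MIN_ENTRIES <= len(addrs) <= MAX_ENTRIES:
        findings.append(
            f"{len(addrs)} entries; guide recommends {MIN_ENTRIES}-{MAX_ENTRIES}")
    approved_set = {ipaddress.IPv4Address(a) for a in approved}
    for addr in sorted(set(addrs) - approved_set):
        # An address outside the approved list is not one of your proxy appliances.
        findings.append(f"unapproved server: {addr}")
    return findings


def reg_fragment(value):
    """Render a .reg fragment; writing the data as a quoted string is an assumption."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{REG_KEY}]\n"
        f'"{VALUE_NAME}"="{value}"\n'
    )


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    appliances = ["192.0.2.10", "192.0.2.11"]
    value = build_aeserver(appliances)
    print(reg_fragment(value))
    print(audit_aeserver("192.0.2.10,198.51.100.7", appliances))
```
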

Will the number of file reputation requests stored on the McAfee GTI Proxy Appliance cause it to run out of memory?

The appliance uses a Most Recently Used algorithm to ensure free slots are available in memory for the new data it retrieves from the cloud. As these slots fill up and reach a threshold, the proxy appliance moves out older data that is not being accessed to make way for the new data from the cloud.

Will the number of requests generated by the VirusScan Enterprise endpoints cause the proxy appliance to run out of memory?

The proxy appliance manages its memory usage so that it has enough memory to service requests and store the data it retrieves from the cloud. If the proxy appliance receives more requests than it can handle without going outside the 2 GB memory threshold, it deals with the requests it can handle within the limits on a first come, first served basis.

What happens to the VirusScan Enterprise endpoint if the proxy appliance cannot manage a request?

The VirusScan Enterprise endpoint goes into retry mode and queries the appliance again.

What happens if McAfee GTI Proxy Appliance is unavailable?

If the proxy appliance is unavailable because, for example, a mobile device is away from the enterprise network, the endpoint reverts to sending its queries to the Global Threat Intelligence cloud.

How can I configure the McAfee GTI Proxy Appliance to be in my network and access the cloud using an internal DNS system as a proxy?

Follow the steps in 'Configure tiered proxy appliance access' in the Install the McAfee GTI Proxy Appliance chapter. While following this section use the address of your internal DNS servers for the prerequisites.

How is DNS related to file reputation and the McAfee GTI Proxy Appliance?

File reputation leverages DNS to make requests for a file's reputation with the Global Threat Intelligence cloud. The response comes back in the form of an IP address with the results encoded in bits in the IP address. The addition of the proxy appliance does not fundamentally change this request and response.

Troubleshooting tips

The proxy appliance displays a message on bootup: Determining IP information for Eth0..failed. No link Present Check Cable

The virtual image's network settings need to be set up in bridged mode, and the Configure Network Settings section of the Install McAfee GTI Proxy chapter needs to be applied.

The MA agent on the proxy appliance fails to install when I run the configure_ma.sh script

Check that the ePO Event Parser service is running on the McAfee ePO server. Check that the Apache service is running on the McAfee ePO server. Check that the port specified for the ePO server in the configure_ma.sh dialogue is correct and that the McAfee ePO server's operating system firewall allows access to this port.

When setting up UDP access mode using the MA option I get an error message "Error: Could not get IP list."

The proxy appliance needs access to the cloud to perform file reputation lookups. See the McAfee GTI Proxy Diagnostics chapter.
