ENS Flashcards

Question

Which of the following log files are generated for the ENS Client? a. EndpointSecurityPlatform_Errors.log b. PackageManager_Activity.log c. EndpointSecurityPlatform_Activity.log d. MFEConsole_Debug.log e. SelfProtection_Activity.log

Answer 1

MFEConsole_Debug.log

Answer 2

C:\Windows\TEMP\McAfeeLogs

Answer 3

ePO On-Premises ENS Client User Interface (for self-managed systems) ePO Cloud

Answer 4

Dynamic Application Containment

Answer 5

Right-click Scan Quick Scan Full Scan

Answer 6

Restored Cleaned Rescanned Deleted

Answer 7

Mozilla Firefox (versions 3.0 and later) Microsoft Internet Explorer (versions 8, 9, 10, and 11) Google Chrome (versions 4.0 and later)

Answer 8

Threat Prevention Platform Web Control Firewall

Answer 9

ADDLOCAL=”fw,tp,wc” /unlock /qn or /quiet

Answer 10

General policy Host IPS Catalog Firewall policy

Answer 11

Client tasks Policies

Answer 12

Select Workstation or Server. Migrated one type now and then the other type later

Answer 13

On-Access Scan / View Detections Full Scan / Scan Now Quick Scan / Scan Now

Answer 14

A browser window opens with the McAfee Labs information about this threat

Answer 15

Open the Action Menu and click Help Click on the question mark (?) icon on the Settings page

Answer 16

Configure an exclusion for the process

Answer 17

Signatures are updated when the Exploit Prevention content file is updated

Answer 18

Potentially Unwanted Program Detections

Answer 19

ENS Firewall: Firewall > Rules

Answer 20

ENS Firewall Catalog

Answer 21

Medium Risk

Answer 22

ENS Firewall: Firewall > Options

Answer 23

ENS Web Control: Policy Category > Content Actions

Answer 24

ENS Web Control: Policy Category > Browser Control

Answer 25

Potential Hacking/Computer Crime Malicious Downloads Pornography

Answer 26

Download Tests Web Spam Tests Online Affiliations

Answer 27

Might Be Trusted; Unknown; Might Be Malicious; Most Likely Malicious; Known Malicious

Answer 28

Real Protect Client Scan

Answer 29

Reputation Scan

Answer 30

McAfee_TP_Migration_Plugin.log

Answer 31

Check that you selected the proper data to import. Contact McAfee support if the issue persists

Answer 32

EndpointSecurityPlatform_Errors.log

Answer 33

Subsequent copying of a file identified as high risk file after a malicious file is detected Explorer is used to copy files

Answer 34

Disable if McAfee Client Proxy is detected

Answer 35

Real Protect Cloud Scan

Answer 36

McAfee Default Balanced McAfee Default Security

Answer 37

No. The ENS installer will remove both SAE and VSE no matter which ENS module is selected to install

Answer 38

MFEVTPS MFETP

Answer 39

Allows access control rules for containment Helps defeat “sandbox-aware” malware detection Works without Cloud connection

Answer 40

Real Protect (RP)

Answer 41

McAfee Active Response (MAR)

Answer 42

Threat Prevention

Answer 43

Web Control

Answer 44

Adaptive Threat Protection

Answer 45

Enables access to all features, including: • Enable and disable individual modules and features. • Access the Settings page to view or modify all settings for the Endpoint Security Client. (Default)

Answer 46

Displays protection status and allows access to most features: • Update the content files and software components on your computer (if enabled by the administrator). • Perform a thorough check of all areas of your system, recommended if you suspect your computer is infected. • Run a quick (2-minute) check of the areas of your system most susceptible to infection. • Access the Event Log. • Manage items in the Quarantine. From Standard access interface mode, you can log on as administrator to access all features, including all settings.

Answer 47

Requires a password to access the client. Once you unlock the client interface, you can access all features.

Answer 48

While in Standard Access or Lock Client Interface Mode, you must enter an administrator password, or generate a temporary time-based password for users to use. The time-based password can be generated in the ENS Common Options policy, and it has an expiration date and time.

Answer 49

Any processes that are excluded can access the ENS system resources, which are protected from malicious activity with self-protection. To add processes to exclude in self-protection click add, and then enter the exact resource name, such as scan32.exe. Double click on an item to edit it. Select an item and click delete to delete the item.

Answer 50

%DEFLOGDIR% or C:\ProgramData\McAfee\Endpoint Security\Logs

Answer 51

Common: EndpointSecurityPlatform_Activity.log and EndpointSecurityPlatform_Debug.log Self-Protection: SelfProtection_Activity.log and SelfProtection_Debug.log Updates: PackageManager_Activity.log and PackageManager_Debug.log Errors: EndpointSecurityPlatform_Errors.log which contains error logs for all modules. Endpoint Security Client: MFEConsole_Debug.log

Answer 52

The Update Now Button can be enabled in the Default Client Update section in the policy or the Client settings. Enabling will display the button. Clicking the button will manually check for and download updates on the client system. It can be setup to update Security content, hotfixes, and patches, Security content, or Hotfixes and patches.

Answer 53

AMCore is released daily by 7pm. Exploit Prevention content files are released as needed. DATs are released at 3pm daily. Two previous versions are stored in the Program Files\Common Files\McAfee\Engine\content folder. required, you can revert to a previous version.

Answer 54

Click Roll Back AMCore Content from the action menu on the client. In ePO you can create an ENS Threat Prevention client task to Roll Back AMCore Content. You may want to roll back a DAT due to a problem with the DAT, or the DAT is not compatible with your environment. Exploit Prevention content updates cannot be rolled back.

Answer 55

C:\Quarantine for Windows and /quarantine for Linux

Answer 56

Do not block

Answer 57

Protection Options

Answer 58

Top-to-bottom

Answer 59

Connection isolation

Answer 60

Threat Prevention: ThreatPrevention_Activity.log and ThreatPrevention_Debug.log -Enabling debug for any Threat Prevention technology enables debug logging for the Endpoint Security Client Access Protection: AccessProtection_Activity.log and AccessProtection_Debug.log Exploit Prevention: ExploitPrevention_Activity.log and ExploitPrevention_Debug.log On-Access Scan: OnAccessScan_Activity.log and OnAccessScan_Debug.log On-Demand Scan: OnDemandScan_Activity.log and OnDemandScan_Debug.log

Answer 61

? – Single character - The number of characters must match * - Multiple characters, except backslash (\) - *\ not valid for the beginning of file path use **\ ** - Zero or more characters, including backslash (\) -Root level use **\ for C:\

Answer 62

ENS Threat Prevention Options policy > Exclusion by Detection Name > Program (test.exe)

Answer 63

The scanner uses heuristics to check for suspicious files. The scanner submits fingerprints of samples, or hashes, to a central database server hosted by McAfee Labs to determine if they are malware. By submitting hashes, detection might be made available sooner than the next content file update, when McAfee Labs publishes the update. You can configure the sensitivity level that McAfee GTI uses when it determines if a detected sample is malware. The higher the sensitivity level, the higher the number of malware detections. But, allowing more detections can result in more false positive results. The McAfee GTI sensitivity level is set to Medium by default.

Answer 64

Firewall: Firewall_Activity.log and Firewall_Debug.log Firewall: FirewallEventMonitor.log -Logs blocked and allowed traffic events, if configured

Answer 65

Enables scanning JavaScript and VBScript in Internet Explorer to prevent unwanted scripts from executing

Answer 66

In the Firewall options policy you can check allow only outgoing traffic until firewall services have started. - Allows outgoing traffic but no incoming traffic until the Firewall service starts - If this is disabled, Firewall allows all traffic before services are started, potentially leaving the system vulnerable

Answer 67

Creates client side rules automatically to allow traffic

Answer 68

Firewall enables you to make a group and its rules location-aware and to create connection isolation. Enabling connection isolation prevents undesirable traffic from accessing a designated network and blocks traffic on network adapters that don't match the group when an adapter is present that does match the group.

Answer 69

In the Firewall Rule policy or Firewall Catalog add a rule, select block or allow, choose the network protocol, choose the transport protocol, and/or add a port.

Answer 70

Are executables that are safe in any environment and have no known vulnerabilities. These executables are allowed to perform all operations except operations that suggest that the executables have been compromised. Configuring a trusted executable creates a bi-directional Allow rule for that executable at the top of the Firewall rules list.

Answer 71

Web Control: WebControl_Activity.log and WebControl_Debug.log

Answer 72

Green Secure – site is tested daily and certified safe Green – site is safe Yellow – site might have some issues Red – site has some serious issues Grey – no rating available for this site Orange – communication error with McAfee GTI Blue – Internal site. McAfee GTI not queried Black – phishing site White – site allowed by policy or setting Grey faded – web control disabled by policy or setting

Answer 73

Secure Search automatically filters the malicious sites in the search result based on their safety rating. Web Control uses Yahoo as the default search engine and supports Secure Search on Internet Explorer only.

Answer 74

Red – block Yellow – warn Unrated – allow

Answer 75

Adaptive Threat Protection: AdaptiveThreatProtection_Activity.log and AdaptiveThreatProtection_Debug.log Dynamic Application Containment: DynamicApplicationContainment_Activity.log and DynamicApplicationContainment_Debug.log

Answer 76

Adaptive Threat Protection uses an application's reputation to determine whether to request that Dynamic Application Containment run the application with restrictions. Adaptive Threat Protection uses TIE server, if it is available, for the application reputation. If TIE server isn't available, Adaptive Threat Protection uses McAfee GTI for reputation information. If the reputation isn't known and the Real Protect cloud-based and client-based scanners are enabled, Adaptive Threat Protection queries Real Protect for the reputation. As applications trigger containment block rules, Dynamic Application Containment uses this information to contribute to the overall reputation of contained applications. Dynamically generates the reputation for the application based on DAC rule violations

Answer 77

The Real Protect scanner inspects suspicious files and activities on an endpoint to detect malicious patterns using machine-learning techniques. Using this information, the scanner can detect zero-day malware.

Answer 78

Post- execution scan. Cloud-based Real Protect collects and sends file attributes and behavioral information to the machine-learning system in the cloud for malware analysis. This option requires Internet connectivity to mitigate false positives using McAfee GTI reputation.

Answer 79

Pre-execution scan. Client-based Real Protect uses machine-learning on the client system to determine whether the file matches known malware. If the client system is connected to the Internet, Real Protect sends telemetry information to the cloud, but doesn't use the cloud for analysis. If the client system is using TIE for reputations, it doesn't require Internet connectivity to mitigate false positives.

Answer 80

Run Adaptive Threat Protection in Observe mode to build file prevalence and see what Adaptive Threat Protection detects in your environment. Adaptive Threat Protection generates Would Block, Would Clean, and Would Contain events to show what actions it would take. File prevalence indicates how often a file is seen in your environment.

Answer 81

A server that stores information about file and certificate reputations, then passes that information to other systems. If TIE server and Data Exchange Layer are present, Adaptive Threat Protection and the server communicate file reputation information. The Data Exchange Layer framework immediately passes that information to managed endpoints. It also shares information with other McAfee products that access the Data Exchange Layer

Answer 82

Clients and brokers that enable bidirectional communication between the Adaptive Threat Protection module on the managed system and the TIE server. Data Exchange Layer is optional, but it is required for communication with TIE server.

Answer 83

The logo is grey with a red exclamation point

Answer 84

Use this group for high-change systems with frequent installations and updates of trusted software. Examples of these systems are computers used in development environments. This group uses the least number of rules. Users experience minimum prompts and blocks when new files are detected. Contain at Most Likely Malicious Block at Known Malicious

Answer 85

Use this group for typical business systems with infrequent new software and changes. This group uses more rules — and users experience more prompts and blocks — than the Productivity group. Contain Might Be Malicious Block Most Likely Malicious Clean Known Malicious

Answer 86

Use this group for low-change systems, such as IT-managed systems and servers with tight control. Examples are systems that access critical or sensitive information in a financial or government environment. Users experience more prompts and blocks than with the Balanced group. Contain Unknown Block Might Be Malicious Clean Known Malicious

Answer 87

Scans for and lets you take action on detected malware and unwanted programs. With exploit prevention signatures and exploit management (HIPS), exploit prevention capabilities and McAfee Global Threat Intelligence capabilities

Answer 88

Acts as a filter between computer and network or internet

Answer 89

Protection while browsing or searching websites (Site Advisor)

Answer 90

Anti-Malware Engine Core (AMCore) technology with built-in intelligence strategy to only scan items that really need to be scanned, instead of scanning all items equally. Migration tool to migrate policies and client tasks and remove McAfee products that are no longer needed

Answer 91

Optional ENS Adaptive Threat Protection module with Dynamic Application Containment and Real Protect, as well as optional integration with McAfee Data Exchange Layer(DXL) and McAfee Threat Intelligence Exchange(TIE) solutions. (DXL and TIE are acquired and deployed separately.)

Answer 92

The common module gets deployed automatically, even if you only want to deploy just one of the four modules

Answer 93

On-Access Scan: Examines files as they are accessed for continuous and real-time detection. On-demand scan: Allows user-initiated scan at any time, including quick or full scan. Threat detection: Saves detections for further action such as Clean, Delete, or Remove Entry. Quarantine: Quarantines items for further actions, such as Delete, Restore, Rescan, or Learn more.

Answer 94

Stateful firewall that acts as filter between computer and network or internet. Scans all incoming and outgoing traffic. Acts based on define rules (set of criteria), such as allow or block. Rule groups organize firewall rules for easy management. Location-aware firewall groups and firewall rules allow you to control specific processes.

Answer 95

Links to McAfee Global Threat Intelligence and rate possible threats. Provides color coded safety rating, such as green (secure or safe), yellow (possible issues), red (serious issues), gray (no rating), black (phishing), and so on. Delivers site reports from McAfee GTI ratings server for threat detail. Supports customized protection, blocking based on web categories and logging. Integrates with Threat Prevention module for automatic scanning of downloaded files.

Answer 96

Allows Dynamic application containment, based on defined rules. Supports exclusion of safe applications, allow them to run normally. Optionally integrates with McAfee DXL and TIE for communication between systems and devices. (TIE and DXL acquired and deployed separately.)

Answer 97

Endpoint Suite Installer: Provides easy install of ePO and automated check in of ENS components (Endpoint security platform, threat prevention, web control, and firewall). To install, extract all files and run installer executable. Do not use if you plan to deploy extensions and packages individually. Endpoint Security Package Designer: Creates install package containing pre-configured custom policies. Deployed on unmanaged systems. Endpoint Security Standalone installer: Provides stand-alone install for local installs. Not deployable from ePO.

Answer 98

Extension added to McAfee ePO Server. Facilitates migration of policy and settings from legacy products.

Answer 99

Extension added to McAfee ePO server. Helps you asses your environment’s deployment readiness and ensure product interoperability. It analyzes the environment to identify deployment readiness. Determines if required software is installed in appropriate branches or if updates are required. It does not alter ePO environment. Requires ePO 5.1.2 or later. Does not support third-party provisioning.

Answer 100

Automatic: Less than 250 managed systems. Little Customization. Plan to edit settings later. Supervision not required. Manual: More than 250 managed systems. Complex or multiple custom policy settings. Want to fine tune or customize settings during migration. Want to supervise and approve steps.

Answer 101

It is not necessary to uninstall existing virus-detection and firewall before installing ENS. The wizard detects and resolves most conflicts automatically. If Windows firewall is enabled, the wizard disables the firewall automatically to prevent conflicts. If incompatible software is installed, the wizard attempts to uninstall it. If it cannot, you are prompted to cancel the installation, uninstall the incompatible software manually. The installation resumes where it left off.

Answer 102

The Language fabric that McAfee uses to speak to third party software

Answer 103

First, (Optional) At the prompt, enter a message to send to the administrator. Second click allow or block. Then to instruct Adaptive Threat Protection not to prompt for the file again, select Remember this decision

Answer 104

Right-click the McAfee system tray icon

Answer 105

Windows 8 and 10 — If the scanner detects a threat in the path of an installed Windows Store app, the scanner marks it as tampered. Windows adds the tampered flag to the tile for the app. When you attempt to run it, Windows notifies you of the problem and directs you to the Windows Store to reinstall.