McAfee Agent Flashcards

1
Q

How does the McAfee Agent fit into the ePO architecture?

A

It is the client-side component that provides secure communication between ePO and the managed products on each system.

2
Q

What are the primary functions that are carried out by the McAfee Agent?

A
  • Installs products and their upgrades on managed systems
  • Updates security content such as the V3 DAT files or AMCore Content Package associated with ENS
  • Enforces policies and schedules tasks on managed systems
  • Gathers information and events from managed systems, and sends them to McAfee ePO
3
Q

When managing a larger network, how many superagents should be configured?

A

One in every subnet (network broadcast segment), because SuperAgent wake-up calls are broadcasts and only reach agents in the same segment

4
Q

Give a high level description of the added functionality that a SuperAgent provides

A

It acts as an intermediary between the ePO server and the other agents in its network broadcast segment: it caches content received from ePO, the master repository, or a mirrored distributed repository, and distributes that content to the agents in its subnet.

5
Q

The Agent is based on what type of architecture? Why is it advantageous?

A

It is based on a services (messaging) architecture. In a messaging-based architecture the services communicate using a common language, which reduces the use of system resources such as the number of threads, number of handles, memory, and CPU.

6
Q

What is the Agent’s manifest based policy?

A

The agent fetches only the changed policy settings from ePO, so fewer resources are spent comparing or merging settings.

ePO does not have to compute the changed policy at each agent-server communication, which saves network bandwidth.

7
Q

Does Agent 5.6.X require multiple TCP connections during a single agent-server communication?

A

No. Previous versions did, which required more network bandwidth; 5.6.x reuses the same TCP connection for the whole agent-server communication.

8
Q

How is the McAfee Agent able to track system events on the client system?

A

Via sensor services:

User sensors - Detect the logged-on users on the client system using operating system APIs and apply the user-based policies accordingly

Network sensors - Detect the network connectivity status using operating system network APIs and determine whether agent functions such as pulling updates from the repository or communicating with ePO should be performed

9
Q

How does priority event forwarding work?

A

Events whose severity reaches a configured threshold are forwarded to the ePO server with higher priority, rather than waiting for the next regular agent-server communication

10
Q

If “Retrieve all system and product properties (recommended)” is deselected, the agent sends only a subset of properties. What does it send?

A

System properties and minimal product properties.

11
Q

How does agent-server communication work?
During each agent-server communication, McAfee Agent collects its _________ _________ _________, as well as events that have not yet been sent, and sends them to the _________. The server sends new or changed policies and tasks to the _________ _________, and the repository list if it has changed since the last agent-server communication. McAfee Agent enforces the new _________ locally on the managed system and applies any task or repository changes.

A

current system properties
server
McAfee Agent
policies

12
Q

How long does it take the Agent to call into the server after it is initially installed?

A

45 seconds

13
Q

What events trigger the McAfee agent to call in to the ePO server?

A
  • The agent-server communication interval (ASCI) elapses.
  • Wake-up calls are sent from McAfee ePO or Agent Handlers.
  • A scheduled wake-up task runs on the client systems.
  • Communication is initiated manually from the managed system (using the Agent Status monitor or command line).
  • A “Run Immediately” client task runs on the client systems.
14
Q

What factors can cause the cumulative demand on the network, ePO, or the Agent Handler to be significant?

A
  • Number of systems managed by McAfee ePO
  • If your organization has stringent threat response requirements
  • If the network or physical location of clients in relation to servers or Agent Handlers is highly distributed
  • If there is inadequate available bandwidth
15
Q

If your environment has a high number of systems managed by ePO, your organization has stringent threat response requirements, the network or physical location of clients in relation to servers or Agent Handlers is highly distributed, or there is inadequate available bandwidth, should you use more or less frequent agent-server communication?

A

At the organization level, less frequent. However, for individual clients that perform critical functions, you might want to set a more frequent interval

16
Q

What are the methods that the McAfee Agent tries to use to establish communication?

A
  • IP Address
  • FQDN
  • NetBIOS name
  • Relay
  • Proxy
17
Q

What happens if the Agent exhausts all of the various connection methods and still fails to establish a connection?

A

The McAfee Agent will try to connect again during the next ASCI

18
Q

What does a wake up call do?

A

Triggers an immediate agent-server communication (ASC) rather than waiting for the current interval to elapse

19
Q

What are the two ways to issue a wake up call?

A

Manually from the server - (Requires an open wake-up communication port)

On a schedule set by the administrator

20
Q

What are some possible reasons for issuing a wakeup call?

A
  • Making a policy change that you want to enforce immediately, without waiting for the scheduled ASCI
  • (ePO On-Premises) You create a task that you want to run immediately. The Run Task Now option creates a task, assigns it to the specified client systems, and sends wake-up calls
  • A query generated a report indicating that a client is out of compliance, and you want to test its status as part of a troubleshooting procedure
21
Q

What is a SuperAgent?

A

A distributed repository which is designed to reduce the load on the ePO server

22
Q

Other than acting as a Distributed Repository, what can a SuperAgent do?

A

Broadcast wake-up calls to other agents on the same network subnet. The SuperAgent receives a wake-up call from ePO, then wakes up the agents in its subnet

23
Q

What types of systems are best suited to host SuperAgents?

A

Servers (or systems that are always on)

24
Q

What is the process of a SuperAgent wake-up call?

A

Server sends a wake-up call to all SuperAgents

The SuperAgents broadcast a wake-up call to the McAfee Agents in their broadcast domain

All notified agents (those woken by a SuperAgent, plus the SuperAgents themselves) exchange data with McAfee ePO or the Agent Handler

25
Q

How does LazyCaching work

A

Allows the SuperAgent to retrieve data from the configured repositories only when requested by a local agent.

When a client system first requests content, the SuperAgent assigned to that system downloads the requested content from its configured repositories and caches it

The cache is updated when a newer version of the requested package is available in the Master Repository.

26
Q

How are communication interruptions involving superagents handled?

A

When a SuperAgent receives a request for content that might be outdated, the SuperAgent tries to contact McAfee ePO to see if new content is available.

If the connection attempts time out, the SuperAgent distributes content from its own repository instead. This is done to make sure that the requester receives content even if that content might be outdated

27
Q

What is the purpose of the flush interval and the purge interval for LazyCaching

A

The flush interval controls how often the SuperAgent discards cached content that has become outdated.

The purge interval controls how often cached content that is no longer in use is purged from the cache.

28
Q

Can you use mobile devices or laptops as SuperAgents? Why

A

No, it is against best-practice recommendations. SuperAgents should be enabled only on PCs or virtual systems that are always on, so that the distributed repository is always available; if the device is off, the distributed repository cannot be reached.

29
Q

How many requests can a SuperAgent handle concurrently?

A

1024

30
Q

Is it okay to set up SuperAgents on systems with poor network connectivity, or that are connected using VPNs? Why?

A

No. The system needs a reliable connection and must always be on.

31
Q

If you are using a SuperAgent hierarchy for updates, how many levels should there be max?

A

Three

32
Q

What function does a SuperAgent that’s configured as a RelayServer perform?

A

It bridges communications between client machines and the ePO server

33
Q

How does it work when an agent uses relay to communicate with McAfee ePO?

A

The connections are established in two parts; first between McAfee Agent and the RelayServer, and second between the RelayServer and McAfee ePO. These connections are maintained during the communication.

34
Q

How does the peer to peer functionality work with agents?

A

When an agent requires a content update, it tries to discover peer-to-peer servers with the content update in its broadcast domain. On receiving the request, the agents configured as peer-to-peer servers check if they have the requested content and respond back to the agent. The agent requesting the content downloads it from the peer-to-peer server that responds first.

35
Q

What protocol do Agents configured as P2P servers use to deliver content?

A

HTTP

36
Q

What happens if an Agent can’t discover a p2p server or the content update that it needs amongst its peers in its broadcast domain?

A

It falls back to the repository configured in its policy

37
Q

What ports are used during P2P communication?

A

UDP 8082 to discover peer servers, and TCP 8081 to serve peer agents with updates

38
Q

What does it mean to configure an Agent as a Peer to Peer server?

A

It enables it to provide updates to others in the broadcast domain when requested

39
Q

What is default cache location and size for a Peer to Peer server? Can it be changed?

A

Location: \data\mcafeeP2P
Size: 512 MB
Yes, both can be changed

40
Q

Which systems shouldn’t be configured as Peer to Peer servers?

A

Laptops, mobile devices, systems with poor network connectivity, systems connected with a VPN

41
Q

How do you configure Agents to be peer to peer servers or clients?

A

Through the p2p tab in the Agent General Policy

42
Q

By default, are Agents configured to be Peer to peer clients, peer to peer server, both, or neither?

A

Both

43
Q

What does the McAfee Agent Statistics task do?

A

Collects statistics, including network bandwidth usage, from RelayServers, SuperAgent hierarchies, and peer-to-peer servers

44
Q

How can you see the results from a McAfee Agent Statistics task?

A

Run an Agent Statistics Information query

45
Q

How to change the language in the agent interface and the event log?

A

Through the Agent Troubleshooting policy

46
Q

What constitutes an inactive agent?

A

One that has not communicated with ePO in a user-specified time.

It is possible for agents to become disabled, or for users to uninstall them. It’s also possible that the system hosting the McAfee Agent might have been removed from the network

47
Q

What is the McAfee best practice in regards to inactive agents?

A

Perform regular weekly searches for systems with these inactive agents

48
Q

What are the two predefined tasks that help manage GUID (Global Unique ID) problems?

A
  • Duplicate Agent GUID - remove systems with potentially duplicated GUIDs
  • Duplicate Agent GUID - Clear error count
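The following is an added example, not an ePO feature or McAfee code. It reproduces the two hygiene checks from cards 46 to 48 offline against a constructed inventory shaped like a system-tree export (system name, agent GUID, last agent-server communication time). The column names, the function name, and the sample rows are assumptions for illustration only.

```powershell
# Added example: inactive-agent and duplicate-GUID checks over an inventory export.
# Column names (SystemName, AgentGUID, LastCommunication) are assumed, not ePO's.
function Find-McAfeeAgentProblems {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [int]$InactiveDays = 7,                   # card 47: weekly search
        [datetime]$Now = (Get-Date)
    )

    $cutoff = $Now.AddDays(-$InactiveDays)

    # Card 46: inactive = no agent-server communication inside the window.
    # Agents that never called in at all are flagged too.
    $inactive = $Inventory |
        Where-Object { -not $_.LastCommunication -or [datetime]$_.LastCommunication -lt $cutoff } |
        ForEach-Object {
            $detail = if ($_.LastCommunication) { "last ASC $($_.LastCommunication)" } else { 'never communicated' }
            [pscustomobject]@{ Problem = 'InactiveAgent'; System = $_.SystemName; Detail = $detail }
        }

    # Card 48: the same GUID on several systems, typically an image captured
    # without resetting the GUID (card 63). ePO then sees one "system" whose
    # properties keep flapping between hosts.
    $dupes = $Inventory |
        Where-Object AgentGUID |
        Group-Object AgentGUID |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                Problem = 'DuplicateGUID'
                System  = ($_.Group.SystemName -join ', ')
                Detail  = "GUID $($_.Name) shared by $($_.Count) systems"
            }
        }

    return @($inactive) + @($dupes)
}

# Constructed sample inventory (not real data).
$now = [datetime]'2024-05-20'
$sample = @(
    [pscustomobject]@{ SystemName='WS001'; AgentGUID='{AAAA-1}'; LastCommunication='2024-05-19' },
    [pscustomobject]@{ SystemName='WS002'; AgentGUID='{AAAA-1}'; LastCommunication='2024-05-18' },  # cloned from WS001
    [pscustomobject]@{ SystemName='WS003'; AgentGUID='{BBBB-2}'; LastCommunication='2024-04-01' },  # stale
    [pscustomobject]@{ SystemName='WS004'; AgentGUID='{CCCC-3}'; LastCommunication=$null }          # never checked in
)

Find-McAfeeAgentProblems -Inventory $sample -Now $now | Format-Table -AutoSize
```

With the sample above the function returns three rows: WS003 and WS004 as inactive, and one DuplicateGUID row naming WS001 and WS002. Run the same function weekly against a real export and feed the duplicate-GUID systems to the predefined "Duplicate Agent GUID" tasks from card 48.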
49
Q

What are the two modes that the Agent is capable of operating in?

A

Managed mode - the agent connects to and communicates with ePO, which manages the McAfee products and their updates

Unmanaged mode - the agent does not connect to or communicate with ePO, but pulls updates from HTTP or FTP servers

50
Q

What are the ways to change the agent from unmanaged mode to managed mode?

A
  • Use the FramePkg installer package
  • Locally provision with maconfig
  • Remotely provision with maconfig
51
Q

How to change the agent from managed to unmanaged mode?

A

Remove the system from the system tree

52
Q

When the user selects ‘Update Security’ from the System Tray icon, what contents are updated?

A
Patch releases
Legacy product plug-in (.DLL) files
Service Pack releases
SuperDAT file (SDAT*.EXE) packages
Supplemental DAT (Extra.DAT) files
DAT files
Antivirus engines
Managed product signatures
53
Q

What is the name of the command line tool for the McAfee Agent

A

Windows - cmdagent.exe

Non-Windows - cmdagent

54
Q

Which command line switch will display all of the options for the agent and what they do respectively?

A

cmdagent.exe -h

55
Q

Where can you find the Agent Installation logs?

A
  • %TEMP%\McAfeeLogs, if the McAfee Agent is installed or upgraded manually.
  • C:\Windows\Temp\McAfeeLogs, if McAfee Agent is installed using push or deployment task on McAfee ePO.
56
Q

Where can you find the Agent Product logs

A

%ProgramData%\McAfee\Agent\Logs
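An added example, not McAfee's own tooling, that ties cards 53 to 56 together: it forces a full agent-server communication from a managed Windows system with cmdagent.exe and then prints the tail of the newest agent product log. Assumptions not on the cards: the McAfee Agent 5.x install directory under Program Files, and the documented switch meanings (/p collect and send properties, /e enforce policies, /c check for new policies and tasks, /f forward events); confirm them with cmdagent.exe -h on your version. The function name is mine.

```powershell
# Added example: drive an agent check-in with cmdagent.exe and read the product log.
# Install path and service layout assumed for McAfee Agent 5.x; run elevated.
function Invoke-McAfeeAgentCheckIn {
    param(
        [string]$AgentDir = "$env:ProgramFiles\McAfee\Agent",   # assumed 5.x path
        [int]$LogLines = 20
    )

    $cmdagent = Join-Path $AgentDir 'cmdagent.exe'
    if (-not (Test-Path $cmdagent)) {
        throw "cmdagent.exe not found at $cmdagent; adjust -AgentDir"
    }

    # Same order as the ASC itself (card 11): send properties and queued events,
    # then pull new policies and tasks, then enforce the policies locally.
    $steps = @(
        @{ Switch = '/p'; What = 'collect and send properties' },
        @{ Switch = '/f'; What = 'forward queued events' },
        @{ Switch = '/c'; What = 'check for new policies and tasks' },
        @{ Switch = '/e'; What = 'enforce policies locally' }
    )
    $results = foreach ($s in $steps) {
        $proc = Start-Process -FilePath $cmdagent -ArgumentList $s.Switch -Wait -PassThru -NoNewWindow
        [pscustomobject]@{ Step = $s.What; Switch = $s.Switch; ExitCode = $proc.ExitCode }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Output

    # Product log lives under ProgramData (card 56); installer logs are elsewhere (card 55).
    $logDir = Join-Path $env:ProgramData 'McAfee\Agent\Logs'
    $latest = Get-ChildItem $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($latest) {
        Write-Output "--- last $LogLines lines of $($latest.FullName) ---"
        Get-Content $latest.FullName -Tail $LogLines
    } else {
        Write-Output "no agent log found under $logDir"
    }
}

Invoke-McAfeeAgentCheckIn
```

Watching the log tail right after the four switches is the quickest way to tell a policy that was not pushed from a policy that was received but failed enforcement, which the ePO console alone does not distinguish.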

57
Q

How can you view the McAfee Agent product log from ePO?

A

From Single System Troubleshooting

58
Q

What type of content is able to be provided by a peer to peer server

A

All of the content that’s available in ePO repositories

59
Q

How many concurrent connections does a peer to peer server support?

A

10 connections concurrently

60
Q

What does the McAfee Smart Installer refer to?

A

The installer that is used by the Agent Deployment URLs that are created by ePO

61
Q

What ports are used by the McAfee Agent?

A

8081 TCP

  • Inbound connection from ePO or the Agent Handler (wake-up calls)
  • Peer-to-peer server serves content; relay connections are established

8082 UDP

  • Inbound connection to McAfee Agent
  • Peer-to-peer server discovery and RelayServer discovery

8083 UDP

  • RelayServer discovery for previous versions of McAfee Agent
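An added example, not part of the flashcards or of McAfee's product, that turns card 61 and card 16 into a check you can run on a managed Windows system: it confirms the agent is listening on 8081/TCP and bound to 8082/UDP (and 8083/UDP for older agents), that an inbound firewall rule allows 8081/TCP so wake-up calls can arrive, and that the ePO or Agent Handler name resolves and accepts a TCP handshake on the agent-server communication port. Assumptions: the ePO name is supplied by the caller, and the default secure agent-server communication port is 443 (an ePO default, not stated on the cards); the function name is mine.

```powershell
# Added example: verify McAfee Agent listener ports and the outbound path to ePO.
# Requires the NetTCPIP, NetSecurity and DnsClient modules (Windows 8 / 2012 or later).
function Test-McAfeeAgentPorts {
    param(
        [Parameter(Mandatory)][string]$EpoServer,   # FQDN of ePO or an Agent Handler
        [int]$AscPort = 443                          # assumed ePO default secure ASC port
    )

    $results = [System.Collections.Generic.List[object]]::new()

    # 8081/TCP: inbound wake-up calls from ePO/Agent Handler, relay and P2P content serving.
    $tcp = Get-NetTCPConnection -State Listen -LocalPort 8081 -ErrorAction SilentlyContinue
    $tcpDetail = 'no listener'
    if ($tcp) {
        $owner = Get-Process -Id $tcp[0].OwningProcess -ErrorAction SilentlyContinue
        $tcpDetail = "owned by $($owner.ProcessName)"
    }
    $results.Add([pscustomobject]@{ Check = 'TCP 8081 listening (wake-up / relay / P2P)'; Pass = [bool]$tcp; Detail = $tcpDetail })

    # 8082/UDP and 8083/UDP: P2P and RelayServer discovery (8083 only for older agents).
    foreach ($port in 8082, 8083) {
        $udp = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
        $udpDetail = if ($udp) { 'bound' } else { 'not bound (normal for 8083 on current agents)' }
        $results.Add([pscustomobject]@{ Check = "UDP $port bound (discovery)"; Pass = [bool]$udp; Detail = $udpDetail })
    }

    # An enabled inbound allow rule for 8081/TCP; without it wake-up calls fail silently.
    $fw = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
          Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '8081' } |
          Get-NetFirewallRule |
          Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $fwDetail = if ($fw) { $fw.DisplayName -join '; ' } else { 'none found' }
    $results.Add([pscustomobject]@{ Check = 'Inbound allow rule for TCP 8081'; Pass = [bool]$fw; Detail = $fwDetail })

    # Outbound: card 16 says the agent tries IP, then FQDN, then NetBIOS name, so
    # check name resolution first, then a real TCP handshake to the ASC port.
    $dns = Resolve-DnsName -Name $EpoServer -ErrorAction SilentlyContinue
    $addr = ($dns | Where-Object IPAddress | Select-Object -First 1).IPAddress
    $results.Add([pscustomobject]@{ Check = "Resolve $EpoServer"; Pass = [bool]$dns; Detail = if ($addr) { $addr } else { 'unresolved' } })

    $tnc = Test-NetConnection -ComputerName $EpoServer -Port $AscPort -WarningAction SilentlyContinue
    $results.Add([pscustomobject]@{ Check = "TCP $AscPort to $EpoServer (ASC)"; Pass = $tnc.TcpTestSucceeded; Detail = "source $($tnc.SourceAddress.IPAddress)" })

    return $results
}

Test-McAfeeAgentPorts -EpoServer 'epo.example.internal' | Format-Table -AutoSize
```

A failing "TCP 8081 listening" row with a passing ASC row is the classic pattern behind "policies apply eventually but wake-up calls never arrive": the agent can reach ePO on the scheduled interval, but ePO cannot reach the agent.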

62
Q

What are the minimum system requirements for the McAfee Agent?

A

Installed disk space - 50 MB, excluding log files

Memory - 512 MB RAM

Processor Speed - 1GHz

63
Q

What are the various methods of deploying the McAfee Agent?

A
  • Pushing them to systems directly from ePO (selecting many systems at once can affect network throughput; credentials must be specified)
  • Using the FramePkg installer (allows information such as custom properties to be added on an individual basis)
  • Using third-party software such as SCCM
  • Logon scripts
  • Customized McAfee Smart Installer (Agent Deployment URL) (managed-system users must have admin rights to install the McAfee Agent manually)
  • Deployment task (only as an upgrade; the agent must already be present on the target systems)
  • Creating an image with the McAfee Agent (the GUID must be removed using the command line switch before capture, otherwise multiple identical systems cause sequencing errors)
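An added example for the last bullet, not McAfee's procedure verbatim: the steps to run on a template VM before capturing an image so that every clone generates its own agent GUID. Assumptions to verify against the documentation for your agent version: McAfee Agent 5.x layout (service masvc, install directory under Program Files, the GUID mirrored as the AgentGUID value under HKLM:\SOFTWARE\McAfee\Agent), and that maconfig -enforce -noguid is the GUID-clearing switch. The function name is mine.

```powershell
# Added example: clear the agent GUID on an image template before capture.
# Switch, service name and registry location are assumed for McAfee Agent 5.x.
function Reset-McAfeeAgentGuidForImaging {
    param([string]$AgentDir = "$env:ProgramFiles\McAfee\Agent")   # assumed 5.x path

    $maconfig = Join-Path $AgentDir 'maconfig.exe'
    if (-not (Test-Path $maconfig)) { throw "maconfig.exe not found at $maconfig" }

    # Clear the GUID; each clone then generates a fresh one on first start
    # instead of all clones sharing the template's GUID (card 48 symptoms).
    & $maconfig -enforce -noguid
    if ($LASTEXITCODE -ne 0) { throw "maconfig returned $LASTEXITCODE" }

    # Stop the agent so it cannot regenerate a GUID before the image is captured.
    Stop-Service -Name masvc -Force

    # Verify before capture: the mirrored registry value should be absent or empty.
    $guid = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\McAfee\Agent' -ErrorAction SilentlyContinue).AgentGUID
    if ($guid) { throw "AgentGUID still present ($guid); do not capture this image" }
    'AgentGUID cleared; capture the image without starting masvc again'
}

Reset-McAfeeAgentGuidForImaging
```

If the template is started again after this step, the agent will mint a new GUID and the image has to be reset once more; the verification line exists so that the check is part of the capture runbook rather than something remembered after the first batch of duplicates shows up in ePO.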
64
Q

What factors should make you consider having a longer ASCI?

A
  • Number of Systems managed by ePO being large
  • Organization has stringent threat response requirements
  • If the network or physical location of clients in relation to servers or Agent Handlers is highly distributed
  • If there is inadequate available bandwidth
65
Q

What are some notable features of the Agent that aren’t available on Linux/Mac

A
  • Automatic McAfee Agent Uninstall from ePO
  • Cluster node property reporting
  • Mirror Task
  • UNC repository updating
  • Agent Status Monitor
  • McTray application support
66
Q

What agent feature is available on Windows and Macintosh, but not Linux?

A

User Based Policy