McAfee Agent Flashcards
How does the McAfee Agent fit into the ePO architecture?
It’s the client-side component that provides secure communication between ePO and managed products
What are the primary functions that are carried out by the McAfee Agent?
- Installs products and their upgrades on managed systems
- Updates security content such as the V3 DAT files or AMCore Content Package associated with ENS
- Enforces policies and schedules tasks on managed systems
- Gathers information and events from managed systems, and sends them to McAfee ePO
When managing a larger network, how many superagents should be configured?
One in every subnet
Give a high level description of the added functionality that a SuperAgent provides
Acts as an intermediary between the ePO server and other agents in the same network broadcast segment by caching information received from ePO, the master repository, or a mirror distributed repository and distributing it to agents in its network subnet
The Agent is based on what type of architecture? Why is it advantageous?
It’s based on a services (messaging) architecture. In a messaging-based architecture, the services communicate using a common language, reducing the use of system resources such as the number of threads, number of handles, memory, and CPU
What is the Agent’s manifest based policy?
Fetches only the changed policy settings from ePO, using fewer resources for comparing or merging settings.
ePO doesn’t have to compute the changed policy at each agent-server communication, helping to save network bandwidth
Does Agent 5.6.X require multiple TCP connections during a single agent-server communication?
No, previous versions did, requiring more network bandwidth. 5.6.X uses the same TCP connection when performing an agent-server communication
How is the McAfee Agent able to track system events on the client system?
Via sensor services:
User sensors - Detect the logged-on users on the client system using operating system APIs and apply the user-based policies accordingly
Network sensors - Detect the network connectivity status using operating system network APIs and determine whether agent functionality such as pulling updates from the repository or communicating with ePO should be performed
How does priority event forwarding work?
Makes it so that events that reach a certain severity threshold are forwarded to the ePO server with greater priority
If “Retrieve all system and product properties (recommended)” is deselected, the agent retrieves only a subset of properties. What does it retrieve?
System properties and minimal product properties.
How does agent-server communication work?
During each agent-server communication, McAfee Agent collects its _________ _________ _________, as well as events that have not yet been sent, and sends them to the ______. The server sends new or changed policies and tasks to the _______ _______, and the repository list if it has changed since the last agent-server communication. McAfee Agent enforces the new ________ locally on the managed system and applies any task or repository changes.
current system properties
server
McAfee Agent
policies
How long does it take the Agent to call into the server after it is initially installed?
45 seconds
What events trigger the McAfee agent to call in to the ePO server?
- The agent-server communication interval (ASCI) elapses.
- Wake-up calls are sent from McAfee ePO or Agent Handlers.
- A scheduled wake-up task runs on the client systems.
- Communication is initiated manually from the managed system (using the Agent Status monitor or command line).
- A “Run Immediately” client task runs on the client systems.
What factors can cause the cumulative demand on the network, ePO, or the Agent Handler to be significant?
- Number of systems managed by McAfee ePO
- If your organization has stringent threat response requirements
- If the network or physical location of clients in relation to servers or Agent Handlers is highly distributed
- If there is inadequate available bandwidth
If your environment has a high number of systems managed by ePO, if your organization has stringent threat response requirements, if the network or physical location of clients in relation to servers or Agent Handlers is highly distributed, or if there is inadequate available bandwidth, should you do more or less frequent agent-server communications?
At the organization level, less frequent. However, for individual clients that perform critical functions, you might want to set a more frequent interval
What are the methods that the McAfee Agent tries to use to establish communication?
- IP Address
- FQDN
- NetBIOS name
- Relay
- Proxy
What happens if the Agent exhausts all of the various connection methods and still fails to establish a connection?
The McAfee Agent will try to connect again during the next ASCI
What does a wake up call do?
Triggers an immediate ASC rather than waiting for the current interval to elapse
What are the two ways to issue a wake up call?
Manually from the server - (Requires an open wake-up communication port)
On a schedule set by the administrator
What are some possible reasons for issuing a wakeup call?
- Making a policy change that you want to enforce immediately, without waiting for the scheduled ASCI
- (ePO On-Premises) You create a task that you want to run immediately. The Run Task Now option creates a task, then assigns it to specified client systems and sends wake-up calls
- A query generated a report indicating that a client is out of compliance, and you want to test its status as part of a troubleshooting procedure
What is a SuperAgent?
A distributed repository which is designed to reduce the load on the ePO server
Other than acting as a Distributed Repository, what can a SuperAgent do?
Broadcast wake-up calls to other agents on the same network subnet. The SuperAgent receives a wake-up call from ePO, then wakes up the agents in its subnet
What types of systems are best suited to host SuperAgents?
Servers (or systems that are always on)
What is the process of a SuperAgent wake-up call?
Server sends a wake-up call to all SuperAgents
SuperAgents broadcast a wake-up call to McAfee Agent in the same broadcast domain
All notified McAfee Agents (those notified by a SuperAgent, and all SuperAgents) exchange data with McAfee ePO or the Agent Handler
How does LazyCaching work?
Allows the SuperAgent to retrieve data from the configured repositories only when requested by a local agent.
When a client system first requests content, the SuperAgent assigned to that system downloads the requested content from its configured repositories and caches that content
The cache is updated when a newer version of the requested package is available in the Master Repository.
How are communication interruptions involving superagents handled?
When a SuperAgent receives a request for content that might be outdated, the SuperAgent tries to contact McAfee ePO to see if new content is available.
If the connection attempts time out, the SuperAgent distributes content from its own repository instead. This content transfer is done to make sure that the requester receives content even if that content might be outdated
What is the purpose of the flush interval and the purge interval for LazyCaching?
Flush interval is in reference to content in the SuperAgent memory that is outdated
Purge interval is in reference to content that’s no longer in use and needs to be purged
Can you use mobile devices or laptops as SuperAgents? Why?
It’s against best practice recommendations to do this. You should enable SuperAgents only on PCs or virtual systems, so that the Distributed Repository is always available. If the device is not on, the Distributed Repository cannot be accessed.
How many requests can a SuperAgent handle concurrently?
1024
Is it okay to set up SuperAgents on systems with poor network connectivity, or that are connected using VPNs? Why?
NO, the system needs to have a reliable connection and always be on.
If you are using a SuperAgent hierarchy for updates, how many levels should there be max?
Three
What function does a SuperAgent that’s configured as a RelayServer perform?
It bridges communications between client machines and the ePO server
How does it work when an agent uses relay to communicate with McAfee ePO?
The connections are established in two parts; first between McAfee Agent and the RelayServer, and second between the RelayServer and McAfee ePO. These connections are maintained during the communication.
How does the peer to peer functionality work with agents?
When an agent requires a content update, it tries to discover peer-to-peer servers with the content update in its broadcast domain. On receiving the request, the agents configured as peer-to-peer servers check if they have the requested content and respond back to the agent. The agent requesting the content downloads it from the peer-to-peer server that responds first.
What protocol do Agents configured as P2P servers use to deliver content?
HTTP
What happens if an Agent can’t discover a p2p server or the content update that it needs amongst its peers in its broadcast domain?
It falls back to the repository, as configured in its policy
What ports are used during P2P communication?
Port 8082 to discover peer servers, and port 8081 to serve peer agents with updates
What does it mean to configure an Agent as a Peer to Peer server?
It enables it to provide updates to others in the broadcast domain when requested
What is default cache location and size for a Peer to Peer server? Can it be changed?
\data\mcafeeP2P
512 MB
Yes
Which systems shouldn’t be configured as Peer to Peer servers?
Laptops, mobile devices, systems with poor network connectivity, systems connected with a VPN
How do you configure Agents to be peer to peer servers or clients?
Through the p2p tab in the Agent General Policy
By default, are Agents configured to be Peer to peer clients, peer to peer server, both, or neither?
Both
What does the McAfee Agent Statistics task do?
Collects statistics, including network bandwidth usage, from RelayServers, SuperAgent hierarchies, and peer-to-peer communication
How can you see the results from a McAfee Agent Statistics task?
Run an Agent Statistics Information query
How do you change the language in the agent interface and the event log?
Through the Agent Troubleshooting policy
What constitutes an inactive agent?
One that has not communicated with ePO in a user-specified time.
It is possible for agents to become disabled, or for users to uninstall them. It’s also possible that the system hosting the McAfee Agent might have been removed from the network
What is the McAfee best practice in regards to inactive agents?
Perform regular weekly searches for systems with these inactive agents
What are the two predefined tasks that help manage GUID (Global Unique ID) problems?
- Duplicate Agent GUID - remove systems with potentially duplicated GUIDs
- Duplicate Agent GUID - Clear error count
What are the two modes that the Agent is capable of operating in?
Managed - Agent connects and communicates with ePO to manage McAfee product updates
Unmanaged mode - Agent doesn’t connect or communicate with ePO, but pulls updates from HTTP or FTP servers
What are the ways to change the agent from unmanaged mode to managed mode?
- Use the installer package Framepkg
- Locally provision with maconfig
- Remotely provision with maconfig
How do you change the agent from managed to unmanaged mode?
Remove the system from the system tree
When the user selects ‘Update Security’ from the System Tray icon, what contents are updated?
- Patch releases
- Legacy product plug-in (.DLL) files
- Service Pack releases
- SuperDAT file (SDAT*.EXE) packages
- Supplemental DAT (Extra.DAT) files
- DAT files
- Antivirus engines
- Managed product signatures
What is the name of the command line tool for the McAfee Agent?
Windows - cmdagent.exe
Non-Windows - cmdagent
Which command line switch will display all of the options for the agent and what they do respectively?
cmdagent.exe -h
Where can you find the Agent Installation logs?
- %TEMP%\McAfeeLogs, if the McAfee Agent is installed or upgraded manually.
- C:\Windows\Temp\McAfeeLogs, if McAfee Agent is installed using push or deployment task on McAfee ePO.
Where can you find the Agent Product logs?
ProgramData\McAfee\Agent\Logs
How can you view the McAfee Agent product log from ePO?
From Single System Troubleshooting
What type of content can be provided by a peer to peer server?
All of the content that’s available in ePO repositories
How many concurrent connections does a peer to peer server support?
10 connections concurrently
What does the McAfee Smart Installer refer to?
The installer that is used by the Agent Deployment URLs that are created by ePO
What ports are used by the McAfee Agent?
8081 TCP
- Inbound connection from ePO or Agent Handler.
- Peer-to-peer server serves content, Relay connections established
8082 UDP
- Inbound connection to McAfee Agent
- Peer-to-peer server discovery, RelayServer discovery
8083 UDP
- RelayServer discovery for previous versions of McAfee Agent
What are the minimum system requirements for the McAfee Agent?
Installed disk space - 50 MB, excluding log files
Memory - 512 MB RAM
Processor Speed - 1GHz
What are the various methods of deploying the ePO agent?
- Pushing them to systems directly from ePO (selecting many systems can affect network throughput; credentials must be specified)
- Using the FramePkg installer (allows information such as custom properties to be added on an individual basis)
- Using 3rd party software like SCCM
- Logon scripts
- Customized McAfee Smart Installer (Agent Deployment URL) (managed system users must have admin rights to install McAfee Agent manually)
- Deployment Task (only as an upgrade; the agent must already be present on the target systems)
- Creating an image with McAfee Agent (must remove the GUID using the command line switch, otherwise multiple identical systems will cause sequencing errors)
What factors should make you consider having a longer ASCI?
- Number of Systems managed by ePO being large
- Organization has stringent threat response requirements
- If the network or physical location of clients in relation to servers or Agent Handlers is highly distributed
- If there is inadequate available bandwidth
What are some notable features of the Agent that aren’t available on Linux/Mac?
- Automatic McAfee Agent Uninstall from ePO
- Cluster node property reporting
- Mirror Task
- UNC repository updating
- Agent Status Monitor
- McTray application support
What agent feature is available on Windows and Macintosh, but not Linux?
User Based Policy