
Page 1: McAfee Cloud Workload Security 5.0 · 1 Overview of Cloud Workload Security McAfee® Cloud Workload Security helps you discover, import, manage, and secure your Amazon Web Services

Product Guide, Revision B

McAfee Cloud Workload Security 5.0.0


COPYRIGHT

Copyright © 2018 McAfee, LLC

TRADEMARK ATTRIBUTIONS

McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Cloud Workload Security 5.0.0 Product Guide


Contents

1 Overview of Cloud Workload Security  5
    Key features of Cloud Workload Security  5
    How Cloud Workload Security works  6

2 Managing policies with McAfee ePO  9
    Cloud Workload Security policies on McAfee ePO  9
    Finding policies  10
    Create an assessment policy  10
    Create a firewall policy  11
    Assign custom policies to systems in your network  12

3 Visualization of your cloud accounts  13
    Viewing Cloud Workload Security and Workload properties  13
    Viewing information about traffic  15
        Viewing traffic flow logs  16
    View information about Security Groups  17
    Viewing information about Threat Prevention  19
    Viewing information about Application Control software  19
    Viewing information about Change Control software  20
    Viewing information about volume encryption  20
    Assign assessment policy for your workload  20
    Automatic responses  21
        Set up automatic responses  21
        Manage responses to trigger actions for threat events  22

4 Remediation  23
    Install McAfee Agent on your instances  23
    Installing Threat Prevention  24
        Install McAfee Endpoint Security  24
    Install Application Control on your instances  24
    Install Change Control  25
    Install Network Intrusion Prevention System on your instances  25
    Install Adaptive Threat Protection on your instances  26
    Remediate firewall rules  26
        Edit the security group rules  27
        Detach the security group from an instance  28
    Shut down workload  28
    Tag workloads  29

5 Queries and reports  31
    Predefined queries  31
        View default queries  33
    Create custom queries  34
    Dashboards and monitors  35

6 Best Practices for using McAfee ePO and Cloud Workload Security with AWS  39
    How McAfee ePO server and clients communicate  39
    Scaling McAfee ePO installed on AWS  40
        Considerations for scalability  40
    Managing and remediating workloads using Chef  41
    Managing and remediating workloads using Puppet  42
    Managing AWS clients using McAfee ePO installed on AWS  43
        Managing instances in one geographic region  43
        Managing instances in one geographic region with one VPC  44
        One geographic region deployment with multiple VPCs  44
        Multiple geographic region deployment  45
        Set up McAfee ePO and client communication  46
    Managing AWS clients using McAfee ePO installed on-premise  47
        Using McAfee Agent deployment URL feature  48
        Set up McAfee ePO and client communication  48
    Using Cloud Workload Security  49
    Deploying McAfee security products on AWS cloud  49
        Deploy McAfee security products on AWS instances using AMIs  49
        Deploying McAfee security products on AWS using Cloud Workload Security  50

7 Frequently asked questions  53

Index  57


1 Overview of Cloud Workload Security

McAfee® Cloud Workload Security helps you discover, import, manage, and secure your Amazon Web Services (AWS), Microsoft Azure, and VMware vCenter virtual infrastructure using McAfee® ePolicy Orchestrator® (McAfee® ePO™).

Cloud Workload Security offers improved visibility and control to address the unique requirements of public cloud server security. It detects and imports virtual infrastructure details, security groups, and virtual networks to the McAfee ePO server. It provides control over cloud infrastructure and insight into the threat information across clouds. It also offers infrastructure visibility and security alerts so that you can quickly assess security issues and take immediate actions.

Contents

Key features of Cloud Workload Security
How Cloud Workload Security works

Key features of Cloud Workload Security

Cloud Workload Security integrates the management feature of McAfee ePO with the configured cloud, which hosts and manages VMs. It synchronizes periodically with the cloud accounts and imports the virtual infrastructure details to McAfee ePO. It has an innovative dashboard to view and monitor security compliance of your cloud assets. You can flag systems at risk and take corrective actions. You can deploy McAfee Agent and install other McAfee products on the discovered instances.

Visualization of your cloud workloads

The user interface gives you a complete view into your cloud accounts and their assets with security status. You can view your virtual workload group list, security risk and threat details, other security product installation status, firewall (security group), and other system information of your virtual machines (VMs).

You can discover your VMs and network traffic even if the machine is inactive or turned off.

Compliance and security posture assessment

You can view potential threats and unsafe settings so that you can take appropriate actions. You can define compliance policies for security assessment. You can view all high and low compliance events in the Cloud Workload Security dashboard.

You can view these details in your network configuration.

• Security settings that include unsafe firewall settings for AWS and Microsoft Azure accounts.

• Systems without Threat Prevention, Change Control, Application Control, or Adaptive Threat Protection products installed.


Security group management

You can view security group information of your virtual instances across your cloud accounts. You can see how many instances are associated with any firewall (security group) or network security group. You can also manage these firewalls (security groups) by adding, editing, or deleting rules. You can detach a firewall (security group) from an instance.

Network visualization and anomaly detection

Cloud Workload Security assesses your cloud configuration and flags systems that are at risk. You can immediately take appropriate actions and secure your assets.

Easy activation of missing protection with a few clicks

After visualizing your cloud account structure and seeing which systems are at risk, you can secure your instances with a few clicks.

1 Manage your instances by installing McAfee® Agent.

2 After installing the agent, you can install these McAfee products on your instances.

• McAfee® Endpoint Security

• McAfee® Endpoint Security for Linux

• McAfee® Host Intrusion Prevention for Linux

• McAfee® Application Control

• McAfee® Change Control

• McAfee® Endpoint Security Adaptive Threat Protection (ATP)

Support for VMware vCenter cloud instances

View your VMware vCenter cloud infrastructure details. You can secure your instances by installing McAfee security products on them.

Volume discovery for AWS instances

View the encryption status of your AWS volumes.

Support for Microsoft Azure Resource Manager

Discover, manage, and secure the Microsoft Azure Resource Manager virtual infrastructure with McAfee ePO.

Cloud usage metering

You can track the usage of AWS and Microsoft Azure running cloud VMs with the metering feature. The usage of VMs is tracked as the sum of CPU hours that an account uses on a monthly basis.

How Cloud Workload Security works

Cloud Workload Security has a variety of components that perform specific functions to discover, manage, and secure your cloud assets.

Amazon Web Services (AWS) — Collection of web services that make up the cloud computing solution offered by Amazon.

Microsoft Azure — Cloud computing platform and infrastructure for building, deploying, and managing applications and services through a global network of Microsoft-managed datacenters.


Virtual Machines (VMs) — An isolated guest operating system installation in a normal host operating system that supports both virtual desktops and virtual servers.

Security Groups — A virtual firewall for your instances to control inbound and outbound traffic.

Network Security Groups — A list of rules in the Microsoft Azure cloud network that allow or deny network traffic to your instances.

Azure Virtual Network — A logical isolation of your Azure cloud dedicated to your subscription.

AWS Virtual Private Cloud — A logically isolated section of the Amazon Web Services cloud to launch your AWS resources in a virtual network.

McAfee ePO — Management software that allows you to register a cloud account, so that you can import your VMs and view them.

McAfee Agent — The client-side component providing secure communication between McAfee ePO and managed products.

Hypervisor (ESXi) — A virtual operating platform that manages the execution of the guest operating systems. Hypervisors allow multiple operating systems to run concurrently on a hosted system. ESXi is an embedded hypervisor for servers that runs directly on server hardware, without requiring another underlying operating system.

VMware vCenter — Console that manages the ESXi servers, which host the guest VMs that require protection.


2 Managing policies with McAfee ePO

You can integrate and manage assessment policies using McAfee ePO.

McAfee ePO provides centralized policy management and enforcement of your McAfee security products and the systems where they are installed. It also provides comprehensive reporting and product deployment capabilities through a single point of control.

Contents

Cloud Workload Security policies on McAfee ePO
Finding policies
Create an assessment policy
Create a firewall policy
Assign custom policies to systems in your network

Cloud Workload Security policies on McAfee ePO

The default policies fit the broadest set of customer environments. You can tune these policies to fit your environment.

Cloud Workload Security adds these categories in the Policy Catalog.

Category                      Description
Assessment Rules — Firewall   This policy defines the firewall settings for the systems. You can set inbound rules for the systems. It also defines how the systems are flagged if they violate the specified rules.
Assessment Rules — General    This policy defines how the systems are flagged if the products aren't installed.

Assessment Rules — General has the Core Protection, Full Compliance, McAfee Default, and My Default policies.

Assessment Rules — Firewall has the McAfee Default and My Default policies.

You can use these policies as is or you can edit My Default policies.

Policy            Description
McAfee Default    Defines the out-of-the-box policy that takes effect if no other policy is applied. You can duplicate this policy, but you can't delete or change it.
My Default        Defines the customizable default policy for your environment. Modify this policy to create your own customized default policy.
Core Protection   Defines the core or important protection that you can have in your environment.
Full Compliance   Defines the strongest protection that you can have in your environment.


Finding policies

View and manage your firewall policies from three locations in the McAfee ePO console.

You can assign policies to your cloud accounts using the Assigned Policies tab (Systems | System Tree | Assigned Policies for a selected group in the System Tree), and the Policy Catalog tab (Systems | Policy Catalog). You can also assign policies from the Cloud Workload Security user interface when you register your cloud accounts.

Use the Policy Catalog to:

• Create policies.

• View and edit policy information.

• View where a policy is assigned.

• View the settings and owner of a policy.

• View assignments where policy enforcement is disabled.

• Import and export policies.

• Duplicate policies.

• Share policies.

Use the Assigned Policies tab to:

• View the available policies of a particular feature of the product.

• View details of the policy.

• View inheritance information.

• Edit policy assignment.

• Edit custom policies.

Create an assessment policy

Create a custom assessment policy to suit your environment.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then from the Product list, select Cloud Workload Security.

3 From the Category list, select Assessment Rules - General.

4 Click the name of an editable policy.

You can edit the My Default policies, or any policies that you create. McAfee Default policies aren't editable.


5 Set the product flags to Must Have, Good to Have, or Optional.

If Must Have products are missing, critical alerts (red) are flagged.

If Good to Have products are missing, warnings (yellow) are flagged.

If Optional products are missing, no alerts are flagged.

You can set these flags for Strong Security Groups, Volume Encryption, Intrusion Prevention, Threat Prevention, Application Control, Change Control (FIM), and Adaptive Threat Prevention.

Strong Security Groups are always set as Must Have for your AWS and Microsoft Azure accounts. You cannot change this setting for AWS and Microsoft Azure accounts.

6 Click Save.

The new policy appears in the Policy Catalog.
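As an added illustration of the flag semantics in step 5 (example code written for this page, not part of Cloud Workload Security or this guide), the following Python models an Assessment Rules - General policy and evaluates a workload against it: a missing Must Have item gives a red alert, a missing Good to Have item a yellow one, a missing Optional item none, and Strong Security Groups is forced to Must Have for AWS and Azure accounts. The account-type strings ('aws', 'azure', 'vcenter'), the defaulting of unlisted items to Optional, and the sample policy and installed set are assumptions made for the example.

```python
"""Assessment Rules - General, modelled as a small checker.

Added example, not McAfee code. It mirrors the flag semantics the guide
describes: a missing Must Have product raises a critical (red) alert, a
missing Good to Have product a warning (yellow), a missing Optional product
nothing, and Strong Security Groups is always Must Have for AWS and
Microsoft Azure accounts. The account-type strings, the set of installed
capabilities and the sample policy are assumptions made for this example.
"""

MUST_HAVE, GOOD_TO_HAVE, OPTIONAL = "Must Have", "Good to Have", "Optional"
ALERT = {MUST_HAVE: "RED", GOOD_TO_HAVE: "YELLOW", OPTIONAL: None}

# The items the guide says an Assessment Rules - General policy can flag.
CAPABILITIES = (
    "Strong Security Groups", "Volume Encryption", "Intrusion Prevention",
    "Threat Prevention", "Application Control", "Change Control (FIM)",
    "Adaptive Threat Protection",
)


def effective_policy(policy, cloud):
    """Flags actually enforced for an account of type `cloud` ('aws', 'azure', 'vcenter').

    Items not mentioned in `policy` default to Optional (assumption)."""
    eff = {cap: policy.get(cap, OPTIONAL) for cap in CAPABILITIES}
    if cloud in ("aws", "azure"):
        # Fixed by the product for AWS and Azure accounts; not editable in the policy.
        eff["Strong Security Groups"] = MUST_HAVE
    return eff


def assess(policy, cloud, installed):
    """Alert colour for every capability that is missing from `installed`."""
    alerts = {}
    for cap, flag in effective_policy(policy, cloud).items():
        colour = ALERT[flag]
        if cap not in installed and colour is not None:
            alerts[cap] = colour
    return alerts


def overall_status(alerts):
    """Roll the per-item alerts up to the colour the dashboard would show."""
    if "RED" in alerts.values():
        return "CRITICAL"
    if "YELLOW" in alerts.values():
        return "WARNING"
    return "COMPLIANT"


if __name__ == "__main__":
    # Constructed policy: Threat Prevention required, file integrity monitoring recommended.
    policy = {"Threat Prevention": MUST_HAVE, "Change Control (FIM)": GOOD_TO_HAVE}
    alerts = assess(policy, "aws", installed={"Threat Prevention"})
    print(alerts, overall_status(alerts))
```

Running the block shows the point of the forced setting: the same policy applied to an AWS account reports Strong Security Groups as RED even though the policy author left it Optional, while a vCenter account with the same policy and products only gets the Change Control warning.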

Create a firewall policy

Create a custom firewall policy to suit your environment.

Task

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Policy | Policy Catalog, then from the Product list, select Cloud Workload Security.

3 From the Category list, select Assessment Rules - Firewall.

4 Select New Policy, type a name for the policy, then click OK.

5 Click the name of an editable policy.

You can edit the My Default policies, or any policies that you create. McAfee Default policies aren't editable.


6 Specify which inbound firewall rules can come from which IP addresses and their severities.

Option                            Severity
If inbound firewall rule to port  Select the inbound port from the list.
Then flag as                      Select the flag value from Safe or Critical.

If you don't specify a rule for a port, it is flagged as Warning. Critical alerts are flagged for unrestricted IP addresses (with suffix /0) only.

For example, a firewall policy is set in Cloud Workload Security.

Port         Flag
3389 (RDP)   Critical
80           SAFE

These are the assessment results.

Port   Source        Result
3389   Anywhere      RED
3389   <Custom IP>   SAFE
80     Anywhere      SAFE
80     <Custom IP>   SAFE
8082   Anywhere      YELLOW
8082   <Custom IP>   YELLOW

7 Click Save.

The new policy appears in the Policy Catalog.
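The assessment results in step 6 follow from three rules stated there: a Safe port is always SAFE, a Critical port is RED only when its source is unrestricted (a /0 prefix, shown as Anywhere in the console) and SAFE otherwise, and a port with no rule in the policy is a Warning for any source. The Python below is an added example, not McAfee code, that encodes exactly those rules and reproduces the table; it also covers the risk port assessment described in chapter 3, where an inbound North-South connection to a Critical port is reported as a malicious connection. Assumptions beyond the guide: a rule covering a port range is judged by its worst port, a security-group id used as a source counts as restricted, and the policy and rules in the block are constructed.

```python
"""Assessment of inbound security-group rules against an Assessment Rules -
Firewall policy, written as an added example (not McAfee code).

Rules implemented from the guide:
  * a port flagged Safe is always SAFE;
  * a port flagged Critical is RED only when the source is unrestricted
    (a /0 prefix, shown as "Anywhere" in the console) and SAFE otherwise;
  * a port with no rule in the policy is YELLOW (Warning) for any source.
Assumptions made here: a rule spanning a port range takes the worst status
of the ports it covers, a security-group id used as source counts as
restricted, and the sample policy and rules below are constructed.
"""
import ipaddress

SEVERITY_ORDER = {"SAFE": 0, "YELLOW": 1, "RED": 2}


def is_unrestricted(source):
    """True for the console's 'Anywhere' source or any /0 CIDR (0.0.0.0/0, ::/0)."""
    if source == "Anywhere":
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        # Not a CIDR, e.g. a security-group id used as source: treated as restricted.
        return False


def assess_port(policy, port, source):
    """Status of a single inbound port opened to `source` under `policy`."""
    flag = policy.get(port)
    if flag is None:
        return "YELLOW"                      # no rule for this port -> Warning
    if flag == "Safe":
        return "SAFE"
    if flag == "Critical":
        return "RED" if is_unrestricted(source) else "SAFE"
    raise ValueError(f"unknown flag {flag!r}")


def assess_rule(policy, port_from, port_to, source):
    """Worst status over a rule's port range (assumption, see module docstring)."""
    worst = "SAFE"
    for port in range(port_from, port_to + 1):
        status = assess_port(policy, port, source)
        if SEVERITY_ORDER[status] > SEVERITY_ORDER[worst]:
            worst = status
        if worst == "RED":
            break                            # nothing can be worse than RED
    return worst


def security_group_status(policy, rules):
    """Colour of a whole security group: the worst of its inbound rules."""
    worst = "SAFE"
    for port_from, port_to, source in rules:
        status = assess_rule(policy, port_from, port_to, source)
        if SEVERITY_ORDER[status] > SEVERITY_ORDER[worst]:
            worst = status
    return worst


def classify_connection(policy, dst_port, direction):
    """Risk port assessment (chapter 3): an inbound North-South connection to a
    Critical (risk) port is reported as a malicious connection."""
    if direction == "north-south-inbound" and policy.get(dst_port) == "Critical":
        return "malicious"
    return None


if __name__ == "__main__":
    # Constructed policy matching the guide's example: 3389 Critical, 80 Safe.
    policy = {3389: "Critical", 80: "Safe"}
    for port, src in [(3389, "Anywhere"), (3389, "203.0.113.0/24"),
                      (80, "Anywhere"), (8082, "Anywhere")]:
        print(port, src, assess_port(policy, port, src))
    print("group:", security_group_status(policy, [(0, 65535, "0.0.0.0/0")]))
```

The worst-port rule for ranges is what makes a wide-open range such as 0-65535 from 0.0.0.0/0 come out RED as soon as it covers one Critical port, which is the case a reviewer of security groups most wants surfaced.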

Assign custom policies to systems in your network

When you assign custom policies to a set of systems, they are effective after the next synchronization. If you want them to be effective immediately, schedule a manual sync.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | System Tree, then select your group of systems from the hierarchy.

You can also go to the Policy Catalog page from the Register Cloud Account pane of the Cloud Workload Security user interface.

3 From the Assigned Policies, you can see policies assigned to these systems. Click Edit Assignment.

4 Select Break inheritance and assign the policy and settings below for Inherit from.

5 Select your custom policy from the Assigned Policy list, then specify the values for other fields.

6 Click Save.


3 Visualization of your cloud accounts

Cloud Workload Security enables you to see your cloud infrastructure assets and their hierarchy.

Configure and register the cloud accounts with McAfee ePO using Menu | Systems | Cloud Workload Security. You can view your cloud account information, security issues, risks, and other threat details.

Contents

Viewing Cloud Workload Security and Workload properties
Viewing information about traffic
View information about Security Groups
Viewing information about Threat Prevention
Viewing information about Application Control software
Viewing information about Change Control software
Viewing information about volume encryption
Assign assessment policy for your workload
Automatic responses

Viewing Cloud Workload Security and Workload properties

The new Cloud Workload Security dashboard gives a detailed view of your cloud account and all its aspects.

The Cloud Workload Security panels display Total Workloads, Compliance Events, and Threat Events.

Compliance Events displays the compliance summary of all powered-on instances.

Threat Events displays the threat summary of powered-on and powered-off instances. You can see the threats in your environment irrespective of the machine status.

You can view:

• Total Workloads

• Compliance Events

• Threat Events

• Systems

• Accounts

• Workload Details

• Event Details

All account properties are color-coded to reflect their security status. Events and workloads are classified as critical or warning if they violate the security policies. The policy definitions in the McAfee ePO Policy Catalog determine the severity of the threat.

• Red — Critical

• Yellow — Warning

Cloud accounts

The Accounts panel lists the cloud vendor accounts registered in McAfee ePO.

• Select your account and you can see the list of virtual networks in your account. For a VMware vCenter account, you can see the list of datacenters or clusters in the account.

• Select the virtual network and you can see the workloads under that virtual network.

• Select a datacenter or cluster to see the list of hypervisors in it. Select a hypervisor to see the list of workloads in the hypervisor.

• If you select the VM, you can see the security status, management status, and system properties for that VM.

• If you have any VMs which aren't grouped under any VPC, they are placed under Ungrouped VMs for AWS instances.

• You can see if the VM is managed. If it isn't managed, you can install McAfee Agent.

Network security accounts

The Network Security panel lists the Network Security Manager (NSM) accounts registered in McAfee ePO.

You must install McAfee License extension to register the NSM account.


Viewing information about traffic

You can view the number of blocked internal connections, and the accepted suspicious and malicious external connections to and from your AWS and Azure instances. The internal and external traffic is captured as East-West and North-South traffic respectively.

You can view traffic details of your instances under the Threat Events pane. A number of products are deployed in Cloud Workload Security to detect threat events. The traffic displayed is the data accumulated for a maximum of seven days.

You must install McAfee License extension to view the traffic details of your cloud accounts.

Product                        Issues
Traffic Anomalies Detection    • Malicious Connection
                               • Risk Port Assessment
                               • Suspicious Connection
                               • Blocked Connection
Threat Protection              • Malware Detected
                               • Exploit Prevention
Adaptive Threat Protection     • Malicious Behavior Detected
                               • Advanced Malware Detected
Network Intrusion Prevention   Network Prevention Alerts

Traffic discovery

After you register your cloud accounts, you can discover traffic details for your instances. For an AWS account, you must set the required privileges and rules to enable network traffic flow logs at the VPC level; for a Microsoft Azure account, you must set them to enable Network Security Group traffic discovery. These policies and rules allow Cloud Workload Security to discover network traffic logs.

Traffic assessment

Global Threat Intelligence (GTI) — Detects malicious and suspicious North-South connections. Cloud Workload Security performs IP/connection reputation lookups to determine the severity of the risk. The malicious and suspicious connections are categorized as high and medium risks, and color-coded in red and yellow respectively.

Risk port assessment — Identifies the ports with security risks based on the firewall policies. Your connections are classified into malicious and suspicious connections based on risk port assessment.

For example, port 3389 is identified as a risk port based on firewall (security group) policies. North-South inbound traffic trying to reach your workload through port 3389 is assessed as a malicious connection.

You can set the safe and critical ports in your firewall (security group) policy to remediate workloads.


Network prevention alerts — You can view the network prevention alerts for your instances from yourregistered Network Security Manager (NSM) account.

When you enable traffic discovery for your Azure account, Cloud Workload Security creates storage accounts for each geographical location. You can only create 200 storage accounts for one subscription. Azure traffic sync fails if the storage account number exceeds 200 per subscription. You will be charged when a storage account is created. For more information about the pricing, see Azure pricing for storage accounts.

For one traffic sync, you can view only 8000 records.

Viewing traffic flow logs

You can view the graphical representation of your traffic in the Traffic pane when you click the Graph button. You can view the East-West and North-South traffic on your workload using the filters present in the Traffic pane.

The Cloud Workload Security traffic card has filters to view the flow logs based on time intervals. The traffic card has filters to display inbound traffic, outbound traffic, and blocked connections. Inbound connections are traffic flowing towards the workload, whereas outbound connections are traffic flowing from the workload. Blocked connections are blocked inbound and outbound connections.

• Time — Displays the date and time of occurrence of the selected event.

• Time Range (+/-) — Filters the issues based on time intervals.

  • 1 minute — Filters issues that occurred a minute before and after the time of occurrence of the selected event.

  • 5 minutes — Filters issues that occurred 5 minutes before and after the time of occurrence of the selected event.

  • 15 minutes — Filters issues that occurred 15 minutes before and after the time of occurrence of the selected event.

  • 30 minutes — Filters issues that occurred 20 minutes before and after the time of occurrence of the selected event.

• Show — Filters inbound, outbound, and blocked connections based on traffic flow.

By default, the inbound and outbound connections are selected.
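The two filters described above (a time window of plus or minus N minutes around the selected event, and the Show filter for inbound, outbound and blocked connections with inbound and outbound selected by default) are straightforward to reproduce over raw flow records, which is useful when you want to cross-check what the traffic card shows against the flow logs themselves. The Python below is an added example, not McAfee code. Its assumptions: the records are constructed, VPC-flow-log-like tuples; direction is judged relative to the workload's own IP address; and an action of REJECT marks a blocked connection.

```python
"""Traffic-card style filtering of flow records around a selected event.

Added example, not McAfee code. It applies the two filters the guide
describes: a time window of +/- N minutes around the selected event, and
the Show filter for inbound, outbound and blocked connections (inbound and
outbound are selected by default). Assumptions: records are constructed
VPC-flow-log-like tuples, direction is judged relative to the workload's
IP address, and an action of REJECT marks a blocked connection.
"""
from datetime import datetime, timedelta

# Constructed sample records: (time, src, src_port, dst, dst_port, action).
SAMPLE_FLOWS = [
    ("2018-08-05T10:00:00", "198.51.100.7", 51000, "10.0.1.5", 22, "ACCEPT"),
    ("2018-08-05T10:02:30", "10.0.1.5", 44000, "203.0.113.9", 443, "ACCEPT"),
    ("2018-08-05T10:04:10", "198.51.100.7", 51001, "10.0.1.5", 3389, "REJECT"),
    ("2018-08-05T10:20:00", "10.0.1.5", 44001, "192.0.2.30", 80, "ACCEPT"),
    ("2018-08-05T09:40:00", "192.0.2.30", 40000, "10.0.1.5", 80, "ACCEPT"),
]


def parse_flow(record):
    """Turn one constructed tuple into a dict with a real datetime."""
    time, src, src_port, dst, dst_port, action = record
    return {"time": datetime.fromisoformat(time), "src": src, "src_port": src_port,
            "dst": dst, "dst_port": dst_port, "action": action}


def classify(flow, workload_ip):
    """'blocked' if rejected; 'inbound' when the workload is the destination,
    'outbound' when it is the source; 'other' if the workload is not involved."""
    if flow["action"] == "REJECT":
        return "blocked"
    if flow["dst"] == workload_ip:
        return "inbound"
    if flow["src"] == workload_ip:
        return "outbound"
    return "other"


def filter_flows(records, workload_ip, event_time, minutes,
                 show=("inbound", "outbound")):
    """Flows within +/- `minutes` of `event_time` whose kind is in `show`,
    returned in record order, each annotated with its kind."""
    centre = datetime.fromisoformat(event_time)
    lo, hi = centre - timedelta(minutes=minutes), centre + timedelta(minutes=minutes)
    selected = []
    for record in records:
        flow = parse_flow(record)
        if not lo <= flow["time"] <= hi:
            continue                          # outside the Time Range window
        kind = classify(flow, workload_ip)
        if kind in show:                      # the Show filter
            flow["kind"] = kind
            selected.append(flow)
    return selected


if __name__ == "__main__":
    # Select the 10:02:30 event with a 5-minute window and all three Show boxes ticked.
    for flow in filter_flows(SAMPLE_FLOWS, "10.0.1.5", "2018-08-05T10:02:30", 5,
                             show=("inbound", "outbound", "blocked")):
        print(flow["time"], flow["kind"], flow["src"], "->", flow["dst"], flow["dst_port"])
```

With the default Show selection the rejected RDP attempt at 10:04:10 is hidden even though it falls inside the window; adding "blocked" to `show` is the equivalent of ticking the Blocked Connections box on the card.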


In addition to the filters, you can view the direction of traffic flow by selecting any issue under the Traffic pane. The direction of flow is highlighted for the selected issue.

You can view information about the security groups associated with your instance by selecting the Show Security Groups option from the menu in the Workload block. You can shut down your workload as a remediation measure by selecting the Shut Down Workload option from the menu in the Workload block.

The Table button will take you back to the instance details.

View information about Security Groups

You can view all security groups associated with your instances. Based on the enterprise rules set, the security group status is either red or yellow.

Select an instance from the Compliance Events or Threat Events pane to view more information about the security groups under Workload Details or Event Details respectively.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security.

3 Select your workload from Systems.

• Select an instance from the instance list under Compliance Events.

• Select an instance from the instance list under Threat Events.

4 To view more information about your security groups:

• For instances under Compliance Events, select Show Security Groups from the Take Action combo box.

• For instances under Threat Events:

• Click Graph.

• Click the menu icon in the Workload block.

• Select Show Security Groups.


Table 3-1 Security Groups

Property Definition

Security Groups Displays the name of the security or network security group.

ID Displays the ID of the security or network security group.

Association Displays the number of instances associated with this security group or the network security group.

Some VMs in Microsoft Azure accounts might not be associated with any security groups.

5 Click Edit Rules or double-click the security group to view the rules in each security group.

For threat events, you can edit the security group rules by clicking the workload name under Edit Inbound Rules in the Event Details pane.

Table 3-2 Rules

Property Definition

Security Group Name of the security group rule. For Azure instances, every security group rule has a name. Not applicable to AWS instances.

Associated Workloads Displays other instances that are associated with this security group (firewall).

Type Displays the Protocol type, which you can change.

Protocol Displays the protocol allowed.

Port Range Displays the port range allowed.

Priority Displays the priority of this rule in the security group.

Priority applies only to Microsoft Azure Network Security Groups.


Access Displays whether this is an allow rule or a deny rule for Microsoft Azure instances. You can't edit deny rules. Deny rules aren't assessed.

Source Displays the source IP address. You can choose Anywhere to allow connections from all traffic or Custom IP to provide an IP address that you want to allow. For AWS instances, you can also provide the security group for which you want to allow traffic.

Viewing information about Threat Prevention

To protect your instances from attacks, make sure that you install and configure the appropriate McAfee anti-malware software such as McAfee VirusScan Enterprise and McAfee Endpoint Security.

Your instance is color-coded and classified according to the anti-malware policy that you set in the McAfee ePO Policy Catalog.

When checking for the presence of anti-malware software, the results depend on the cloud environment and operating system. Install McAfee Endpoint Security on your Windows instances and McAfee Endpoint Security for Linux on your Linux instances.

Depending on the Threat Prevention products installed, you can view these product properties.

Product Properties

McAfee Endpoint Security for Windows

• On-Access General

• On-Access ScriptScan

• Access Protection

• Exploit Prevention

• DAT

McAfee Endpoint Security for Linux

• On-Access General

• On-Access ScriptScan

• DAT

You can:

• See if any properties are enabled or disabled. For details, see the product guides for the anti-malware products.

• Install McAfee Endpoint Security on your instances.

• Tag this system with the McAfee ePO tags related to product deployment tasks. See the product guide for your version of McAfee ePO.

All Threat Prevention properties should be enabled, and DAT should not be older than 7 days. If the DAT for any workload is older than 7 days, then the Threat Prevention status is noncompliant.
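The compliance rule stated above can be encoded as a check over the properties a workload reports. This is an added example, not McAfee code; the property names follow the Product/Properties table above, while the report record layout, the sample dates and the workload IDs are assumptions constructed for the example.

```python
"""Threat Prevention compliance check following the rule in this guide:
every Threat Prevention property for the installed product must be enabled
and the DAT must not be older than 7 days.
Added example, not McAfee code. Property names come from the Product/Properties
table above; the report record layout and the sample workloads are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Properties the guide lists per product. DAT is handled separately as a date.
REQUIRED_PROPERTIES: Dict[str, Tuple[str, ...]] = {
    "McAfee Endpoint Security for Windows": (
        "On-Access General",
        "On-Access ScriptScan",
        "Access Protection",
        "Exploit Prevention",
    ),
    "McAfee Endpoint Security for Linux": (
        "On-Access General",
        "On-Access ScriptScan",
    ),
}
MAX_DAT_AGE = timedelta(days=7)


@dataclass
class ThreatPreventionReport:
    """Assumed shape of the properties a managed workload reports (constructed)."""
    workload_id: str
    product: Optional[str]                      # None when no product is installed
    properties: Dict[str, bool] = field(default_factory=dict)
    dat_date: Optional[date] = None             # date of the DAT in use


def assess_threat_prevention(report: ThreatPreventionReport,
                             today: date) -> Tuple[str, List[str]]:
    """Return ("compliant" | "noncompliant", reasons) for one workload."""
    if report.product not in REQUIRED_PROPERTIES:
        return "noncompliant", [f"no supported Threat Prevention product: {report.product!r}"]
    reasons: List[str] = []
    for prop in REQUIRED_PROPERTIES[report.product]:
        # A property that was never reported counts as disabled, not as enabled.
        if not report.properties.get(prop, False):
            reasons.append(f"{prop} is disabled")
    if report.dat_date is None:
        reasons.append("DAT version not reported")
    else:
        age = today - report.dat_date
        if age > MAX_DAT_AGE:
            reasons.append(f"DAT is {age.days} days old (limit 7)")
    return ("noncompliant" if reasons else "compliant"), reasons


def assess_fleet(reports: List[ThreatPreventionReport],
                 today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Assess every workload; keyed by workload ID for dashboard-style review."""
    return {r.workload_id: assess_threat_prevention(r, today) for r in reports}


# Constructed sample workloads (IDs are placeholders, not real instance IDs).
TODAY = date(2018, 6, 15)
SAMPLE_REPORTS = [
    ThreatPreventionReport(
        "i-example-win-1", "McAfee Endpoint Security for Windows",
        {"On-Access General": True, "On-Access ScriptScan": True,
         "Access Protection": True, "Exploit Prevention": True},
        date(2018, 6, 13)),
    ThreatPreventionReport(
        "i-example-lin-1", "McAfee Endpoint Security for Linux",
        {"On-Access General": True, "On-Access ScriptScan": False},
        date(2018, 6, 8)),                      # exactly 7 days old: still within limit
    ThreatPreventionReport(
        "i-example-win-2", "McAfee Endpoint Security for Windows",
        {"On-Access General": True, "On-Access ScriptScan": True,
         "Access Protection": True, "Exploit Prevention": True},
        date(2018, 6, 1)),                      # 14 days old: stale DAT
    ThreatPreventionReport("i-example-none", None),
]

if __name__ == "__main__":
    for wid, (status, reasons) in assess_fleet(SAMPLE_REPORTS, TODAY).items():
        print(f"{wid}: {status}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```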

Viewing information about Application Control software

Install McAfee Application Control to protect your system from unauthorized applications. You can see if your instance has McAfee Application Control software installed.

Your instance is color-coded and classified according to the policy that you set in the McAfee ePO Policy Catalog.


You can see if McAfee Application Control is installed and enabled on the instance. For details, see the product guide for McAfee Application Control.

Viewing information about Change Control software

Install the McAfee Change Control file integrity monitoring solution to prevent changes in your environment that might lead to a security breach. You can see if your instance has McAfee Change Control software installed.

Your instance is color-coded and classified according to the policy that you set in the McAfee ePO Policy Catalog.

You can see if Change Control is installed and enabled on the instance. For details, see the product guide for McAfee Change Control.

Viewing information about volume encryption

You can view whether your AWS volumes are encrypted. You can view the number of root and data volumes for your instances.

Though both root and data volumes are shown, only data volumes are assessed for your AWS instances.

Your instances are color-coded and classified according to the policy that you set in the McAfee ePO Policy Catalog for volume encryption.

You can view these details for your volumes.

Property Definition

Status The encryption status of the volumes.

Type The type of the volume (root or data volume).

ID The volume ID.

Assign assessment policy for your workload

Select or create an assessment policy from the Workload Details pane to assign a policy to the selected workload.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security.

3 Select Workload Group or Account from the Systems pane, then select any category from the Event list.

4 Select the workload for which you have to assign the assessment policy.

5 Select a policy from the Assessment Policy drop-down list.

You can create your own policy or select an existing policy from the Workload Details pane. Click the icon next to Policy Catalog to go to the Policy Catalog page, where you can create or select a policy.

6 Click Save.


Automatic responses

Configure your McAfee ePO server to trigger an action in response to critical or warning issues.

Set automatic responses from Menu | Automation | Automatic Responses if you want a notification sent to you.

The standard templates for Cloud Workload Security are:

• Noncompliant critical workloads for AWS and Azure

• Noncompliant warning workloads for AWS and Azure

• Noncompliant critical workloads for vSphere

• Noncompliant warning workloads for vSphere

You can set up responses for other events also as needed.

Set up automatic responses

Configure the McAfee ePO server so that you receive automatic responses through email.

Before you begin

Specify the SMTP server name and the SMTP server port in Email Server from Menu | Configuration | Server Settings.

For details about automatic responses and specifying the email server, see the product guide for your version of McAfee ePO.

Task

1 Click Menu | Automation | Automatic Responses.

2 Select Preset as Cloud Workload Security.

3 Click New Response or click Edit next to an existing template.

4 On the Description page, type a unique name and any notes for the rule, if you are creating a template.

5 In the Event field, select:

• Event Group — Cloud Workload Security

• Event Type — Critical Issues or Warning Issues

6 Click Next.

7 On the Filter page, select:

• Account Name — Filter the cloud account name.

• Datacenter — Filter the datacenter name. This is applicable for vSphere.

• ePO Tags — Filter McAfee ePO tags assigned to instances.

• Instance ID — Filter AWS or Azure workload ID.

• Issue Subtype — Select any option from the drop-down list.

• Issue Type — Select any option from the drop-down list.

• Platform — Filter the operating system running on the instance.

• Region — Filter the region. Type the name of the region or the location of the instance. For example, if you want instances in the ap-southeast-1 location, type ap-southeast-1/Asia Pacific (Singapore).


• UUID — Filter UUID of the vSphere workload.

• Vendor Type — Filter the cloud service provider. Type AWS, Azure, or vSphere.

8 Click Next.

9 Define when the event triggers the rule on the Aggregation page. For details, see Set thresholds for the rule in the McAfee ePolicy Orchestrator Product Guide.

10 Click Next.

11 On the Actions page, compose the email and select the recipients. For details, see Configure the action for Automatic Response rules in the McAfee ePolicy Orchestrator Product Guide.

12 On the Summary page, verify the information, then click Save.

The new response template for Cloud Workload Security appears in the Automatic Responses list.

Manage responses to trigger actions for threat events

You can set up an automatic response in McAfee ePO that is triggered for every ENS/ENSL event. This response updates the threat count in the Cloud Workload Security console. The threat count displays the number of threat instances discovered in the last 7 days. The threat instances are categorized based on the virtual private cloud on the Workload Group List. The threat instance details of the selected workload group appear in the Workload Groups Overview pane.

Before you begin

You installed the Cloud Workload Security extension on McAfee ePO. You downloaded the Rule_ThreatEventTriggerforENS_ENSL file.

Task

By default, the threat event response for ENS/ENSL is configured. The administrator can reconfigure the automatic response if it is configured incorrectly.

1 Select Menu | Automation | Automatic Responses.

2 Click Import Response.

3 Click Choose File on the Automatic Responses page.

4 Select Rule_ThreatEventTriggerforENS_ENSL and click OK.

5 Click Enable Response in the Import Response Details dialog box, then click OK.

The new response template for ePO Notification Events appears in the Automatic Responses list.

The previous threat event response also appears in the Automatic Responses list. You must disable or delete the duplicate response.

6 To disable or delete a response:

• Select the response

• Click Actions drop-down list

• Select Disable Responses to disable the response

• Select Delete Responses to delete the response


4 Remediation

After viewing the details of your cloud accounts, and seeing which systems are at risk, activate missing protection by installing McAfee products and correcting firewall settings.

You can manage your instances by installing McAfee Agent. You can install other McAfee products after installing McAfee Agent.

Contents

Install McAfee Agent on your instances
Installing Threat Prevention
Install Application Control on your instances
Install Change Control
Install Network Intrusion Prevention System on your instances
Install Adaptive Threat Protection on your instances
Remediate firewall rules
Shut down workload
Tag workloads

Install McAfee Agent on your instances

To manage your unmanaged instances with McAfee ePO, install McAfee Agent.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security.

3 Select your workload from the Systems pane, then select an instance from the instance list under Compliance Events.

4 Select Install McAfee Agent from the Take Action combo box.

See KB85233 for details about installing McAfee Agent on your instances using a deployment URL.

5 Do one of the following:

• Enter the logon credentials, then click Install.

• Run the deployment Script.

You can see the installation status on the Systems page. If your McAfee ePO server doesn't receive installation status, it times out after 60 minutes.


Installing Threat Prevention

Protect your instance by installing appropriate McAfee anti-malware software based on your operating system and cloud environment.

You can install Endpoint Security on your Windows instances and Endpoint Security for Linux on your Linux instances.

Install McAfee Endpoint Security

Protect your instance by installing Endpoint Security or Endpoint Security for Linux.

Before you begin

Install McAfee Agent on your unmanaged instances to manage them with McAfee ePO.

You cannot install Endpoint Security from Cloud Workload Security if McAfee Host Intrusion Prevention, McAfee VirusScan Enterprise, or McAfee MOVE AntiVirus is installed on your instances. If Host Intrusion Prevention and Endpoint Security are installed, Cloud Workload Security checks for the presence of Endpoint Security and its properties.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security.

3 Select your workload from the Systems pane, then select an instance from the systems list under Compliance Events.

4 Select Install Threat Prevention from the Take Action combo box, then click Install.

Endpoint Security is installed on Windows workloads, and Endpoint Security for Linux is installed on Linux workloads.

You can see the installation status on the Systems page. If your McAfee ePO server doesn't receive installation status, it times out after 60 minutes.

Install Application Control on your instances

Protect your instance by installing McAfee Application Control.

Before you begin

• Install McAfee Agent on your unmanaged instances to manage them with McAfee ePO.

• Make sure you have the appropriate license before installing this product.

• See the product guide for Application Control before installing this product.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security.

3 Select your workload from the Systems pane, then select an instance from the systems list under Compliance Events.

4 Select Install Application Control from the Take Action combo box, then click Install.


You can see the installation status on the Systems page. If your McAfee ePO server doesn't receive installation status, it times out after 60 minutes.

Application Control is activated in Observe Mode for your Windows workloads.

The Windows workloads aren't restarted and all features except Memory Protection are available. Memory Protection is available after restarting your instance.

Install Change Control

Protect your instance by installing McAfee Change Control.

Before you begin

• Install McAfee Agent on your unmanaged instances to manage them with McAfee ePO.

• Make sure that you have the appropriate license before installing this product.

• See the product guide for McAfee Change Control before installing this product.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security.

3 Select your workload from the Systems pane, then select an instance from the systems list under Compliance Events.

4 Select Install Change Control (FIM) from the Take Action combo box, then click Install.

You can see the installation status on the Systems page. If your McAfee ePO server doesn't receive installation status, it times out after 60 minutes.

Install Network Intrusion Prevention System on your instances

Protect your instances from sophisticated threats by installing Network Intrusion Prevention.

Before you begin

• Install McAfee Agent on your unmanaged instances to manage them with McAfee ePO.

• Make sure you have the appropriate license before installing this product.

• Make sure that the Network Security Manager (NSM) server details are registered under Accounts | Network security.

• Make sure that the vNSP prerequisites like controller and cluster are deployed for the VPC and subnet of the selected instance.

• See the product guide for Network Security Platform before installing this product.

For information about vNSP integration, see KB90068.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security.


3 Select your workload from the Systems pane, then select an instance from the systems list under Compliance Events.

4 Select Install Network IPS from the Take Action combo box, then click Install.

You can see the installation status on the Systems page. If your McAfee ePO server doesn't receive installation status, it times out after 60 minutes.

Install Adaptive Threat Protection on your instances

Adaptive Threat Protection analyzes content from your enterprise and decides what to do based on file reputation, rules, and reputation thresholds.

Before you begin

• Install Adaptive Threat Protection policies to configure queries, reports, and dashboards to monitor threat activity within your environment.

• Install McAfee Agent on your unmanaged instances to manage them with McAfee ePO.

• Make sure you have the appropriate license before installing this product.

• See the product guide for Adaptive Threat Protection before installing this product.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security.

3 Select your workload from the Systems pane, then select an instance from the instance list under Compliance Events.

4 Select Install Adaptive Threat Protection from the Take Action combo box, then click Install.

You can see the installation status on the Systems page. If your McAfee ePO server doesn't receive installation status, it times out after 60 minutes.

The Adaptive Threat Protection module is supported on Windows systems only.

Remediate firewall rules

To protect and secure your cloud instances that are classified as red, correct the firewall rules.

You can correct the firewall settings from the Policy Catalog. See Where to find policies.

Task

1 Select Menu | Systems | Cloud Workload Security.

2 Select your workload from Systems.

• Select an instance from the instance list under Compliance Events.

• Select an instance from the instance list under Threat Events.


3 To view more information about your security groups:

• For instances under Compliance Events, select Show Security Groups from the Take Action combo box.

• For instances under Threat Events:

• Click Graph.

• Click the menu icon in the Workload block.

• Select Show Security Groups.

4 Click Edit Rules or double-click the security group to view and correct the firewall rules in each security group.

5 Edit or add new rules and click Apply Changes.

Tasks

• Edit the security group rules on page 27
Change the rules in your security group policy and secure your critical instances.

• Detach the security group from an instance on page 28
To secure your critical systems, remove the association of the security group to your AWS instance.

Edit the security group rules

Change the rules in your security group policy and secure your critical instances.

Task

1 Log on to McAfee ePO as an administrator.

2 Select the critical system and its security group policy from:

• Select Menu | Systems | Cloud Workload Security.

• Select your workload from the Systems pane.

• Select an instance from the instance list under Compliance Events.

• Select an instance from the instance list under Threat Events.

3 To view more information of your security groups:

• For instances under Compliance Events, select Show Security Groups from the Take Action combo box.

• For instances under Threat Events:

• Click Graph.

• Click the menu icon in the Workload block.

• Select Show Security Groups.

A red dot highlights the noncompliant rules.

4 Click Edit Rules or double-click the security group to view the rules in each security group.

For threat events, you can edit the security group rules by clicking the workload name under Edit Inbound Rules in the Event Details pane.

Changes made to the security group are applied to all other instances that are associated with the security group. Make sure that you review other server instances that are associated with the security group.

5 Edit the security group rules by changing Type, Protocol, Port range, or Source. For Microsoft Azure instances, you cannot edit rules that have Access as Deny.


6 While editing Source, you can choose Anywhere to allow connections from all traffic or Custom IP to provide an IP address that you want to allow. For AWS instances, you can also provide the security group for which you want to allow traffic.

7 To add a rule, select Add New Rule and type in the values.

8 To delete a noncompliant rule, click the delete icon.

9 Click Apply Changes.

You can see the action details for edit, delete, update, or add in Menu | User Management | Audit Log.

Detach the security group from an instance

To secure your critical systems, remove the association of the security group to your AWS instance.

• If your workload has only one security group associated with it, you can't detach it.

• A security group that is associated with this workload can also be associated with many NICs.

• You can't detach a security group if it is the only security group associated with a NIC.

• You can detach a security group only from your AWS instances.
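The restrictions listed above can be checked before a detach is attempted, which is useful when remediation is scripted rather than clicked through. This is an added example, not McAfee code; the instance and NIC record layout and the IDs in the sample are assumptions constructed here.

```python
"""Pre-flight check for detaching a security group from a workload, following
the restrictions stated above: AWS only, never the workload's only security
group, and never the only security group on any NIC.
Added example, not McAfee code; the instance record layout and the
sample IDs below are constructed assumptions."""
from typing import Dict, List, Tuple

# Constructed sample instance: two NICs, one security group shared between them.
SAMPLE_INSTANCE: Dict = {
    "vendor": "AWS",
    "nics": {
        "eni-example-a": ["sg-example-web", "sg-example-mgmt"],
        "eni-example-b": ["sg-example-mgmt"],
    },
}


def can_detach_security_group(instance: Dict, sg_id: str) -> Tuple[bool, str]:
    """Return (allowed, reason). The reason explains a refusal, or lists the
    NICs that the group would be removed from when the detach is allowed."""
    if instance.get("vendor") != "AWS":
        return False, "detaching a security group is supported only for AWS instances"
    nics: Dict[str, List[str]] = instance.get("nics", {})
    attached = {sg for groups in nics.values() for sg in groups}
    if sg_id not in attached:
        return False, f"{sg_id} is not associated with this workload"
    if len(attached) == 1:
        return False, "the workload has only one security group"
    # A group attached to several NICs must still leave every NIC with one group.
    sole = [nic for nic, groups in nics.items() if groups == [sg_id]]
    if sole:
        return False, f"{sg_id} is the only security group on {', '.join(sole)}"
    affected = [nic for nic, groups in nics.items() if sg_id in groups]
    return True, f"{sg_id} would be removed from {', '.join(affected)}"


if __name__ == "__main__":
    for sg in ("sg-example-web", "sg-example-mgmt"):
        print(sg, can_detach_security_group(SAMPLE_INSTANCE, sg))
```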

Task

1 Log on to McAfee ePO as an administrator.

2 Select the critical system and its security group policy from:

• Select Menu | Systems | Cloud Workload Security.

• Select your workload from the Systems pane.

• Select an instance from the instance list under Compliance Events.

• Select an instance from the instance list under Threat Events.

3 To view security groups:

• For instances under Compliance Events, select Show Security Groups from the Take Action combo box.

• For instances under Threat Events:

• Click Graph.

• Click the menu icon in the Workload block.

• Select Show Security Groups.

A red dot highlights the noncompliant rules.

4 Select a security group and click Detach to detach the security group policy from this instance.

You can see the detach failure or success details in the Detached Status window.

Shut down workload

Malicious East-West traffic trying to reach your workload creates a security risk. As a remediation measure, you can shut down the affected workload.

You can shut down AWS and Microsoft Azure instances only.


Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security.

3 Select your workload from the Systems pane, then select an instance.

4 Shut down the workload using one of these three methods:

• Select an instance under Compliance Events, then select Shut Down Workload under the Take Action combo box.

• Select an instance under Threat Events, then click the Shut Down Workload button in the Event Details pane.

• Click Graph, then select Shut Down Workload from the menu in the Workload or East-West blocks.

You can shut down only one workload at a time.

5 Click OK.

The shut down workload under Compliance Events is removed from the Cloud Workload Security user interface only after you perform a sync. The shut down workload under Threat Events still appears in the Cloud Workload Security user interface after the shut down.

Tag workloads

Tag your instances with McAfee ePO tags related to product deployment tasks. You can create auto tags for your instances based on account name and platform. You can also bulk tag selected instances.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | Cloud Workload Security.

3 Select your workload from the Systems pane, then select an instance or multiple instances from the instance list under Compliance Events.


4 Select Tag from the Take Action combo box.

5 Enter a tag name and click Add.

6 Click Save.

You can see the tag details of your instances on the Workload Details pane.


5 Queries and reports

With Cloud Workload Security, you can quickly generate a summary view of all registered datacenters.

The predefined queries and dashboards provide out-of-the-box functionality, because they are added to your McAfee ePO server when the software is installed. You can configure these queries to display results in charts or tables, which you can use as dashboard monitors. Query results can be exported to several formats, which you can download or send as an attachment to an email message.

You can view the list of predefined queries for the datacenters from Queries and reports | McAfee Groups | Data Center.

You can view the list of predefined queries for the public cloud accounts from Queries and reports | McAfee Groups | Public Cloud.

Contents

Predefined queries
Create custom queries
Dashboards and monitors

Predefined queries

You can use predefined queries as is, edit them, or create queries from events and properties stored in the McAfee ePO database.

To create custom queries, your assigned permission set must include the ability to create and edit private queries.

The Data Center group provides these predefined queries.


Query Definition

Anti-Malware Status Specifies whether the system is in one of these states:

• Application Control Enabled — These VMs have McAfee® Application Control installed and enabled.

• Only Anti-Virus Enabled — These VMs have a McAfee anti-malware product installed and enabled.

• Unprotected — These VMs don't have any McAfee anti-malware product enabled.

Application Reputation Categorizes the applications based on McAfee® Global Threat Intelligence™ (McAfee GTI) file reputation:

• Good

• Bad

• Unclassified

For details about file reputation, see the product documentation for McAfee Application Control.

AV Protection by Product Displays the anti-virus protection status of McAfee products.

Security Incidents (last 14 days) Displays the events reported for these components on the VMs in the last 14 days:

• Antivirus

• Firewall

• Memory Protection

Data Centers Displays all registered datacenters.

File Integrity Monitoring Status Displays the number of VMs with File Integrity Monitoring (FIM) installed and enabled. For details about FIM, see the product documentation for McAfee® Change Control.

Host Firewall Status Specifies whether the system is in one of these states:

• Firewall Enabled — These VMs have McAfee® Host Intrusion Prevention (McAfee Agent-based) installed.

• Not in use — These VMs don't have McAfee Host Intrusion Prevention (McAfee Agent-based) installed.

OS Distribution The OS Type shows the template value selected while creating the VMs, but it might not be the actual operating system installed on the VM.

Usage Metering Report Displays the usage of cloud accounts in number of hours per month.

• CPU cores | Usage Month — Specifies if the CPU cores used are single, dual, or quad core plus, and the usage month.

• Sum of Hours used — Specifies the sum of usage hours.


Endpoint Scan Report Displays the details of the last scan of the endpoints.

Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports server task from Menu | Automation | Server Tasks.

• Endpoint — The name of the endpoint.

• IP Address — The IP address of the endpoint.

• Category — The group/resource pool/host of the endpoint.

• Operating System — The operating system details.

• Last Scan — The last on-demand scan time for an endpoint with anti-virus software.

Endpoint Security Report Displays the protection status of the endpoints.

Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports server task from Menu | Automation | Server Tasks.

• Endpoint — The name of the endpoint.

• IP Address — The IP address of the endpoint.

• Virtual — Specifies whether the endpoint is a virtual system.

• VM Classification — Specifies if the VM is a part of public (Cloud Machine) or private (Virtual Machine) cloud.

• Vendor — The name of the cloud service provider of the endpoint.

• Power Status — Specifies the power status of the endpoint.

• Category — The group/resource pool/host of the endpoint.

• Operating System — The operating system details.

• AntiVirus/Antimalware — The name of the McAfee anti-virus and anti-malware software installed on the endpoint.

• Firewall — The name of the McAfee software with the firewall protection active on the endpoint.

• Whitelisting — Specifies whether the whitelisting feature is enabled.

• Access Protection — The name of the McAfee software that provides access protection.

• Memory Protection — The name of the McAfee software that provides memory protection.

• Last Communication — The time details of the last server-client communication.

Instance Assessment Status The number of instances that are classified as critical and the number of instances that are classified as warning.

Data Protection per Cloud VM The number of VMs that are encrypted and not encrypted.

View default queries

To generate reports based on datacenter components, run the predefined queries.

Task

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Reporting | Queries & Reports.


3 From the Groups pane, select Data Center to display the queries for the selected group. Reports are grouped under McAfee Groups.

4 From the Queries list, select a query, then click Run.

5 In the query results page, click any item in the results to drill down.

6 Click Close when finished.

Create custom queries

You can create custom queries that retrieve and display the details related to the Usage Metering Report and network traffic reports. With this wizard, you can configure which data is retrieved and displayed, and how it is displayed.

Before you begin

Make sure that you have administrator rights to perform this task.

Task

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Reporting | Queries & Reports, then click Actions | New to open the Query Builder wizard.

3 To view Usage Metering records, select Public Cloud on the Feature Group list and on the Result Type page, select Usage Metering records, then click Next.

If you upgraded from 3.6.1 to this version, you can also see Usage Metering Report - Legacy to view the old usage metering reports.

4 To view network traffic reports for your AWS instances, select Data Center on the Feature Group list, and on the Result Type page, select Amazon Network Traffic Logs, then click Next.

5 Select the type of chart or table to display the primary results of the query, then click Next to open the Columns page.

If you select Boolean Pie Chart, you must configure the criteria to include in the query.

6 Select the columns to include in the query, then click Next to open the Filter page.

If you selected Table on the Chart page, the columns you select here are the columns of that table. Otherwise, these are the columns that make up the query details table.

7 Select properties to narrow the search results, then click Run.

The Unsaved Query page displays the results of the query, which is actionable. You can take any available actions on items in any tables or drill-down tables. Selected properties appear in the content pane with operators that can specify criteria to narrow the data that is returned for that property.

• If the query doesn't return the expected results, click Edit Query to go back to the Query Builder and edit the details of this query.

• If you don’t want to save the query, click Close.

• If this is a query you want to use again, click Save and continue to the next step.


8 On the Save Query page, type a name for the query, add any notes, and select one of these options:

• New Group — Type the new group name and select whether the group is private or public.

• Existing Group — Select the group from the list of Shared Groups.

9 Click Save.

Dashboards and monitors

Dashboards, which are made up of monitors, help you track key metrics from all data center products.

Reports are grouped under McAfee Dashboards at Menu | Queries and reports | Groups.

• The Data Center dashboard displays a collection of monitors based on the results of the default datacenter queries.

• The Public Cloud dashboard displays the collection of monitors for default public cloud account queries.

The data in these monitors on the dashboard is refreshed every 15 minutes.

The default monitors that appear under these dashboards are:

• Data Centers — Displays all registered datacenters.

• OS Distribution — Displays the operating system type. It shows the template value selected while creating the VMs, which might not be the actual operating system installed on the VM.

• Security Incidents (last 14 days) — Specifies events reported for these components on the VMs in the last 14 days:

• Application Control

• Antivirus

• Firewall

• Memory Protection

• Anti-Malware Status — Displays the state of the VM.

• Application Control Enabled — These VMs have McAfee Application Control installed and enabled.

• Only Anti-Virus Enabled — These VMs have a McAfee anti-virus product installed and enabled.

• Unprotected — These VMs don't have any McAfee anti-malware product enabled.

• Host Firewall Status — Displays the state of the system.

• Firewall Enabled — These VMs have McAfee Host Intrusion Prevention installed.

• Not in use — These VMs don't have McAfee Host Intrusion Prevention installed.

• File Integrity Monitoring Status — Displays the number of VMs with File Integrity Monitoring (FIM) installed and enabled.

• Enabled — File Integrity Monitoring is enabled on these VMs.

• Not enabled — File Integrity Monitoring is disabled on these VMs.

• Not installed — File Integrity Monitoring isn't installed on these VMs.

• Instance Assessment status — Displays the number of instances that are classified as critical and the number that are classified as warning.

• Data protection per Cloud VM — Displays the number of VMs that are encrypted versus the number of VMs that aren't encrypted.

• Encrypted — These VMs are encrypted.

• Not Encrypted — These VMs aren't encrypted.

• Usage Metering Report — Displays the usage of running AWS and Microsoft Azure cloud instances, in number of hours per month.

You can see how many hours are used by your single core, dual core, and quad-core instances for every month.

• Application Reputation — Categorizes the applications based on McAfee Global Threat Intelligence file reputation.

• Good

• Bad

• Unclassified

This dashboard retrieves data from the McAfee Application Control extension.

For details about file reputation, see the product documentation for McAfee Application Control.

• Endpoint Scan Report — Displays the last scan details of the endpoints. This report is run every eight hours.

• Endpoint — The name of the endpoint.

• IP Address — The IP address of the endpoint.

• Category — The group/resource pool/host of the endpoint.

• Operating System — Displays operating system details.

• Last Scan — Displays the last on-demand scan time for an endpoint with different anti-virus software.

Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports server task from Menu | Automation | Server Tasks.

• Endpoint Security Report — Displays the protection status of the endpoints. This report is run every eight hours.

• Endpoint — The name of the endpoint.

• IP Address — The IP address of the endpoint.

• Virtual — Specifies whether the endpoint is a virtual system.

• VM Classification — Specifies if the VM is a part of public (Cloud Machine) or private (Virtual Machine) cloud.

• Vendor — The name of the cloud service provider of the endpoint.

• Power Status — Specifies the power status of the endpoint.

• Category — The group/resource pool/host of the endpoint.

• Operating System — The operating system details.

• AntiVirus/Antimalware — The name of the McAfee anti-virus and anti-malware software that is installed on the endpoint.

• Firewall — The name of the McAfee software with the firewall protection active on the endpoint.

• Whitelisting — Specifies whether the whitelisting feature is enabled.


• Access Protection — The name of the McAfee software that provides access protection.

• Memory Protection — The name of the McAfee software that provides memory protection.

• Last Communication — The time details of the last server-client communication.

Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports server task from Menu | Automation | Server Tasks.

6 Best Practices for using McAfee ePO and Cloud Workload Security with AWS

Contents

• How McAfee ePO server and clients communicate

• Scaling McAfee ePO installed on AWS

• Managing and remediating workloads using Chef

• Managing and remediating workloads using Puppet

• Managing AWS clients using McAfee ePO installed on AWS

• Managing AWS clients using McAfee ePO installed on-premise

• Using Cloud Workload Security

• Deploying McAfee security products on AWS cloud

How McAfee ePO server and clients communicate

McAfee ePO is deployed on-premise or in the cloud.

McAfee ePO communicates with client systems across networks in these ways:

• Client-initiated communication — McAfee Agent is installed on each client system. It periodically connects to the McAfee ePO server to check for updates such as new policy information, assigned tasks, and product updates. For client systems to connect to McAfee ePO:

• Client systems must have outbound access to McAfee ePO.

• McAfee ePO server must have inbound access on TCP ports 80 and 443.

TCP ports 80 and 443 are the default ports used for communication between McAfee ePO and the McAfee Agent. You can change the ports while installing McAfee ePO.

• McAfee ePO server-initiated communication — McAfee ePO can wake up and force client systems to pull down the latest security content. For McAfee ePO to connect to the client systems:

• McAfee ePO must have outbound access to client systems.

• Client instances must have inbound access on port 8081.

The AWS Security Group must allow this communication. For details about port requirements, see KB66797.
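As an added illustration (not McAfee code), the following Python checks a pair of AWS security groups, given in the shape of `aws ec2 describe-security-groups` output, against the two communication directions described above. The group contents, group ids and CIDRs are constructed samples, and the port numbers assume a default McAfee ePO install.

```python
"""Check AWS security group rules against the McAfee ePO / McAfee Agent port
requirements above: TCP 80 and 443 inbound on the McAfee ePO server for
client-initiated traffic, TCP 8081 inbound on client instances for
server-initiated wake-up calls.

Added example, not McAfee code. Rule dictionaries use the IpPermissions shape of
`aws ec2 describe-security-groups` output, so real output can be fed in; the
sample groups, group ids and CIDRs below are constructed. Only inbound rules are
evaluated: security groups are stateful and permit the reply traffic, and the
default egress rule allows all outbound traffic. Source references by security
group id (UserIdGroupPairs) are not evaluated and are treated as not matching.
"""
import ipaddress

# Default ports from the guide; change these if McAfee ePO was installed with
# non-default ports.
EPO_INBOUND_PORTS = (80, 443)   # McAfee Agent -> McAfee ePO
AGENT_WAKEUP_PORT = 8081        # McAfee ePO -> McAfee Agent (wake-up call)


def rule_allows(rule, port, source_cidr):
    """True if one IpPermissions entry admits TCP `port` from `source_cidr`."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):          # "-1" means all protocols
        return False
    if proto == "tcp" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    src = ipaddress.ip_network(source_cidr, strict=False)
    return any(
        src.subnet_of(ipaddress.ip_network(r["CidrIp"], strict=False))
        for r in rule.get("IpRanges", [])
        if ipaddress.ip_network(r["CidrIp"], strict=False).version == src.version
    )


def missing_ports(group, ports, source_cidr):
    """Ports in `ports` that no inbound rule of `group` admits from `source_cidr`."""
    return [
        p for p in ports
        if not any(rule_allows(r, p, source_cidr) for r in group["IpPermissions"])
    ]


def check_epo_deployment(epo_sg, client_sg, client_cidr, epo_cidr):
    """Report which communication modes the two security groups permit."""
    epo_missing = missing_ports(epo_sg, EPO_INBOUND_PORTS, client_cidr)
    client_missing = missing_ports(client_sg, (AGENT_WAKEUP_PORT,), epo_cidr)
    return {
        "client_initiated": not epo_missing,      # agents can reach ePO
        "server_initiated": not client_missing,   # ePO can wake agents
        "epo_missing_inbound": epo_missing,
        "client_missing_inbound": client_missing,
    }


def required_rules(epo_cidr, client_cidr):
    """Inbound entries, in IpPermissions shape, that satisfy the guide's ports."""
    epo_rules = [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": client_cidr}]}
        for p in EPO_INBOUND_PORTS
    ]
    client_rules = [
        {"IpProtocol": "tcp", "FromPort": AGENT_WAKEUP_PORT,
         "ToPort": AGENT_WAKEUP_PORT, "IpRanges": [{"CidrIp": epo_cidr}]}
    ]
    return epo_rules, client_rules


# Constructed sample: the ePO group admits only HTTPS from the VPC and RDP from
# an admin address; the client group admits only SSH. Neither is sufficient.
EPO_SG = {
    "GroupId": "sg-0example-epo",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    ],
}
CLIENT_SG = {
    "GroupId": "sg-0example-client",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}
CLIENT_CIDR = "10.0.2.0/24"    # subnet holding the managed EC2 instances
EPO_CIDR = "10.0.1.10/32"      # private address of the McAfee ePO instance

if __name__ == "__main__":
    before = check_epo_deployment(EPO_SG, CLIENT_SG, CLIENT_CIDR, EPO_CIDR)
    print("before:", before)
    epo_add, client_add = required_rules(EPO_CIDR, CLIENT_CIDR)
    fixed_epo = {"IpPermissions": EPO_SG["IpPermissions"] + epo_add}
    fixed_client = {"IpPermissions": CLIENT_SG["IpPermissions"] + client_add}
    print("after:", check_epo_deployment(fixed_epo, fixed_client, CLIENT_CIDR, EPO_CIDR))
```

Against the sample groups the check reports port 80 missing on the ePO group and port 8081 missing on the client group; after the rules from `required_rules` are added, both communication modes are permitted.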


Scaling McAfee ePO installed on AWS

Cloud Workload Security for AWS discovers and imports the inventory details of your Amazon EC2 instances from AWS into McAfee ePO. With this feature, McAfee ePO recognizes elastic scaling of EC2 instances.

As your managed network grows, distributed repositories and Agent Handlers can help improve performance and network protection.

Distributed repositories work as file shares that store and distribute security content for your managed client systems. Agent Handlers allow you to move McAfee Agent requests and added management logic closer to the systems making these requests.

Agent Handlers also allow you to scale your network infrastructure horizontally, reduce the load on your McAfee ePO server, and save bandwidth.

If McAfee ePO is installed on an AWS server:

• Enable termination protection for McAfee ePO server to avoid accidental termination.

• Use elastic IP on McAfee ePO server for public IP.

• McAfee ePO supports SSD only. Magnetic disks are not supported.

• Configure ports and security group rules for McAfee ePO server appropriately. For more information, see KB66797.

Considerations for scalability

Your ability to manage growth on your network depends on whether you install McAfee ePO on multiple servers, use multiple remote Agent Handlers, or both.

With McAfee ePO software, you can scale your network vertically or horizontally.

• Vertical scalability — Adding and upgrading to bigger, faster hardware to manage larger and larger deployments. Scaling vertically is accomplished by upgrading your server hardware, and installing McAfee ePO on multiple servers throughout your network, each with its own database.

• Horizontal scalability — Increasing the deployment size that one McAfee ePO server can manage. Scaling horizontally is accomplished by installing multiple remote Agent Handlers, each reporting to one database.

Managed systems and servers

The number of systems your McAfee ePO server manages dictates the number of servers installed on your network. The number of managed systems also dictates the recommended server hardware needed to manage these systems.

Option: recommended for these deployment sizes

• Virtual McAfee ePO server and database: fewer than 1,500 systems

• Windows Server and SQL database in the same server: 1,500–10,000 systems

• Windows Server and separate SQL database: 10,000–25,000 systems, 25,000–75,000 systems, and more than 75,000 systems

• Add distributed repositories: 25,000–75,000 systems and more than 75,000 systems

• Add agent handlers: more than 75,000 systems


Managing and remediating workloads using Chef

The cookbook allows installation and management of McAfee Agent, Endpoint Security for Windows and Linux, and Adaptive Threat Protection. It creates and assigns tags to systems after product installation. To manage a workload/node on McAfee ePO using Chef, you must configure the Chef server and node, and define the attributes.

Prerequisites

• Configure the Chef server and workstation, and bootstrap the node to the server where McAfee products are to be installed. For more information, see https://docs.chef.io/.

• Check-in Cloud Workload Security 5.0.0 in McAfee ePO, and register AWS or Azure cloud accounts.

• Check-in McAfee Agent 5.0.5 or later.

• Check-in Endpoint Security package.

Chef workstation settings

Download the cookbook from the external repository, and configure the chef attributes in the attributes/default.rb attributes file.

The cookbook requires a connection to McAfee ePO to install the security products. Hence, the McAfee ePO credentials need to be encrypted in the cookbook rather than stored in clear text. To encrypt the McAfee ePO credentials, run the ruby EncryptPassword.rb USERNAME PASSWORD command.

You need to have Ruby installed in your chef workstation to run this command.

Table 6-1 Attributes for cookbook

• default[:epo][:address]: The McAfee ePO IP address and port number.

• default[:epo][:username]: The McAfee ePO user name. The cookbook retrieves the user name from the encrypted file if this field is blank.

• default[:epo][:password]: The McAfee ePO password. The cookbook retrieves the password from the encrypted file if this field is blank.

• default[:cloud][:accountname]: The name of the registered cloud account.

• default[:tag]: The name of the tag to be assigned to the node. The default tag name is CWS_DEVOPS.

• default[:products]: The names of the products to be installed (ENS, ATP).

• default[:policy][:ENS] (optional field): The name of the ENS/ENSL On-Access Scan policy to be assigned to the node/client.

• default[:policy][:ATP] (optional field): The name of the ATP policy to be assigned to the node/client.


After defining the attributes, upload the modified cookbook in the Chef server.

The default.rb recipe is mcafeeagent. To ensure that McAfee Agent is installed, include mcafeeagent in your node's run_list.

{"name":"my_node","run_list":[ "recipe[mcafeeagent]" ]}

To trigger the installation of McAfee products on the client, run chef-client on the client node. You can also add the recipe to the node run list when bootstrapping it from the workstation.

Managing and remediating workloads using Puppet

The module allows installation and management of McAfee Agent, Endpoint Security for Windows and Linux, and Adaptive Threat Protection on a node. It creates a tag-based policy assignment rule for on-access scan. On the next agent-to-server communication, this policy is enforced on the client system. To manage a node with McAfee ePO using Puppet, you must configure the Puppet server and define the attributes.

Prerequisites

• Configure the Puppet server and workstation, and bootstrap the node to the server where McAfee products are to be installed. For more information, see https://docs.puppet.com/puppet.

• Check-in Cloud Workload Security 5.0.0 in McAfee ePO, and register AWS or Azure cloud accounts.

• Check-in McAfee Agent 5.0 or later.

• Check-in Endpoint Security package.


Puppet server settings

Download the module from the external repository and configure the Puppet attributes in the modules/facts/lib/facter/config.yaml attribute file. Copy modules and manifests to the /etc/puppetlabs/code/environments/production folder on the puppet-server system.

The module connects to McAfee ePO to install the security products. Hence, the McAfee ePO credentials need to be encrypted in the module rather than stored in clear text. To encrypt the McAfee ePO credentials, run the ruby EncryptPassword.rb USERNAME PASSWORD command.

You need to have Ruby installed on your Puppet server to run this command.

For immediate execution on a particular agent node, trigger a run on that node manually with the /opt/puppetlabs/bin/puppet agent --test command on Linux or the puppet agent --test command on Windows.

Table 6-2 Attributes for module

• [epo_address]: The McAfee ePO IP address and port number.

• [epo_username]: The McAfee ePO user name. The module retrieves the user name from the encrypted file if this field is blank.

• [epo_password]: The McAfee ePO password. The module retrieves the password from the encrypted file if this field is blank.

• [cloud_account_name]: The name of the registered cloud account.

• [tag_name]: The name of the tag to be assigned to the node. The default tag name is CWS_DEVOPS.

• [install_products]: The names of the products to be installed (ENS, ATP).

• [policy_ENS] (optional field): Name of the ENS/ENSL On-Access Scan policy to be assigned to the node/client.

• [policy_ATP] (optional field): Name of the ATP policy to be assigned to the node/client.

Managing AWS clients using McAfee ePO installed on AWS

To manage client systems outside your organization's network, install McAfee ePO on an AWS instance with a compatible operating system.

For information about compatible operating systems, see KB51569.

To manage client instances in AWS cloud, McAfee ePO can be deployed:

• In one geographic region

• In one geographic region with one Amazon Virtual Private Cloud (VPC)

• In one geographic region with multiple Amazon VPCs

• In multiple geographic regions

Managing instances in one geographic region

McAfee ePO can be installed to manage instances in one geographic region with multiple availability zones.

This type of deployment supports client-initiated and McAfee ePO server-initiated communication. You must create a separate AWS security group for McAfee ePO that allows outbound connections to client instances (server-initiated communication) and inbound connections (agent-initiated communication). Once you deploy McAfee ePO, you can view the available systems in the System Tree under AWS.


Managing instances in one geographic region with one VPC

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

In one geographic region with a single VPC, each instance that you launch in a non-default subnet has a private IP address. When you install McAfee ePO in the VPC, client instances in the same VPC communicate with the McAfee ePO server or with other instances across the private network. For information about VPCs and subnets, see AWS documentation.

One geographic region deployment with multiple VPCs

When multiple VPCs are present in one geographic region, you can use VPC peering to connect the VPCs.

For information about VPC peering and setting one VPC as private and another VPC as public, see AWS documentation.

When you configure VPC peering, McAfee ePO server and client instances communicate via the private network. VPC peering supports client-initiated and McAfee ePO server-initiated communication.

Configure a virtual Agent Handler on your McAfee ePO server to enable communication through public and private IP addresses. For more information about configuring a virtual Agent Handler, see Set up McAfee ePO and Client Communication.


You can configure VPC routes to restrict communication between VPCs only to McAfee ePO and client instances if other applications do not require VPC peering on the same infrastructure. For more information, see the product documentation for your version of McAfee ePO.

Set up VPC peering for McAfee ePO server and client communication wherever possible.

Multiple geographic region deployment

In a multiple geographic region deployment, you can use an architecture where client instances connect to McAfee ePO over the internet using a public IP address.

Use this architecture if:

• Your organization uses multiple regions with multiple VPCs.

• You can't use VPC peering to connect multiple VPCs in a region.

This architecture supports only client-initiated communication. To use this architecture:

• All client instances must have outbound access to McAfee ePO. Configure the AWS security groups accordingly.

• The AWS security group of the McAfee ePO server must be configured to accept communication from the client instances.

For more information, see the product documentation for your version of McAfee ePO.

Set the agent-server communication interval to 60 minutes so that client instances can get product, policy, andtask updates frequently without affecting performance.


Configure a virtual Agent Handler on your McAfee ePO server to enable communication with client instances through a public IP address. For more information about configuring a virtual Agent Handler, see Set up McAfee ePO and Client Communication.

Set up McAfee ePO and client communication

Configure McAfee ePO and Agent Handler to set up communication for McAfee ePO and the client on AWS.

Task

1 Install McAfee ePO in the region with the highest number of instances.

This ensures optimized communication between McAfee ePO and client instances.

2 Assign an elastic IP address to the McAfee ePO instance.

This ensures that the public IP address of the McAfee ePO instance does not change.

For details about assigning an elastic IP address, see AWS documentation.

3 Configure a virtual Agent Handler on the McAfee ePO server for your managed client instances to connect to the McAfee ePO server.

a Open the Agent Handlers page: Menu | Configuration | Agent Handlers, then in Handler Groups, click New Group to open the Add/Edit Group.

b Specify a virtual Agent Handler group name.


c In the Included Handlers section, select Use load balancer and specify the details.

• Virtual DNS Name — Type the DNS name assigned to the static public IP address associated with this AWS server.

• Virtual IP Address — Type the static public IP address associated with this AWS server.

4 Enable the new virtual Agent Handler.

a Select Menu | Configuration | Agent Handlers, then click the Handler Groups monitor.

b Find the new virtual Agent Handler, then click Actions | Enable.

5 Assign the virtual Agent Handler group.

a Select Menu | Configuration | Agent Handlers, then click New Assignment.

b Specify a unique name for this assignment.

c In the Agent Criteria section, browse to and select My Organization from the System Tree location.

d In the Handler Priority section, click Use custom handler list and select the new virtual Agent Handler.

Use + to add additional Agent Handlers to the list.

The created virtual Agent Handler publishes McAfee ePO on its public IP address and all client instances communicate using this address.

Managing AWS clients using McAfee ePO installed on-premise

Install McAfee ePO on an on-premise server and the Agent Handler in the DMZ with a public IP address for easy connectivity and scalability.

This architecture is best if:

• You use McAfee ePO in a hybrid cloud environment.

• Your organization requires McAfee ePO to be installed on-premise rather than in the cloud.

To use this architecture:


• Install McAfee ePO on an on-premise server to manage systems on-premise. Assign an internal private IP address to McAfee ePO.

• Install Agent Handler on an on-premise server in the DMZ to manage instances on AWS. You must assign a public IP address to the Agent Handler.

• You must connect McAfee ePO server and the Agent Handler through a low-latency and high-bandwidth network.

This architecture supports client-initiated communication, but McAfee ePO can't wake up the McAfee Agent on a managed AWS instance. To use the McAfee ePO initiated communication (wake up agent) feature, AWS instances must use a VPN to connect to the on-premise network.

For information about the ports required for McAfee ePO and client instance communication, see KB66797. For information about port guidelines, see the McAfee ePolicy Orchestrator Product Guide.

Using McAfee Agent deployment URL feature

The McAfee Agent deployment URL contains a link to an installer. The installer downloads and installs McAfee Agent and deploys McAfee products to AWS instances.

For instructions about deploying McAfee Agent on AWS instances, see KB85233.

Set up McAfee ePO and client communication

Configure McAfee ePO and the Agent Handler to set up communication between McAfee ePO and the client.

Task

1 Install McAfee ePO on an on-premise server.

2 Install the Agent Handler on another on-premise server in the DMZ.

3 Configure the Agent Handler.

a Open the Agent Handlers page: Menu | Configuration | Agent Handlers, then in Handler Status, click Agent Handler.

b From the Handler List, click the Agent Handler that is installed in the DMZ.

c Specify the public IP address of the Agent Handler to connect to AWS EC2 instances in the Published IP Address field.


Using Cloud Workload Security

Consider these best practices to set up Cloud Workload Security to monitor and manage AWS EC2 resources.

Task

1 Install McAfee ePO based on your infrastructure requirements.

2 Install the Cloud Workload Security extension on the McAfee ePO server.

3 Make sure that you set up a user on AWS with read-write privileges on EC2 and traffic flow-logs for all regions that require management.

4 Register your AWS cloud account with McAfee ePO, so that McAfee ePO discovers, imports, assesses and displays your cloud account information.

5 Specify the sync interval for McAfee ePO to AWS synchronization.

Sync interval determines how often new instances are discovered.

6 While deploying McAfee Agent, select Auto deploy McAfee Agent on VMs when all your EC2 instances and traffic flow-logs are in the same region and support Active Directory based deployment.

Deploying McAfee security products on AWS cloud

To deploy McAfee security products on AWS instances, deploy a McAfee Agent on each of the AWS instances.

Once you deploy McAfee Agent, you can use McAfee ePO to manage product installation and network security of the AWS instances.

You must have credentials for each of the AWS instances. Currently, only password-based authentication is supported on Windows and Linux.

To deploy McAfee security products easily and efficiently:

• Use Active Directory-based authentication.

• Create secure client Amazon Machine Images (AMIs) with the McAfee Agent and products installed.

Deploy McAfee security products on AWS instances using AMIs

To ensure security of the AWS instances as they start, create secure client Amazon Machine Images (AMIs) using standard AMIs. The AMI contains McAfee Agent and McAfee Endpoint Security.

Before you begin

• If you are using Amazon Elastic Compute Cloud (Amazon EC2), start a Windows or Linux instance.

• Install the McAfee Agent and Endpoint Security extensions in the McAfee ePO server. Endpoint Security protects instances from malware.

• Check in the client packages.

• Make sure that you don't have duplicate McAfee Agent GUIDs, which can affect product installation, policy enforcement, and prevent properties from being recorded correctly.

• We recommend that you access your AWS instances from McAfee ePO until the AWS instances are compliant with the organization's IT security standards.


Tasks

• Create secure client AMIs on page 50

Start a secure client AMI on a Windows EC2 or Linux instance.

Using McAfee Agent deployment URL feature

The McAfee Agent deployment URL contains a link to an installer. The installer downloads and installs McAfee Agent and deploys McAfee products to AWS instances.

For instructions about deploying McAfee Agent on AWS instances, see KB85233.

Create secure client AMIs

Start a secure client AMI on a Windows EC2 or Linux instance.

Task

1 Depending on the operating system that you use, start a Windows EC2 or a Linux instance on the AWS console.

2 Log on to the instance.

3 Deploy McAfee Agent on the instance using Cloud Workload Security.

• Download the deployment script under McAfee ePO Management on the Cloud Workload Security user interface.

• Select Install McAfee Agent from the Take Action combo box on the Cloud Workload Security user interface.

4 Install Endpoint Security on the instance using the Take Action combo box on the Cloud Workload Security interface.

5 Delete Agent GUID details to avoid duplicate GUIDs. For more information, see KB84356.

6 Delete AMCore GUID details. For more information, see KB89849.

7 On the AWS console:

• Use EC2Config or Windows tools to sysprep the server with the shutdown option.

• Select the AMI and click Launch.

This starts a new secure client AMI with McAfee Agent and Endpoint Security installed on it.

Deploying McAfee security products on AWS using Cloud Workload Security

You can deploy McAfee security products on the AWS instances from the Cloud Workload Security user interface using the Take Action combo box.

Consider these best practices when you deploy McAfee security products using Cloud Workload Security on the AWS instances.


• By default, the secure AMIs ensure protection of your instances. It is recommended that you create your server instances from the secured AMIs.

• You can install Threat Prevention on the AWS instances in batches. The number of systems per batch is 25. You can increase the number of systems per batch if you have distributed repositories.

• You can set threat alert notifications for Cloud Workload Security in the Automatic Responses page. The default value of Threat Event Trigger for ENS/ENSL for Cloud Workload Security is 1 minute. It is recommended that you set the notification time to a higher value if the number of events per aggregation time is high.

Selecting the Trigger this response for every event option is not recommended as it causes significant performance issues in McAfee ePO.
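To make the last two points concrete, here is an added example (not McAfee's code) that counts how many responses a burst of threat events would trigger per event versus with a 1-minute or 5-minute aggregation window. The aggregation model is a simplification: a window opens at the first event and absorbs every event until it closes; the event burst is constructed.

```python
"""Compare per-event and aggregated Automatic Response firing rates."""
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed burst of 12 threat events: seconds after 10:00:00 on one day.
_BASE = datetime(2018, 5, 1, 10, 0, 0)
_OFFSETS = [5, 20, 45, 70, 90, 170, 185, 220, 359, 390, 420, 479]
SAMPLE_EVENTS = [(_BASE + timedelta(seconds=s), "i-0abc123", "EICAR-Test-File")
                 for s in _OFFSETS]


def responses_per_event(events: List[Tuple[datetime, str, str]]) -> int:
    """'Trigger this response for every event': one response per event."""
    return len(events)


def responses_aggregated(events: List[Tuple[datetime, str, str]],
                         window: timedelta) -> List[Tuple[datetime, int]]:
    """Simplified aggregation (assumption, not ePO's exact algorithm):
    a window opens at the first unhandled event and collects every event
    until window time has elapsed; each window yields one response.
    Returns (window start, number of events aggregated) per response."""
    fired: List[Tuple[datetime, int]] = []
    window_end = None
    for ts, _workload, _threat in sorted(events):
        if window_end is None or ts >= window_end:
            fired.append((ts, 1))          # open a new window, fire once
            window_end = ts + window
        else:
            start, count = fired[-1]       # fold the event into the open window
            fired[-1] = (start, count + 1)
    return fired


def summarize(events: List[Tuple[datetime, str, str]]) -> dict:
    """Response counts for the three settings discussed in the guide."""
    return {
        "per_event": responses_per_event(events),
        "aggregate_1m": len(responses_aggregated(events, timedelta(minutes=1))),
        "aggregate_5m": len(responses_aggregated(events, timedelta(minutes=5))),
    }
```

For the sample burst the same 12 events produce 12 responses per event, 5 with the default 1-minute aggregation, and 2 with a 5-minute window, which is why a longer window is recommended when event volume is high.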


7 Frequently asked questions

Here are answers to frequently asked questions.

See KB90063 for more questions and answers.

Installation

Can I install McAfee Agent on AWS instances using the Agent Deployment URL feature and Amazon User Data?

Yes. For details, see KB85233.

Can I use scripts for Puppet, Chef, or Amazon OpsWorks to install and configure security solutions offered by Intel Security?

Yes.

• For Puppet sample scripts, see KB82585.

• For Chef sample scripts, see KB82584.

• For Amazon OpsWorks scripts, see KB82586.

What happens to my policies when I upgrade from Cloud Workload Security 4.5.1 to 5.0.0?

When upgrading from 4.5.1 to 5.0.0, since the policy structure has changed in the latest version, your previous policies, policy settings, and policy assignments are lost.

Configuration

How do I troubleshoot AWS instance connectivity issues?

See AWS documentation.

How many cloud accounts can I register under one McAfee ePO server?

There is no limit to the number of cloud accounts that can be registered under one McAfee ePO server.

How do I get the subscription ID, tenant ID, and client ID?

You can get your client ID, tenant ID, and subscription ID after creating an application. You need to configure your client key. You can create an application by following the steps listed in Create an application in the Microsoft Azure console. You can also run PowerShell scripts, which automate this process. For details, see KB87316.

What ports are included when I select Any as the port when configuring an inbound firewall rule?

All ports (0-65535) are included.

Functionality

When AWS instances are switched off, are they reported "powered off" in McAfee ePO?

Yes. If the computers are managed, they aren't deleted, even on termination. Unmanaged systems, when terminated, are no longer seen in the McAfee ePO System Tree.

How long until a new instance is discovered by Cloud Workload Security?


After the synchronization occurs, the new instance is discovered. Synchronization depends on the Sync Interval that you specified. If you specify the sync interval as 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync. You can also schedule a manual sync and the synchronization starts immediately.

What happens when an instance is terminated in EC2?

After the instance is terminated (and a synchronization occurs), the instance is no longer displayed in the McAfee ePO System Tree. But, any events from this instance are still present.

What are the reasons for my cloud account synchronization to fail?

• Check your cloud account details. Your access key and secret key pair might have been disabled.

• Check if your network is connected.

• Check if your McAfee ePO system date and time are synchronized with the internet date and time.

• Check if you are registering the same AWS account again in McAfee ePO.

Visualization of your cloud accounts

VirusScan Enterprise is installed on my instance, but the instance is still color-coded as red.

If your instance isn't managed with this McAfee ePO, then the status is shown as red. For the assessment to show the correct result, the instance must be managed by the same McAfee ePO.

Detaching the security group from an AWS instance fails.

Detaching fails in these cases:

• There is one NIC associated with the instance, and you are trying to detach a security group.

• Your instance is associated with multiple NICs, and you are trying to detach a security group that is associated with another NIC.

I can't see the virtual networks when I click Accounts.

If you installed the Cloud Workload Security extension and completed registering your accounts, you can see your virtual networks in your accounts when synchronization and assessment are complete.

I can't see all virtual networks in my account.

By default, you can see all virtual networks that have at least one running workload. If your virtual network has no running workloads, it isn't shown. Select Show All on the Accounts panel to see all virtual networks.

I can see some names and some IDs under Virtual Networks and Workloads.

By default, you can see the names of your virtual networks and workloads. If they don't have a name, you can see their IDs.

Which vendor cloud accounts are supported in the Cloud Workload Security dashboard?

Currently, we support AWS and Microsoft Azure cloud accounts. Microsoft Azure classic accounts aren't shown here.

I can't see network traffic for some workloads on the Cloud Workload Security dashboard.

• Network traffic records are available only for AWS workloads.

• If you can't view traffic for your AWS workloads, make sure that you selected Enable Traffic Discovery for your AWS account.

• When creating the IAM role for flow logs for your AWS account, make sure that the name of your role is McAfeeFlowLogger.

My traffic discovery is disabled, but I can still see traffic details for AWS instances.

The data retention period for AWS traffic data is seven days. So you might still see some traffic details until the retention period ends.


How long is the AWS traffic data stored in McAfee ePO?

Data retention period for AWS traffic data is seven days.

Sometimes the Cloud Workload Security screen remains collapsed.

Do a browser refresh using F5.

Can I get a detailed server log file if McAfee Agent deployment fails?

Yes.

• From Menu | Automation | Server Task Log, look for Data Center: Auto Deploy McAfee Agent.

• Select the task with the start date of your deployment task.

• Select a subtask with your system IP address.

Can I get a detailed server log file if any product installation fails?

Yes.

• From Menu | Automation | Server Task Log, search for the "wake up" task that has details about the feature.

• Select the task with the start date of your deployment task.

• Select a subtask with your system IP address.

Does the installation of McAfee Agent or any of the products time out?

If your McAfee ePO server doesn't receive the installation status of McAfee Agent or any of the products, it times out after 60 minutes.

What number is displayed in the tooltip of datacenter, cluster, hypervisor, or workloads?

The corresponding ID of the datacenter, cluster, hypervisor, or the workload is displayed in the tooltip.


Index

A
access protection 31
Amazon Machine Image
  deploying McAfee Agent 49
application control 31
auto responses
  setting up 21

C
change control
  file integrity monitoring status 31

D
default queries, displaying 33
deployment methods
  McAfee Agent 49

E
Endpoint Security
  installing 24

F
firewall
  policies, overview 9
frequently asked questions 53

H
Host Intrusion Prevention
  host firewall status 31

I
installation
  Endpoint Security 24
installing
  McAfee Agent 23

M
manage AWS clients
  McAfee ePO installed on AWS 43
  McAfee ePO installed on-premise 43
McAfee Agent
  installation 23
McAfee ePO-Agent communication
  port access 39

P
policies, firewall
  overview 9
policy
  where to find 10
protection status, displaying 33

Q
queries, Data Center
  default, viewing 33
  pie charts 33
  viewing default queries 33
queries, datacenter
  predefined 31
queries, public cloud
  creating 34

R
reports, datacenter 31
requirements
  other requirements 31
reports, Data Center 31
responses
  managing 22

S
scalability 40

T
threat count
  updating 22
