McAfee ePO Admin Interview Questions & Answers

Q.1  What is McAfee ePO ?

McAfee ePolicy Orchestrator (McAfee ePO) is the most advanced, extensible, and scalable centralized security management software in the industry.

A single console for all your security management.

  • Get a unified view of your security posture with drag-and-drop dashboards that provide security intelligence across endpoints, data, mobile and networks.
  • Simplify security operations with streamlined workflows for proven efficiencies.
  • Flexible security management options allow you to select either a traditional premises-based or a cloud-based management version of McAfee ePO.
  • Leverage your existing third-party IT infrastructure from a single security management console with extensible architecture.

Q.2  Which is latest version of ePO?

The latest version of McAfee products

  •   ePolicy Orchestrator Ver 5.3.1
  •   Virus Scan Enterprise VSE 8.8 Patch 6
  •   McAfee Agent 5.0.1

To determine the ePO version number when you are logged on to ePO:

ePO 5.x: The version number is shown on the left pane of the Menu screen.

You can also determine the version by checking the version information contained within the server.ini file on the ePO server. You can open this file using Notepad.
The default location for the server.ini file is as follows:

…\Program Files\McAfee\ePolicy Orchestrator\DB

Q.3  What are the benefits of ePolicy Orchestrator Software?

ePolicy Orchestrator software is an extensible management platform that enables centralized policy management and enforcement of your security policies.

Using ePolicy Orchestrator software, you can perform these network security tasks:

  • Manage and enforce network security using policy assignments and client tasks.
  • Update the detection definition (DAT) files, anti-virus engines, and other security content required by your security software to ensure that your managed systems are secure.
  • Create reports, using the built-in query system wizard, that display informative user-configured charts and tables containing your network security data.

Q.4 Explain the Important Components of ePolicy Orchestrator Software and what they do ?

These components make up ePolicy Orchestrator software.

  • McAfee ePO server — The Center of your managed environment. The server delivers security policies and tasks, controls updates, and processes events for all managed systems.
  • Database — The central storage component for all data created and used by ePolicy Orchestrator. You can choose whether to house the database on your McAfee ePO server or on a separate system, depending on the specific needs of your organization.
  • McAfee Agent — A vehicle of information and enforcement between the McAfee ePO server and each managed system. The agent retrieves updates, ensures task implementation, enforces policies, and forwards events for each managed system. It uses a separate secure data channel to transfer data to the server. A McAfee Agent can also be configured as a SuperAgent.
  • Master repository — The central location for all McAfee updates and signatures, residing on the McAfee ePO server. The master repository retrieves user-specified updates and signatures from McAfee or from user-defined source sites.
  • Distributed repositories — Local access points strategically placed throughout your environment for agents to receive signatures, product updates, and product installations with minimal bandwidth impact. Depending on how your network is configured, you can set up SuperAgent, HTTP, FTP, or UNC share distributed repositories.
  • Remote Agent Handlers — A server that you can install in various network locations to help manage agent communication, load balancing, and product updates. Remote Agent Handlers are comprised of an Apache server and an event parser. They can help you manage the needs of large or complex network infrastructures by allowing you more control over agent-server communication.
  • Registered servers — Used to register other servers with your McAfee ePO server. Registered server types include:

LDAP server — Used for Policy Assignment Rules and to enable automatic user account creation.

SNMP server — Used to receive an SNMP trap. Add the SNMP server’s information so that ePolicy Orchestrator knows where to send the trap.

Database server — Used to extend the advanced reporting tools provided with ePolicy Orchestrator software.

Q.5  How the ePO software works ?

ePolicy Orchestrator software is designed to be extremely flexible. It can be set up in many different ways, to meet your unique needs.

The software follows the classic client-server model, in which a client system (system) calls into your server for instructions. To facilitate this call to the server, a McAfee Agent is deployed to each system in your network. Once an agent is deployed to a system, the system can be managed by your McAfee ePO server. Secure communication between the server and managed system is the bond that connects all the components of your ePolicy Orchestrator software. The figure below shows an example of how your McAfee ePO server and components inter-relate in your secure network environment.

ePO server components

1 Your McAfee ePO server connects to the McAfee update server to pull down the latest security content.

2 The ePolicy Orchestrator database stores all the data about the managed systems on your network,including:

  • System properties
  • Policy information
  • Directory structure
  • All other relevant data the server needs to keep your systems up-to-date.

3 McAfee Agents are deployed to your systems to facilitate:

  • Policy enforcement
  • Product deployments and updates
  • Reporting on your managed systems

4 Agent-server secure communication (ASSC) occurs at regular intervals between your systems and server. If remote Agent Handlers are installed in your network, agents communicate with the server through their assigned Agent Handlers.

5 Users log onto the ePolicy Orchestrator console to perform security management tasks, such as running queries to report on security status or working with your managed software security policies.

6 The McAfee update server hosts the latest security content, so your ePolicy Orchestrator can pull the content at scheduled intervals.

7 Distributed repositories placed throughout your network host your security content locally, so agents can receive updates more quickly.

8 Remote Agent Handlers help to scale your network to handle more agents with a single McAfee ePO server.

9 Automatic Response notifications are sent to security administrators to notify them that an event has occurred.

Q.6  What is default Console Port of ePO?

Console-to-application server communication port 8443 ( TCP port that the ePO Application Server service uses to allow web browser UI access )

Q.7  What is the default Group policy of ePO?

Until you create additional policies, all computers are assigned the McAfee Default policy.

The McAfee Default policy is configured with settings recommended by McAfee to protect many environments and ensure that all computers can access important websites and applications until you have a chance to create a customized policy.

You cannot rename or modify the McAfee Default policy. When you add computers to your account, the McAfee Default policy is assigned to them. When you delete a policy that is assigned to one or more groups, the McAfee Default policy is assigned to those groups automatically.

The first time you create a new policy, the McAfee Default policy settings appear as a guideline. This enables you to configure only the settings you want to change without having to configure them all.

After you create one or more new policies, you can select a different default policy for your account. In the future, new policies will be prepopulated with these default settings, and the new default policy is assigned to new computers (if no other policy is selected) and groups whose policy is deleted.

Q.8  On which port ePO communicates with client agent?

Agent wake-up communication port SuperAgent repository port: 8081

(TCP port that agents use to receive agent wake-up requests from the ePO server or Agent Handler.
TCP port that the SuperAgents configured as repositories that are used to receive content from the ePO server during repository replication, and to serve content to client machines)

Q.9  What is the purpose of a SuperAgent?

The SuperAgent is an agent with the ability to contact all agents in the same subnet as the SuperAgent, using the SuperAgent wakeup call. Its use is triggered by Global Updating being enabled on the ePolicy Orchestrator (ePO) server, and it provides a bandwidth efficient method of sending agent wakeup calls.

If you operate in a Windows environment and plan to use agent wake-up calls to initiate Agent-server communication, consider converting an agent on each network broadcast segment into a SuperAgent.

SuperAgents distribute the bandwidth load of concurrent wake-up calls. Instead of sending agent wake-up calls from the server to every agent, the server sends the SuperAgent wake-up call to SuperAgents in the selected System Tree segment. When SuperAgents receive this Wake-up call, they send broadcast wake-up calls to all agents in their network broadcast segments.

The process is:

  1. Server sends a wake-up call to all SuperAgents.
  2. SuperAgents broadcast a wake-up call to all agents in the same broadcast segment.
  3. All agents (regular agents and SuperAgents) exchange data with the server.
  4. An agent without an operating SuperAgent on its broadcast segment is not prompted to communicate with the server.

To deploy enough SuperAgents to the appropriate locations, first determine the broadcast segments in your environment and select a system (preferably a server) in each segment to host a SuperAgent. Be aware that agents in broadcast segments without SuperAgents do not receive the broadcast wake-up call, so they do not call in to the server in response to a wake-up call.

Agent and SuperAgent wake-up calls use the same secure channels. Ensure that:

  • The agent wake-up communication port (8081 by default) is not blocked.
  • The agent broadcast communication port (8082 by default) is not blocked.

Q.10  What is McAfee Agent Handler?

Agent handlers are the component of ePolicy Orchestrator that handles communications between agent and server.

Multiple remote handlers can help you address scalability and topology issues in your network, and in some cases using multiple agent handlers can limit or reduce the number of ePO servers in your environment. They can provide fault tolerant and load-balanced communication with a large number of agents including geographically distributed agents.

Q.11  How agent handlers work ?

Agent handlers distribute network traffic generated by agent-to-server communication by assigning managed systems or groups of systems to report to a specific agent handler. Once assigned, a managed system performs regular ASCIs to its agent handler instead of the main ePO server. The handler provides updated site lists, policies, and policy assignment rules just as the ePO server does. The handler also caches the contents of the master repository, so that agents can pull product update packages, DATs, and other necessary information.

NOTE: When an agent checks in with its handler, if the handler does not have the updates needed, the handler retrieves them from the assigned repository and caches them, while passing the update through to the agent.

Q.12  Considerations for scalability ?

How you manage your scalability depends on whether you use multiple McAfee ePO servers, multiple remote Agent Handlers, or both.With ePolicy Orchestrator software, you can scale your network vertically or horizontally.

  • Vertical scalability — Adding and upgrading to bigger, faster hardware to manage larger and larger deployments. Scaling your McAfee ePO server infrastructure vertically is accomplished by upgrading your server hardware, and using multiple McAfee ePO servers throughout your network, each with its own database.
  • Horizontal scalability — Accomplished by increasing the deployment size that a single McAfee ePO server can manage. Scaling your server horizontally is accomplished by installing multiple remote Agent Handlers, each reporting to a single database.

Q.13  When to use multiple McAfee ePO servers ?

Depending on the size and make-up of your organization, using multiple McAfee ePO servers might be required.

Some scenarios in which you might want to use multiple servers include:

  • You want to maintain separate databases for distinct units within your organization.
  • You require separate IT infrastructures, administrative groups, or test environments.
  • Your organization is distributed over a large geographic area, and uses a network connection with relatively low bandwidth such as a WAN, VPN, or other slower connections typically found between remote sites.

Using multiple servers in your network requires that you maintain a separate database for each server.

You can roll up information from each server to your main McAfee ePO server and database.

Q.14  When to use multiple remote Agent Handlers ?

Multiple remote Agent Handlers help you manage large deployments without adding additional McAfee ePO servers to your environment.

The Agent Handler is the component of your server responsible for managing agent requests. Each McAfee ePO server installation includes an Agent Handler by default. Some scenarios in which you might want to use multiple remote Agent Handlers include:

  • You want to allow agents to choose between multiple physical devices, so they can continue to call in and receive policy, task, and product updates; even if the application server is unavailable, and you don’t want to cluster your McAfee ePO server.
  • Your existing ePolicy Orchestrator infrastructure needs to be expanded to handle more agents, more products, or a higher load due to more frequent agent-server communication intervals (ASCI).
  • You want to use your McAfee ePO server to manage disconnected network segments, such as systems that use Network Address Translation (NAT) or in an external network.

Multiple Agent Handlers can provide added scalability and lowered complexity in managing large deployments. However, because Agent Handlers require a very fast network connection, there are some scenarios in which you should not use them, including:

  • To replace distributed repositories. Distributed repositories are local file shares intended to keep agent communication traffic local. While Agent Handlers do have repository functionality built in, they require constant communication with your ePolicy Orchestrator database, and therefore consume a significantly larger amount of bandwidth.
  • To improve repository replication across a WAN connection. The constant communication back to your database required by repository replication can saturate the WAN connection.
  • To connect a disconnected network segment where there is limited or irregular connectivity to the ePolicy Orchestrator database.

Q.15  What is DLP ?

Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

Q.16  What is Endpoint Encryption for PC?

Endpoint Encryption for PC (EEPC) is a computer security system that prevents data stored on a hard drive from being read or used by an unauthorized person. With EEPC, users are forced to identify themselves to the security system when the computer is started. This is done by requiring up to three authentication methods:

  • Password
  • User ID
  • Token (Loaded on a floppy disk or any ISO 7816 smart card)

If the person accessing the computer fails to enter the correct information, EEPC prevents access to the computer as well as the encrypted data stored within. To gain access to an EEPC protected PC when using a smart card, users must insert their card into the reader when the EEPC authentication screen is displayed, then type their password and optional user ID. After the smart card verifies the password and  EEPC has established that the correct token is used, the user is then granted access to the computer.

 Q.17  Is the Event Parser service running?

On the server side, ePO consists of three separate services:

  • The ePO Server service, responsible for the direct handling of Agent-to-Server communication;
  • The Event Parser service, responsible for the insertion of new client-generated events into the ePO database;
  • The ePO Server Application Server service, where all logic takes place and which also allows you to manage ePO.

Under certain circumstances, particularly when there is a problem with the database, it is possible the Event Parser service stops working. This prevents new events from being added to the database, essentially leaving you blind. Check whether the Event Parser service is running and correct any problems if this is not the case.

 Q.18 Explain Tag and Tags functionality in McAfee ePO?

Tags allow users to create labels that can be applied to systems manually or automatically, based on the criteria assigned to the tag.

Similar to IP sorting criteria, you can use tags for automated sorting into groups. Tags are used to identify systems with similar characteristics. If you organize some of your groups by such characteristics, you can create and assign tags based on such criteria and use these tags as group sorting criteria to ensure these systems are automatically placed within the appropriate groups.

Tag functionality:
You can do the following with tags:

  • Apply one or more tags to one or more systems.
  • Apply tags manually.
  • Apply tags automatically, based on user-defined criteria, when the agent calls in.
  • Exclude systems from tag application.
  • Run queries to group systems with certain tags, then take direct actions on the resulting list of systems.
  • Base System Tree sorting criteria on tags to place systems into the appropriate System Tree groups automatically.

Types of tags

There are two types of tags:

  • Tags without criteria – These tags can be applied only to selected systems in the System Tree (manually) and systems listed in the results of a query (manually or on a scheduled basis).
  • Criteria-based tags – These tags are applied to all non-excluded systems at each agent-server communication. Such tags use criteria based on any properties sent by agent. They can also be applied to all non-excluded systems on-demand.

 Q.19  How agent-server communication works ?

McAfee Agent communicates with the McAfee ePO server periodically to send events and, ensure all settings are up-to-date.

These communications are referred to as agent-server communication. During each agent-server communication, McAfee Agent collects its current system properties, as well as events that have not yet been sent, and sends them to the server. The server sends new or changed policies and tasks to McAfee Agent, and the repository list if it has changed since the last agent-server communication. McAfee Agent enforces the new policies locally on the managed system and applies any task or repository changes.

The McAfee ePO server uses an industry-standard Transport Layer Security (TLS) network protocol for secure network transmissions.

When the McAfee Agent is first installed, it calls in to the server within few seconds. Thereafter, the McAfee Agent calls in whenever one of the following occurs:

  • The agent-server communication interval (ASCI) elapses.
  • McAfee Agent wake-up calls are sent from the McAfee ePO server or Agent Handlers.
  • A scheduled wake-up task runs on the client systems.
  • Communication is initiated manually from the managed system (using Agent Status monitor or command line).
  • McAfee Agent wake-up calls sent from the McAfee ePO server.

 Q.20 How often the McAfee Agent calls into the McAfee ePO server ?

The Agent-to-Server Communication Interval (ASCI) default setting is 60 minutes means that McAfee Agent contacts the McAfee ePO server once every hour.

 

Source: McAfee,  dearbytes

37 thoughts on “McAfee ePO Admin Interview Questions & Answers

  1. Hi Madhu.

    This is what exactly I was looking for in the google. Everyone failed to provide the informations I was looking for but this blog gave me everything in one shot. I am looking towards changing the work domain to EPO and getting prepard for the interview. your blog helped me to get my basics right.
    I will be thankful to you if you can share some more informations on this topic which helps me to clear the technical round.

    Thanks

  2. Hi Madhu

    Very happy to get this question from your blog, You know I have also almost 7 years of Exp in this field but I didn’t think like you. Its help People who want to move or change whether they exp or fresher, If you have more question about epo then Please share it. Thank u very much for this blog.

  3. Hi Lakki ,

    Thanks for the crispy information of all the question.. This is totally useful for me looking forward for even more information.. One request please post some more information regarding policies..

    Thanks in advance 🙂
    Subbu

  4. This link is really helpful. Just wanted you to jot down points of difference between super agent and agent handler. That will be highly appreciably. Thank you!!

  5. Hi Good article please add few more

    What is HIPS and how it works ?
    What is FIM and how it works ?
    How MOVE works and how it is different from VSE ?

  6. Hi Mandhu,

    Fantastic!!
    It may helpful if you can include below questions as well
    1. Explain about distributed repositories
    2.If there is any virus outbreak which rule will you create in the ePO to block the spreading the virus in the network
    3.Different scan option available in the McAfee ePO
    4. What is access protection ? What & all can you block in the access protection
    5. Little about disaster recovery?
    6. What are the new features included in the new ePO ver. 5.3
    7.What are the different DB that can support ePO

  7. Hello,
    It is very informative basics,thank you for such an effort.Can you provide more detailed questions about logs, services, ports used in ePO? It will be very helpful

  8. ePolicy Orchestrator supports four (4) types of distributed repositories.

    Consider your environment and needs when determining which type of distributed repository to use. You are not limited to using one type, and may need several, depending on your network.

    Use systems hosting SuperAgents as distributed repositories. SuperAgent repositories have several advantages over other types of distributed repositories:

    FTP repositories

    If you are unable to use SuperAgent repositories, use an existing FTP server to host a distributed
    repository. Use your existing FTP server software such as Microsoft Internet Information Services
    (IIS) to create a new folder and site location for the distributed repository. See your web server
    documentation for details.
    HTTP repositories

    If you are unable to use SuperAgent repositories, use an existing HTTP server to host a distributed repository. Use your existing HTTP server software such as Microsoft Internet Information Services (IIS) to create a new folder and site location for the distributed repository. See your web server documentation for details.
    UNC share repositories

    If you are unable to use SuperAgent repositories, create a UNC shared folder to host a distributed repository on an existing server. Be sure to enable sharing across the network for the folder so that the ePolicy Orchestrator server can copy files to it and agents can access it for updates.
    Unmanaged repositories

    If you are unable to use managed distributed repositories, ePolicy Orchestrator administrators can create and maintain distributed repositories that are not managed by ePolicy Orchestrator. If a distributed repository is not managed, a local administrator must keep it up-to-date manually. Once the distributed repository is created, use ePolicy Orchestrator to configure managed systems of a specific System Tree group to update from it.

    TIP: McAfee recommends that you manage all distributed repositories through ePolicy Orchestrator. This and using global updating, or scheduled replication tasks frequently, ensures your managed environment is up-to-date. Use unmanaged distributed repositories only if your network or organizational policy do not allow managed distributed repositories.

    • Folder locations are created automatically on the host system before adding the repository to the repository list.
    • File sharing is enabled automatically on the SuperAgent repository folder.
    • SuperAgent repositories don’t require additional replication or updating credentials — its account permissions are created when the agent is converted to a SuperAgent.
    TIP: Although SuperAgent broadcast wake-up call functionality requires a SuperAgent in each broadcast segment, this is not a requirement for SuperAgent repository functionality.
    Managed systems only need to “see” the system hosting the repository.
    • SuperAgents and global updating use a proprietary network protocol, SPIPE.
    TIP: McAfee recommends combining SuperAgent repositories and global updating to ensure
    your managed environment is up-to-date.

    1. FAQs for Anti-Virus Scanning Engine 5.x.00
      Technical Articles ID: KB78037
      Last Modified: 1/14/2016
      Rated:

      Environment
      McAfee Anti-Virus (AV) Scanning Engine 5.x.00
      Summary
      This article is a consolidated list of common questions and answers and is mainly intended for users who are new to the product, but can be of use to all users.

      Contents
      General For product information covering miscellaneous topics, troubleshooting.
      Compatibility Interaction between other products, software, or hardware.
      Installation/Upgrade For information about installing, upgrading, or rolling back.
      Functionality Product features and functions.
      New Features Information about new features added to the AV Scanning Engine with the 5.7.00 release.

      General
      What is the AV Scanning Engine?
      The AV Scanning Engine is central to McAfee antivirus software. The AV Scanning Engine uses information contained in the DAT files to identify and take action against viruses. To view FAQs about the daily DAT files, see KB55986.
      It is updated frequently to implement new advances in anti-virus technology and to provide the greatest level of protection against virus threats. The Scan Engine consists of a single file (mcscan32.dll) that contains the program logic to do the following:

      Scan files at particular points
      Process and pattern-match virus definitions with data it finds within scanned files
      Decrypt and run virus code in an emulated environment
      Apply heuristic techniques to recognize new viruses
      Remove infectious code from legitimate files

      Where can I download the latest Engine-only or Engine/DAT SuperDAT?

      To download a DAT, Engine, XDAT, or Stinger, go to http://www.mcafee.com/apps/downloads/security-updates/security-updates.aspx.

      You might need to download these if your automated update fails or if you want to use an ExtraDAT on an infected system.

      Where are the minimum specifications published?
      The minimum specifications are published as part of the readme.txt shipped within the Engine packages.
      NOTE: These are minimum specifications for the Engine only and do not include any allowance for the point product.

      How can I verify the Engine’s VeriSign certificate?
      For steps to complete this task, and to learn more about the AV Scanning Engine and its digital signature, see KB52425.

      When a new Engine is released, how long before the previous Engine End of Life (EOL) is set?
      Support for the existing AV Scanning Engine is continued for a limited period before the AV Scanning Engine End of Life (EOL) is determined. For information on the End of Life policy and the currently supported Engines, see:
      http://www.mcafee.com/us/support/support-eol-scan-engine.aspx

      Is it important to keep my Engine and DAT files up-to-date?
      Updating your DAT files on a daily basis is essential to the security of your environment. Keeping your Scan Engine up-to-date is just as important. Architectural changes to the way the AV Scanning Engine and DAT files work together make it critical for you to update your AV Scanning Engine. An old Engine will not be able to detect some threats.

      Back to Contents

      Compatibility

      What products use the AV Scanning Engine?
      The following products use the AV Scanning Engine and DAT files:

      AntiSpyware Enterprise
      Anti-Virus Scanning Engine
      Email and Web Security Appliance Software
      GroupShield for Exchange
      LinuxShield
      PortalShield
      SaaS Endpoint Protection
      Security for Lotus Domino
      Security for Mac
      Security Service for Exchange
      Security for SharePoint
      SuperDAT Manager
      VirusScan Command Line Scanner
      VirusScan Enterprise
      VirusScan Enterprise for Linux
      VirusScan Enterprise for Offline Virtual Images
      VirusScan Enterprise for SAP
      VirusScan for Mac
      VirusScan for UNIX
      Back to Contents

      Installation/Upgrades
      When a new Engine release occurs, how do I prevent the AutoUpdate of the Engine for my products to allow me to test this first on a limited number of systems?
      Each product is handled differently. To learn how to prevent a product from automatically updating to the latest posted Engine, see KB66741.

      An update to the latest Engine update has failed, leading to no virus detections. How do I roll back the Engine to the previous supported version?
      Each product is handled differently. For a list of articles that cover how to roll back the AV Scanning Engine, see KB66741.

      Why are the Anti-Malware Incremental Engine updates first available for manual download before being posted for products to AutoUpdate?
      McAfee Labs first releases the Anti-Malware Incremental Engine updates for elective download. This allows you to download Engine packages for manual installation over a period of three months. In this period, the daily SuperDAT files (SDAT and XDAT) continue to update the old Engine version. After the three-month period, the Engine is put on an AutoUpdate posting. This means that your point product will automatically update to the new release. The old Engine reaches end of life six months after elective downloads begin.

      Back to Contents

      Functionality
      Why does the Engine require TCP/IP support?
      The Engine requires TCP/IP support to enable Global Threat Intelligence and other technologies.

      How do I determine if a Hardware/Software combination is a supported configuration, if the details of all of the components is not information I have?
      If the device has a networking adapter supported by the OS, the minimum component configuration will have been met. The other hardware-related components must meet the minimum retail configurations as published by the AV Scanning Engine team.

      Are any of the standard templates supported?
      If the standard template includes support for TCP/IP and its dependencies, it will be a supported configuration. The following is a list of XP Embedded templates that are supported:

      Advanced Set Top Box – With a minimum of options to include: TCP/IP Networking with File Sharing and Client For MS Networks
      Home Gateway – With a minimum of options to include: TCP/IP Networking with File Sharing and Client For MS Networks
      Information Appliance – With a minimum of options to include: TCP/IP Networking with Client For MS Networks
      Kiosk/Gaming Console – With a minimum of options to include: Basic TCP/IP Networking
      Network Attached Storage – With a minimum of options to include: TCP/IP Networking with File Sharing and Client For MS

      Back to Contents

      New Features
      5800 Release information:
      RTW (for elective download) on September 3, 2015
      Auto-update January 20, 2016

      Introduced in 5.8.00
      The 5800 Anti-Malware Engine will succeed the current 5700 Engine and includes the following improvements:
      Detection and Performance enhancements
      Enhancements to Portable Document Format (PDF) format to improve exploit detection capabilities
      Improved handling of Windows Executable format
      Improved unpacking of .NET, Shockwave Flash, Visual Basic for Applications, and generic unpacking improvements to detect more threats
      Enhancements to live memory scanning in Windows for detecting and removing malicious processes, threads, and files
      Performance optimizations around initialization and scanning
      Platform enhancements
      Supported platforms: Windows 10, FreeBSD 10.x, Solaris 11 for SPARC
      End of Life (EOL) platforms: IBM AIX 5.3, FreeBSD 7.x, Solaris 8 on SPARC, and Linux Kernel 2.4
      System requirements disk space and memory
      At least 512 MB of free hard disk space
      At least an additional 512 MB of free hard disk space reserved for temporary files
      At least 512 MB of RAM for scanning operations (1024 MB recommended)
      At least 1024 MB of RAM for updating operations
      NOTE: VSE 8.7i endpoints must have VSE 8.7i Patch 5 + Hotfix 1038699 or later to install the 5800 Anti-Malware Engine. For details, see the readme file in the zip attached to this article, VSE87_P5_HF1038699.

      Introduced in 5.7.00
      NOTE: This engine reaches EOL on February 29, 2016.

      The 5.7.00 AV Scanning Engine release introduced the MXRay (Memory-Xray) Scan functionality. MXRay Scan provides live memory scanning on Windows (X32 and X64) for detecting and removing malicious processes, threads, and files.
      What does the MXRay Scan do?
      This new Engine technology allows both On-Access and On-Demand products to perform complex, specific, and advanced searches for malware that is currently active as a process in memory. In addition, the Engine looks for traces or parts of the malware in other areas, such as on the disk or in the registry. This integrated approach allows the Engine to remove infected threads from all affected processes, limiting the effectiveness of malicious process-injection techniques.

      How does the MXRay Scan work?
      Most malware today uses packers/compressors/encryption techniques to evade AV product detection, but in memory, all malware runs as unpacked objects. The malicious component can be identified easily.

      VirusScan has a “Running Processes” scan option, but it only runs On-Demand. The MXRay Scan can be triggered at any point through the DATs, and runs on both On-Demand and On-Access scans. The MXRay creates memory objects which can be used when authoring a signature. These memory objects are scanned with specific detection patterns to identify the malicious or infected strings within a defined memory range.

      Based on the detection triggered, appropriate cleaning action is taken on the infected system. The cleaning actions include Thread, Malicious memory modules, and files on disk.

      Are detections from MXRay Scans reported differently than normal detections?
      Yes. MXRay-based detection will have !mxr appended to the detection name, e.g. PWS-Zbot!mxr.

      Existing memory signatures traditionally have !mem appended to the detection name, e.g. PWS-Zbot!mem.

      Does the 5700 scan engine support Windows 10?
      Yes. The 5700 scan engine supports Windows 10, provided the product using the scan engine supports Windows 10. For example, VirusScan Enterprise 8.8 with the 5700 scan engine supports Windows 10 if patch 6 is also installed.

  9. Hello Subesh, the questions you listed below are awesome, I was kindly asking if you can also post their consecutive answers to. I might be asking for a lot but the little help will be greatly appreciated so much. Or if anyone who wants to help- feel free to do so too.

    It may helpful if you can include below questions as well
    1. Explain about distributed repositories
    2.If there is any virus outbreak which rule will you create in the ePO to block the spreading the virus in the network
    3.Different scan option available in the McAfee ePO
    4. What is access protection ? What & all can you block in the access protection
    5. Little about disaster recovery?
    6. What are the new features included in the new ePO ver. 5.3
    7.What are the different DB that can support ePO

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s