PD27093

UPGR ADE PROJECT DEPLOYMENT GUIDE
McAfee Endpoint Security 10.x

Table of Contents
3 Introduction 25 Test
3 Audience 26 Recovery
4 Methodology 26 Installation
4 Plan 28 Configuration
5 Planning Checklist 30 Upgrade
5 Project Success 30 Validation
8 Technology Implementation 31 Implement
12 Solution Validation 32 Recovery
15 Ongoing Operations 32 Installation
18 Design 33 Deployment
18 Solution Integration 34 Validation
20 Design Principles 35 Appendix
21 Design Validation 35 Plans and Tracking Sheets
22 Assess 38 Examples
22 Technical Review 43 Technical Information
46 About McAfee
2 McAfee Endpoint Security 10.x

McAfee Endpoint Security 10.x
Introduction
This document serves as a recommended approach to planning and executing an upgrade
from McAfee legacy endpoint security products to McAfee® Endpoint Security 10.x.
It can also serve as a general guide for planning new deployments of McAfee Endpoint
Security 10.x.
This guide is derived from McAfee Professional Services, based on current methodology
incorporated into field engagements for endpoint software upgrades from any or all of the
following McAfee endpoint legacy products: McAfee® VirusScan® Enterprise 8.8, McAfee®
Host Intrusion Prevention 8.0, and McAfee® SiteAdvisor® Enterprise 3.5.
Audience
The intended audience for this outline is administrators who are experienced with McAfee endpoint security
products. It is not intended to be a comprehensive solution document, containing detailed supporting information.
McAfee recommends that project participants refer to this document as supplemental to their own guidelines and
requirements for software deployment within their environment.
Questions or requests for detailed information on steps outlined in this summary should be directed to McAfee
subject matter experts within your organization. You can obtain additional information from the McAfee Knowledge
Center and McAfee Communities. Contact McAfee Technical Support for further assistance.
Connect With Us

Methodology Plan Design Assess Test Implement

This software upgrade project follows a methodology
that includes the following phases: Plan
Successful software deployment projects, including
Plan Design Assess Test Implement upgrades, start with a thorough planning exercise.
Upgrade project plans can differ widely, depending on
Plan: Lay the groundwork for a successful your environment and complexity.
implementation by establishing the teams that will To ensure overall project success, start by identifying
be involved in the upgrade, listing out business and key stakeholders who will provide input during the
technology goals, and capturing all the information project. Project teams should be made up of members
required for a successful upgrade. representing various interests across your organization.
Design: Take all the information that was gathered in Solution validation should be assessed initially in
the Plan phase and use it to create a valid design for the non-production testing environments, and again in
new network infrastructure. production environments using small, manageable
Assess: Evaluate your current production environment pilot groups that are representative of the production
configuration to provide guidance and recommendations environment. This will help ensure that critical business
for the upgrade. operations are not impacted.
Test: Test the newly designed policies and configuration The Planning Checklist identifies a set of initial
to ensure that they work as designed. considerations to assist you with upgrade planning.
The decisions you make should be documented for use
Implement: After successfully validating your design, during the subsequent Design, Assess, Test.
roll out the upgrade across all intended endpoints.
This document is structured to follow these five steps,

to ensure you have a successful upgrade experience.
We also offer a more detailed checklist in the Appendix,
where you can view and check off detailed steps within
each of the five steps.
Note: You can find the complete Upgrade Project

Planning Checklist on page 35 in the Appendix.

Planning Checklist Project Success

Plan Project success can and should be determined by
quantifiable metrics, measuring benefits or impediments
Prepare for: By taking these steps:
to the organization. It is critical that initial planning
■
Identify business applications, determines and outlines the business objectives and
administrators, and application owners intended security requirements for the organization.
■
Determine project and business objectives
Review security requirements Identify business applications and their owners and
Project
■
Success ■
Identify endpoints for the initial pilot administrators
deployment
Project planning discussions should include business
Discuss end user communications
critical application administrators and application
■
Identify additional planning topics

owners to determine how your McAfee security solution
■
■
Discus product features might affect these key stakeholders.
Learn about solution relationships
The project manager should identify enterprise
■
■
Review supported platforms
applications and their owners, and maintain a
Technology ■
Discuss supported McAfee Agent versions
Implementation stakeholder register as necessary. This will help the
■
Consider integration with other McAfee
solutions application owners understand the potential impact
■
Review conflicts with existing products of the migration and validate the functionality of their
■
Determine the implementation process software after McAfee Endpoint Security is deployed.
■
Establish business application testing Note: You can find an Application Owner’s tracking
procedures
sheet on page 38 in the Appendix.
Solution ■
Determine performance testing and baseline
Validation
metrics
■
Plan McAfee application validation testing
■
Identify current security management
practices
■
Review change control processes
■
Develop back-out and recovery plans
Ongoing
Operations
■
Discuss software updates
■
Document McAfee ePolicy Orchestrator
reporting requirements
■
Review corporate security policies and
supporting documentation

Determine project and business objectives Identify endpoints for the initial pilot deployment
Project participants should clearly identify the project Identify a set of endpoints that will be part of the initial
and business objectives. A common business objective pilot deployment. It is recommended that you use a
is to improve security by applying technical safeguards variety of endpoints that are representative of your
that enforce policies. Ensure that your company’s overall environment.
information security strategy aligns with its strategic
■ Determine the operating system platforms to be
objectives.
managed (such as Windows, Mac, Solaris, etc., as
You can get the conversation started by asking the supported by the product).
project participants these questions: ■ Determine groups for type of endpoints: workstations
1. What are our success criteria for the Endpoint or servers, remote users or VPN, etc. The scope of
Security Upgrade Project? your project may be limited to only workstations, only
servers, or both.
2. Have we identified any business risks concerning the
project?
■ Verify that McAfee Agent deployment credentials for
each platform are available.
3. How can the results of this project make our
organization more effective?
■ Record the list of hostnames on a pilot endpoint
planning sheet.
Review security requirements
Note: You can find a Pilot Endpoint Plan tracking sheet
Review specific use cases and core product capabilities
on page 37 in the Appendix.
as needed to ensure policy configurations will meet your
organization’s defined security requirements.
Review different policy configurations:

■ For workstations and servers
■ For server role/function
■ For functional user groups
■ For specific enterprise applications
■ For LAN or remote VPN users

Discuss end user communications Identify additional planning topics

Users, administrators, and internal support personnel Review and identify any additional planning topics
(including help desk staff) will need to understand the that may be unique to the environment, such as the
potential impact of the Endpoint Security modules. network architecture. These topics should focus
It’s likely that this upgrade will introduce new security on project success and related business outcomes.
functionality into the organization. Implementation, solution validation, and operational
topic discussions will happen later in the upgrade
You should determine if:
process.
■ The organization has identified end users for testing
Some additional topics to consider include:
as part of the pilot deployment.
■ End users have been notified about the project and
■ Change control process and lead time to establish
the deployment timeline. change control windows
■ End users have been informed about how to report
■ Training requirements and kick-off for pilot user group
any suspected problems. ■ Network traffic diagrams for critical applications
■ Critical infrastructure servers (such as Active Directory,
SQL and DHCP servers)
■ List of vendor recommended exclusions
Note: Review technical article McAfee KB66909 in the

McAfee Knowledge Center, “Consolidated list of Endpoint
Security/VirusScan Enterprise exclusion articles.”

Technology Implementation
Before starting the technology implementation, Key Resources
you’ll want to confirm you understand the solution’s
capabilities, know which modules you’ll be implementing, McAfee Endpoint Migration Endpoint Upgrade Assistant
and be clear on the features of those modules. Assistant McAfee Endpoint Upgrade Assistant is a
McAfee® Endpoint Migration Assistant is McAfee ePO console extension that simplifies
Discuss product features a McAfee® ePolicy Orchestrator ® (McAfee and automates the tasks required to upgrade
ePO™) console extension that walks you the McAfee products on your managed
Review McAfee Endpoint Security features, capabilities,
through the migration process. You can let endpoint. Endpoint Upgrade Assistant
and operational functionality. Endpoint Migration Assistant migrate all minimizes the number of upgrade tasks and
your settings and assignments automatically, ensures product interoperability.
Determine which modules or core features you will be
based on your current settings and new Refer to McAfee Enterprise Product
implementing for Endpoint Security: Threat Prevention,
product defaults, or you can select and Documentation and McAfee Endpoint
Adaptive Threat Protection, Firewall, and Web Control or configure them manually. Upgrade Assistant Product Guide for
McAfee Client Proxy. Use Endpoint Migration Assistant to migrate guidance on installing Endpoint Upgrade
product settings where a supported legacy Assistant extension to the McAfee ePO
■ Review technical article McAfee KB86704 in the
version of a product module is installed. console and understanding:
McAfee Knowledge Center, “FAQs for Endpoint
Endpoint Migration Assistant ensures that ■
The Overview tab, to assess current
Security.” the settings in your legacy policies are moved endpoints in the environment
■ Review Endpoint Security product, installation, and to the correct policies in Endpoint Security. ■
The Prepare tab, to verify correct
migration guides, plus release notes for further In some cases, they are merged with other prerequisites have been met
Endpoint Security settings, and in others, The Deploy & Track tab, to configure,
information. ■
new default settings are applied to support deploy, and track the status of upgrade
updated technologies. tasks
Refer to the Endpoint Security 10.x
Migration Guide for information on:
■
Installing the Endpoint Migration Assistant
extension to the McAfee ePO console
■
Migrating policies automatically
■
Migrating policies manually
■
Mapping migrated policies (old solution to
Endpoint Security 10.x)

Learn about solution relationships

Review the relationship between the McAfee Endpoint Security 10.x modules and legacy endpoint security solutions.
Endpoint
Security 10.x Replaces Description
Module
Detects threats in real-time, leveraging McAfee® Global Threat Intelligence (GTI)

McAfee® VirusScan®
and AMCore security content files.
Enterprise 8.8, and
Threat
Prevention
McAfee® Host Intrusion Layered protection includes anti-malware scanning, script scanning, Access
Prevention IPS security Protection and Exploit Prevention.
protections Enhanced Remediation and Credential Theft Protection.
Optional Endpoint Security module that analyzes content from your enterprise
Adaptive McAfee® Threat and decides what to do based on file reputation, rules, and reputation
Threat Intelligence thresholds. Includes RealProtect and Dynamic Application Containment.
Protection module for VSE
Story Graph.
Integrated, stateful firewall that dynamically inspects traffic on the network,

blocking malicious or undesired traffic.
McAfee® Host Intrusion
Firewall Policy configuration features include: trusted networks, trusted/untrusted
Prevention Firewall
executables, Location Aware Groups, connection isolation, and timed firewall
groups for end-user VPN connections.
Updated Web Control browser toolbars improve user experience. Integration of

Web Control with Threat Prevention using McAfee® Global Threat Intelligence
Web
Control
McAfee® SiteAdvisor ensures users have safe, reputable, web browsing, and secure browser file
downloads. Web Control notifies users of threats while they search or browse
websites.
McAfee
Client Proxy
Optional component that integrates with McAfee® Web Gateway
For more information on McAfee Endpoint Security components, refer to the product guide.

Discuss supported platforms Consider integration with other McAfee solutions

Review your existing infrastructure and identify McAfee Endpoint Security integrates with McAfee®
endpoints you’re considering for the project. Threat Intelligence Exchange (TIE), Data Exchange Layer
(DXL), and McAfee® MVISION Endpoint Detection and
■ Review technical article McAfee KB82761 in the
Response (EDR) to provide a comprehensive security
McAfee Knowledge Center, “Supported platforms,
solution.
environments, and operating systems for Endpoint
Security.” This article is updated frequently as new ■ When installed and configured, TIE reputations are
operating systems, browsers, and virtualization leveraged by all McAfee Endpoint Security modules
technologies are released. to assist in verifying security threats throughout your
■ Identify which operating systems, virtualization entire infrastructure.
technologies, and internet browsers are in use within ■ TIE reputations are also leveraged directly by McAfee
your environment. Endpoint Security Adaptive Threat Protection/Dynamic
Application Containment to determine whether
Discuss supported McAfee Agent versions containment rules should be triggered.
Supported McAfee Agents include McAfee 5.6.x and
above. It’s recommended that you deploy the most If McAfee Threat Intelligence Exchange is already
recent Update (formerly, patch) version, so determine deployed for legacy products, the upgraded endpoints
if your version McAfee Agent will need to be upgraded. will be upgraded when the McAfee Endpoint Security
You can find information on McAfee Agent versions in 10.x Adaptive Threat Protection 10.x module is installed.
technical article KB51573 in the McAfee Knowledge
Review conflicts with existing products
Center.
Technical article KB85522 in the McAfee Knowledge
Center provides a detailed list of third-party security
products that can be removed by the McAfee Endpoint
Security installer, when McAfee Endpoint Security is
installed. You’ll also want to identify other security
products within your environment and determine if
there are any known uninstall or interoperability issues.

Determine how software will be deployed to managed

Identify if Endpoint Security product removal is supported. clients:
■ Deployment through McAfee ePO console
In a test environment, attempt to install ENS. ■ Deployment through a third-party application (such as
Microsoft SCCM, KACE, Altiris, etc.)
Verify whether or not the other security product was

■ Use of Endpoint Security Package Designer (if desired).
cleanly uninstalled. For information about installing and using Package
Designer, see technical article KB86438 in the McAfee
If remnants of a supported product are present, contact Knowledge Center.
McAfee Technical Support.
McAfee ePolicy Orchestrator repository
Figure 1. Workflow to Identify and Remediate Other Security Products considerations
Review the McAfee ePolicy Orchestrator Distributed
Repositories and methods used to populate
Note: The Endpoint Security 10.x Installer may not able
repositories.
to successfully remove all security products. Refer back
to technical article KB85522. ■ Navigate to Menu > Distributed Repositories
You’ll need to discuss any known operating system

■ Verify that your listed distributed repositories are listed
incompatibilities and review technical article KB82450 in ■ Verify that your repositories are providing access with
the McAfee Knowledge Center, “Endpoint Security 10.x the “Repositories and Percentage Utilization” report in
Known Issues.” Queries & Reports
Determine the implementation process Peer-to-Peer (P2P) updating considerations

Components within the infrastructure will change during Review the Peer-to-Peer updating ability of the McAfee
the McAfee Endpoint Security implementation. Review Agent. This Peer-to-Peer setting is managed in the
processes to successfully recover or revert components McAfee Agent General policy. In nearly all circumstances,
to their prior condition, should any implementation Peer-to-Peer updating reduces the load on the
failures occur. distributed ePolicy Orchestrator repositories and
enables software and content to be distributed more
quickly.

Endpoints that are not good candidates for P2P are: Solution Validation
■ Laptops that spend the majority of their time Prior to installation, determine the application testing
connected via VPN practices for your organization. It’s imperative that
you understand any existing business application
■ Fixed-function machines that have extremely limited
testing that needs to be performed, which may require
spare processing cycles
additional support (such as Exchange, SharePoint,
Endpoints that may be good candidates for P2P are: database applications, VPN, etc.)
■ Physical or virtual machines in the datacenter. These Establish business application testing procedures
machines typically have an extremely high bandwidth Best Practices
connection to a McAfee ePolicy Orchestrator McAfee recommends that:
repository, so bandwidth costs are very low.
1. You perform the initial installation or upgrade in a lab,
■ Physical or virtual machines at a remote site development, or other non-production environment
that is representative of your production environment.
Follow these steps for Peer-to-Peer updating:
2. IT application administrators and business application
1. Review performance metrics, both before and after users perform any existing application tests prior to
P2P is enabled, to establish a baseline and the actual the full production rollout.
load of the P2P process. Work with your network
3. During the technical implementation, you use a
admin and monitor traffic via Wireshark or a similar
phased deployment approach. This typically begins
Trace program to complete this task.
with a series of pilot deployments that bring IT and
2. Enable P2P on a subset of workstations. Document how business units together.
many nodes are in these specific broadcast domains.
4. Your environment’s Service Desk personnel should
3. Review performance metrics. be involved as early as possible to gain valuable
4. Continue deploying P2P to additional sites and review experience needed to provide support for your
their performance. organization.
If your organization hasn’t defined functional application

testing practices, it’s recommended that you create a basic
set of practices, based on current industry standards.

A basic functional application testing process should Before and after installing McAfee Endpoint Security,
include: consider measuring:
■ Organization-specific testing procedures (what testing ■ Average time for endpoint startup
is done for other applications being rolled out to ■ Average time for user logons
users?)
■ Average CPU utilization
■ Basic tests that need to be performed (such as
■ Business application-specific performance metrics
Windows updates, enterprise application use, etc.).
■ A testing methodology or testing scripts to produce The tests and benchmark indicators need to be
repeatable tests consistent for both testing environments.
■ Preparation of your test environment McAfee® Endpoint Security Scan Avoidance is the
■ Installation of the appropriate software most efficient way to ensure optimal performance on
the endpoint. This feature, which is only available in
■ Testing and analysis of the results
McAfee Endpoint Security, leverages the AMCore Trust
■ Resolution of application issues, should any arise
Model to help recognize when a scan is not necessary.
Determine performance testing and This mechanism provides the greatest performance
baseline metrics increase because it not only indicates whether a scan is
necessary early in the scan workflow, but also has longer
Prior to installing McAfee Endpoint Security, determine
term relevance because cached Trusted + Clean results
whether application performance testing baseline metrics
survive an AMCore Content update, whereas Clean
exist for legacy security products within your organization.
results alone will not.
You must be sure you understand existing performance
issues, which should be baselined prior to installing In the new AMCore performance model, the strategy
McAfee Endpoint Security. You also must identify the is based around the notion of an “actor.” An actor is
performance testing benchmarks to be measured before defined as a running process and its state of trust can
and after upgrading to Endpoint Security. be one of three values:
■ Suspicious
■ Normal
■ Trusted

An actor is trusted when it has come from a trusted Plan McAfee application validation testing
origin or is directly related to a trusted package. Discuss and review the high-level activities that will
be performed for your McAfee Endpoint Security
Note: For more information, please review the
deployment and validation testing for your McAfee
white paper, “Understanding Next-Generation
application. These activities are designed to validate
Performance Models.”
that the solution is working as designed, and are not
McAfee Endpoint Security includes a policy setting intended to fulfill or replace existing requirements for
that allows the administrator to trust certain third- the validation of your critical business applications.
party certificates. These certificates are from third-
Endpoint Security validation tests
party software that client endpoints have identified
Validation tests ensure that your McAfee Endpoint Security
and reported back to the McAfee ePolicy Orchestrator
product is capable of blocking/monitoring activity and
software. Once trusted, file access by trusted processes
producing logs/events that are viewable on your client
and of trusted files will benefit from the performance
endpoint and from the McAfee ePolicy Orchestrator
optimization provided through Scan Avoidance.
console. Validation tests should be created for all McAfee
McAfee recommends that you review your legacy Endpoint Security modules and features you plan to deploy.
policies to decide whether they are relevant to the
Tests may include, but are not limited to:
new McAfee Endpoint Security scan optimization
architecture. By default, McAfee Endpoint Security ■ On Access Scanning—EICAR Test
includes an optimized “Let McAfee Decide” option for ■ Viewing the Quarantine Folder
On-Access Scanning. For more information, see technical ■ Exploit Prevention—Hidden PowerShell Detected
article KB88205 in the McAfee Knowledge Center, “How ■ Dynamic Application Containment
to improve performance with Endpoint Security 10.x.” ■ Firewall policy block/allow
■ Web Control
Note: You can view examples of these tests on page 39

and examples of the McAfee ePolicy Orchestrator
reporting formats on page 38 in the Appendix.

Ongoing Operations It is assumed that all changes to non-production

To ensure your ongoing operations will function environments do not need a change control. It is
smoothly, you need to first review your existing assumed that all changes to the production environment
processes and procedures for performing the migration, will need a change control.
as well as for performing future updates. A list of changes that will need to take place include:
Identify current security management practices ■ Installation of McAfee Endpoint Security-related
McAfee recommends that you identify existing extensions on the McAfee ePolicy Orchestrator server.
processes for: ■ Installation of McAfee Endpoint Security-related
■ Event or change management packages on the McAfee ePolicy Orchestrator server.
■ Incident response—What are your procedures for ■ Creation/modification of policies on the McAfee
responding to incidents? ePolicy Orchestrator server.
■ Operations—What portion of your business will be ■ Deployment of software to nodes in the production
responsible for the day-to-day operations of the environment.
McAfee ePolicy Orchestrator application and/or any of
Develop back-out and recovery plans
the applications that the McAfee ePolicy Orchestrator
solution will be managing? This will tie into the users Be sure to develop a back-out and recovery plan in the
and permissions discussion. event of unforeseen issues or installation failures. This
is particularly important when installing on shared file,
■ Maintenance—What are your maintenance windows
application, or database servers.
and how will you coordinate maintenance?
■ Governance and compliance—Which groups within In addition, verify:
your organization are currently addressing compliance ■ Access to the original installation software for
within your environment? operating system, database, and/or other applications
Review change control processes ■ VM snapshots or backups of any existing application
Review and verify the applicable change control server and SQL databases
procedures. Discuss options and impacts to address
existing change control processes and procedures
within your environment.

Discuss software updates Adaptive Threat Protection- Scanner and rules

■ Contains rules to dynamically compute the reputation
You can use the McAfee Support Notification Service
(SNS) to provide alerts regarding Hotfixes, Updates, and of files and processes on the endpoints. McAfee
other notifications relating to Endpoint Security 10.x. releases new Adaptive Threat Protection content files
The Support Notification Service (SNS) delivers valuable every two months.
product news, alerts, and best practices to help you
Real Protect - Engine and content
increase the functionality and protection capabilities of
■ Contains updates to the Real Protect scan engine
your McAfee products.
and signatures based on results of ongoing threat
Note: It is recommended that you review the release research. Real Protect is a component of the optional
notes for the current patch for McAfee Endpoint Security Adaptive Threat Protection module.
10.x and for the current version of McAfee Agent.
Exploit Prevention content package
Discuss and review McAfee Endpoint Security content McAfee Labs releases Endpoint Security Exploit
updates to understand the importance of testing Prevention signature content on the second Tuesday of
updates prior to a full production deployment. Refer to every month. Monthly Exploit Prevention content release
the “How content files work” section of the Endpoint notes can be found here.
Security 10.x Product Guide to review the types of
content McAfee Endpoint Security uses. The Exploit Prevention content package includes:
AMCore content package

■ Memory protection signatures - Generic Buffer
McAfee Labs releases AMCore content packages daily by Overflow Protection (GBOP), caller validation, Generic
7:00 p.m. (GMT/UTC). To receive alerts regarding delays Privilege Escalation Prevention (GPEP), and Targeted
or important notifications, subscribe to the Support API Monitoring.
Notification Service (SNS). See technical article KB67828 ■ Application Protection List - Processes that are
in the McAfee Knowledge Center. protected by Exploit Prevention. Exploit Prevention
content is similar to the McAfee Host IPS content files.
The AMCore content package includes:
Review corporate security policies and supporting
AMCore - Engine and content documentation.
■ Contains updates to the Threat Prevention scan engine
and signatures based on results of ongoing threat

research

Document reporting requirements

Corporate security policies and
During this step of the project, you should clearly supporting documentation
identify and document the reporting requirements of
your business units. Each of your business units should These documents communicate
Policies,
management’s direction for reducing risk
fully document their own reporting requirements. These standards,
and establishing the control framework.
requirements should identify: guidelines,
■
Acceptable use of assets
and related
Access controls
Purpose of the report practices and
■
■
procedures Malware prevention, detection, and correction

Permissions to run reports
■
■
Information and endpoint backup

Access to related data
■
Security logging and monitoring

Scheduling requirements (especially what frequency is
■
■
■
Change control
required for individual reports)
■
Management of technical vulnerabilities
■ Report distribution requirements −
Endpoint Update management
You’ll need to determine if there is an established −

Update testing procedures
process for requesting reports. This process should

■
Secure endpoint engineering principles and
requirements
include a review of the requirement, approval, creation −
Endpoint hardening and configuration
of the reports, and acceptance from the requesting standards
party that the reports will satisfy the requirements. You’ll −
Firewall policy documentation
want to ensure that the solution is reporting on: ■
Endpoint acceptance testing
■
Information security continuity
■ The status of the security solution within the ■
Data retention and disposal policies
environment, for example identifying the versions of
McAfee Security software that are installed, identifying As-built For the security solutions and platforms
the latest policy being enforced, etc. documentation related to the implementation:
Endpoint hardening and configuration standards
Compliance of the enterprise with your security
■
■
Network segmentation and configuration

standards
■
standards
■ Reporting on risk and risk mitigation within the ■
Database server hardening and configuration
enterprise standards
■ Incidents, for example, violations of rules, malware, ■
Network diagrams
etc. ■
End-user computing configuration standards, for
example, gold disk images
■ Incident response, for example providing information
on how the applications reacted to incidents Figure 2. Review corporate security policies and supporting
(quarantined, blocked, would have been prevented, etc.) documentation.

Learn about the McAfee solution architecture

Plan Design Assess Test Implement
Project participants and stakeholders should possess
a high-level understanding of the McAfee Endpoint
Design
Security Platform. Stakeholders should discuss how the
Project participants should discuss the current network total solution addresses their security use cases.
and endpoints architecture to facilitate design and
implementation of your McAfee security solution. How McAfee Endpoint Threat Protection defenses
work together
Design
Use case
Solution
■
Learn about the McAfee solution architecture
Integration Client UI
■
Review the endpoint architecture Download of a malicious file from the web
■
Identify required network infrastructure A file hash is sent from Web Control to Threat
services and McAfee network services Prevention, triggering an ODS
■
Understand the role of registered servers Malicious files are detected and blocked before they Web Control Firewall
have full access to the system McAfee
Design
■
Determine users and groups ePO
Forensics data is captured (Source URL, file hash, Threat
Principles Establish roles and responsibilities
■
etc.) Prevention ATP
■
Review known issues Event data is shared with other modules and McAfee
Design
ePO and is visible in the client UI ENS Collaborative Framework
Validation ■
Verify that the installation environment meets
specifications
■
Confirm pilot endpoints configuration
■
Verify accounts and permissions Project participants can download the Endpoint Threat
Protection data sheet located on https://www.mcafee.
Figure 3. Design Checklist
com/enterprise/en-us/assets/data-sheets/ds-
endpoint-security.pdf. This will provide a high-level
Solution Integration review of McAfee Endpoint Security and its related
During this phase of the migration process, the components.
main goals are to ensure that all project participants
understand the McAfee Endpoint Security platform, how
it connects to the network infrastructure, and confirm
the high-level design of the newly configured network.

Review the endpoint architecture Identify required network infrastructure services

and McAfee network services
Security Management
Besides standard network infrastructure services, it is
McAfee ePO Agent
Client UI important to understand the McAfee network services.
Protocol
McAfee Endpoint Security leverages the existing ports
Adaptive
Threat that have been configured in your McAfee ePolicy
Firewall Web Control Threat
Prevention
Protection Orchestrator environment.
Default
On access Stateful Site ratings File Protocol Traffic Direction
Port
■ ■ ■ ■
scanner firewall reputation

■
Site
Access Adaptive categorization TIE/DXL
Outbound connection to the
■ ■ ■
protection mode integration

■
Browser 80 TCP McAfee ePolicy Orchestrator
■
ScripScan ■
DNS plugin ■
Real server/Agent Handler.
blocking protect
■
Exploit
protection ■
Dynamic
application
Outbound connection to the
■
On-demand 443 TCP McAfee ePolicy Orchestrator
containment
scanner
server/Agent Handler.
■
Enhanced
■
Exploit
Remediation
prevention
■
Story Graph Inbound connection from the
■
Right-click McAfee ePolicy Orchestrator
scan
server/Agent Handler. If
Credential 8081 TCP
the agent is a SuperAgent
■
Theft
Protection
repository, inbound connection
from other McAfee Agents.
Figure 4. McAfee Endpoint Security Platform
Inbound connection to agents.

8082 UDP Inbound/outbound connection
from/to SuperAgents.
Relay server discovery for

8083 UDP
McAfee Agent.
Figure 5. McAfee Agent port reference

Understand the role of registered servers Groups

Registered servers allow for the integration of McAfee To facilitate management of the solution, McAfee
ePolicy Orchestrator software with other, external recommends that you develop a group structure linked
servers. For example, register your LDAP server to to an existing Active Directory or LDAP directory.
connect with the Active Directory server. Registering
For installation and ongoing operation of the solution,
a server can increase the effectiveness of McAfee
consider creating these Active Directory groups (Global/
Endpoint Security.
Universal Groups):
Each type of registered server supports or supplements
the functionality of McAfee Endpoint Security with Group McAfee ePO Permissions
other McAfee solutions. For example, if you have
TIE/DXL deployed in your environment and McAfee Users requiring full access to
ENS_
Administrators
McAfee Endpoint Security policies,
Endpoint Security Adaptive Threat Protection is enabled, queries, and dashboards.
you can leverage reputation information from TIE to
block applications from executing. McAfee ePolicy Users requiring review permissions
Orchestrator users are then able to view TIE server ENS_Reviewers to McAfee Endpoint Security policies,
queries, and dashboards.
information in McAfee ePolicy Orchestrator reports and
dashboards.
Design Principles Establish roles and responsibilities

In this step, you’ll need to determine who your users are, With your project participants, discuss roles and
who your admins are, and what responsibilities you’ll be responsibilities, segregation of duties, and requirements
assigning for administering McAfee Endpoint Security. for access to McAfee ePolicy Orchestrator and other
applications. You’ll need to identify which types of
Determine users and groups
users require access to the endpoint. Then, spend time
Users
understanding their unique roles and responsibilities.
There are two types of users: Global Administrators and
This information can then be used to describe and
users with limited permissions. You’ll need to:
create permission sets that allow users to perform their
■ Decide who Global Admins will be, mapping the Global jobs successfully.
Admins to AD accounts.
■ Identify users requiring access to McAfee ePolicy
Orchestrator and other applications.

Users should be assigned privileges based upon their Review known issues
operational role for the solution. Operational Roles You can find the list of known product incompatibilities
might include: in the McAfee Service Portal; be sure to review this list
during the course of your project. Please reference
■ McAfee ePolicy Orchestrator Global Administration
■ Product Administration
Center, “Endpoint Security 10.x Known Issues.”
■ Global Reviewer
■ Product-level Reviewer Verify that the installation environment meets
specifications
In the production McAfee ePolicy Orchestrator
Compare the endpoints in your environments against
environment, consider providing global administrators
with two accounts:
Center, “Supported platforms, environments, and
■ A Global Administrator account operating systems for Endpoint Security.”
■ A “day-to-day” operations type of account that has
Note: This KB article is updated frequently, as new
more restrictive permissions than the Global Admin
operating systems are released. Your environment
account
will likely have a mix of operating system versions
Typical user permissions include read-access to: and hardware configurations. Pay special attention to
operating systems that are not supported by McAfee
■ Events in McAfee ePolicy Orchestrator
Endpoint Security.
■ Policies in McAfee ePolicy Orchestrator
■ System tree objects in McAfee ePolicy Orchestrator Confirm pilot endpoints configuration
Verify that your pilot endpoints have supported versions
Typical “administrative” permissions (only to be used in a
of the McAfee Agent software installed. Also, ensure that
change control window) include full access to:
pilot endpoints meet the system requirements as listed
■ Policies in technical article KB82761 in the McAfee Knowledge
■ System tree Center, “Supported platforms, environments, and
operating systems for Endpoint Security.”
Design Validation
Validating the design is important in order to confirm You’ll also want to verify that prerequisite software is
that everything is ready for the implementation. installed by using McAfee Endpoint Upgrade Assistant,
and reviewing the product release notes.
Note: You can view a full list of system requirements on
page 43 in the Appendix.

The McAfee Enterprise Product Documentation can McAfee Endpoint Upgrade Assistant. Prior to checking
provide you with compatibility information that is specific in the McAfee Endpoint Upgrade Assistant extension,
to your McAfee ePolicy Orchestrator environment. McAfee recommends that you follow your organization’s
McAfee Endpoint Upgrade Assistant examines the practices for submitting change requests, performing
software packages in your repository and compares endpoint backups, and developing a back-out plan.
that info against the list of compatible software. The
“Overview” and “Prepare” tabs in McAfee Endpoint Assess
Upgrade Assistant provide a visual representation
Prepare for… By performing these activities…
of minimum software versions supported by McAfee
Endpoint Security. Technical ■
Run Endpoint Upgrade Assistant
review
■
Analyze Endpoint Upgrade Assistant results
Verify accounts and permissions
■
Review dashboards and queries
Verify that all your account(s) have the correct ■
Perform McAfee VirusScan Enterprise
permissions. The same account may be used to upgrade policy review
software and deploy solution components on endpoints, ■
Conduct McAfee Host Intrusion policy review
as needed. You’ll want to ensure that you have ■
McAfee Site Advisor Enterprise policy review
permissions set for: ■
Export production policies and tasks
Figure 6. Assessment Checklist

■ McAfee ePolicy Orchestrator administrative account
■ McAfee Agent deployment
■ McAfee Endpoint Security deployment (as needed to Technical Review
perform upgrades) The technical review is where you’ll assess your current
production environment by performing a series of
activities around the upgrade.
Assess Run the McAfee Endpoint Upgrade Assistant

During this phase, your project participants will perform In this phase, you will be running McAfee Endpoint
an assessment of your current production environment Upgrade Assistant so that you can get an idea of what
configuration to provide guidance and recommendations machines in your production environment are currently
for the upgrade. ready for migration to McAfee Endpoint Security 10.x.
Activities performed during the assessment will Refer to Enterprise Product Documentation for an
result in changes to your production environment; explanation of the tool, a video tutorial, and links to
one specific change is checking in the extension for product documentation.

Analyze McAfee Endpoint Upgrade Assistant results Perform McAfee VirusScan Enterprise policy review
Carefully analyze the results from McAfee Endpoint The McAfee Endpoint Migration Assistant can be
Upgrade Assistant and prepare to implement the used to migrate McAfee VirusScan policies and tasks to
recommended upgrade scenarios (after you’ve McAfee Endpoint Security 10.x. In order to streamline
completed testing—See Test phase.) The objective the migration activities, consider consolidating the
of this initial analysis is to understand the upgrade number of On-Access Scanning (OAS) VirusScan policies
readiness of your environment. that are present in your environment. To do this,
first identify the business purpose for each McAfee
Review dashboards and queries
VirusScan policy, paying special attention to On-Access
Next, you’ll want to review the McAfee ePolicy Scanning exclusions within the policies.
Orchestrator dashboards and queries for:
Identify a policy consolidation workflow that works for
■ McAfee VirusScan your environment. You can use the example workflow
■ McAfee Host IPS shown in this figure as a starting point.
■ McAfee Site Advisor
Present the
These dashboards and queries will likely need to Identify policies consolidated
Document the
be ported into their McAfee Endpoint Security 10.x that are very policies and
Review existing consolidated
equivalent. Identify if automated queries and McAfee similar. Consolidate exclusion list to
On-Access policies and
exclusions into the Information
ePolicy Orchestrator reports are configured for Scanning policies. their exclusion
new On-Access Security Office
endpoint security products. Then, document this lists.
Scanning policies. and receive
information and create an action plan to ensure signoff.
operational effectiveness. This review gives you an
Figure 7. OAS – Example Policy Consolidation Workflow
opportunity to introduce additional monitoring insights
into your existing operational processes. Refer to the
McAfee ePolicy Orchestrator product guide on the Track policy consolidation decisions, so that you will
documentation portal for additional information on have a record of why you created new McAfee Endpoint
monitoring and reporting configuration. Security OAS policies.
Note: You can find an example future state dashboard Note: You can find McAfee VirusScan policy and task
on page 38 in the Appendix. tracking sheets on page 37 in the Appendix.

Conduct McAfee Host Intrusion Prevention policy review You can reduce the complexity of firewall rules by
The McAfee Endpoint Migration Assistant can be leveraging McAfee Host IPS Catalog, which contains
used to migrate McAfee Host IPS policies and tasks to reusable items that you can import into firewall policies.
McAfee Endpoint Security 10.x. Consider maintaining a baseline firewall policy that
satisfies most of the security requirements of your
Project participants and stakeholders should review and organization. You can then create additional catalog and
consolidate Host IPS policies, exclusions, and firewall policy items for specific types of users and groups.
rules.
Review any configured McAfee Host IPS product-
Note: McAfee Host Intrusion Prevention, IPS Protection, specific tasks. Task-consolidation decisions need to take
and Rules policies may contain exceptions and/or into consideration whether new or additional McAfee
changes to the severity of a specific signature. Capture Endpoint Security tasks might need to be created to
policy settings that deviate from the McAfee default and mirror specific task goals.
attempt to consolidate the IPS rules policies.
Note: You can find McAfee HIPS IPS Rules Policies and
Exception Rules McAfee Host IPS Firewall Rules Policies tracking sheets
Exception Rules from the IPS Rules policy migrate to on page 37 in the Appendix.
the Access Protection and Exploit Prevention policies as
executables under Exclusions. Run McAfee SiteAdvisor Enterprise policy review
McAfee SiteAdvisor Enterprise and Web Control can
Refer to the McAfee Endpoint Security Product Guide take action on over 100 categories of web content.
for further information on Exception Rules. You’ll need to ensure that your environment has
Exception Rules with signatures an acceptable internet usage policy and block web
IPS Exceptions can include custom signatures. The categories that violate your usage policy. If numerous
executables and parameters from exceptions are McAfee SiteAdvisor Enterprise policies contain similar
appended to the McAfee Endpoint Security Access or identical settings (for example, blocking the same
Protection Rule created during signature migration. If web categories), use the Policy Comparison tool or an
all McAfee-defined signatures are added to a subrule Excel spreadsheet to find identical settings that can be
exception, the exception migrates as a global exclusion consolidated. Identify which web browsers are approved
in the Access Protection and Exploit Prevention policies. for use in your environment. Both McAfee SiteAdvisor
Enterprise and McAfee Endpoint Security Web Control
can be configured to block unsupported internet
browsers.

Determine if you have an established workflow in place Test

for unblocking websites that are incorrectly categorized.
A website’s categorization and reputation are linked to
Recovery Back up the McAfee ePolicy Orchestrator
McAfee’s TrustedSource.org. Next, review any configured
■
application server and database

McAfee SiteAdvisor Enterprise product-specific tasks.
Installation
Consider whether you will need to create McAfee ■
Check in required packages
Endpoint Security product tasks to mirror specific task

■
Install required management extensions
Validate distributed repository replication
goals.
■
■
Run Endpoint Upgrade Assistant and analyze
Export production policies and tasks results
Import production policies and tasks
Export the recently reviewed and consolidated
■
production policies for McAfee VirusScan, McAfee Host Configuration ■

Configure users and permission sets
IPS, and McAfee SiteAdvisor Enterprise. These policies ■
Perform initial validation testing
will be referenced in the Test phase of this project, when ■
Run Endpoint Migration Assistant and analyze
the results
McAfee Endpoint Migration Assistant is used for policy
Configure the baseline policy
and task conversion to McAfee Endpoint Security 10.x.
■
■
Assign the migrated policies and tasks to
endpoints
■
Configure a deployment dashboard
Plan Design Assess Test Implement ■
Configure product deployment tasks
Upgrade ■
Deploy McAfee Agents to pilot endpoints
Test ■
Deploy McAfee Endpoint Security to pilot
During this phase, project participants will install, endpoints
configure, upgrade, and validate the McAfee solution in a Validation ■

Monitor McAfee Agent and McAfee Endpoint
Security deployments
non-production environment.
■
Perform post-upgrade validation testing
■
Export the baseline policy
Figure 8. Test Checklist

Recovery ■ The easiest way to obtain all required extensions

Implementation begins by preparing your test and packages for McAfee Endpoint Security 10.x is to
environment for recovery in the unlikely event of an download the McAfee Endpoint Security 10.x bundle
installation or upgrade failure. Verify your back-out from the McAfee ePolicy Orchestrator Software
and recovery plans with your project participants and Manager. The McAfee Client Proxy package/extension
stakeholders. is included in this bundle.
■ The McAfee Endpoint Migration Assistant and
Back up the McAfee ePolicy Orchestrator application
Endpoint Upgrade Assistant are available for download
server and database
via the Software Manager. Once these tools have been
Verify that snapshots or backups of the production
installed, you can access them through McAfee ePO
McAfee ePolicy Orchestrator server have completed
> Menu > Software > Endpoint Upgrade Assistant or
successfully, and that the McAfee ePolicy Orchestrator
McAfee ePO > Menu > Policy > Migration Assistant.
database was also backed up. If backups of both were
taken, you should verify their integrity before installing The packages for McAfee Endpoint Security 10.x are
the management extensions. listed here:
Installation Component
Once you’ve completed your backups, it’s time to check
McAfee Endpoint Security Web Control
in and install the McAfee Endpoint Security software and
McAfee Endpoint Security Threat Prevention
the supporting components.
McAfee Endpoint Security Platform
McAfee Endpoint Security Firewall
You can obtain the installation software from the McAfee
ePolicy Orchestrator Software Manager (also called the McAfee Client Proxy
Software Catalog) or via the McAfee Products download McAfee Endpoint Security Adaptive Threat Protection
page at https://www.mcafee.com/enterprise/en-us/ Figure 9. McAfee Endpoint Security 10.x Packages
downloads/my-products.html.

Install required management extensions Validate distributed McAfee ePolicy Orchestrator

Management extensions allow you to use McAfee ePolicy repository replication
Orchestrator policies to manage the point products. The Prior to deploying the software, ensure that distributed
Management Extensions are listed here: repositories are working as expected. If lazy caching is
used, perform a deployment task on a single machine
Component Type Version that is pointed to a repository to ensure that the McAfee
McAfee Endpoint
Extension 10.x Endpoint Security packages/content are available. If
Security Web Control
you’ve enabled peer-to-peer, ensure that it is operating
McAfee Endpoint
Security Threat Extension 10.x successfully.
Prevention
Run McAfee Endpoint Upgrade Assistant and
McAfee Endpoint
Extension 10.x
Security Platform analyze results
McAfee Endpoint The McAfee Endpoint Upgrade Assistant will provide
Extension 10.x
Security Firewall
an overview of your environment. This will tell you the
McAfee Endpoint number of endpoints that are ready for an upgrade,
Security Adaptive
Extension 10.x
Threat Protection (if how many are blocked from the upgrade, and which
licensed)
endpoints require additional changes to complete the
McAfee Client Proxy Extension Latest upgrade.
McAfee Common
Catalog Framework
Extension Latest Before you continue with the upgrade, you’ll need to
address the deployment issues identified by McAfee
McAfee Common
Extension Latest Endpoint Upgrade Assistant.
Catalog
Figure 10. Management Extensions Note: For more information on McAfee Endpoint
Upgrade Assistant, see page 8.
Additional extensions that will aid in the policy migration

and upgrade effort are listed here:
Component Type Version
Endpoint Migration Assistant Extension Latest
Endpoint Upgrade Assistant Extension Latest
Figure 11. Additional Extensions

Import production policies and tasks Run McAfee Endpoint Migration Assistant
Next, import the consolidated policies for McAfee Refer to the McAfee Endpoint Security Migration
VirusScan, McAfee Host IPS, and McAfee SiteAdvisor Guide for specific steps required to migrate policies
Enterprise. These policies will be converted to their before installing McAfee Endpoint Security.
McAfee Endpoint Security 10.x counterparts by the
The McAfee Endpoint Migration Assistant can be
McAfee Endpoint Migration Assistant tool.
accessed from Menu > Policy > Endpoint Migration
Configuration Assistant.
You’re almost ready to deploy McAfee Endpoint Security
The McAfee Endpoint Migration Assistant will perform
to your pilot endpoints. You just need to configure users,
a policy and task conversion of your current VSE/HIPS/
permissions, policies, and tasks first.
SAE settings and migrate them to their corresponding
Configure users and permission sets McAfee Endpoint Security counterparts. You can choose
Once you check in the McAfee Endpoint Security 10.x from two migration modes:
extensions, new permissions for McAfee Endpoint ■ Manual Migration—Recommended for environments
Security 10.x will become available. Update your existing that have unnecessary policies and tasks that should
permission sets to include these new products and/ be consolidated for easier administration. This may
or create new permission sets that focus on McAfee need to be run multiple times as different policies are
Endpoint Security 10.x. migrated.
You should update the assigned permission sets of ■ Automatic Migration— Not recommended, since it will
existing McAfee ePolicy Orchestrator users who are migrate unneeded policies.
responsible for McAfee Endpoint Security to reflect the
Note: Remember to configure and assign policies
additional McAfee Endpoint Security 10.x products.
to endpoints and groups prior to deploying McAfee
Existing permission sets will have “no permissions” for
Endpoint Security 10.x.
McAfee Endpoint Security-specific products until you
manually add them. When you use the manual migration option, you have
an opportunity to selectively migrate policies and make
Perform initial validation testing
policy adjustments on the fly. You’ll also want to ensure
Prior to installing McAfee Endpoint Security, collect basic
that you migrate relevant On-Demand Scan Tasks.
performance information from your test machines. This
will give you a simple baseline to measure against. Configure the baseline policy
Configure and assign the baseline policy to endpoint
Note: You can see an example of performance metrics
groups or to individual endpoints.
to measure on page 42 in the Appendix.

Assign the migrated policies and tasks to endpoints Method 1: Deploy the Upgrade Automation Task using
Assign migrated policies and tasks to endpoints in your the McAfee Endpoint Upgrade Assistant
test environment. The package named McAfee Endpoint Upgrade Assistant
can be used to upgrade devices to McAfee Endpoint
Configure your deployment dashboard
Security 10.x. All McAfee Endpoint Security 10.x
Your deployment dashboard will show endpoints that packages and extensions must be checked into McAfee
are in scope for McAfee Endpoint Security 10.x. Consider ePolicy Orchestrator prior to deploying this package.
creating a Boolean pie chart query that contains
matching criteria for McAfee Endpoint Security 10.x The McAfee Endpoint Upgrade Assistant package will
security modules. Endpoints that lack the matching deploy the McAfee Endpoint Security modules you
criteria will appear as “non-compliant.” select. If you do not want to deploy all the modules,
you can create a task in the Client Task Catalog that
A default query named “Endpoint Security: Installation explicitly specifies the modules to be deployed. You
Status Report” displays the total number of endpoints also can select the modules to deploy with Endpoint
that have McAfee Endpoint Security 10.x installed. Upgrade Assistant. Refer to the Enterprise Product
Consider adding this query to your deployment Documentation for further information.
dashboard.
Note: Perform extensive testing prior to using the
Configure product deployment tasks Deploy Upgrade Automation Task.
Review and identify the deployment task method(s)
The workflow for deploying an Upgrade Automation task
you’ll be using to control the scope of your software
is shown here:
deployments.
You can choose from three methods:

START Download Verify Verify MA Harvest
Deployment EUA MA that no and ENS VSE
■ Method 1: Deploy the Upgrade Automation Task using
and ENS conflicting versions policies
McAfee Endpoint Upgrade Assistant. Packages McAfee
products
■ Method 2: Selectively deploy McAfee Endpoint are installed
Security modules via the Client Task Catalog and
system tree assignment.
Deployment Report Install Upgrade Remove
■ Method 3: Create a McAfee Endpoint Security package FINISHED Status to ENS MA legacy
with McAfee Endpoint Upgrade Assistant Package ePO products
Creator for deployment with a third-party tool.
Figure 12. Deploying the Endpoint Upgrade Assistant Package

Method 2: Selectively deploy McAfee Endpoint Deploy McAfee Endpoint Security to pilot endpoints
Security modules via the Client Task Catalog and Deploy McAfee Endpoint Security 10.x using your
system tree assignment planned deployment method.
Create a task in the Client Task Catalog that includes all
or some of the McAfee Endpoint Security Modules.
Validation
During this step, you’ll verify that your technical
Note: You might be more familiar with leveraging implementation meets the security objectives that you
Method 2 as it is the legacy method. previously established and perform tests to ensure that
Method 3: Use the McAfee Endpoint Upgrade everything is operating properly.
Assistant Package Creator to create an Endpoint Monitor McAfee Agent and McAfee Endpoint
Security package Security deployments
The McAfee Endpoint Upgrade Assistant Package
The overwhelming majority of your McAfee Endpoint
Creator will walk you through the creation of a package
Security deployments should be successful. Capture
to be deployed with a third-party deployment tool, and
any reported issues and document the solutions for
will provide options for tailoring the deployment package
those issues. Engage the McAfee Support team when
to various environments.
necessary.
After the package is created, you can use a third-party
Perform post-upgrade validation testing
deployment tool, such as SCCM or Bigfix, to perform the
Verify that your technical implementation meets the
deployment.
security objectives discussed in the Plan and Design
Upgrade phases.
Now you’re ready to deploy McAfee Endpoint Security
These activities will validate the newly created McAfee
to your pilot endpoints and validate the success of that
Endpoint Security 10.x policies configured for your
deployment.
environment. Validate any additional testing criteria that
Deploy McAfee Agents to pilot endpoints may have been defined in the Plan and Design phases,
If the required version of McAfee Agent is not currently for specific use cases.
installed, deploy the required McAfee Agent version for Note: Verify any additional performance and functional
your test environment to your pilot endpoints before testing requirements planned for your critical enterprise
you move on to deploying McAfee Endpoint Security applications. Ensure all applications perform the
10.x. required business tasks that business owners specified
as requirements in the Plan phase.

Validation tests verify that your McAfee products are Activities performed during this phase will result in
blocking and monitoring activity and producing logs and changes to your production environment. McAfee
events that are viewable on client endpoints and from recommends following your organization’s practices
the McAfee ePolicy Orchestrator console. for submitting change requests, performing endpoint
backups, and developing a recovery plan.
Note: You can find example validation tests for features
specific to McAfee Endpoint Security on pages 39-41 in Implement
the Appendix. Prepare for: By taking these steps:
The results of the Application Validation testing should Recovery ■

Prepare for installation
be captured and shared with project participants. ■
Back up the McAfee ePolicy Orchestrator
application server and database
Note: You can find an example of validation testing
results on page 38 in the Appendix. Installation ■
Check in the required client packages
Install required management extensions
Export the baseline policy
■
■
Validate distributed repository replication
If the McAfee Migration Assistant was used to convert
■
Import the baseline policies and tasks
policies to their McAfee Endpoint Security 10.x ■
Configure users and permission sets
equivalents, these newly converted policies are now ■
Configure a deployment dashboard
ready to be exported from your test environment and
imported into your production environment. Run Endpoint Upgrade Assistant
Deployment ■
Note: Ensure you are exporting all of the policies that

■
were validated in your test environment.
■
■
Assign the migrated policies and tasks to
endpoints
■
Deploy McAfee Agents to endpoints, as
Implement
■
needed
During this phase, project participants will install, ■

Deploy McAfee Endpoint Security to
endpoints
configure, upgrade, and validate your McAfee solution in
a production environment. Validation ■
Monitor McAfee Agent and McAfee Endpoint
The activities listed in this phase will closely mirror the ■
Perform validation testing
activities completed in the Test phase.

Recovery Validate distributed McAfee ePolicy Orchestrator

Production implementation begins by preparing the repository replication
environment for recovery in the unlikely event of an Prior to deploying the software, ensure that distributed
installation or upgrade failure. Discuss your back-out repositories are working as expected. If lazy caching is
and recovery plans with your project participants. used, perform a deployment task on a single endpoint
that is pointed to a repository to ensure that the McAfee
Note: For more on installing and backing up the McAfee
Endpoint Security packages and content are available.
ePolicy Orchestrator application server and database,
Refer to the McAfee ePolicy Orchestrator Best Practices
please see page 25.
Guide for additional information.
Installation
Import the baseline policies and tasks
Import the polices that you worked with in the test
Ensure that software versions in your production environment. These policies were from the production
environment are the same as those in your test environment and have undergone a migration to McAfee
environment. Endpoint Security 10.x via the Endpoint Migration
You can obtain the installation software directly from Assistant.
the McAfee ePolicy Orchestrator Software Manager Ensure that policies have been tested and tailored for
or via the McAfee Products download page https:// critical applications. Next, import the baseline tasks, so
www.mcafee.com/enterprise/en-us/downloads/my- that your devices can run the necessary tasks to stay
products.html. protected.
Note: For more on Installation, please see page 38. Configure users and permission sets
Install required management extensions Note: For more on this topic, please see page 28.
Management extensions allow the point products to be Configure a deployment dashboard
managed via McAfee ePolicy Orchestrator using policies.
Ensure that the dashboard is viewable by those tracking
Ensure that the same extensions that were checked in
the deployment.
to your test environment are also checked in to your
production environment. Note: For more on this topic, please see page 29.
Note: For more on installing management extensions,

please see page 27.

Deployment Deploy McAfee Agents to endpoints, as needed

To ensure success, deploy McAfee Endpoint Security to Machines that have a broken McAfee Agent will need
your environment in a phased approach. to be remediated prior to deploying McAfee Endpoint
Security 10.x through McAfee ePolicy Orchestrator.
Run Endpoint Upgrade Assistant
Ensure that you have set Endpoint Upgrade Assistant to Deploy McAfee Endpoint Security to endpoints
focus on a McAfee Endpoint Security 10.x upgrade. Use a phased implementation approach and tightly
control the number of endpoints that receive McAfee
Endpoint Security 10.x.
The upgrade scenarios that are displayed in your
production environment might be different than those in
your test environment. Perform additional testing where
necessary to ensure a smooth McAfee Endpoint Security
upgrade.

Configure and assign the baseline policy to endpoint
groups or individual endpoints.
Assign the migrated policies and tasks to endpoints

Assign migrated policies and tasks to endpoints in your
production environment.

Ensure that the tasks are set to execute in accordance
with the information listed in the change request.
Note: For more on this topic, please see page 29.

Validation In the event that your stakeholders discover

In this phase, you’ll verify that the technical performance issues, refer to the technical article
implementation meets the security objectives laid out in KB86691 in the McAfee Knowledge Center, “Data
the Plan and Design phases. collection steps for troubleshooting McAfee Endpoint
Security issues.” This article provides guidance on
Monitor McAfee Agent and McAfee Endpoint collecting data using:
The overwhelming majority of McAfee Endpoint Security
■ Process Monitor—An advanced monitoring tool for
deployments should be successful. Closely monitor Windows that shows real-time file endpoint, Registry
any failed deployments and identify common scenarios and process/thread activity.
that result in failure. Engage McAfee Support when ■ Windows Performance Recorder—A performance-
necessary. recording tool that is based on Event Tracing for
Windows (ETW). It records endpoint events that you
Perform validation testing
can then analyze by using Windows Performance
Ensure that your stakeholders (especially your Analyzer (WPA).
application owners) are aware of the implementation
■ AMTrace—An internal tool to collect logging data from
timeline. Encourage stakeholders to validate endpoint
McAfee AMCore.
performance once McAfee Endpoint Security 10.x
modules are installed on critical servers. Application Note: For more on this topic, please see page 30.
owners should perform a regression test against
their applications to ensure that McAfee Endpoint
Security 10.x has not introduced a new issue into the
environment.

Appendix Design
Plans and Tracking Sheets [ ] Discuss the McAfee solution architecture overview
Upgrade Project Planning Checklist [ ] Discuss the endpoint architecture

[ ] Discuss the network infrastructure services
Plan
[ ] Discuss McAfee network services
Identify business applications, administrators and
[ ]
application owners [ ] Discuss registered servers
[ ] Discuss project and business objectives [ ] Discuss roles and responsibilities
[ ] Discuss security requirements [ ] Discuss users and groups
[ ] Discuss end user communications [ ] Review release notes
[ ] Discuss additional planning topics [ ] Review known issues Knowledge Base articles
[ ] Discuss product features [ ] Review the product compatibility matrix
[ ] Discuss product feature parity [ ] Verify that the installation environment meets specifications
[ ] Discuss supported platforms [ ] Verify accounts and permissions
[ ] Discuss supported McAfee agents [ ] Verify prerequisite software is installed
[ ] Discuss integration with other McAfee solutions [ ] Verify pilot endpoints configuration
[ ] Discuss conflicts with existing products Assess
[ ] Discuss the implementation process [ ] Prepare for installation
[ ] Identify endpoints for the initial pilot deployment [ ] Backup the McAfee ePO application server and database
[ ] Discuss McAfee application validation testing [ ] Obtain the installation software
[ ] Discuss performance testing and baseline metrics [ ] Install required management extensions
[ ] Discuss business application testing procedures [ ] Run Endpoint Upgrade Assistant
[ ] Discuss current security management practices [ ] Analyze Endpoint Upgrade Assistant results
[ ] Discuss change control processes [ ] Review dashboards and queries
[ ] Discuss back out and recovery plans [ ] Perform McAfee VirusScan Enterprise policy review(s)
[ ] Discuss software updates [ ] Perform McAfee Host Intrusion Prevention policy review(s)
[ ] Discuss signature content testing [ ] Perform SiteAdvisor Enterprise policy review(s)
[ ] Discuss McAfee GetClean [ ] Export production policies
[ ] Discuss reporting requirements [ ] Export production tasks
Review corporate security policies and supporting
[ ]
documentation

Test Implement
[ ] Prepare for installation [ ] Prepare for installation
[ ] Backup the McAfee ePO application server and database [ ] Backup the McAfee ePO application server and database
[ ] Check in required packages [ ] Check in required packages
[ ] Install required management extensions [ ] Install required management extensions
[ ] Validate distributed repository replication [ ] Validate distributed repository replication
[ ] Run Endpoint Upgrade Assistant [ ] Import the baseline policies
[ ] Analyze Endpoint Upgrade Assistant results [ ] Import the baseline tasks
[ ] Import production policies [ ] Configure users and permission sets
[ ] Import production tasks [ ] Configure a deployment dashboard
[ ] Configure users and permission sets [ ] Run the Endpoint Upgrade Assistant
[ ] Perform initial validation testing [ ] Analyze Endpoint Upgrade Assistant results
[ ] Run the Endpoint Migration Assistant [ ] Configure the baseline policy
[ ] Migrate policies [ ] Assign the migrated policies to endpoints
[ ] Migrate tasks [ ] Assign the migrated tasks to endpoints
[ ] Configure the baseline policy [ ] Configure product deployment tasks
[ ] Assign the migrated policies to endpoints [ ] Deploy McAfee Agents to endpoints, as needed
[ ] Assign the migrated tasks to endpoints [ ] Deploy McAfee Endpoint Security to endpoints
[ ] Configure a deployment dashboard [ ] Monitor McAfee Agent and Endpoint Security deployments
[ ] Configure product deployment tasks [ ] Perform validation testing
[ ] Deploy McAfee Agents to pilot endpoints, as needed
[ ] Deploy McAfee Endpoint Security to pilot endpoints
[ ] Monitor McAfee Agent and Endpoint Security deployments
[ ] Perform post-upgrade validation testing
[ ] Export the baseline policy

Pilot Endpoint Plan Tracking Sheet McAfee VirusScan Tasks - Consolidation Tracking
# Pilot Sheet
Application(s) OS App Owner Contact
Devices
McAfee VirusScan Tasks - Consolidation Tracking Sheet
Win
EMC Backup John.doe@contoso. VSE Task Name Description Action Plan
Server 2
Server com
2012 Update All Updates DAT None – This task will be
Win files for VSE used for Endpoint Security
DHCP Server Server kyle.doe@contoso.com 2 content updates
2016 Weekly ODS Performs full Schedule a new Scan task for
Win 7 endpoint scan a Endpoint Security 10.x
Common and 10 weekly basis
Desktop_infra@
Desktop (x86 4
contoso.com
Applications and McAfee HIPS IPS Rules Policies - Consolidation
64bit)
Tracking Sheet
Win
DL-DatabaseTeam@ McAfee HIPS IPS Rules Policies - Consolidation Tracking
[Critical App 1] Server 3
contoso.com
2016 Sheet
HIPS IPS Rules
MacOS Description Action Plan
Mac Desktop macs@contoso.com 1 Policy
10.12
IPS Rules- Contains exceptions
The list of exclusions
Marketing for an app used by
pertaining to these
VirusScan Policies - Consolidation Tracking Sheet Marketing.
applications will be
IPS Rules Contains exceptions consolidated into a new
VirusScan Policies - Consolidation Tracking Sheet Publishing for an app used by policy named IPS Rules-
VSE Policy Marketing. General-Apps
Description Action Plan
Name
Note: The environment may have many firewall policies
Finance.Corp- This policy includes exclusions The list of
OAS Policy Legacy financial applications exclusions
with rules in them that are not currently linked to the
that have known performance for these Host IPS Firewall Catalog.
issues. The exclusions are applications will
recommended by the vendor. be placed into
a new policy
Revenue Cycle- This policy includes exclusions named “Finance-
OAS Policy for the app named Revenue OAS-G1”.
Cycle. The exclusions are
recommended by the vendor.
Note: Repeat the above methodology for all configured

McAfee VirusScan tasks. Task consolidation decisions
need to ensure whether new or additional Endpoint
Security product tasks might need to be created.

McAfee Host IPS Firewall Rules Policies - Example Format for a Validation Test
Consolidation Tracking Sheet Test Name Test ID#
McAfee HIPS Firewall Rules Policies - Consolidation Validation Steps Step 1)
Tracking Sheet Step 2)
HIPS Firewall Step 3)
Rules Policy Expected Results
FW Rules- Firewall rules used by The firewall rules for Actual Results
Coders software coders. these applications will
be placed into a new
FW Rules- Firewall rules used by
firewall policy named Note: The results of validation testing should provide
Programmers Python Programmers.
FW-Rules-Developers.
discussion points for additional policy configurations as
required.
Examples
Example Application Owners Sheet Example Future State Dashboard for Endpoint
Application Owners
Security Products
Application
Purpose Owner/Administrator
Operational Dashboard
Name
Monitor
Example: Pharmacy Workflow, John.doe@company.com Name
Meditech Laboratory
Antivirus This Boolean chart Update the query to
Diagnostics
Installed/ shows machines that include criteria for McAfee
Example: Accounts Receivable, John.doe@company.com Missing have AV installed as Endpoint Security 10.x
Invoice Supreme Recurring Billing well as machines that Threat Prevention.
are missing AV. The
approved antivirus
Note: The Application Owners Sheet is important for software is McAfee
VirusScan.
Endpoint Security-based exclusions, exceptions, and
other policies. Business owners may require a new or HIPS Shows devices running Add a new monitor that
Content up to date HIPS content also shows content
different policy based on the application vendor’s list of Compliance (Signatures). compliance for Exploit
recommended exclusions or other configurations. Prevention.
McAfee Displays the number Add a new monitor that

VirusScan of workstations which shows AMCore Content
Current DAT have recent McAfee (Threat Prevention) within
Adoption VirusScan DATs (Within 2 version versions of the
2 versions of the master Master Repository.
repository).

Example Validation Tests for Endpoint Security- Exploit Prevention - Blocking Hidden PowerShell
specific Features Exploit Prevention -
On Access Scanning - EICAR Test TC-ENS-003
Hidden PowerShell Detected
On Access Scanning – EICAR Test Test Ensure that the browser plugin for McAfee Endpoint
Setup Security Web Control is running
■
Create a new text file
Validation
Validation ■
Open the Google Chrome Browser
Steps ■
Within the text file, enter the following string:
Steps
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR- ■
Navigate to http://www.testingmcafeesites.com/
STANDARD-ANTIVIRUS-TEST-FILE!$H+H* testcat_ph.html
■
Save and close the text file Expected The site is blocked because it has a “red rating” (See
Results screen shot)
■
Attempt to copy the text file
Expected The test file will be deleted and a popup message

Results similar to the one shown below will be produced.
Actual Results Actual

Results
Viewing the Quarantine Folder
Options – Viewing the Quarantine Folder
Validation ■
Navigate to C:\quarantine
Steps ■
Verify that files appear in the quarantine folder
Expected Files that have been quarantined will be in

Results compressed zip format.
Actual Results

Web Control - Blocking Navigation to a Web Control – Blocking Navigation to a

Malicious Website Phishing Page
Web Control – Web Control –

TC-ENS-004 TC-ENS-005
Blocking Navigation to a Phishing Page Blocking Navigation to a Phishing Page
Test Ensure that the browser plugin for McAfee Endpoint Test Ensure that the browser plugin for McAfee Endpoint
Setup Security Web Control is running Setup Security Web Control is running
Validation ■
Open the Google Chrome Browser Validation ■
Open the Google Chrome Browser
Steps Steps
■
Navigate to http://red.test.csm-testcenter.org/ ■
Navigate to http://www.testingmcafeesites.com/
testcat_ph.html
Expected The site is blocked because it has a “red rating” (See
Results screen shot) Expected The phishing webpage is blocked because phishing is
Results a category on the block list” (See screen shot)
Actual
Results
Actual Attachments How to test SiteAdvisor Enterprise 3.x category
Results ratings
Attachments How to test SiteAdvisor Enterprise 3.x category https://kc.mcafee.com/corporate/
ratings index?page=content&id=KB72563
https://kc.mcafee.com/corporate/
index?page=content&id=KB72563

Exploit Prevention – Viewing Aggregated Events Optional TIE/DXL Validation Tests

Exploit Prevention – McAfee Threat Intelligence Exchange – Manually
TC-ENS-006
Viewing Aggregated Events Changing a File’s Reputation to “Most Likely
Validation ■
Open the McAfee ePO console Malicious”
Steps
■
Navigate to Reporting > Exploit Prevention Events McAfee Threat Intelligence Exchange –
■
Aggregate on “Analyzer Rule ID + Threat Target File Manually Changing a File’s Reputation to TC-ENS-007
Path + Action Taken “Most Likely Malicious”
■
Drill into an event with Analyzer ID 6070 Test Setup ■
The TIE and DXL Infrastructure must be up and
■
On the page named “Aggregated Exploit Prevention running in your environment.
Events Details”, click Actions > Add Exclusion” ■
ATP must be enabled
■
In the “Select a destination policy” page, click the ■
The action enforcement setting to Block when
policy named “TEMP-6070_Hidden_Powershell” reputation threshold reaches “Most Likely
and select ok Malicious” must be enabled.
■
Navigate to the policy named “TEMP-6070_Hidden_ ■
Download and install the software named “Putty”.
Powershell” (it can be found at “Endpoint Security It can be downloaded from https://www.chiark.
Threat Prevention: Policy Category > Exploit greenend.org.uk/~sgtatham/putty/latest.html
Prevention > TEMP-6070_Hidden_Powershell”)
■
Note: If you are currently using Putty for business
■
Select “Show Advanced” purposes please select a different .exe to test.
Expected An exclusion for the process “POWERSHELL.EXE” was
Validation ■
Navigate to Menu > Systems > Reputation > Tie
Results created in the policy (See screen shot)
Steps Reputations
■
Using the Quick Find, search for “putty”
■
Select Putty.exe and click Actions > Most Likely
Malicious
■
Attempt to launch putty from your test computer
Expected A McAfee Endpoint Security Alert is produced on

Results your test computer (see screen shot)
Actual
Results
The file is blocked on execute.

Note: Revert Putty’s reputation by setting the
Reputation for Putty to “known trusted”
Actual
Results

Example Performance Metrics Example Endpoint Security Validation Results
Performance Metric Value

Test ID Test Name Results
Average time for endpoint startup
Average time for user login TC- On Access Scanning – EICAR Test Pass
Average CPU utilization (over 24 hr period) ENS-001
[example] application specific performance metrics TC- Options – Viewing the Quarantine Folder Pass
ENS-002
TC- Exploit Prevention - Hidden PowerShell

Pass
ENS-003 Detected
TC- Web Control – Blocking Navigation to a

Pass
ENS-004 Malicious Site
TC- Web Control – Blocking Navigation to a

Pass
ENS-005 Phishing page
TC- Exploit Prevention – Viewing Aggregated

Pass
ENS-006 events
Threat Intelligence Exchange – Manually

TC-
changing a file’s reputation to “most likely Pass
ENS-007
malicious”

Technical Information
Endpoint Requirements
Minimum
Operating System Service Pack 32bit 64bit Processor RAM Hard Disk
Space Free
2 GHz
Windows 10 X X 3 GB 1 GB
or higher
Windows 10 with November 2 GHz

X X 3 GB 1 GB
update or higher
Windows 8.1 2 GHz

X X 3 GB 1 GB
Update 1 or higher
2 GHz
Windows 8.1 X X 3 GB 1 GB
or higher
2 GHz
Windows 8 (Except RT) X X 3 GB 1 GB
or higher
Windows 7 SP1 X X 1.4 GHz or higher 2 GB 1 GB
1 GHz
Windows Embedded Standard 7 X 1 GB 1 GB
or higher
Windows Vista (not supported 1.4 GHz

SP2 X X 2 GB 1 GB
with Endpoint Security 10.5) or higher
Windows XP Pro
(No longer supported by 1 GHz
SP3 X 1 GB 1 GB
Microsoft.) (not supported with or higher
Endpoint Security 10.5)
Windows Embedded for POS

X 1 GHz or higher 1 GB 1 GB
(WEPOS)
Windows Embedded 8 (Pro,

Standard, and Industry)
Windows Server 2016 X 2 GHz or higher 3 GB 1 GB
Windows Server 2012 R2

Update 1

Minimum
Space Free
Windows Server 2012

R2 Essentials, Standard, and
Datacenter (including Server
Core Mode)
Windows Server
2012 Essentials, Standard, and
Datacenter X 2 GHz or higher 3 GB 1 GB
(including Server Core Mode)

Windows Server
2008 Essentials, Standard,
Datacenter, and Enterprise
Web 1.4 GHz or
SP2 X X 2 GB 1 GB
greater
(including Server Core
Mode) (not supported with
Windows Server 2008
R2 Essentials, Standard,
Datacenter, and Enterprise 1.4 GHz or
SP2 X X 2 GB 1 GB
Web greater
(including Server Core Mode)
Windows Storage Server

2008 (not supported with X X 1.4 GHz or higher 2 GB 1 GB
Windows Storage Server 2008

X X 1.4 GHz or higher 2 GB 1 GB
R2
Windows Server 2003, 2003

R2 – All
X 1.4 GHz or higher 2 GB 1 GB
No longer supported by
Microsoft.
Windows Small Business Server

2008 (not supported with X 1.4 GHz or higher 2 GB 1 GB

Minimum
Space Free
Windows Small
X 1.4 GHz or higher 2 GB 1 GB
Business Server 2011
Windows Embedded
Standard 2009
Windows Point
of Service 1.1
Windows Point of
Service Ready 2009

About McAfee
McAfee is the device-to-cloud cybersecurity company.
Inspired by the power of working together, McAfee
creates business and consumer solutions that make
our world a safer place. By building solutions that
work with other companies’ products, McAfee helps
businesses orchestrate cyber environments that are
truly integrated, where protection, detection, and
correction of threats happen simultaneously and
collaboratively. By protecting consumers across all
their devices, McAfee secures their digital lifestyle
at home and away. By working with other security
players, McAfee is leading the effort to unite against
cybercriminals for the benefit of all.
www.mcafee.com.
6220 America Center Drive McAfee and the McAfee logo, ePolicy Orchestrator, McAfee ePO, SiteAdvisor, and VirusScan are trademarks or registered trademarks of
San Jose, CA 95002 McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright
888.847.8766 © 2020 McAfee, LLC. 4594_0820
AUGUST 2020
www.mcafee.com

PD27093

Uploaded by

Copyright:

Available Formats

You might also like

PD27093

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PD27093

Uploaded by

Copyright:

Available Formats

UPGR ADE PROJECT DEPLOYMENT GUIDE

McAfee Endpoint Security 10.x

2 McAfee Endpoint Security 10.x

McAfee Endpoint Security 10.x

3 McAfee Endpoint Security 10.x

Methodology Plan Design Assess Test Implement

This document is structured to follow these five steps,

Note: You can find the complete Upgrade Project

4 McAfee Endpoint Security 10.x

Planning Checklist Project Success

Identify additional planning topics

5 McAfee Endpoint Security 10.x

Review different policy configurations:

6 McAfee Endpoint Security 10.x

Discuss end user communications Identify additional planning topics

Note: Review technical article McAfee KB66909 in the

7 McAfee Endpoint Security 10.x

8 McAfee Endpoint Security 10.x

Learn about solution relationships

Detects threats in real-time, leveraging McAfee® Global Threat Intelligence (GTI)

Integrated, stateful firewall that dynamically inspects traffic on the network,

Updated Web Control browser toolbars improve user experience. Integration of

9 McAfee Endpoint Security 10.x

Discuss supported platforms Consider integration with other McAfee solutions

10 McAfee Endpoint Security 10.x

Determine how software will be deployed to managed

Verify whether or not the other security product was

You’ll need to discuss any known operating system

Determine the implementation process Peer-to-Peer (P2P) updating considerations

11 McAfee Endpoint Security 10.x

If your organization hasn’t defined functional application

12 McAfee Endpoint Security 10.x

13 McAfee Endpoint Security 10.x

Note: You can view examples of these tests on page 39

14 McAfee Endpoint Security 10.x

Ongoing Operations It is assumed that all changes to non-production

15 McAfee Endpoint Security 10.x

Discuss software updates Adaptive Threat Protection- Scanner and rules

AMCore content package

and signatures based on results of ongoing threat

16 McAfee Endpoint Security 10.x

Document reporting requirements

procedures Malware prevention, detection, and correction

Information and endpoint backup

Security logging and monitoring

You’ll need to determine if there is an established −

process for requesting reports. This process should

Network segmentation and configuration

17 McAfee Endpoint Security 10.x

Learn about the McAfee solution architecture

etc.) Prevention ATP

18 McAfee Endpoint Security 10.x

Review the endpoint architecture Identify required network infrastructure services

scanner firewall reputation

protection mode integration

Inbound connection to agents.

Relay server discovery for

Figure 5. McAfee Agent port reference

19 McAfee Endpoint Security 10.x