McAfee ePO Admin Interview Questions & Answers
Q.1 What is McAfee ePO?
McAfee ePolicy Orchestrator (McAfee ePO) is
McAfee's extensible, scalable, centralized security management
software.
It provides a single console for all your security
management.
·
Get a unified view of
your security posture with drag-and-drop dashboards that provide security
intelligence across endpoints, data, mobile and networks.
·
Simplify security
operations with streamlined workflows for proven efficiencies.
·
Flexible security
management options allow you to select either a traditional premises-based
or a
cloud-based management version of McAfee ePO.
·
Leverage your existing
third-party IT infrastructure from a single security management console with
extensible architecture.
Q.2 Which is the latest version of ePO?
At the time this page was written, the latest versions of the McAfee products were:
·
ePolicy
Orchestrator 5.3.1
·
VirusScan
Enterprise (VSE) 8.8 Patch 6
·
McAfee Agent 5.0.1
To determine the ePO version number
when you are logged on to ePO:
ePO 5.x: the version number is shown in the
left pane of the Menu screen.
You can also determine the
version by checking the version information contained in the server.ini file
on the ePO server. You can open this file with Notepad.
The default location of the server.ini file is:
…\Program Files\McAfee\ePolicy Orchestrator\DB
Q.3 What are the benefits of ePolicy Orchestrator software?
ePolicy Orchestrator software is an extensible
management platform that enables centralized policy management and enforcement
of your security policies.
Using ePolicy Orchestrator software, you can
perform these network security tasks:
·
Manage and enforce
network security using policy assignments and client tasks.
·
Update the detection
definition (DAT) files, anti-virus engines, and other security content required
by your security software to ensure that your managed systems are secure.
·
Create reports, using
the built-in query system wizard, that display informative user-configured
charts and tables containing your network security data.
Q.4 Explain the important components of ePolicy Orchestrator software and what they do.
These components make up ePolicy Orchestrator
software.
·
McAfee
ePO server — The Center of your
managed environment. The server delivers security policies and tasks, controls
updates, and processes events for all managed systems.
·
Database — The central storage component for all data
created and used by ePolicy Orchestrator. You can choose whether to house the
database on your McAfee ePO server or on a separate system, depending on the
specific needs of your organization.
·
McAfee
Agent — A vehicle of
information and enforcement between the McAfee ePO server and each managed
system. The agent retrieves updates, ensures task implementation, enforces
policies, and forwards events for each managed system. It uses a separate
secure data channel to transfer data to the server. A McAfee Agent can also be
configured as a SuperAgent.
·
Master
repository — The central location
for all McAfee updates and signatures, residing on the McAfee ePO server. The
master repository retrieves user-specified updates and signatures from McAfee
or from user-defined source sites.
·
Distributed
repositories — Local access points
strategically placed throughout your environment for agents to receive
signatures, product updates, and product installations with minimal bandwidth
impact. Depending on how your network is configured, you can set up SuperAgent,
HTTP, FTP, or UNC share distributed repositories.
·
Remote
Agent Handlers — A server that you
can install in various network locations to help manage agent
communication, load balancing, and product updates. A Remote Agent Handler
consists of an Apache server and an event parser. Agent Handlers help you manage the
needs of large or complex network infrastructures by giving you more control
over agent-server communication.
·
Registered
servers — Used to register
other servers with your McAfee ePO server. Registered server types include:
LDAP server — Used for Policy Assignment Rules and to
enable automatic user account creation.
SNMP server — Used to receive an SNMP trap. Add the SNMP
server’s information so that ePolicy Orchestrator knows where to send the
trap.
Database server — Used to extend the advanced reporting tools
provided with ePolicy Orchestrator software.
Q.5 How does the ePO software work?
ePolicy Orchestrator software is designed to
be extremely flexible. It can be set up in many different ways to meet your
unique needs.
The software follows the classic client-server
model, in which a managed client system calls into your server for
instructions. To facilitate this call to the server, a McAfee Agent is deployed
to each system in your network. Once an agent is deployed to a system, the
system can be managed by your McAfee ePO server. Secure communication between
the server and managed system is the bond that connects all the components of
your ePolicy Orchestrator software. The figure below shows an example of how
your McAfee ePO server and components inter-relate in your secure network
environment.
1 Your McAfee ePO server connects to the McAfee update server to
pull down the latest security content.
2 The ePolicy Orchestrator database stores all the data about the
managed systems on your network,including:
·
System properties
·
Policy information
·
Directory structure
·
All other relevant
data the server needs to keep your systems up-to-date.
3 McAfee Agents are deployed to your systems to facilitate:
·
Policy enforcement
·
Product deployments
and updates
·
Reporting on your
managed systems
4 Agent-server secure communication (ASSC) occurs at regular
intervals between your systems and server. If remote Agent Handlers are installed
in your network, agents communicate with the server through their assigned
Agent Handlers.
5 Users log onto the ePolicy Orchestrator console to perform
security management tasks, such as running queries to report on security
status or working with your managed software security policies.
6 The McAfee update server hosts the latest security content, so
your ePolicy Orchestrator can pull the content at scheduled intervals.
7 Distributed repositories placed throughout your network host
your security content locally, so agents can receive updates more quickly.
8 Remote Agent Handlers help to scale your network to handle more
agents with a single McAfee ePO server.
9 Automatic Response notifications are sent to security
administrators to notify them that an event has occurred.
Q.6 What is the default console port of ePO?
Console-to-application server
communication port: 8443 (the TCP port that the
ePO Application Server service uses to allow web browser UI access).
Q.7 What is the default policy assigned to groups in
ePO?
Until you create additional policies, all
computers are assigned the McAfee Default policy.
The McAfee Default policy is
configured with settings recommended by McAfee to protect many
environments and ensure that all computers can access important websites and applications
until you have a chance to create a customized policy.
You cannot rename or modify the McAfee
Default policy. When you add computers to your account, the McAfee
Default policy is assigned to them. When you delete a policy that is
assigned to one or more groups, the McAfee Default policy is
assigned to those groups automatically.
The first time you create a new policy,
the McAfee Default policy settings appear as a guideline. This
enables you to configure only the settings you want to change without having to
configure them all.
After you create one or more new policies, you
can select a different default policy for your account. In the future, new
policies will be prepopulated with these default settings, and the new default
policy is assigned to new computers (if no other policy is selected) and groups
whose policy is deleted.
Q.8 On which port does ePO communicate with the
client agent?
Agent wake-up communication port / SuperAgent
repository port: 8081 (TCP).
·
Agents listen on this port to receive agent wake-up requests from
the ePO server or an Agent Handler.
·
SuperAgents configured as repositories use the same port to receive content from the ePO server during repository replication, and to serve that content to client systems.
Note that the wake-up call only prompts the agent to call in. The agent-initiated
agent-server communication itself goes to the ePO server or Agent Handler on the
agent-server communication port (80 by default) or the secure agent-server
communication port (443 by default).
Q.9 What is the purpose of a SuperAgent?
A SuperAgent is an agent with the ability to
contact all agents in the same subnet as the SuperAgent, using the SuperAgent
wake-up call. Its use is triggered by Global Updating being enabled on the
ePolicy Orchestrator (ePO) server, and it provides a bandwidth-efficient method
of sending agent wake-up calls.
If you operate in a Windows environment and
plan to use agent wake-up calls to initiate Agent-server communication,
consider converting an agent on each network broadcast segment into a
SuperAgent.
SuperAgents distribute the bandwidth load of
concurrent wake-up calls. Instead of sending agent wake-up calls from the
server to every agent, the server sends the SuperAgent wake-up call to
SuperAgents in the selected System Tree segment. When SuperAgents receive
this Wake-up call, they send broadcast wake-up calls to all agents in
their network broadcast segments.
The process is:
1.
Server sends a wake-up
call to all SuperAgents.
2.
SuperAgents broadcast
a wake-up call to all agents in the same broadcast segment.
3.
All agents (regular
agents and SuperAgents) exchange data with the server.
4.
An agent without an
operating SuperAgent on its broadcast segment is not prompted
to communicate with the server.
To deploy enough SuperAgents to the
appropriate locations, first determine the broadcast segments in your
environment and select a system (preferably a server) in each segment
to host a SuperAgent. Be aware that agents in broadcast segments without
SuperAgents do not receive the broadcast wake-up call, so they do not call
in to the server in response to a wake-up call.
Agent and SuperAgent wake-up calls use the
same secure channels. Ensure that:
·
The agent wake-up
communication port (8081 by default) is not blocked.
·
The agent broadcast
communication port (8082 by default) is not blocked.
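The placement rule above (identify every broadcast segment, pick one system per segment, preferably a server, and remember that segments without a SuperAgent never see the broadcast wake-up) can be checked mechanically against an inventory export. The following script is an added example, not McAfee code: the host list is constructed, and it assumes that the subnet prefix recorded for each host reflects the real Layer 2 broadcast domain.

```python
"""Plan SuperAgent placement, one per broadcast segment, and report
segments whose agents would never receive a broadcast wake-up call.
Added example; HOSTS is constructed sample data."""
import ipaddress
from collections import defaultdict

# Constructed inventory: (hostname, address/prefix, is_server)
HOSTS = [
    ("ws-01",  "10.1.1.20/24", False),
    ("ws-02",  "10.1.1.21/24", False),
    ("srv-01", "10.1.1.5/24",  True),
    ("ws-10",  "10.1.2.20/24", False),
    ("ws-11",  "10.1.2.21/24", False),
    ("srv-02", "10.1.3.5/24",  True),
    ("srv-03", "10.1.3.6/24",  True),
]


def broadcast_segments(hosts):
    """Group hosts by the broadcast domain implied by address/prefix
    (assumption: the prefix matches the real L2 segment)."""
    segments = defaultdict(list)
    for name, cidr, is_server in hosts:
        iface = ipaddress.ip_interface(cidr)
        segments[iface.network].append((name, iface.ip, is_server))
    return segments


def choose_superagents(hosts):
    """Pick one SuperAgent candidate per segment: servers first, then the
    lowest address so the choice is deterministic. Returns {network: host}."""
    choice = {}
    for net, members in broadcast_segments(hosts).items():
        members.sort(key=lambda m: (not m[2], int(m[1])))
        choice[net] = members[0][0]
    return choice


def coverage_report(hosts, deployed):
    """Given the hostnames that actually run a SuperAgent, list the segments
    whose agents are not prompted by the broadcast wake-up call."""
    uncovered = []
    for net, members in broadcast_segments(hosts).items():
        if not any(name in deployed for name, _, _ in members):
            uncovered.append((str(net), [name for name, _, _ in members]))
    return uncovered


if __name__ == "__main__":
    plan = choose_superagents(HOSTS)
    for net, host in plan.items():
        print(f"{net}: convert {host} to SuperAgent (allow TCP 8081 in, 8082 broadcast)")
    # Pretend only the two servers were converted; 10.1.2.0/24 is left uncovered.
    print("uncovered:", coverage_report(HOSTS, {"srv-01", "srv-02"}))
```

The coverage report is the part worth keeping around: run it after each System Tree export so that a segment that gained its first agents (or lost its SuperAgent host) shows up before you rely on wake-up calls for an urgent DAT push.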
Q.10 What is a McAfee Agent Handler?
Agent Handlers are the component of ePolicy
Orchestrator that handles communication between agents and the server.
Multiple remote handlers can help you address
scalability and topology issues in your network, and in some cases using
multiple agent handlers can limit or reduce the number of ePO servers in your
environment. They can provide fault tolerant and load-balanced communication
with a large number of agents including geographically distributed agents.
Q.11 How do Agent Handlers work?
Agent Handlers distribute the network traffic
generated by agent-to-server communication: managed systems, or
groups of systems, are assigned to report to a specific Agent Handler. Once assigned, a
managed system performs its regular agent-server communication with its Agent Handler instead of the main
ePO server. The handler provides updated site lists, policies, and policy
assignment rules just as the ePO server does. The handler also caches the contents
of the master repository, so that agents can pull product update packages,
DATs, and other necessary content from it.
NOTE: When an agent checks in with its
handler and the handler does not have the updates the agent needs, the handler retrieves
them from its assigned repository and caches them while passing the update
through to the agent.
Q.12 What are the considerations for scalability?
How you manage scalability depends on
whether you use multiple McAfee ePO servers, multiple remote Agent Handlers, or
both. With ePolicy Orchestrator software, you can scale your deployment vertically
or horizontally.
·
Vertical
scalability — Adding and upgrading
to bigger, faster hardware to manage larger and larger deployments.
Scaling your McAfee ePO server infrastructure vertically is accomplished
by upgrading your server hardware, and using multiple McAfee ePO servers
throughout your network, each with its own database.
·
Horizontal
scalability — Accomplished by
increasing the deployment size that a single McAfee ePO server can manage.
Scaling your server horizontally is accomplished by installing
multiple remote Agent Handlers, each reporting to a single database.
Q.13 When should you use multiple McAfee ePO
servers?
Depending on the size and make-up of your
organization, using multiple McAfee ePO servers might be required.
Some scenarios in which you might want to use
multiple servers include:
·
You want to maintain
separate databases for distinct units within your organization.
·
You require separate
IT infrastructures, administrative groups, or test environments.
·
Your organization is
distributed over a large geographic area, and uses a network connection with
relatively low bandwidth such as a WAN, VPN, or other slower connections
typically found between remote sites.
Using multiple servers in your network
requires that you maintain a separate database for each server.
You can roll up information from each server
to your main McAfee ePO server and database.
Q.14 When should you use multiple remote Agent
Handlers?
Multiple remote Agent Handlers help you manage
large deployments without adding additional McAfee ePO servers to your
environment.
The Agent Handler is the component of your
server responsible for managing agent requests. Each McAfee ePO server
installation includes an Agent Handler by default. Some scenarios in which
you might want to use multiple remote Agent Handlers include:
·
You want to allow
agents to choose between multiple physical devices, so they can continue to
call in and receive policy, task, and product updates; even if the application
server is unavailable, and you don’t want to cluster your McAfee ePO server.
·
Your existing ePolicy
Orchestrator infrastructure needs to be expanded to handle more
agents, more products, or a higher load due to more frequent agent-server
communication intervals (ASCI).
·
You want to use your
McAfee ePO server to manage disconnected network segments, such as systems
that use Network Address Translation (NAT) or in an external network.
Multiple Agent Handlers can provide added
scalability and lowered complexity in managing large deployments. However,
because Agent Handlers require a very fast network connection, there
are some scenarios in which you should not use them, including:
·
To replace distributed
repositories. Distributed repositories are local file shares intended to
keep agent communication traffic local. While Agent Handlers do have
repository functionality built in, they require constant communication
with your ePolicy Orchestrator database, and therefore consume a
significantly larger amount of bandwidth.
·
To improve repository
replication across a WAN connection. The constant communication back
to your database required by repository replication can saturate the WAN
connection.
·
To connect a
disconnected network segment where there is limited or irregular connectivity
to the ePolicy Orchestrator database.
Q.15 What is DLP?
Data loss prevention (DLP) is a strategy for
making sure that end users do not send sensitive or critical information
outside the corporate network. The term is also used to describe software
products that help a network administrator control what data end users can
transfer.
Q.16 What is Endpoint Encryption for PC?
Endpoint Encryption for PC (EEPC) is a
computer security system that prevents data stored on a hard drive from being
read or used by an unauthorized person. With EEPC, users are forced to identify
themselves to the security system when the computer is started. This is done by
requiring up to three authentication methods:
·
Password
·
User ID
·
Token (Loaded on a
floppy disk or any ISO 7816 smart card)
If the person accessing the computer fails to
enter the correct information, EEPC prevents access to the computer as well as
the encrypted data stored within. To gain access to an EEPC protected PC when
using a smart card, users must insert their card into the reader when the EEPC
authentication screen is displayed, then type their password and optional user
ID. After the smart card verifies the password and EEPC has established
that the correct token is used, the user is then granted access to the
computer.
Q.17 Is the Event Parser service
running?
On the server side, ePO consists of three
separate services:
·
The ePO Server
service (Apache), responsible for the direct handling of agent-to-server communication;
·
The Event Parser
service, responsible for inserting new client-generated events into the
ePO database;
·
The ePO
Application Server service (Tomcat), where all the application logic runs and which also
serves the console you use to manage ePO.
Under certain circumstances, particularly when
there is a problem with the database, the Event Parser service can
stop working. This prevents new events from being added to the database,
essentially leaving you blind to what is happening on managed systems. Check whether the Event Parser service is
running and correct the problem if it is not.
Q.18 Explain tags and tag
functionality in McAfee ePO.
Tags allow users to create labels that can be
applied to systems manually or automatically, based on the criteria assigned to
the tag.
Similar to IP sorting criteria, you can use
tags for automated sorting into groups. Tags are used to identify systems with
similar characteristics. If you organize some of your groups by such
characteristics, you can create and assign tags based on such criteria and use
these tags as group sorting criteria to ensure these systems are automatically
placed within the appropriate groups.
Tag functionality:
You can do the following with tags:
·
Apply one or more tags
to one or more systems.
·
Apply tags manually.
·
Apply tags
automatically, based on user-defined criteria, when the agent calls in.
·
Exclude systems from
tag application.
·
Run queries to group
systems with certain tags, then take direct actions on the resulting list of
systems.
·
Base System Tree
sorting criteria on tags to place systems into the appropriate System Tree
groups automatically.
Types of tags
There are two types of tags:
·
Tags
without criteria – These
tags can be applied only to selected systems in the System Tree (manually) and
systems listed in the results of a query (manually or on a scheduled basis).
·
Criteria-based
tags – These
tags are applied to all non-excluded systems at each agent-server
communication. Such tags use criteria based on any properties sent by agent.
They can also be applied to all non-excluded systems on-demand.
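The two tag types and the sorting behaviour above can be illustrated with a small model of what happens at each agent check-in: criteria-based tags are evaluated against the properties the agent just reported (skipping excluded systems), tags without criteria are only ever applied manually, and the resulting tag set is matched against ordered System Tree sorting rules. This is an added illustration, not McAfee's implementation; the property names (OSType, IPAddress), tag names, group paths, sorting rules and sample systems are all assumptions, and the example only adds tags at check-in (whether stale criteria-based tags are cleared automatically is not modelled here).

```python
"""Criteria-based tags applied at agent check-in, then used as System Tree
sorting criteria. Added illustration; tag names, properties, group paths
and sample systems are assumptions, not ePO's own data."""
import ipaddress


class Tag:
    """criterion is None for a tag without criteria (manual or query use
    only); excluded lists systems that never receive the tag automatically."""

    def __init__(self, name, criterion=None, excluded=()):
        self.name = name
        self.criterion = criterion
        self.excluded = set(excluded)

    def applies_to(self, system, props):
        return (self.criterion is not None
                and system not in self.excluded
                and self.criterion(props))


def apply_criteria_tags(system, props, current_tags, tags):
    """Run on every agent-server communication: add each criteria-based tag
    whose criteria match the freshly reported properties. Tags are only
    added here; removal of stale tags is not modelled (assumption)."""
    result = set(current_tags)
    for tag in tags:
        if tag.applies_to(system, props):
            result.add(tag.name)
    return result


def sort_into_group(tags, sorting_rules, lost_and_found="Lost&Found"):
    """sorting_rules is an ordered list of (required_tag, group_path); the
    first rule whose tag is present wins. Systems no rule matches land in
    Lost&Found, which is where ePO places systems it cannot sort."""
    for required_tag, group in sorting_rules:
        if required_tag in tags:
            return group
    return lost_and_found


def is_server(p):
    return p["OSType"].startswith("Windows Server")


def is_workstation(p):
    return p["OSType"].startswith("Windows") and not is_server(p)


def in_subnet(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["IPAddress"]) in net


# Constructed tag definitions (assumed names)
TAGS = [
    Tag("Server", is_server),
    Tag("Workstation", is_workstation),
    Tag("DC-Site", in_subnet("10.1.3.0/24"), excluded={"lab-01"}),
    Tag("DLP-Pilot"),                      # no criteria: manual application only
]

# Constructed sorting criteria, evaluated in order (assumed group paths)
SORTING_RULES = [
    ("DC-Site", "My Organization/Datacenter"),
    ("Server", "My Organization/Servers"),
    ("Workstation", "My Organization/Workstations"),
]


def check_in(system, props, current_tags=(), manual_tags=()):
    """One agent check-in: evaluate criteria tags, keep manually applied
    tags, and return (tags, System Tree group)."""
    tags = apply_criteria_tags(system, props, current_tags, TAGS) | set(manual_tags)
    return tags, sort_into_group(tags, SORTING_RULES)


if __name__ == "__main__":
    print(check_in("srv-01", {"OSType": "Windows Server 2012 R2", "IPAddress": "10.1.3.5"}))
    print(check_in("lab-01", {"OSType": "Windows Server 2008 R2", "IPAddress": "10.1.3.9"}))
    print(check_in("ws-01", {"OSType": "Windows 7", "IPAddress": "10.1.1.20"}, manual_tags={"DLP-Pilot"}))
```

Note how lab-01 sits inside the datacenter subnet but, being excluded from the DC-Site tag, is sorted by the next rule that matches; that is the behaviour to test for whenever you add an exclusion, since the system silently moves to a different group with different policies.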
Q.19 How does agent-server
communication work?
McAfee Agent communicates with the McAfee ePO
server periodically to send events and to ensure that all settings are up to date.
These communications are referred to as agent-server
communication. During each agent-server communication, McAfee Agent
collects its current system properties, as well as events that have not yet
been sent, and sends them to the server. The server sends new or changed
policies and tasks to McAfee Agent, and the repository list if it has changed
since the last agent-server communication. McAfee Agent enforces the new
policies locally on the managed system and applies any task or repository
changes.
The McAfee ePO server uses an industry-standard
Transport Layer Security (TLS) network protocol for secure network
transmissions.
When McAfee Agent is first installed, it
calls in to the server within a few seconds. Thereafter, McAfee Agent calls
in whenever one of the following occurs:
·
The agent-server
communication interval (ASCI) elapses.
·
McAfee Agent wake-up
calls are sent from the McAfee ePO server or Agent Handlers.
·
A scheduled wake-up
task runs on the client systems.
·
Communication is
initiated manually from the managed system (using Agent Status monitor
or command line).
Q.20 How often does the McAfee Agent
call into the McAfee ePO server?
The agent-server communication interval (ASCI) defaults to
60 minutes, which means that McAfee Agent contacts the McAfee ePO server (or its
assigned Agent Handler) once every hour.
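The exchange described in Q.19 and the interval in Q.20 can be simulated end to end: on each communication the agent uploads its current properties and the events it has not yet sent, the server replies with only the policies whose version the agent does not already hold and with the repository list only if it changed, and the agent enforces the delta locally. Both the ASCI timer and a server-initiated wake-up call are modelled as triggers. This is an added example and not McAfee's code; the policy names, version counters, event records, simulated clock and the assumption that the server tracks changes by per-policy version numbers are all illustrative. Transport security (TLS) is outside its scope.

```python
"""Simulation of agent-server communication: properties and unsent events
go up, changed policies and (when changed) the repository list come down.
Added example; all names, versions and events are constructed."""


class EpoServer:
    """Server or Agent Handler side. Version counters let it send deltas."""

    def __init__(self):
        self.policies = {}                      # name -> (version, settings)
        self.repo_list = ["ePO master repository"]
        self.repo_version = 1
        self.events = []                        # what the Event Parser would insert
        self.properties = {}                    # last reported properties per system

    def set_policy(self, name, settings):
        version = self.policies.get(name, (0, None))[0] + 1
        self.policies[name] = (version, settings)

    def set_repo_list(self, repos):
        self.repo_list = list(repos)
        self.repo_version += 1

    def handle_check_in(self, system, props, events, held_versions, held_repo_version):
        """One inbound agent-server communication."""
        self.properties[system] = props
        self.events.extend(events)
        changed = {name: (ver, cfg) for name, (ver, cfg) in self.policies.items()
                   if held_versions.get(name) != ver}
        repo = None
        if held_repo_version != self.repo_version:
            repo = (self.repo_version, list(self.repo_list))
        return {"policies": changed, "repo": repo}


class McAfeeAgent:
    """Managed-system side. ASCI defaults to 60 minutes."""

    def __init__(self, system, server, asci_minutes=60):
        self.system = system
        self.server = server
        self.asci_seconds = asci_minutes * 60
        self.policies = {}                      # name -> (version, settings)
        self.repo_version = 0
        self.repo_list = []
        self.unsent_events = []
        self.last_contact = None
        self.last_reason = None

    def record_event(self, event):
        self.unsent_events.append(event)

    def collect_properties(self):
        return {"ComputerName": self.system, "AgentVersion": "5.0.1"}  # constructed

    def is_due(self, now):
        """True when the ASCI has elapsed, or the agent has never called in."""
        return self.last_contact is None or now - self.last_contact >= self.asci_seconds

    def communicate(self, now, reason):
        """One agent-server communication, whatever triggered it."""
        reply = self.server.handle_check_in(
            self.system, self.collect_properties(), list(self.unsent_events),
            {name: ver for name, (ver, _) in self.policies.items()},
            self.repo_version)
        self.unsent_events.clear()              # delivered events are no longer pending
        self.policies.update(reply["policies"]) # enforce new/changed policies locally
        if reply["repo"] is not None:
            self.repo_version, self.repo_list = reply["repo"]
        self.last_contact, self.last_reason = now, reason
        return reply

    def tick(self, now):
        """Scheduler: call in only when the interval has elapsed."""
        return self.communicate(now, "asci") if self.is_due(now) else None


def wake_up(agent, now):
    """Server- or handler-initiated wake-up call: forces an immediate check-in."""
    return agent.communicate(now, "wake-up")


if __name__ == "__main__":
    srv = EpoServer()
    srv.set_policy("VSE On-Access Scan", {"enabled": True})
    ag = McAfeeAgent("ws-01", srv)
    ag.record_event({"EventID": 1027, "Threat": "EICAR test file"})   # constructed event
    print("initial:", ag.tick(0))
    print("30 min later, not due:", ag.tick(1800))
    srv.set_policy("VSE On-Access Scan", {"enabled": True, "heuristics": True})
    print("wake-up delivers only the changed policy:", wake_up(ag, 2400))
```

The point the simulation makes is that a policy change on the server is not enforced until the next communication, so with the default interval an edit can take up to an hour to reach a system unless you send a wake-up call; and that a reply carrying an empty policy delta and no repository list is the normal, healthy steady state, not a failed check-in.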