
ePO Endpoint Deployment Kit – EEDK

Getting started guide

Revision Draft 001, Date 20161101

By Steen Pedersen, Principal Architect, Intel Security

[email protected]

Page | 1
Notices
Copyright
Copyright © 2016 Intel Security - All rights reserved.
This document contains proprietary information of Intel Security and is subject to a license agreement
or nondisclosure agreement. No part of this document may be reproduced, transmitted, transcribed,
stored in a retrieval system, or translated into another language, in any form or by any means,
without the prior written consent of Intel Security.

For information, please contact:


Intel Security

Steen Pedersen, Principal Architect, [email protected]

Trademarks
This document may make reference to other software and hardware products by name. In most if
not all cases, the companies that manufacture these other products claim these product names as
trademarks. It is not the intention of Intel Security to claim these names or trademarks as its own.

Disclaimer
The information contained in this document is subject to change without notice.
INTEL SECURITY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. Intel Security shall not be liable for errors contained herein or for incidental
or consequential damages in connection with the furnishing, performance, or use of this material.

Intel Security reserves the right to add, subtract or modify features or functionality, or modify the
product, at its sole discretion, without notice.

Intel Security makes no commitment, implied or otherwise, to support any functionality or technology
discussed or referenced in this document.

Contents
Notices .......... 2
Disclaimer .......... 2
Contents .......... 3
1 Introduction .......... 5
1.1 WARNING .......... 5
1.2 Additional information about Intel Security products .......... 5
2 What is EEDK .......... 6
3 Common Use Cases .......... 7
4 Build an ePO package .......... 8
4.1 Understand the EEDK GUI .......... 8
5 EEDK - ePO Endpoint Deployment Kit .......... 10
5.1 Download EEDK .......... 10
5.2 McAfee Profiler ePO Package .......... 10
5.3 GetSusp ePO package .......... 10
5.4 Consolidate and migrate to other ePO server .......... 10
6 Important points and common issues .......... 11
6.1 Verify the content placed in the ePO package .......... 11
6.2 Missing Build directory .......... 11
6.3 Make sure new packages are replicated .......... 12
6.4 Check the content of the ePO package .......... 12
6.5 Windows 10 - EEDK missing some DLL files for performing build .......... 13
7 Examples for Windows .......... 14
7.1 Example of simple Batch script for EEDK .......... 14
7.2 Example of Batch script with parameters for EEDK .......... 14
7.3 Example of VBScript .......... 15
7.4 Using AutoIT script and CustomProps .......... 15
7.5 Generate an EICAR test file on Windows .......... 17
7.6 Access Protection rule test .......... 17
7.7 Copy VSE log files to collection point .......... 18
7.8 GetSusp with encrypted upload to FTPS server .......... 18
8 Examples for Linux .......... 21
8.1 Generate an EICAR test file on Linux .......... 21
9 Share for central collection point .......... 22
9.1 Test share with System Account .......... 23
10 Tools .......... 24
10.1 Tools for Hash MD5, SHA1, SHA256 .......... 24
10.2 GetSusp .......... 24
10.3 GetClean .......... 27
10.4 Sigcheck – Sysinternals/Microsoft .......... 27
11 Acronyms and Terms .......... 30
1 Introduction
This document contains getting started information and tips for using the ePO Endpoint Deployment Kit (EEDK),
with focus on Windows and a few examples for Linux and MacOS.

The EEDK tool, shared EEDK packages, additional EEDK information and tools can be found at the McAfee
Tool Exchange community: https://community.mcafee.com/community/archives/toolexchange

1.1 WARNING
EEDK is a very powerful tool, and packages created and deployed with it must be handled with care. Deployment
to 1 or 100,000 systems can be done with very few clicks.

1.2 Additional information about Intel Security products


Please use the Intel Security Expert Center and Communities as sources of technical information.

https://community.mcafee.com/community/business/expertcenter

Community: https://community.mcafee.com/community/business

2 What is EEDK
The EEDK - ePO Endpoint Deployment Kit is a tool which builds ePO packages, making it possible to deploy
tools or applications to any system managed by ePO (Windows, Mac OS and Linux). The package can be a
single file or a collection of files from a "source" folder.

Flow of use:

1. Start EEDK.
2. Choose a single file or a folder with files.
3. Enter the command line to execute, with the option to pass parameters.
4. Set the software package properties.
5. Select OS Support.
6. Specify the "Build Folder" in Tools -> Options.
7. Build Package. The result is placed in the build folder as <Product Name>.ZIP.
8. Check the package into the ePO Master Repository.
9. Create a McAfee Agent Deployment Task for the package.
10. The task can now be deployed to all managed systems.

3 Common Use Cases
Common Use Cases:

• Special removal of 3rd party antivirus
• Collection of additional information on the endpoint, sent back to ePO in Agent CustomProps, which are
searchable in the ePO SQL database
• ePO migration or consolidation – deploy the McAfee Agent from a new/other ePO server
• Forensic tool
• GetSusp
– Collection on a normal file server
– Upload results and samples to an FTPS server
• Deployment of 3rd party agents

4 Build an ePO package
4.1 Understand the EEDK GUI

1. A source file or a directory containing files. All files from the directory will be included in the package.
2. Product Name: must be an 8 character product name which can include letters, numbers and
underscores.
3. Product ID: a 4 digit number that will be unique to this version of your product.
4. Product Version: displayed in the ePO console Master Repository as the product version number,
both major and minor.
5. Product Description: the text displayed in the ePO console Master Repository as the product name.
6. Command to Run: the command executed by the agent once the file(s) have been downloaded. It
should contain the script/executable to be run along with any command line options. Command line
options can also be provided in the McAfee Agent Deployment Task built in the ePO console.
7. Product Detection Key: the registry key used by the agent to determine if a product is installed. It
is combined with the key value.
8. Product Detection Value: the registry value used by the agent to determine if a product is installed.
It is combined with the key. Note: leaving these at the default, or pointing them at a key and value
which do not exist, will make the package execute every time it is scheduled by the Assignment.
9. OS Support: specifies on which OS the package will be accepted and executed.

10. Before “Build Package” can be executed the Build (Target) Directory must be specified in the

5 EEDK - ePO Endpoint Deployment Kit
How to get access to EEDK and different tools.

5.1 Download EEDK


EEDK is a great tool to create your own ePO deployable packages:
https://community.mcafee.com/docs/DOC-3401#/
Very useful for packing and deploying McAfee Agents to a new ePO server from an old ePO
server.

5.2 McAfee Profiler ePO Package


Deploy McAfee Profiler using ePO: https://community.mcafee.com/docs/DOC-3891 (only
relevant for VirusScan Enterprise 8.8 (VSE)).
Now it is easy to deploy and run McAfee Profiler on a few selected systems without being in
front of the system or using Remote Desktop.

5.3 GetSusp ePO package


It is also good to be aware of the GetSusp ePO package:
http://downloadcenter.mcafee.com/products/mcafee-avert/getsusp/getsusp-ePO.zip
It can be deployed so that it places the reports and samples on a UNC share, using the --zippath=<drive
and path> parameter in the Deploy task.

5.4 Consolidate and migrate to other ePO server


Deploy a specific McAfee Agent from another ePO server. This is often used for migration to another
ePO server or consolidation to a central ePO server.

Command line: FramePkg.exe /INSTALL=AGENT /FORCEINSTALL /SILENT

6 Important points and common issues
There are several things which can go wrong when working with ePO deployable content. This section
covers some of the common issues and how to address these.

6.1 Verify the content placed in the ePO package


It is critical to verify and test the content (scripts and executables) before building the ePO package,
as it is rather difficult to test the ePO package during deployment.

6.1.1 Test the scripts for EEDK with SYSTEM account


The McAfee Agent runs as the SYSTEM account and executes ePO deployment tasks with the local
SYSTEM account. This means that all scripts and executables packed by EEDK will be executed on the
endpoint as local SYSTEM. Therefore it is recommended that any scripts and executables are tested
running as SYSTEM before they are built into an ePO package by EEDK.

Test the script by running it as the local SYSTEM account:

• Use PSEXEC.exe from Microsoft Sysinternals to open a system prompt (requires local
administrator privileges)
– Start CMD.EXE with "Run as Administrator"
– From this command line run: psexec.exe /s /i cmd.exe
– The command prompt that opens runs as local SYSTEM
– Verify with the whoami command
– The script can now be tested in this new command prompt
• The SYSTEM account has several limitations
– It cannot interact with the user interface
– It does not have the same user space in the registry (no interactive user's HKEY_CURRENT_USER)

6.2 Missing Build directory


The error: Setting Not Validated - Build: "" does not exist.

This is a common mistake where the Build Folder has not been specified or points to a directory which
does not exist. Choose Tools and then Options in the EEDK GUI and specify a directory where the package
can be built.

6.3 Make sure new packages are replicated
When a new ePO package is checked into the Master Repository on the ePO Server, it is only available
in the repository on the ePO server and on the Agent Handlers.

A common mistake is to start McAfee Agent Deployment tasks right away on some pilot endpoints to
verify that the package deployed using ePO is working. Often this deployment does not work and nothing
happens on the endpoints, because these endpoints use other repositories where the new ePO package
is not yet available.

To address this, make sure the Master Repository is replicated to all repositories, except SuperAgent
Lazy Cache repositories, where replication is not recommended because the Lazy Cache function automatically
picks up the new content when an endpoint requests it. (Note that it can take up to 30 minutes for the
SuperAgent lazy cache to flush before the repository contains the information about the updated content
in the Master Repository.) For all non-Lazy-Cache repositories, start a repository replication from
ePO so the new ePO package is distributed and available on all repositories.

6.4 Check the content of the ePO package


Before checking in the new ePO package into Master Repository it is recommended to verify the content
of the package - the .ZIP file generated in the Build directory by EEDK.

There have been situations where the ZIP package was created but did not contain the files
selected in the EEDK tool.

The ePO package .ZIP file should contain all the files selected in the EEDK tool plus a few control files.

Example of a simple ePO package named EICARTES1000.ZIP with a CMD script. The ZIP file contains 3
files:

drop_test_file.cmd (the script)

EICARTES1000-det.mcs (added by EEDK for detecting whether "your application" is installed)

PkgCatalog.z (details about the files in the package for integrity verification)

The PkgCatalog.z and <package name>-det.mcs files are created by the EEDK tool. These two files are always
added to the ePO package generated by EEDK.

PkgCatalog.z is an encrypted file which contains information about all the files in the package.

<package name>-det.mcs contains information about the registry key which can be used to verify if the
application deployed in the package is installed. IMPORTANT: This is very useful if your package contains
an application installation and you only want the McAfee Agent to download and attempt the installation
if the application is not already installed.
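As an added example (not part of the EEDK guide or the EEDK tool), a small Python check that performs the verification described in this section on the built ZIP: it derives the expected control file names from the <ProductName><ProductID> file name (8 characters plus 4 digits, as in EICARTES1000.ZIP and the rules in section 4.1), confirms that PkgCatalog.z and <name>-det.mcs are present, and compares the packed files against the EEDK source folder. The function names and the constructed sample packages in demo() are my own assumptions; the check does not validate the contents of PkgCatalog.z itself.

```python
"""Check an EEDK-built ePO package (.ZIP) before it is checked in to the Master Repository."""
import os
import re
import tempfile
import zipfile

# Control files EEDK always adds to the package (section 6.4 of the guide).
CATALOG_FILE = "PkgCatalog.z"
DET_SUFFIX = "-det.mcs"
# Package base name = 8-character product name + 4-digit product ID, e.g. EICARTES1000
PACKAGE_NAME_RE = re.compile(r"^([A-Za-z0-9_]{8})(\d{4})$")


def package_identity(zip_path):
    """Split the ZIP file name into product name, product ID and expected control files."""
    base = os.path.splitext(os.path.basename(zip_path))[0]
    match = PACKAGE_NAME_RE.match(base)
    if not match:
        raise ValueError(f"{base!r} is not <ProductName 8 chars><ProductID 4 digits>")
    product_name, product_id = match.groups()
    return product_name, product_id, {CATALOG_FILE, base + DET_SUFFIX}


def source_files(source_dir):
    """Relative paths of every file below the EEDK source folder, ZIP style ('/')."""
    found = set()
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), source_dir)
            found.add(rel.replace(os.sep, "/"))
    return found


def verify_package(zip_path, source_dir):
    """Compare the built ZIP against the source folder and the EEDK control files.

    The returned dict has 'ok' set only when every source file was packed, both
    control files are present, nothing unexpected is inside and no member is corrupt.
    """
    product_name, product_id, control = package_identity(zip_path)
    with zipfile.ZipFile(zip_path) as zf:
        corrupt = zf.testzip()  # None when every member's CRC checks out
        packed = {info.filename for info in zf.infolist() if not info.is_dir()}
    wanted = source_files(source_dir)
    report = {
        "product_name": product_name,
        "product_id": product_id,
        "missing_source_files": sorted(wanted - packed),
        "missing_control_files": sorted(control - packed),
        "unexpected_entries": sorted(packed - wanted - control),
        "corrupt_member": corrupt,
    }
    report["ok"] = not (
        report["missing_source_files"]
        or report["missing_control_files"]
        or report["unexpected_entries"]
        or corrupt
    )
    return report


def demo():
    """Build two constructed sample packages in a temp folder and verify both.

    EICARTES1000.ZIP mirrors the guide's example (script + two control files);
    EICARTES1001.ZIP reproduces the failure where the selected script was not packed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        os.makedirs(src)
        script = os.path.join(src, "drop_test_file.cmd")
        with open(script, "w") as fh:
            fh.write("@echo off\r\nExit /B 0\r\n")  # constructed stand-in for the real script
        good = os.path.join(tmp, "EICARTES1000.ZIP")
        with zipfile.ZipFile(good, "w") as zf:
            zf.write(script, "drop_test_file.cmd")
            zf.writestr("EICARTES1000-det.mcs", "constructed detection data")
            zf.writestr(CATALOG_FILE, "constructed catalog data")
        bad = os.path.join(tmp, "EICARTES1001.ZIP")
        with zipfile.ZipFile(bad, "w") as zf:
            zf.writestr("EICARTES1001-det.mcs", "constructed detection data")
            zf.writestr(CATALOG_FILE, "constructed catalog data")
        return verify_package(good, src), verify_package(bad, src)


if __name__ == "__main__":
    for result in demo():
        print(result)
```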

6.5 Windows 10 - EEDK missing some DLL files for performing build
This issue has been seen on Windows 10: when the EEDK tool is set to build the package, it fails with a
missing DLL file needed by ePOSign.exe.

On Windows 10, add the two runtime files msvcp71.dll and msvcr71.dll to the directory where
EEDK.EXE and ePOSign.EXE are located. These files can be found in the McAfee Agent 4.8 folder or the HIPS
8.0 folder.

7 Examples for Windows
7.1 Example of simple Batch script for EEDK
Simple batch script which installs McAfee Profiler from the package, or uninstalls it when the
deployment task passes the parameter "uninstall":

@echo off
:: Get number of input parameters
set argC=0
for %%x in (%*) do Set /A argC+=1

:: ################################################
:: Set environment to current product folder
pushd "%~dp0"
:: Get software package source directory and set as variable SRCDIR
SET SRCDIR=
for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a

if %argC%==0 GOTO INSTALL
:: Case-insensitive compare; "%~1" strips any quotes around the parameter
if /I "%~1"=="uninstall" GOTO UNINSTALL

:INSTALL
%comspec% /c %systemroot%\system32\msiexec.exe /i "%SRCDIR%\McProfilerSetup.msi" /quiet
GOTO END

:UNINSTALL
:: msiexec /x expects the MSI path (or the product code GUID), not {McProfilerSetup.msi}
%comspec% /c %systemroot%\system32\msiexec.exe /x "%SRCDIR%\McProfilerSetup.msi" /quiet

:END
:: Restore the previous directory, then exit and pass proper exit code to agent
:: ################################################
popd
Exit /B 0

7.2 Example of Batch script with parameters for EEDK

Usage of parameters from the command line option in the ePO Client Task.

@echo off
REM McAfee
REM Sets our environment to the current product folder
REM ################################################
pushd "%~dp0"
SET SRCDIR=
for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a

REM Get number of input parameters
set argC=0
for %%x in (%*) do Set /A argC+=1

REM Work goes here
REM ################################################
if %argC%==0 GOTO RUN_DEFAULT
GOTO RUN_WITH_PARAM

:RUN_DEFAULT
REM No parameters: run a 10 second profile and save it per computer name
REM %COMSPEC% /C ""%ProgramFiles%\McAfee\McAfee Profiler\McProfiler.exe" /Save "C:\\Profiler.mpr" /Time 5 /Silent"
%COMSPEC% /C ""%ProgramFiles%\McAfee\McAfee Profiler\McProfiler.exe" /Silent /Time 10 /Save "C:\\Profiler_%COMPUTERNAME%.mpr""
GOTO END

:RUN_WITH_PARAM
REM Parameters from the ePO Client Task are passed straight through to McProfiler
set cmdstr=%*
%COMSPEC% /C ""%ProgramFiles%\McAfee\McAfee Profiler\McProfiler.exe" /Silent %cmdstr%"
GOTO END

REM Example: %ProgramFiles%\McAfee\McAfee Profiler\McProfiler.exe /Silent /Time 5 /Save "C:\\Profiler.mpr"

REM Exit with proper exit code for McAfee Agent
REM ################################################
:END
popd
Exit /B 0

7.3 Example of VBScript


Finally managed to create a package using this wonderful tool which will run an executable that will make
a port exception for the ePO agent wake-up call.

Basically, the Visual Basic script called run_invisible is shown below.

Set WshShell = CreateObject("WScript.Shell")
' Window style 0 runs cmd hidden; the rule opens TCP 8081 (agent wake-up) for the ePO server address only
WshShell.Run "cmd /c netsh firewall add portopening protocol=TCP port=8081 name=McAfeeAgentWake-UpCalls scope=custom addresses=10.1.2.32", 0

This script creates the firewall exception using cmd running silently.

7.4 Using AutoIT script and CustomProps


AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and
general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control
manipulation in order to automate tasks in a way not possible or reliable with other languages.

https://www.autoitscript.com/site/

Example of an AutoIt script which reads the Windows install date and publishes it to ePO through
CustomProps3:

;=============================================================================
; Author: Steen Pedersen
; AutoIt script written 20150816
; Intel Security Professional Services
; Identify Systems Install Date and write to CustomProps3
;=============================================================================
;#include <StringConstants.au3>
;#include <MsgBoxConstants.au3>
#include <Date.au3>

; Declared Global so the assignment inside DetectInfrastructure() reaches these variables
Global $HKLM, $CustomProps, $McAfee_reg, $install_date_value, $install_date
Global $MAAGENT_PATH, $MAAGENT_CMDAGENT

; Select the 64-bit registry view on x64 so RegRead/RegWrite use the native hive
Func DetectInfrastructure()
    If @ProcessorArch = "X86" Then
        $HKLM = "HKEY_LOCAL_MACHINE"
    EndIf
    If @ProcessorArch = "X64" Then
        $HKLM = "HKEY_LOCAL_MACHINE64"
    EndIf
EndFunc

DetectInfrastructure()

; The McAfee Agent keys live under Wow6432Node on 64-bit Windows
If @ProcessorArch = "X86" Then
    $CustomProps = $HKLM & "\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\CustomProps"
    $McAfee_reg = $HKLM & "\SOFTWARE\Network Associates\ePolicy Orchestrator"
EndIf
If @ProcessorArch = "X64" Then
    $CustomProps = $HKLM & "\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent\CustomProps"
    $McAfee_reg = $HKLM & "\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator"
EndIf
;MsgBox(4096, "CustomProps", $CustomProps) ;DEBUG

; InstallDate is a REG_DWORD holding seconds since 1970/01/01 (Unix epoch)
$install_date_value = RegRead($HKLM & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "InstallDate")
$install_date = _DateAdd('s', $install_date_value, "1970/01/01 00:00:00")
;MsgBox(4096, "CustomProps", $install_date) ;DEBUG

;Clear CustomProps
;RegWrite($CustomProps, "CustomProps1", "REG_SZ", "")
;RegWrite($CustomProps, "CustomProps2", "REG_SZ", "")
RegWrite($CustomProps, "CustomProps3", "REG_SZ", $install_date_value & " - " & $install_date)
;RegWrite($CustomProps, "CustomProps4", "REG_SZ", "")

;Send Communication to ePO (CMDAGENT /P collects and sends the properties)
$MAAGENT_PATH = RegRead($McAfee_reg & "\Agent", "Installed Path")
$MAAGENT_CMDAGENT = $MAAGENT_PATH & "\CMDAGENT.EXE"
;MsgBox(4096, "CMDAGENT", $MAAGENT_CMDAGENT) ;DEBUG

; Quote the path: the agent is normally installed under "Program Files", which contains a space
Run('"' & $MAAGENT_CMDAGENT & '" /P')
;If @error Then
;    MsgBox(4096, "Run CMDAGENT", @error)
;EndIf

7.5 Generate an EICAR test file on Windows


A very simple example of creating an EICAR test file on a Windows system for test purposes.

It will drop an eicar.com in the %TEMP% folder, or create the EICAR test file at the path and filename
specified as command line parameter in the McAfee Agent Deployment Task.

@echo off
REM ####################################################################
REM Intel Security - Write eicar test file to specified location
REM Sets our environment to the current product folder
REM Information about EICAR http://www.eicar.org/86-0-Intended-use.html
REM ####################################################################
pushd "%~dp0"
SET SRCDIR=
for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a

REM No parameter given: use the default location
if "%~1"=="" GOTO RUN_DEFAULT
GOTO RUN_WITH_PARAM

:RUN_DEFAULT
REM Under the SYSTEM account %TEMP% is normally C:\Windows\Temp
SET "Target_file=%TEMP%\eicar.com"
GOTO WRITE_TARGET_FILE

:RUN_WITH_PARAM
REM Quote the path in the deployment task if it contains spaces
SET "Target_file=%~1"
GOTO WRITE_TARGET_FILE

:WRITE_TARGET_FILE
REM Write the EICAR test file to the specified location (%% and ^^ are the batch escapes for % and ^)
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>"%Target_file%"

REM Exit with proper exit code for McAfee Agent
REM ####################################################################
:END
popd
Exit /B 0

7.6 Access Protection rule test


The script will attempt to write %ProgramFiles(x86)%\McAfee\VirusScan Enterprise\testfile.txt, which will
create an Access Protection event. If a path and filename is added as parameter in the McAfee
Deployment Task, it will drop a file at the path and filename specified. This can be used for other tests.

@echo off
REM ####################################################################
REM Intel Security - Write test file to VSE file location
REM Sets our environment to the current product folder
REM ####################################################################
pushd "%~dp0"
SET SRCDIR=
for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a

REM No parameter given: use the default (Access Protection guarded) VSE location
if "%~1"=="" GOTO RUN_DEFAULT
GOTO RUN_WITH_PARAM

:RUN_DEFAULT
SET "Target_file=%ProgramFiles(x86)%\McAfee\VirusScan Enterprise\testfile.txt"
GOTO WRITE_TARGET_FILE

:RUN_WITH_PARAM
REM Quote the path in the deployment task if it contains spaces
SET "Target_file=%~1"
GOTO WRITE_TARGET_FILE

:WRITE_TARGET_FILE
REM Write the test file; Access Protection is expected to block this and log an event
echo Just some text >"%Target_file%"

REM Exit with proper exit code for McAfee Agent
REM ####################################################################
:END
popd
Exit /B 0

7.7 Copy VSE log files to collection point


Simple script which collects the VSE log files to a central collection point, in this example a UNC share.
Later there are examples with FTPS collection points.

@echo off
:: Get number of input parameters
set argC=0
for %%x in (%*) do Set /A argC+=1
:: Set environment to current product folder
pushd "%~dp0"
:: Get software package source directory and set as variable SRCDIR
::SET SRCDIR=
::for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a
:: The parameter from the deployment task is the collection share, e.g. \\server\report$
:: (quote it in the task if it contains spaces)
set "cmdstr=%~1"
:: One sub-folder per endpoint so files from different systems do not overwrite each other
MD "%cmdstr%\%COMPUTERNAME%"
%comspec% /c COPY "%PROGRAMDATA%\McAfee\DesktopProtection\*.*" "%cmdstr%\%COMPUTERNAME%"
:END
:: Restore the previous directory, then exit and pass proper exit code to agent
popd
Exit /B 0

7.8 GetSusp with encrypted upload to FTPS server


Script which collects the GetSusp results (the same approach works for VSE log files) and uploads
these over FTPS to a central collection point, an FTPS server. This way the script can cover multiple domains
and external systems, if these communicate with an Internet-facing Agent Handler and the FTPS server is
available on the Internet. McAfee Tool Exchange
will contain a ZIP package with the ePO package FTPS_GET100x.zip and information about how to set up an
FTPS server using FileZilla.

@echo off
REM Intel Security 2016 - Steen Pedersen
REM Sets our environment to the current product folder
REM ################################################
REM 1. Parameter = local dir
REM 2. Parameter = IP and port for FTPS server
REM 3. Parameter = FTPS username
REM 4. Parameter = FTPS password
REM 5. Parameter = Folder name for the Files on the FTPS Server
REM
REM Example FTPS_GETSUSP %TEMP% 172.16.214.212:990 ftp_username ftp_password GetSusp_Collector
REM
REM Note: the password travels on the command line, so it is visible in the deployment
REM task and in the process list on the endpoint. Use a dedicated upload-only FTPS
REM account that cannot read or delete what other endpoints have uploaded.
REM curl.exe must be packed in the ePO package (it is found via the current directory
REM after pushd) or be available on the PATH of the endpoint.
pushd "%~dp0"
SET SRCDIR=
for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a

REM Work goes here
REM ################################################
REM Require at least the first four parameters
if "%~4"=="" (EXIT /B 0)
if "%~5"=="" (set dir_group=GetSusp) Else (set dir_group=%~5)
set ftppass=%~4
set ftpuser=%~3
set ftphost=%~2
set localdir=%~1

set ZIPPATH=%localdir%\%COMPUTERNAME%

echo ------------------

REM Finalize target FTPS dir (this is a URL path, so forward slashes)
REM set ftpdir=%COMPUTERNAME%/%dir_group%/%current_date_time%
set ftpdir=%COMPUTERNAME%/%dir_group%

REM Delayed expansion is needed for !FILENAME! inside the for loops below
setlocal enableDelayedExpansion

REM Run GetSusp first
ECHO Run GetSusp and save result in %ZIPPATH%
%COMSPEC% /C ""%SRCDIR%\getsusp.exe" --SILENT --EPO --ZIPPATH="%ZIPPATH%""
ECHO Result = %ERRORLEVEL%
REM Upload whatever GetSusp produced; the return code is only logged

:upload_result
REM *************COPY Results********************
REM Create Directory on FTPS server
REM --insecure disables certificate verification (needed for a self-signed FileZilla
REM certificate). Prefer exporting the server certificate and using --cacert <file>
REM instead, so uploads cannot be redirected to an impostor server.
ECHO Create Directory on FTPS server
curl --ftp-ssl --insecure ftps://%ftphost%/%ftpdir%/ --user %ftpuser%:%ftppass% --ftp-create-dirs

echo Localdir = %ZIPPATH%

Echo Copy files
REM "delims=" keeps file names containing spaces in one token; /A-D skips directories
for /F "delims=" %%x in ('dir /B /A-D "%ZIPPATH%"') do (
    set FILENAME="%ZIPPATH%\%%x"
    echo !FILENAME!
    curl -T !FILENAME! --ftp-ssl --insecure ftps://%ftphost%/%ftpdir%/ --user %ftpuser%:%ftppass%
)

REM ****** COPY Logs directory *********
Set ZIPPATH=%ZIPPATH%\Logs
REM The remote path is part of the URL: forward slash, not backslash
set ftpdir=%ftpdir%/Logs
curl --ftp-ssl --insecure ftps://%ftphost%/%ftpdir%/ --user %ftpuser%:%ftppass% --ftp-create-dirs

for /F "delims=" %%x in ('dir /B /A-D "%ZIPPATH%"') do (
    set FILENAME="%ZIPPATH%\%%x"
    echo !FILENAME!
    curl -T !FILENAME! --ftp-ssl --insecure ftps://%ftphost%/%ftpdir%/ --user %ftpuser%:%ftppass%
)

:EOF
REM Exit with proper exit code for McAfee Agent
REM ################################################
popd
Exit /B 0

8 Examples for Linux
A few simple examples for Linux

8.1 Generate an EICAR test file on Linux


A very simple example of creating an EICAR test file on a Linux system, which can generate a virus alert for
test purposes. The test file will be dropped in /tmp/eicar.com.

#!/bin/sh
# Intel Security - Steen Pedersen - Write test eicar to /tmp/eicar.com
# Information about eicar: go to www.eicar.org
# The string is stored ROT13-encoded so the script itself does not trigger detection; tr decodes it
echo 'K5B!C%@NC[4\CMK54(C^)7PP)7}$RVPNE-FGNAQNEQ-NAGVIVEHF-GRFG-SVYR!$U+U*' | tr '[A-Za-z]' '[N-ZA-Mn-za-m]' > /tmp/eicar.com
# Marker file showing that the script ran
echo test2 > /tmp/test2.txt
exit 0

9 Share for central collection point
A share must be available to collect the reports centrally. The security permissions on this share
must be set so that the SYSTEM account can create, write and modify files in the share. The scripts
are launched as the SYSTEM account, as this is the account the McAfee Agent uses when executing
ePO Client Tasks on the endpoint.

The following steps provide information about how to configure a shared folder with the
permissions needed for this to work (Windows 2008 R2).

1. Create a Report folder for the share on the file server

2. Right-click the Report folder and select Properties.

3. Select the Sharing tab and then click Advanced sharing. Select the Sharing this folder option.

4. Add the share name report$ and click Apply. The $ ensures that the share is hidden.

5. Click Permissions and allow Full Control to Everyone. Click OK twice.

6. Click the Security tab and then click Advanced.

7. On the Permissions tab, click Change Permissions and deselect the Include inheritable
permissions from the object's parent option.

• A confirmation message explains the effect this change will have on the folder.

8. Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all
permissions eliminated.

9. Click Add to select an object type.

10. In the Enter the object name to select text box, type Domain Computers
(click Check Names to verify the name of the object),
then click OK to display the Permission Entry dialog box.

• In the Allow column, select List folder/Read data, Read attributes, Read extended
attributes, Create files/Write data, Write attributes, Write extended attributes,
Create folders/Append data, Delete subfolders and files and Delete.

Verify that the Apply to option says This folder, subfolders and files, then click OK.

The Advanced Security Settings dialog box now includes Domain Computers.

11. Click Add to select an object type.

12. In the Enter the object name to select text box, type Administrators, then click OK to display
the Permission Entry dialog box. Set the Full control permissions.

13. Click OK twice to close the dialog box and then Close to close the File/Folder Properties.

Another option is creating a Null Session Share. For information read:
http://support.microsoft.com/kb/124184

https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Creating%20a%20Null%20Session%20Share

9.1 Test share with System Account


The ability of the SYSTEM account to write to the share can be tested using PSEXEC.
PSEXEC can be downloaded from this site: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Run this command line: psexec.exe /s /i cmd.exe

From this new command line running as SYSTEM it is possible to verify the write permission to the
network share. Use the command line: echo test >\\win-srv001\report$\t0.txt and then verify that the t0.txt file
is created on the share.

10 Tools
Important tools with notes and links

10.1 Tools for Hash MD5, SHA1, SHA256

Download GetSusp: http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx

FAQs for GetSusp: https://kc.mcafee.com/corporate/index?page=content&id=KB69385

Introduction to GetClean 1.0: https://kc.mcafee.com/corporate/index?page=content&id=KB73044

GetClean Product Guide: https://kc.mcafee.com/corporate/index?page=content&id=PD23191

Sysinternals Sigcheck (use -h to show file hashes): https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

Microsoft File Checksum Integrity Verifier (FCIV), a tool to collect MD5 and SHA1 hashes: https://support.microsoft.com/en-us/kb/841290

10.2 GetSusp
GetSusp is a free tool that helps you find and log undetected malware, and allows you to automatically
submit samples to McAfee Labs. To find suspicious files, GetSusp uses heuristics and compares samples
against the Global Threat Intelligence (GTI) database of known clean files. When you analyze a suspect
computer, use GetSusp first.

Download GetSusp

The build below is for McAfee ePO administrators.

Download GetSusp-ePO

10.2.1 How to use GetSusp

http://www.mcafee.com/us/downloads/free-tools/how-to-use-getsusp.aspx

For a list of Frequently Asked Questions on GetSusp, see article KB69385.

Features

- Delivered as a single executable file with no installation required.

- Option to run in different modes: GUI and command line.

- Can submit samples, or only an MD5 list of the files, to McAfee Labs for analysis.

- Leverages GTI File Reputation to determine if the sample is suspicious.

- Records system and installed McAfee product information, date of execution and details of suspected
files.

- GetSusp supports Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8.

How to use McAfee GetSusp

1. Download the latest version of GetSusp. When prompted, choose to save the executable file to a
convenient location on your hard disk. We recommend creating a folder specifically for GetSusp.

2. Once downloaded, launch the GetSusp.exe file.

3. The McAfee GetSusp Interface will be displayed.

4. If necessary, click the preferences to specify your email address to receive an acknowledgement from
McAfee Labs for sample submissions. By default, suspicious files are submitted to McAfee Labs in online
mode.

5. Click the Scan Now button to begin scanning the system. A EULA prompt appears every time a scan is
initiated; the license agreement must be accepted in order to proceed.

6. A typical GetSusp system scan takes around three to five minutes. A summary is provided at the end of
the scan, and the scan report is launched.

7. Visit the McAfee malware community site or contact McAfee technical support for help in
troubleshooting your machine or removing malware.

10.3 GetClean
GetClean is a McAfee Labs initiative to minimize false-positive detections in the field. The GetClean
program aims to prevent false positives on your COE (Common Operating Environment) image files. To
achieve this, a tool with the same name is executed on COE computers or known clean software
repositories to harvest clean files.

GetClean uses Global Threat Intelligence (GTI) for file reputation lookup and reports only files that are
unknown to McAfee Labs, or falsely classified. You can also submit metadata, or samples and metadata,
to McAfee Labs. This greatly reduces the number of files you need to submit and eliminates duplicate
submissions. The average GetClean scan time on a computer is 60-90 minutes, and the average .zip file
size of samples collected is 200-350 MB. The McAfee Labs dedicated Whitelisting team analyzes,
validates, and processes the files you submit before adding them to the GTI whitelist and to the McAfee
Labs test systems, where they are scanned before each new DAT release.

Introduction to GetClean 1.0: https://kc.mcafee.com/corporate/index?page=content&id=KB73044

GetClean Product Guide: https://kc.mcafee.com/corporate/index?page=content&id=PD23191

10.4 Sigcheck – Sysinternals/Microsoft

Download SigCheck 2.x: http://technet.microsoft.com/en-gb/sysinternals/bb897441.aspx

http://www.ghacks.net/2013/10/28/use-microsofts-sigcheck-2-0-check-files-folder-virustotal/

Introduction
Sigcheck is a command-line utility that shows file version number, timestamp information, and
digital signature details, including certificate chains. It also includes an option to check a file’s
status on VirusTotal, a site that performs automated file scanning against over 40 antivirus
engines, and an option to upload a file for scanning.
usage: sigcheck [-a][-h][-i][-e][-n][[-s]|[-c|-ct]|[-m]][-q][-r][-u][-vt][-v[r][n]][-f catalog file]
<file or directory>
-a Show extended version information

-c CSV output with comma delimiter

-ct CSV output with tab delimiter

-e Scan executable images only (regardless of their extension)

-f Look for signature in the specified catalog file

-h Show file hashes

-i Show catalog name and image signers

-m Dump manifest

-n Only show file version number

-q Quiet (no banner)

-r Disable check for certificate revocation

-s Recurse subdirectories

-u If VirusTotal check is enabled, show files that are unknown by VirusTotal or have
non-zero detection, otherwise show only unsigned files.

-v[rn] Query VirusTotal (www.virustotal.com) for malware based on file hash. Add 'r'
to open reports for files with non-zero detection. Files reported as not previously
scanned will be uploaded to VirusTotal unless the 'n' option is specified. Note
scan results may not be available for five or more minutes.

-vt Before using VirusTotal features, you must accept VirusTotal terms of service.
See: https://www.virustotal.com/en/about/terms-of-service/. If you haven't
accepted the terms and you omit this option, you will be interactively prompted.
One way to use the tool is to check for unsigned files in your \Windows\System32 directories
with this command:
sigcheck -u -e c:\windows\system32
You should investigate the purpose of any files that are not signed.

Pasted from <http://technet.microsoft.com/en-gb/sysinternals/bb897441.aspx>

Skip the EULA license prompt when running Sysinternals tools by adding this switch:

-accepteula

Pasted from <http://forum.sysinternals.com/eula-prompt-when-running-pstools_topic8783_page7.html>

Example for checking the Windows System32 folder, listing file hashes and VirusTotal results in a
tab-delimited file:

sigcheck -accepteula -h -u -s -e -vt -ct c:\windows\system32 >sig1.csv
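Once sig1.csv exists, the next task is working through it. The PowerShell below is an added example and is not from the guide or from Sysinternals; it serves both section 10.1 (hashing with MD5, SHA1 and SHA256, here via the built-in Get-FileHash cmdlet rather than FCIV) and the sigcheck command above. It assumes the tab-delimited column layout of sigcheck 2.x as listed in $Columns (check those names against the first line of your own sig1.csv), and the report rows it parses are constructed sample data with placeholder digests, not output from a real scan.

```powershell
# Added example, not from the guide: triage a report produced by the sigcheck command above
# and compute the section 10.1 hashes with PowerShell's built-in Get-FileHash.
# Assumptions: sigcheck 2.x tab-delimited layout with the column names in $Columns
# (check them against the first line of your own sig1.csv); the sample rows are constructed.

$Columns = 'Path','Verified','Date','Publisher','Company','Description','Product',
           'Product Version','File Version','Machine Type','MD5','SHA1','PESHA1',
           'PESHA256','SHA256','IMP','VT detection','VT link'

# Constructed rows: a signed clean file, an unsigned file VirusTotal has never seen,
# and a signed file with detections. Hash columns hold placeholders, not real digests.
$Rows = @(
    @('c:\windows\system32\sample-a.dll','Signed','1:00 PM 1/1/2016','Microsoft Windows','Microsoft Corporation','Sample A','Sample','1.0','1.0','64-bit','MD5-A','SHA1-A','','','SHA256-A','','0/57','https://www.virustotal.com/'),
    @('c:\windows\system32\sample-b.exe','Unsigned','2:00 PM 1/1/2016','n/a','Unknown Vendor','Sample B','Sample','1.0','1.0','32-bit','MD5-B','SHA1-B','','','SHA256-B','','Unknown',''),
    @('c:\windows\system32\sample-c.sys','Signed','3:00 PM 1/1/2016','Some Publisher','Some Vendor','Sample C','Sample','1.0','1.0','64-bit','MD5-C','SHA1-C','','','SHA256-C','','4/57','https://www.virustotal.com/')
)
$SampleReport = (@($Columns -join "`t") + ($Rows | ForEach-Object { $_ -join "`t" })) -join "`r`n"

function Import-SigcheckReport {
    # Parse the tab-delimited text of a sigcheck -ct run into one object per file.
    param([string]$Text)
    $Text -split "`r?`n" | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv -Delimiter "`t"
}

function Get-SigcheckFindings {
    # Rank the rows an analyst should look at first: unsigned files, files VirusTotal
    # has no verdict for, and files with a non-zero detection count. With -u the report
    # already contains only such files; this puts the reason next to each path.
    param([object[]]$Report)
    foreach ($row in $Report) {
        $reasons = @()
        if ($row.Verified -ne 'Signed') { $reasons += "not signed ($($row.Verified))" }
        if ($row.'VT detection' -match '^(\d+)/(\d+)$') {
            if ([int]$Matches[1] -gt 0) { $reasons += "VirusTotal detections $($row.'VT detection')" }
        } else {
            $reasons += "no VirusTotal verdict ($($row.'VT detection'))"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path      = $row.Path
                Publisher = $row.Publisher
                SHA256    = $row.SHA256
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

function Get-FileHashes {
    # Section 10.1 without a third-party tool: MD5, SHA1 and SHA256 for each file.
    param([string[]]$Path)
    foreach ($p in $Path) {
        [pscustomobject]@{
            Path   = $p
            MD5    = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
            SHA1   = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
            SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

# Run against the constructed sample. For a real report use:
#   Get-SigcheckFindings -Report (Import-SigcheckReport -Text (Get-Content .\sig1.csv -Raw))
Get-SigcheckFindings -Report (Import-SigcheckReport -Text $SampleReport) | Format-Table -AutoSize
Get-FileHashes -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

On the constructed sample the findings table lists sample-b.exe (not signed, no VirusTotal verdict) and sample-c.sys (VirusTotal detections 4/57) and omits sample-a.dll. The SHA256 column is carried through so a finding can be matched against the hashes that GetSusp or GetClean submit to McAfee Labs.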

11 Acronyms and Terms
ePO ePolicy Orchestrator

AH Agent Handler: Component of ePO used to communicate with agents installed on endpoints

MA McAfee Agent

SA McAfee SuperAgent

VSE McAfee VirusScan Enterprise

HIPS Host Intrusion Prevention

EEDK ePO Endpoint Deployment Kit

FIM File Integrity Monitor

MAC McAfee Application Control

MCC McAfee Change Control

MDE McAfee Device Encryption (previously known as EEPC)

EEPC Endpoint Encryption for PC (now named MDE)

MOVE Management for Optimized Virtual Environments

MVM McAfee Vulnerability Manager

DLPE Data Loss Prevention for Endpoints (previously known as HDLP)

HDLP Host Data Loss Prevention (now named DLPE)

NDLP Network Data Loss Prevention

FRP McAfee File and Removable Media Protection (previously known as EEFF)

EEFF McAfee Endpoint Encryption for Files and Folders (now named FRP)

EERM Endpoint Encryption for Removable Media (now named FRP)

NSP Network Security Platform

PA Policy Auditor

RA Risk Advisor

SIEM Security Information and Event Management (Nitro)

Admin: ePO administrator or network administrator (previously Global Admin)

ASCI: Agent-server communication interval

ASSC: Agent-to-server secure communication

Agent: McAfee software used to manage point products on endpoint machines

GUID: Globally Unique Identifier; random 64-bit value used specifically by ePO

Policy: Settings and configurations applied to point-products on endpoint machines

Repository: Collection of the software used to deploy and update point-products on endpoint machines

RSD Rogue System Detection Sensor

CEE Complete Protection Enterprise Suite

PBA Pre-Boot Authentication – Small OS loaded before the Windows OS

AD Active Directory

ALDU Add Local Domain User

BIOS Basic Input/Output System

DN Domain Name

DE Drive Encryption

DEAgent Drive Encryption Agent

EFI Extensible Firmware Interface

GPT GUID Partition Table

LDAP Lightweight Directory Access Protocol

MBR Master Boot Record

NIST National Institute of Standards and Technology

OS Operating System

OU Organizational Unit

SSO Single Sign On

UBP User-Based Policy

UEFI Unified Extensible Firmware Interface
