Intel/Migration Mcafee EPO VSE 8.8 auf Endpoint 10.X First Look and Tips

Migration Mcafee VSE 8.8 auf Endpoint 10.X Migration First Look

Put together by Butsch from all the presentation online, Channel presentations and first lab dives with 10.X

 

Current Release is Mcafee Endpoint Security 10.2

Most of the things we be cleaner (Some things will be merged)

HIPS

 

As example 4 OLD VSE 8.8 POLICY Merged in 1 "ON ACCESS SCAN Policy"

New here:

 

NEU: Workstation und Server NICHT mehr möglich in gleicher Policy (Dropdown)

 

  1. Migration Workstation Automatic
  2. After that, the Servers MANUALLY )OR both manually)
  3. You will have to separate "Workstation" and "Server" in the GUI under an OU (I hope you anyway doo above 100+ endpoints!) (Or use TAG for Policies)

NEW: You will have do a separate POLICY for "Workstation" and "Servers"

Some does not work anymore: Exclusion alt **\WILDCARDS ohne DRIVE LETTER > GEHT nicht mehr in EPS 10.X

There is a Remark in Migration Wizard who will tell you again!

 

What you need before you think to start

 

  • Basis fuer Update für bestehende Umgebungen
  • Base your nee das existing customer running EPO

There is a special Migration Help tool which you can install

You can select which Policy's to migrate and change Policy's during Migration

 

 

Quiz Questions from Butsch

 

When can i do what?

Is there any risk for my environment?

Is the Migration safe?

Before the 10.1 PACKAGE is deployed NOTHING will happen to the CLIENTS. You can migrate POLICYS BEFORE and THAN at the end deploy the VSE 10.

As soon as YOU deploy the VSE 10.1 package the Migration CLIENT side begins. As with a regular PATCH 8 for VSE or 7.5 to 8 migrations you TEST DEPLOY

a few client s for a week or days and THEN you can deploy (Migrate) the other clients. All other clients will KEEEP pulling the VSE 8.x POLICYS.

$

 

Question: We just want Virus Protection; we don't want HIPS or Site Advisor because we have other clients like Fort client or Windows Firewall.

  • There are still 3 parts and modules
  • You can DEPLOY them with separate Deployment Jobs
  • Only what you deploy of that gets on the client and like with other endpoints you don't have 75% Parts of the clients which you don't use because integrated with other brands already

 

 

 

 

 

 

 

See more Infos:

https://www.youtube.com/watch?v=H4vUFnhaHro

https://community.mcafee.com/docs/DOC-8364

https://community.mcafee.com/docs/DOC-8364#jive_content_id_VIDEO__Migrating_from_McAfee_VirusScan_Enterprise_88_to_McAfee_Endpoint_Security

 

Ransomware: High rate dropbox attack Switzerland 24-25.08.2016 to Healthcare

MalwareFortiguard: JS/Nemucod.ARH!tr

We have seen a high rate of 50-100 Attachments per customer with correct E-Mail address with Ransomware sent out from:

no-reply@dropbox.com

Fortiguard and Mcafee did find it around 12:30 to clock 24.08.2016 BUT not before.

The URL's which were listed in the E-Mail content where listed at that time. The E-Mail contains a Link

From a Commerzbank hosted on a Dropbox account.

Second wave contains an attachment rechnung.zip

 

Raw Log from Fortimail

2850,"2016-08-24","12:38:53","Virus Signature","Reject",,"no-reply@dropbox.com","customer01@butsch.ch","Ihre Mahnung vom 23.08.2016","u7OAcqI9021476-u7OAcqIB021476","f3.81.b6.static.xlhost.com [207.182.129.243]","192.168.1.5",17405,"in","mta","0:3:3","butsch.ch","JS/Nemucod.ARH!tr","OK","0200021477",,"statistics"    

2855,"2016-08-24","12:35:31","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAZU4S021464-u7OAZU4U021464","133-53-143-63.static.reverse.lstn.net [63.143.53.133]","192.168.1.5",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021465",,"statistics"    

"2856,""2016-08-24"",""12:34:24"",""FortiGuard AntiSpam-IP"",""Reject"",,""no-reply@dropbox.com"",""customer01@butsch.ch"",""=?windows-1251?B?RGVubmlzIExlbmcgaGF0IGRpZSBTYW1tbHVu?=    =?windows-1251?B?ZyCEUmVjaG51bmcuemlwkyBmdXIgU2llIGZy?=    =?windows-1251?B?ZWlnZWdlYmVuLg==?="",""u7OAYNrr021457-u7OAYNrt021457"",""6-219-63-74.static.reverse.lstn.net [74.63.219.6]"",""192.168.1.5"",6997,""in"",""mta"",""0:3:3"",""butsch.ch"",,""FORGED"",""0200021458"",,""statistics"""    

2857,"2016-08-24","12:34:09","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAY8wv021455-u7OAY8wx021455","131-53-143-63.static.reverse.lstn.net [63.143.53.131]","192.168.1.5",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021456",,"statistics"    

"2859,""2016-08-24"",""12:33:14"",""Not Spam"",""Accept"",,""no-reply@dropbox.com"",""customer01@butsch.ch"",""=?windows-1251?B?V2lsbGlhbSBCZXJyeSBoYXQgZGllIFNhbW1s?=    =?windows-1251?B?dW5nIIRSZWNobnVuZy56aXCTIGZ1ciBTaWUg?=    =?windows-1251?B?ZnJlaWdlZ2ViZW4u?="",""u7OAXC7Y021443-u7OAXC7c021443"",""f5.81.b6.static.xlhost.com [207.182.129.245]"",""192.168.1.5"",7035,""in"",""mta"",""0:3:3"",""butsch.ch"",,""OK"",""0200021444"",,""statistics"""    

GPO: WSUS Patches June 2016 disabled security filtered GPO

Important change for all GPO-Admin | Change in way GPO's are applied and filtered.

 

The Windows Updates JUNE 2016 bring up a change in how POLICY GPO (Gruppenrichtlinien) should be filtered to Active Directory Security Groups. You can't anymore JUST remove "Authenticated users" and add a security group under Security Filtering. The Policy will not pull because Microsoft has changed the concept.

German:

GPO welche auf Usergruppen gefiltert sind gehen nach dem Update der Patche nicht mehr wenn Authenticatedusers oder Domaincomputers KEIN read unter Delegation hat.

June 2016 Patches:

KB 3163018

KB 314913

KB 3159398

 

https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP

http://www.gruppenrichtlinien.de/artikel/sicherheitsfilterung-neu-erfunden-ms16-072-patchday-14062016/

This is a normal policy which is not affected by the patches:

Please make a backup of your GPO before changing anything:

Here so see one where we removed the "Authenticated Users" or "Authentifizierte Benutzer" and this needs to get corrected. Leave it as IT IS under security filtering. The place to change it would be under Delegation.

First How NOT to do it (> This would make the POLICY PULL for all!)

Correct way to make it June 2016 Patchday compatible

Make a backup of the GPO before you even think about changing it!

 

Powershell from listed by Stepan Kokhanovskiy on Social MSDN

 

I changed this to a READ only and LIST only version so you can check first if you have SUCH GPO's

$DebugPreference = 'Continue'

 

Write-Debug "Get list of the all group policy objects in the domain."

 

$AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

 

Write-Debug "Select group policies for permissions changing."

 

$ProcessGpo = foreach ($Gpo in $AllGpo)

{

Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

 

Write-Debug "Get permission for the `"Authenticated Users`" group."

$AuthUsersPermission = $Gpo | Get-GPPermissions -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue

 

Write-Debug "Get permission for the `"Domain Computers`" group."

$DomainComputersPermission = $Gpo | Get-GPPermissions -TargetName 'Domain Computers' -TargetType Group -ErrorAction SilentlyContinue

 

if (-not ($AuthUsersPermission -or $DomainComputersPermission))

{

Write-Debug "No permissions found."

$Gpo

}

else

{

Write-Debug "Permissions found. Skip group policy."

}

}

 

if ($ProcessGpo)

{

Write-Debug "List of the selected group polices."

$ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

 

Write-Debug "Change permissions for the selected group polices."

 

foreach ($Gpo in $ProcessGpo)

{

try

{

Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

 

$Gpo

}

catch

{

$_ | Write-Error

}

}

}

else

{

Write-Debug "No group policy found."

}

 

Above Version which will only LIST / Report / Nur lesen

 

Below Version which will Change / Correct / Aenderung

Change version from Posting in Social adapted to German Active Directory with Domänencomputer

$DebugPreference = 'Continue'

 

Write-Debug "Get list of the all group policy objects in the domain."

 

$AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

 

Write-Debug "Select group policies for permissions changing."

 

$ProcessGpo = foreach ($Gpo in $AllGpo)

{

Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

 

Write-Debug "Get permission for the `"Authenticated Users`" group."

$AuthUsersPermission = $Gpo | Get-GPPermissions -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue

 

Write-Debug "Get permission for the `"Domain Computers`" group."

$DomainComputersPermission = $Gpo | Get-GPPermissions -TargetName 'Domain Computers' -TargetType Group -ErrorAction SilentlyContinue

 

if (-not ($AuthUsersPermission -or $DomainComputersPermission))

{

Write-Debug "No permissions found."

$Gpo

}

else

{

Write-Debug "Permissions found. Skip group policy."

}

}

 

if ($ProcessGpo)

{

Write-Debug "List of the selected group polices."

$ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

 

Write-Debug "Change permissions for the selected group polices."

 

foreach ($Gpo in $ProcessGpo)

{

try

{

Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

 

Write-Debug "Add the `"Read`" permission for the `"Domänencomputer`" group."

Set-GPPermissions -Guid $Gpo.Id -PermissionLevel GpoRead -TargetName 'Domänencomputer' -TargetType Group -ErrorAction Stop | Out-Null

Write-Debug "Permissions changed successful."

 

$Gpo

}

catch

{

$_ | Write-Error

}

}

}

else

{

Write-Debug "No group policy found."

}

 

Ransomware Schweiz: Mcafee TIE Threat Intelligence Exchange im Einsatz

Ransomware Schweiz, Switzerland, Suisse. Lösungen/Solutions.

Intelligente "Black/White-Listing" Technologie z.B. Mcafee TIE ist die derzeit einzige Lösung nebst ATD-Sandboxen um Ransomware/Epressungstrojaner in den Griff zu bekommen. (http://www.mcafee.com/de/products/threat-intelligence-exchange.aspx). Alles andere ist ein Gebastel und man rennt nur den Problemen nach statt diese zu lösen.

 

 

Proof of Concept soll zeigen wie Mcafee TIE unbekannte Dateien erkennt und soll zeigen, dass Directory welche wir im Virenschutz Modul VSE 8.X ausschliessen nicht vom TIE tangiert sind. Diese Ausnahmen gelten AUCH fuer TIE-Modul.

Proof of concept mit Test Datei welche wir anpassen

 

Wir nehmen ein EXEcutable z.B. Superscan.exe und Machen dies auf um es anzupassen.

 

Wir passen einige unrelevante Sachen mit eine HEX Editor im EXE an und speichern dies unter neuen Namen TIE_superscan.exe (HEX Editor z.B. http://hxd-hex-editor.soft32.com). Einfach die TEXT Partie "not be rund in DOS" anpassen.

 

Die Software superscan.exe ist im Mcafee TIE nicht vorhanden (Obwohl Foundstone von Mcafee/Intel gekauft wurde ;-). Ca. 75-80% Aller Binaries sind aber in der GTI/TIE Datenbank vorhanden. (Durchschnitt Windows 7 64BIT client mit ca. 80 Applikationen Schweiz).

 

Test client virtuel exclusions VSE (Normaler Virenschutz)

Der Folder c:\Geheim_geheim ist exlcuded da sonst z.B. Internet Explorer IEAK9/11 Setups aber auch andere Software beim Setup Probleme machen. Aber auch Driver fuer das Installieren des OS selber sind dort vorhanden. Dieser Folder wird nicht gescannt da man dort zu 100% Vertrauenswürdige Files hat. User hat dort keine Schreibrechte.

 

 

Im Mcafee TIE nicht sichtbar da in c:\geheim_geheim

Update Mcafee > Force senden Infos an EPO

 

Kopieren des Files in c:\temp und ausführen

Directory nicht Exlcuded und VSE > Daher TIE auch Scan

 

Alarm auf client und Block des Files beim Öffnen.

 

 

Umgehend auch OHNE Force Framework Agent sichtbar in Mcafee EPO TIE

 

Neue Datei unbekannt und Rating 50 > DAHER geblockt

 

Die anderen Werte welche zur Einstufung der Reputation heran gezogen werden sind noch nicht ermittelt worden. Da es sich um einen Installer handelt wird dies zudem anders gewichtet.

GTI (mcafee P2P/Cloud Datenbank) kennt das File noch nicht:

 

 

 

Anpassen der Reputation

 

Wir passen die Reputation des Files an da wir dieses File kennen und mit dem PLUGIN in TIE fuer VIRUSTOTAL.COM gescannt haben. Dies kann man durch einen Click auf einen Button automatisch machen lassen!

 

Nach dem Anpassen der Reputation von "Unknown" to "File Known Trusted" PLUS zusätzlich einem Rename des EXE (TIE_superscan.exe zu superscan.exe) wird das File ausgeführt. Damit TIE das Binary intelligent einstufen kann muss es längere Zeit und in mehreren Versionen in der Firma sein ODER die TIE/GTI cloud kennt es.

 

 

Anzeige in MCAFEE EPO Konsole (Enforcement Events)

 

Mcafee EPO Konsole, DASHBOARD

 

Weitere Links von uns:

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx

http://www.butsch.ch/post/Ransomware-Versions-who-spread-in-network-and-attack-locked-files-from-SQL-Servers-coming-up.aspx

 

Microsoft February 2016 Patchday, Upgrade to Windows 10 Patches

Microsoft February 2016 Patchday, Upgrade to Windows 10 Patches

 

  • Ein RDP Patch wird zwei Reboots machen (Dies ist normal)
  • DENY KB3114717 Office 2013 macht WinWord 2013 langsam (Problem patch)
  • Die Windows 10 Updates Packages sind jetzt im WSUS erschienen (W7 product)

     

     

These updates have come to WSUS-customer even when to W10 product was chosen. They appear under W7 Product category.