Latest Threats

Internet, Networks and telecoms Security Blog
Feb 18
2010

Deep Dive into McAfee ePolicy Orchestrator 4.5

Posted by Michael Dyer in McAfee, IT infrastructure, ePolicy Orchestrator, ePO, DigitalEra

Using a security management platform to lower costs and strengthen security across the IT infrastructure

 

Watch a series of short videos for an in-depth overview on how you can fully leverage the power of ePO.      

 

Key topics you will learn include:

- Produce a “cup of coffee” dashboard to know your security posture in minutes
- Gain an understanding of the advanced ePO features that will save you time
- Automate common management tasks to optimize your work week
- Prepare interactive charts and graphs to help you manage your security more easily


In addition to the video series, you can find other key materials on McAfee ePO that other customers have found to be useful.

Jan 25
2010

SQL permissions required to install and use ePolicy Orchestrator 3.6.1, 4.0 and 4.5

Posted by Michael Dyer in SQL, McAfee, KnowledgeBase, ePolicy Orchestrator

Corporate KnowledgeBase

Corporate KnowledgeBase ID:    KB59903
Published:    December 01, 2009

https://kc.mcafee.com/corporate/index?page=content&id=KB59903

Jan 18
2010

Project Aurora: "the largest and most sophisticated cyberattack we have seen in years"

Posted by Michael Dyer in Threat, Operation Aurora, Microsoft, McAfee, malware, malicious domains, Internet Explorer, infected, Google, George Kurtz, Exploit, DNS, DAT, cybersecurity, cyberattack, Aurora host

“This is the largest and most sophisticated cyberattack we have seen in years targeted at specific corporations,” said McAfee Worldwide Chief Technology Officer George Kurtz. “It is a watershed moment in cybersecurity because of the targeted and coordinated nature of the attack. As a result, the world has changed; organizations globally will have to change their threat models to account for this new class of highly sophisticated attack that goes after high value intellectual property.”

 “Operation Aurora” was a coordinated attack which included a piece of computer code that exploits a vulnerability in Internet Explorer to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious Web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.

Here's the Microsoft Security Advisory:
http://www.microsoft.com/technet/security/advisory/979352.mspx

Detailed guidance from McAfee is available at:
http://www.mcafee.com/us/threat_center/operation_aurora.html

How can I tell if my systems were infected?

If you are a McAfee VirusScan Engine customer, verify that you are using .DAT 5862, released on January 15, 2010, and perform a full scan on all machines within your enterprise, starting with the most sensitive servers. If any of the following signatures are triggered (Exploit-Cornele, Roarur.dr or Roarur.dll), you very likely have an infected Aurora host.

You can also check for past or present outbound Web communication with, or DNS resolutions of, the following domains known to be associated with the malware activity:

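The DNS check described above, as an added example (not from the original post or from McAfee): it converts indicators written in the "[dot]" notation back into hostnames and matches them against resolver log lines on label boundaries, so subdomains of an indicator hit and look-alike names do not. The indicator values, the log lines and the log layout (timestamp, client IP, query type, query name) are constructed placeholders.

```python
import re

# Constructed placeholder indicators in "[dot]" notation (not the post's list).
DEFANGED_IOCS = ["bad[dot]example[dot]test", "c2[dot]dyn[dot]example[dot]invalid"]

# Constructed resolver log lines; the four-field layout is an assumption.
SAMPLE_LOG = [
    "2010-01-14T09:12:03Z 10.0.4.17 A www.bad.example.test.",
    "2010-01-14T09:12:09Z 10.0.4.22 A notbad.example.test",
    "2010-01-14T09:13:40Z 10.0.7.5 A C2.Dyn.Example.Invalid",
    "2010-01-14T09:14:02Z 10.0.7.5 AAAA bad.example.test.cdn.example.org",
    "malformed line",
]


def refang(indicator):
    """Turn 'a[dot]b[dot]c' into the normalized hostname 'a.b.c'."""
    host = re.sub(r"\s*\[(?:dot|\.)\]\s*", ".", indicator.strip(), flags=re.I)
    return host.lower().rstrip(".")


def match_indicator(qname, iocs):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Compare every label-aligned suffix, so 'notbad.example.test' cannot
    # match 'bad.example.test' the way a plain substring test would.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_dns_log(lines, defanged):
    """Return (timestamp, client, query name, indicator) for each hit."""
    iocs = {refang(d) for d in defanged}
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:  # skip lines that do not fit the assumed layout
            continue
        ts, client, _qtype, qname = fields[:4]
        ioc = match_indicator(qname, iocs)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(*hit)
```

Clients that appear in the hits are the machines to prioritize for the full scan.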


Jan 13
2010

How to manually remove McAfee Endpoint products

Posted by Michael Dyer in VirusScan Enterprise, McAfee Agent, Endpoint

Yesterday I had a machine that was giving communication problems, and I needed to manually remove the agent. I found these little gems while searching the KB for a solution (search terms: manual removal agent):

How to manually remove McAfee Agent 3.5.x (CMA) (KB66055)
https://kc.mcafee.com/corporate/index?page=content&id=KB66055

How to manually remove McAfee Agent 3.6.0 (CMA) (KB65863)
https://kc.mcafee.com/corporate/index?page=content&id=KB65863

How to manually remove McAfee Agent 4.x (KB57061)
https://kc.mcafee.com/corporate/index?page=content&id=KB57061

How to manually remove VirusScan Enterprise 7.0 and 7.1 (KB66055)
https://kc.mcafee.com/corporate/index?page=content&id=KB66055

How to manually remove VirusScan Enterprise 8.0i (KB58597)
https://kc.mcafee.com/corporate/index?page=content&id=KB58597

How to manually remove VirusScan Enterprise 8.5i (KB50602)
https://kc.mcafee.com/corporate/index?page=content&id=KB50602

How to manually remove VirusScan Enterprise 8.7i (KB59996)
https://kc.mcafee.com/corporate/index?page=content&id=KB59996

Jan 13
2010

McAfee Secure Alerting Service (MSAS) End-Of-Life

Posted by Michael Dyer in Threat, Support Notification Service, Subscription, SNS, patch, McAfee, DAT, alerts

McAfee Secure Alerting Service (MSAS) is being replaced by McAfee Support Notification Service (SNS). 

McAfee SNS is a FREE opt-in email service that will alert you regarding:

- Patch, upgrade and DAT notifications
- End-of-support notices
- Threat reports
- Critical alerts

Those of you using MSAS will need to set up a new subscription to SNS, as existing MSAS subscriptions will not be migrated over. Here's the link:

http://my.mcafee.com/content/SNS_Subscription_Center/


There's also a FAQ for SNS:

https://kc.mcafee.com/corporate/index?page=content&id=KB6782



Dec 30
2009

VirusTotal Uploader

Posted by Michael Dyer in worms, window, VirusTotal, viruses, Uploader tool, trojans, hash

I've been a user of VirusTotal (http://www.virustotal.com) for quite some time and recommend the service to my customers.

VirusTotal is an online service that allows you to analyze suspicious files against multiple AV engines (I last counted 39) for viruses, trojans, worms, etc.

VirusTotal now has an Uploader tool for Windows that adds an item to your right-click 'Send To' menu. This allows you to send the hash of the file to VirusTotal instead of having to upload the whole file. Nice!

Get the VirusTotal uploader at http://www.virustotal.com/metodos.html.

 

 

Dec 30
2009

ePolicy Orchestrator 4.5 Patch 1 released

Posted by Michael Dyer in Windows Server, upgrade, SQL, patch, McAfee, ePolicy Orchestrator, ePO

You can download the patch at http://www.mcafee.com/us/downloads.

Details about the patch and release notes are at https://kc.mcafee.com/corporate/index?page=content&id=KB67611.

There's some good info in the release notes about which characters are not allowed to be used within the ePO and SQL username / passwords.  Specifically, if you use certain characters, the installer will run but then fail and roll back the install / upgrade.  

There are nearly 100 fixes and enhancements, including expanded support for Windows Server 2008 R2.

After installation, your build number should show as 851.