ServerView Resource Orchestrator Cloud Edition V3.3.0 Automatic Quarantining Function User's Guide
FUJITSU Software

2.1 Preparations for Using the Automatic Quarantining Function

This section explains the preparations for using the automatic quarantining function.

In order to use the automatic quarantining function, it is necessary to perform the following configurations.

Antivirus Software

[Trend Micro OfficeScan]
OfficeScan 11.0 Server or OfficeScan XG Server
  • In [Administrator Notification Settings], open the SNMP trap notification settings for the Virus/Malware section, check "Enable notification via SNMP trap", and set the message to be sent to the following:

    virus_name:%v,ip_address:%i,file:%p,datetime:%y,result:%a
  • If it is necessary for email notifications to be sent to the administrator, configure the email notification settings for the administrator so that an email is sent to the email address of the administrator when a virus or malware is detected.

  • Specify the IP address of the Resource Orchestrator manager in the SNMP trap notification settings of the General Notification Settings.

For details, refer to the manuals of OfficeScan 11.0 server or OfficeScan XG server.
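The following is an added example, not code from the OfficeScan or Resource Orchestrator products: it parses a trap message built from the template above into its fields, anchoring on the fixed key names rather than splitting on "," or ":" so that a file path containing those characters is still recovered, and it rejects a message whose fields are out of order. The function name and the sample messages are constructed for the example.

```powershell
# Added example (not part of the OfficeScan or Resource Orchestrator product code):
# parse a trap message built from the template
#   virus_name:%v,ip_address:%i,file:%p,datetime:%y,result:%a
# The keys are used as anchors, so a file path containing ',' or ':' still parses.

function ConvertFrom-OfficeScanTrapMessage {
    param([Parameter(Mandatory)][string]$Message)

    # Anchor on the fixed key sequence rather than splitting on ',' or ':'.
    # 'file' is matched greedily so commas inside the path are kept.
    $pattern = '^virus_name:(?<virus>.*?),ip_address:(?<ip>[^,]*),file:(?<file>.*),datetime:(?<time>.*?),result:(?<result>.*)$'
    $m = [regex]::Match($Message, $pattern)
    if (-not $m.Success) {
        throw "Message does not match the expected OfficeScan template: $Message"
    }

    # The ip_address field is what identifies the machine to quarantine, so validate it.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($m.Groups['ip'].Value, [ref]$ip)) {
        throw "ip_address field is not a valid address: $($m.Groups['ip'].Value)"
    }

    [pscustomobject]@{
        VirusName = $m.Groups['virus'].Value
        IPAddress = $ip.IPAddressToString
        File      = $m.Groups['file'].Value
        DateTime  = $m.Groups['time'].Value
        Result    = $m.Groups['result'].Value
    }
}

# Constructed sample messages (not real detections).
$samples = @(
    'virus_name:Eicar_test_file,ip_address:192.168.10.51,file:C:\Users\alice\Downloads\eicar.com,datetime:2019/04/01 10:15:30,result:Quarantined',
    # file path containing a comma and extra colons: still parsed correctly
    'virus_name:TROJ_GEN.R002C0,ip_address:192.168.10.52,file:D:\share\report,final:v2.exe,datetime:2019/04/01 10:16:02,result:Delete failed',
    # malformed: field order changed, so it is rejected
    'ip_address:192.168.10.53,virus_name:X,file:C:\x.exe,datetime:now,result:Cleaned'
)

foreach ($s in $samples) {
    try {
        $evt = ConvertFrom-OfficeScanTrapMessage -Message $s
        "{0} on {1}: {2} ({3})" -f $evt.VirusName, $evt.IPAddress, $evt.File, $evt.Result
    } catch {
        "Rejected: $($_.Exception.Message)"
    }
}
```

The point of the regex is that the template fixes both the key names and their order; a consumer that keys on those names keeps working when the file path contains delimiters, while a message defined with a different field order is rejected rather than silently misparsed.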

[McAfee]
  • Register the SNMP server of Resource Orchestrator in the McAfee ePolicy Orchestrator server

    Open "Registered Servers" in the McAfee ePolicy Orchestrator Web console, then click "New Server", and register the SNMP server of Resource Orchestrator.
    Ensure the following items are entered as follows:

    Address

    Select "IPv4" for the type of the server address, and configure the IP address of the Resource Orchestrator manager.

    SNMP server version

    For the SNMP server version, select "SNMPv1", and specify the community string under "Security". SNMPv1 sends the community string in clear text with every trap, so restrict trap traffic between the ePolicy Orchestrator server and the Resource Orchestrator manager to the management network.

    For details on this operation, refer to "Register SNMP servers" in the product guide of McAfee ePolicy Orchestrator.

    The above guide contains the procedure for sending test traps, but as Resource Orchestrator does not support test traps it is not necessary to perform this procedure.

  • Configure notification settings by adding an automatic response rule for the McAfee ePolicy Orchestrator server

    On the McAfee ePolicy Orchestrator server Web console, select "Automatic Responses" > "New Response" and add automatic response rules to enable notification of security risks to the Resource Orchestrator manager using SNMP traps and notification of the administrator using e-mail.
    Ensure the following items are entered as follows:

    Description

    Select "Enable" for "Status".

    Filters

    Select "Threat Category", and configure "Malware" for the "Belongs to" setting.

    Actions
    • Notification of security risks using SNMP traps

      Select "Send SNMP Trap".
      Specify the SNMP server registered in "Registered Servers".
      Define the values to be sent in SNMP traps by selecting "Value" for "Available Types" and then adding all values using the [>>] button.

    • Notification of security risks using email

      Select "Send Email".
      Click "..." next to "Recipients" and select the recipients for messages.
      Specify the subject and the body of the email.

    For details, refer to "Setting up automatic responses" in the product guide of McAfee ePolicy Orchestrator.

  • Install McAfee Agent and deploy McAfee Endpoint Security on virtual PCs and physical servers

    Refer to the following in the product guide of McAfee ePolicy Orchestrator:

    • "Installing the McAfee Agent and licensed software" in "Setting up your McAfee ePO server"

    • "Deploying products" in "Advanced configuration"

[Symantec]
  1. Place the Symantec coordination batch file and script files

    The compressed file (SEPMfile.zip) containing the Symantec coordination batch file and script files is stored in the following folder on the Resource Orchestrator manager.

    [Windows Manager]
    Installation_folder\SVROR\Manager\opt\FJSVrcxmr\sys\SEPM

    Store SEPMfile.zip in the following folder on the Symantec Endpoint Protection Manager server, and extract its content there.

    drive\Symantec\Symantec Endpoint Protection Manager\bin

    The descriptions, file names, and storage locations of the Symantec coordination batch file and each script file that are extracted are given below. Confirm that all of the files were successfully extracted.
    If extraction was successful, delete SEPMfile.zip.

    Symantec coordination batch file

    The batch file that is run when the SEP Manager notifies Resource Orchestrator that a virus has been detected.

    • File name

      rcx_quarantine_lserver.bat
    • File extraction location

      drive\Symantec\Symantec Endpoint Protection Manager\bin
    Symantec coordination script file

    The PowerShell script file called by rcx_quarantine_lserver.bat.

    • File name

      rcx_quarantine_lserver.ps1
    • File extraction location

      drive\Symantec\Symantec Endpoint Protection Manager\bin\ResourceOrchestrator\bin
    Script file for registering Resource Orchestrator user information

    The script file for registering Resource Orchestrator user information with the Symantec Endpoint Protection Manager.

    • File name

      rcx_register_ror.ps1
    • File extraction location

      drive\Symantec\Symantec Endpoint Protection Manager\bin\ResourceOrchestrator\cmd
  2. Execute the script file for registering Resource Orchestrator user information

    1. Change the PowerShell execution policy

      On the Symantec Endpoint Protection Manager server, change the PowerShell execution policy to "RemoteSigned".

      Start the PowerShell console using administrator privileges and execute the following command.

      PS > Set-ExecutionPolicy -ExecutionPolicy RemoteSigned <RETURN>
    2. Execute the following command to change the current directory.

      PS > Set-Location -Path 'drive\Symantec\Symantec Endpoint Protection Manager\bin\ResourceOrchestrator\cmd'
    3. Execute the following command to register Resource Orchestrator user information.

      For the Resource Orchestrator user ID, specify the account name of the privileged user that was created during installation of Resource Orchestrator.

      PS > ./rcx_register_ror.ps1 create -host IP_address_or_host_name_(FQDN)_of_the_Resource_Orchestrator_manager -user Resource_Orchestrator_user_account_name -password password <RETURN>

      The password is passed as a command-line argument, so it is recorded in the command history of the PowerShell session; clear that history (including any persisted history file) after registration.

      If information is already registered, the following message is output. Enter "y" to overwrite the existing information.

      INFO:230:Information already exists. Overwrite it? [y/n]
    4. Confirm that the Resource Orchestrator user information has been registered. Execute the following command.

      PS > ./rcx_register_ror.ps1 show <RETURN>

      Example

      PS > ./rcx_register_ror.ps1 show
      HOST:192.168.10.40
      PORT:23461
      USER:manage
      PASSWORD:*******

      For details on the script file for registering Resource Orchestrator user information, refer to "4.7 [Symantec] rcx_register_ror.ps1".

  3. Configure the settings for notifying Resource Orchestrator when a security risk is detected

    Enable the Symantec Endpoint Protection Manager to notify the Resource Orchestrator manager when it detects a security risk.
    To configure the settings, perform the following procedure from the Symantec Endpoint Protection Manager Web console:

    1. Open the [Monitors] > [Notifications] tab on the left pane and click [Notification Conditions] on the lower right.

    2. Click [Add] on the top left and select "Single risk event".

    3. On the window for editing notification conditions, check "Run the batch or executable file:".

    4. Enter the name of the Symantec coordination batch file (rcx_quarantine_lserver.bat) and click "OK".

    For details on this operation, refer to "Setting up administrator notifications" in the "Symantec Endpoint Protection 14 Installation and Administration Guide".

  4. Configure settings for calling the Symantec coordination batch file

    In order to enable calling of the Symantec coordination batch file, edit the following configuration file.

    drive\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\semlaunchsrv.properties

    Add the following line to the end of the file.

    sem.launchsrv.authorized.userdefined.tasks=bin\\notification.bat|bin\\rcx_quarantine_lserver.bat

    After editing the configuration file, restart the following services to enable calling of the Symantec coordination batch file.

    • Symantec Embedded Database

    • Symantec Endpoint Protection Manager

    • Symantec Endpoint Protection Launcher

    • Symantec Endpoint Protection Manager Web Server

  5. Configure email notification settings for the administrator

    Configure the email notification settings for the administrator so email is sent to the email address of the administrator whenever a virus or malware is detected.
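The following is an added example, not a script shipped with Resource Orchestrator or Symantec Endpoint Protection Manager. It checks that steps 1 to 4 above were carried out on the SEPM server: it verifies the extracted coordination files, checks the execution policy, adds the batch file to semlaunchsrv.properties without duplicating the key if it is already present, restarts the four services, and confirms the registration with the product's own "rcx_register_ror.ps1 show". Assumptions made for the example: SEPM is installed under the path in $SepmRoot, the service display names are exactly those listed in step 4, and the script is run in an elevated PowerShell console.

```powershell
# Added example, not part of the Resource Orchestrator or Symantec product files.
# Verifies the coordination files, makes the semlaunchsrv.properties change
# idempotent (does not duplicate the key if it already exists), restarts the
# four SEPM services in the order the guide lists them, and checks registration.
# Assumptions: SEPM is installed under $SepmRoot; service display names match
# the names in the guide. Run in an elevated PowerShell console on the SEPM server.

param(
    # "drive\Symantec\Symantec Endpoint Protection Manager" in the guide; adjust to your install.
    [string]$SepmRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
)

$ErrorActionPreference = 'Stop'

# 1. The files SEPMfile.zip must have produced, relative to SEPM\bin.
$expected = @(
    'rcx_quarantine_lserver.bat',
    'ResourceOrchestrator\bin\rcx_quarantine_lserver.ps1',
    'ResourceOrchestrator\cmd\rcx_register_ror.ps1'
)
$missing = @($expected | Where-Object { -not (Test-Path (Join-Path $SepmRoot "bin\$_")) })
if ($missing.Count -gt 0) { throw "Missing coordination files under $SepmRoot\bin: $($missing -join ', ')" }

# 2. The .ps1 files are unsigned local scripts, so RemoteSigned (or less restrictive) is needed.
$policy = Get-ExecutionPolicy
if ($policy -in 'Restricted', 'AllSigned') {
    throw "Execution policy is $policy; run Set-ExecutionPolicy RemoteSigned first."
}

# 3. Authorize the batch file in semlaunchsrv.properties without duplicating the key.
$props = Join-Path $SepmRoot 'tomcat\etc\semlaunchsrv.properties'
$key   = 'sem.launchsrv.authorized.userdefined.tasks'
$task  = 'bin\\rcx_quarantine_lserver.bat'   # '\\' is the .properties escape for one backslash
$lines = @(Get-Content -Path $props)
Copy-Item -Path $props -Destination "$props.bak" -Force   # keep a backup of the original

$idx = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match "^\s*$([regex]::Escape($key))\s*=") { $idx = $i; break }
}
if ($idx -lt 0) {
    # Key absent: append the line exactly as given in the guide.
    $lines += "$key=bin\\notification.bat|$task"
} else {
    # Key present: keep the existing tasks and add ours only if it is not already listed.
    $value = ($lines[$idx] -split '=', 2)[1].Trim()
    $tasks = @($value -split '\|' | Where-Object { $_ -ne '' })
    if ($tasks -notcontains $task) { $lines[$idx] = "$key=" + (($tasks + $task) -join '|') }
}
Set-Content -Path $props -Value $lines -Encoding Default

# 4. Restart the services in the order the guide lists.
$services = @(
    'Symantec Embedded Database',
    'Symantec Endpoint Protection Manager',
    'Symantec Endpoint Protection Launcher',
    'Symantec Endpoint Protection Manager Web Server'
)
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name
    Restart-Service -InputObject $svc -Force
    Write-Host "Restarted $name ($($svc.Name))"
}

# 5. Confirm the registration made with 'rcx_register_ror.ps1 create' (output format from the guide).
Push-Location (Join-Path $SepmRoot 'bin\ResourceOrchestrator\cmd')
try     { $show = & .\rcx_register_ror.ps1 show }
finally { Pop-Location }
if (-not ($show | Select-String -Pattern '^HOST:' -Quiet)) {
    Write-Warning 'No Resource Orchestrator user information is registered; run rcx_register_ror.ps1 create first.'
}
```

The properties edit is the step most worth scripting: the guide says to append the line, but if the key already exists (for instance after a second run or a SEPM upgrade that restored a default notification.bat entry), a second copy of the key silently overrides the first, so the script merges into the existing pipe-separated task list instead.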


Virtual PCs

Perform one of the following.

[Trend Micro OfficeScan]
  • Install the OfficeScan 11.0 agent, and perform configuration so the agent is managed by the OfficeScan 11.0 server.

    For details, refer to the manuals of OfficeScan 11.0.

  • Install the OfficeScan XG agent, and perform configuration so the agent is managed by the OfficeScan XG server.

    For details, refer to the manuals of OfficeScan XG.

[McAfee]
  • Install McAfee Agent and perform configuration so the agent is managed from the McAfee ePolicy Orchestrator server, and then deploy McAfee Endpoint Security.

    Refer to the following in the product guide of McAfee ePolicy Orchestrator:

    • "Installing the McAfee Agent and licensed software" in "Setting up your McAfee ePO server"

    • "Deploying products" in "Advanced configuration"

[Symantec]
  • Install the Symantec Endpoint Protection agent, and perform configuration so the agent is managed by Symantec Endpoint Protection Manager.

    For details, refer to the manuals of Symantec Endpoint Protection.


SBC Servers

Perform one of the following.

[Trend Micro OfficeScan]
  • Install the OfficeScan 11.0 agent, and perform configuration so the agent is managed by the OfficeScan 11.0 server.

    For details, refer to the manuals of OfficeScan 11.0.

  • Install the OfficeScan XG agent, and perform configuration so the agent is managed by the OfficeScan XG server.

    For details, refer to the manuals of OfficeScan XG.

[McAfee]
  • Install McAfee Agent and perform configuration so the agent is managed from the McAfee ePolicy Orchestrator server, and then deploy McAfee Endpoint Security.

    Refer to the following in the product guide of McAfee ePolicy Orchestrator:

    • "Installing the McAfee Agent and licensed software" in "Setting up your McAfee ePO server"

    • "Deploying products" in "Advanced configuration"

[Symantec]
  • Install the Symantec Endpoint Protection agent, and perform configuration so the agent is managed by Symantec Endpoint Protection Manager.

    For details, refer to the manuals of Symantec Endpoint Protection.


Resource Orchestrator Manager

[VMware]

Install VMware vSphere PowerCLI 6.0 or later, and confirm that PowerCLI can be loaded and run on the admin server.

For details, refer to the manuals of VMware vSphere PowerCLI.

Note

  • If PowerCLI is installed after the Resource Orchestrator manager, Resource Orchestrator may not be able to properly operate the functions of PowerCLI.

    In such cases, restart the Resource Orchestrator manager.

    For details on how to stop and restart the manager, refer to "2.1 Starting and Stopping Managers" in the "Operation Guide CE".

  • If the admin server is not connected to the Internet, the PowerCLI snap-ins take much longer to load, because Windows tries to validate the publisher certificates of the signed snap-in assemblies online; this delay interferes with network switchover.
    Therefore, connect the admin server to the Internet.

    If the admin server cannot be connected to the Internet, work around the delay by disabling automatic updating of certificates in the "Microsoft Root Certificate Program" and disabling the check for publisher certificate revocation.

    Perform the following two procedures on the admin server:

    • Disable automatic updating of certificates in the "Microsoft Root Certificate Program"

      1. Open the Local Group Policy Editor.

      2. Select [Computer Configuration]-[Windows Settings]-[Security Settings]-[Public Key Policies].

      3. Double-click [Certificate Path Validation Settings].

      4. Click the [Network Retrieval] tab.

      5. Check the [Define these policy settings] checkbox.

      6. Clear the [Automatically update certificates in the Microsoft Root Certificate Program] checkbox.

        Information

        Leave the [Allow issuer certificate (AIA) retrieval during path validation] checkbox checked. This setting affects how certificate chains are validated: when an intermediate CA certificate is not available locally, Windows downloads it from the authority information access (AIA) URL in the certificate and uses it to build the chain up to the root CA certificate. Clearing it prevents missing intermediate certificates from being retrieved, which can leave chains incomplete.

      7. Click [OK].

      8. Restart the OS.

    • Disable the setting for checking certificate revocation

      1. Open the Registry Editor.

      2. Open the following registry key. (HKEY_USERS\.DEFAULT is the profile used by services running as the Local System account, which is why the change is made there rather than under HKEY_CURRENT_USER.)

        HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

      3. Modify the value of [State (REG_DWORD)] as follows. The two values differ only in bit 0x200, which controls the publisher certificate revocation check; if the existing value on the server is not 0x00023c00, set that bit in the existing value rather than overwriting the whole DWORD.

        Before modification

        0x00023c00: Enabled

        After modification

        0x00023e00: Disabled
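The following is an added example, not from the Resource Orchestrator or VMware documentation, that applies the checks a practitioner would want around the two workarounds above. It measures how long the PowerCLI snap-in takes to load (the symptom described in the note), then disables the publisher revocation check by setting only bit 0x200 in the State value, so that any other bits already set on the admin server survive, and finally reads back the policy value that the Group Policy steps are expected to write. Assumptions: PowerCLI 6.x registers the VMware.VimAutomation.Core snap-in (newer releases ship it as a module, and both are tried), the 30 second threshold is an arbitrary choice for the example, and the DisableRootAutoUpdate value under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot is the registry form of the "Automatically update certificates in the Microsoft Root Certificate Program" policy. Run it in an elevated PowerShell console on the admin server.

```powershell
# Added example (not from the Resource Orchestrator or VMware documentation).
# Run elevated on the admin server. Measures how long PowerCLI takes to load,
# then flips only the publisher-revocation-check bit (0x200) in the Software
# Publishing State value instead of overwriting the whole DWORD, so other bits
# already set on this host survive. Finally reads the root auto-update policy.
# Assumption: PowerCLI 6.x registers the 'VMware.VimAutomation.Core' snap-in;
# newer releases ship a module of the same name, so both are tried.

$ErrorActionPreference = 'Stop'

# 1. Is PowerCLI present, and how long does it take to load?
$elapsed = Measure-Command {
    if ((Get-Command Add-PSSnapin -ErrorAction SilentlyContinue) -and
        (Get-PSSnapin -Registered -Name 'VMware.VimAutomation.Core' -ErrorAction SilentlyContinue)) {
        Add-PSSnapin 'VMware.VimAutomation.Core'
    } elseif (Get-Module -ListAvailable -Name 'VMware.VimAutomation.Core') {
        Import-Module 'VMware.VimAutomation.Core'
    } else {
        throw 'VMware PowerCLI is not installed on this admin server.'
    }
}
"PowerCLI load time: {0:N1} s" -f $elapsed.TotalSeconds
if ($elapsed.TotalSeconds -gt 30) {   # threshold chosen for the example
    Write-Warning 'Slow load: check Internet access or apply the certificate validation workarounds.'
}

# 2. Publisher certificate revocation check in the .DEFAULT profile (used by Local System services).
$regPath = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$RevocationCheckBit = 0x200   # 0x00023c00 and 0x00023e00 in the guide differ in exactly this bit

function Get-PublisherRevocationCheck {
    $state = (Get-ItemProperty -Path $regPath -Name State).State
    [pscustomobject]@{
        State   = ('0x{0:x8}' -f $state)
        Enabled = (($state -band $RevocationCheckBit) -eq 0)   # bit clear = check enabled
    }
}

function Disable-PublisherRevocationCheck {
    $state = (Get-ItemProperty -Path $regPath -Name State).State
    $new = $state -bor $RevocationCheckBit     # set the bit, keep everything else
    if ($new -ne $state) {
        Set-ItemProperty -Path $regPath -Name State -Value $new -Type DWord
    }
    Get-PublisherRevocationCheck
}

'Before:'; Get-PublisherRevocationCheck
'After:';  Disable-PublisherRevocationCheck

# 3. Read-only check of the policy the Group Policy steps set (assumed registry form of that policy).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$val = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($val -and $val.DisableRootAutoUpdate -eq 1) { 'Root certificate auto-update: disabled by policy' }
else { 'Root certificate auto-update: still enabled (apply the Group Policy steps above)' }
```

Setting the bit rather than writing the literal 0x00023e00 matters because the State value packs several WinTrust options; a server whose value has been changed by another policy would otherwise have those options silently reset. Both workarounds weaken code-signing validation for everything that runs under the Local System account, so they should only be applied on an admin server that really cannot reach the Internet, and should be recorded as a deliberate exception.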