Showing posts with label ePO. Show all posts

Friday, 30 September 2016

Collecting McAfee ePO threat data using AlienVault OSSIM

If you are using AlienVault OSSIM you can collect ePO Threat Data and add it to your SIEM Security Events.

AlienVault have already developed a database plugin to connect to the ePO Database, collect and parse the data into the OSSIM Database, but I have struggled to get this to work with our MS-SQL Database cluster, resulting in 'ParserDatabase [INFO]: Can't connect to MS-SQL database' errors.

The steps for enabling the plugin and collecting the data are:

  • Enabling the Plugin
  • Creating a local configuration file
  • Configuring the database connection
  • Troubleshooting connection errors

Tuesday, 30 August 2016

VirusScan 8.8 P8 release - Windows 10 Anniversary Edition

After some issues with VSE 8.8 not being compatible with Windows 10 Anniversary Edition, Intel Security have now released Patch 8, which adds compatibility for the current build of Windows 10.

Patch 8 (build 8.8.0.1588) has been released to the update site, and if you are running ePO 5.1.1 or later the Software Manager will be able to pull this update into your Master Repository.

Full details for this release can be found in the release notes PD26631, and the supported platforms, environments and operating systems can be found in KB51111.

Thursday, 16 June 2016

ePolicy Orchestrator update fixes multiple Oracle Java vulnerabilities - May 2016

ePO is vulnerable to multiple CVEs reported in Oracle's April 2016 Java SE update. Collectively, these vulnerabilities affect confidentiality, integrity, and availability of the server.

Monday, 18 January 2016

McAfee ePolicy Orchestrator Vulnerability patched


ePolicy Orchestrator (ePO) is packaged with Apache Commons Collections library version 3.2.1 (commons-collections-3.2.1.jar) which is vulnerable to insecure deserialization of data, which may result in arbitrary code execution.

CERT/CC Vulnerability Note VU#576313
The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.

Remediation

This issue is remediated with ePO 5.x Hotfix 1106041. These fixes will be included in the next ePO patch release.

  • Users of ePO 4.6.x are recommended to upgrade to ePO 5.1.3 or 5.3.1 and then apply hotfix EPO5xHF1106041.zip.
  • Users of ePO 5.0.x and 5.1.x should upgrade to ePO 5.1.3 or 5.3.1 and then apply hotfix EPO5xHF1106041.zip.
  • Users of ePO 5.3.0 should upgrade to ePO 5.3.1 and then apply hotfix EPO5xHF1106041.zip.

| Product | Type | File Name | Release Date |
|---|---|---|---|
| ePO 5.3.1 | Hotfix | ePO5xHF1106041.zip | December 30, 2015 |
| ePO 5.1.4 | Patch | TBD | Q2 2016 |
| ePO 5.1.3 | Hotfix | ePO5xHF1106041.zip | December 30, 2015 |


Recommendation

Intel Security recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see the Knowledge Base article SB10144.

See the ePolicy Orchestrator 5.x Hotfix 1106041 Release Notes for further details at:

Tuesday, 19 May 2015

McAfee ePolicy Orchestrator 5.3 Now Available

ePolicy Orchestrator 5.3 is now available. This release includes new features, fixes and enhancements including:

  • Affected systems warning
  • Simplified dashboard
  • Automatic product installation
  • Third party component versions at a glance
  • Option to save policy and task information prior to removing an extension
  • Improved upgrade behaviour
To download ePO 5.3 go to the McAfee downloads site using your Grant Number.

Full release notes can be viewed at:

This information was provided by the Intel Security Support Notification Service. To sign up for alerts visit the SNS Subscription Centre.

Saturday, 17 January 2015

McAfee SNS Product Digest (January 2015)

McAfee has released its newest member of the SNS family, the Product Digest.

At first glance it looks like just another email newsletter, but it is jam-packed with product-specific Technical Product Updates, Cyber Facts and a Product Spotlight.

If you are an ePO user you will also find a link to the next webcast, titled "ePO Remote Agent Handler — Use Cases, How They Work and Troubleshooting".

Check out the January 2015 issue here.

Tuesday, 18 November 2014

McAfee ePO 5.0.1 and later — Update on POODLE (CVE-2014-3566) OpenSSL Vulnerability

McAfee has determined that customers who upgraded to ePO 5.0.1 and later from an ePO 4.x version may be vulnerable to the POODLE OpenSSL 3.0 vulnerability (CVE-2014-3566) due to a Java security setting migration issue. SSL protocol 3.0, as used in Tomcat 5.5.x and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, such as the POODLE issue.

The security configuration for ePO 5.0.0 and later disables the SSLv3 protocol by default for clean installations of ePO. However, ePO 5.0.1 and later versions may be vulnerable if they have been upgraded from a previous ePO 4.x version. For more information on resolution, please visit the ePolicy Orchestrator Sustaining Engineering Statement (SSC1410161) provided by McAfee.

Thursday, 11 September 2014

McAfee Product Specialist - ePO

After much procrastination I finally took the Certified McAfee product specialist - ePO exam and passed!

Monday, 8 September 2014

McAfee Threat Intelligence Exchange RC available to download

McAfee have announced that the Release Candidate for their new Threat Intelligence Exchange Architecture and Endpoint enabled products is now available to download from the TIE Beta Community.

Thursday, 7 August 2014

ePolicy Orchestrator 5.1.0 Revised Documentation Now Available

Revised versions of the McAfee ePolicy Orchestrator 5.1.0 Product Guide and the McAfee ePolicy Orchestrator 5.1.0 Installation Guide are now available.

The revised documents include information about these commonly-accessed Knowledge Centre topics:
  • Required SQL permissions
  • Changing SQL credentials for connecting McAfee ePO to the database
  • Supported user name and password formats
  • Ports needed for communication through a firewall
  • Changing the Agent-Server Communication Port
  • Changing the Console-Application Server Communication Port
  • Changing the Client-Server Authenticated Communication Port
PD24807 - ePolicy Orchestrator 5.1.0 Installation Guide
PD24808 - ePolicy Orchestrator 5.1.0 Product Guide

This information was provided by the McAfee Support Notification Service (SNS). To sign up for SNS alerts, visit here.

Monday, 4 August 2014

Upgrading to ePO 5.1.1 - Where is the Patch file?

After receiving the much-awaited SNS Notice announcing that (ePO) 5.1.1 is now available... where do I get it from?

It looks like we have been struck by the usual issues from McAfee with different product teams uploading the patches to different places.

After visiting the 'Product and Solutions' page, entering my Grant number, visiting the ePO 5.1 Management Solutions page and browsing the 'Patches' tab... it's not there. So where have McAfee put the ZIP file?

After some digging, and vaguely remembering I have had this issue in the past, let's try logging into my Support Portal (which you have to sign up for independently of receiving your grant letter). Let's go to Patches and Downloads, same place as logging in with my Grant number, right? Nope, wrong!

This takes you to the 'Full Products Downloads and Updates'. Under the Patches Section, filter the list to ePolicy Orchestrator, and Ta Dah, the ePO 5.1.1 patch can be downloaded.