McAfee Vulnerability Manager 7.5.0 Product Guide - For use with McAfee ePO
COPYRIGHT
Copyright © 2012 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.
LICENSE INFORMATION
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Contents
Introducing McAfee Vulnerability Manager for ePolicy Orchestrator
  System requirements for McAfee Vulnerability Manager
Installation and setup
  Install or upgrade the extension
  Uninstall the extension
  Set up a McAfee Vulnerability Manager registered server
    Asset filter options
Using the extension
  Create an update server task
  Set up Single-Sign On
  Synchronize data
    Adding a McAfee ePO data source from McAfee Policy Auditor
    Creating a McAfee ePO data source in McAfee Vulnerability Manager
  Maintain association between McAfee Vulnerability Manager and McAfee ePO data
    Change the maintenance schedule
    Run the maintenance task manually
  Update the Foundstone Configuration Agent settings
McAfee Vulnerability Manager dashboard monitors
  Foundscore overview
  Detected system details
  Detected system interfaces
  Foundscore history details
  McAfee Vulnerability Manager system detail
  McAfee Vulnerability Manager systems
  McAfee Vulnerability Manager vulnerabilities
  McAfee Vulnerability Manager web assets details
  McAfee Vulnerability Manager web asset pages information
  McAfee Vulnerability Manager web asset page vulnerabilities information
  McAfee Vulnerability Manager sitemap
  Query type
  Service information
  Vulnerability details
Introducing McAfee Vulnerability Manager for ePolicy Orchestrator
The McAfee® Vulnerability Manager ePO extension allows you to import your McAfee Vulnerability Manager data into your ePolicy Orchestrator® database, and then view that data through an ePolicy Orchestrator dashboard.
McAfee Vulnerability Manager is also known as Foundstone.
NOTE: McAfee Vulnerability Manager is a separate product from ePolicy Orchestrator and the McAfee Vulnerability Manager ePO extension. You must have an existing McAfee Vulnerability Manager database, with scanned asset data, in order to use the McAfee Vulnerability Manager ePO extension.
System requirements for McAfee Vulnerability Manager
The extension requires:
• McAfee ePolicy Orchestrator 4.5 or later, or McAfee ePolicy Orchestrator 4.6 or later
• Microsoft Windows Server
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2008
    NOTE: The McAfee Vulnerability Manager ePO extension supports Windows Server 2008. The McAfee Vulnerability Manager 7.5 software only supports Microsoft Windows Server 2008 R2. After installation, if you view the extension in the McAfee Vulnerability Manager Configuration Manager, a message states that the version of Microsoft Windows running on the system is not supported. This message can be ignored.
  • Microsoft Windows Server 2008 R2 (ePolicy Orchestrator 4.5 patch 4 or later, or 4.6)
• Microsoft SQL Server
  • Microsoft SQL Server 2005
  • Microsoft SQL Server 2005 Express
  • Microsoft SQL Server 2008
  • Microsoft SQL Server 2008 Express
• Run a task that imports McAfee Vulnerability Manager data into the ePolicy Orchestrator database
• McAfee Vulnerability Manager 7.5 (separate from the ePolicy Orchestrator extension)
• (Optional) McAfee Policy Auditor 5.3
NOTE: Previous versions of McAfee Vulnerability Manager/Foundstone and McAfee Policy Auditor are not compatible with the McAfee Vulnerability Manager 7.5 ePO extension.
Installation and setup
To properly integrate McAfee Vulnerability Manager and ePolicy Orchestrator information, use the following setup order:
1 Install ePolicy Orchestrator 4.5 or 4.6.
2 Install the McAfee Vulnerability Manager ePO extension. This includes installing a configuration manager agent (FC Agent) for communication with the McAfee Vulnerability Manager Configuration Manager.
3 Register the McAfee Vulnerability Manager 7.5 server in ePolicy Orchestrator.
4 Create a McAfee Vulnerability Manager Data Import server task.
5 (Optional) If you are integrating McAfee Vulnerability Manager with McAfee Policy Auditor, or if you want to export your ePolicy Orchestrator assets to McAfee Vulnerability Manager, then create an ePolicy Orchestrator data source using the McAfee Vulnerability Manager web portal.
6 Run a McAfee Vulnerability Manager scan to scan your network.
7 After the scan is complete, run the McAfee Vulnerability Manager Data Import server task.
Install or upgrade the extension
Use this task to install the McAfee Vulnerability Manager ePO extension.
NOTE: In McAfee Vulnerability Manager 7.5, the FSAssetVulnView.MultipleCVE column has been removed from the extension. Any custom queries that refer to this column need to be modified or deleted.
Before you begin
You must have installed ePolicy Orchestrator 4.5 or 4.6 on your McAfee ePO server.
Task
For option definitions, click ? in the interface.
1 Download and uncompress the McAfee Vulnerability Manager file on your McAfee ePO server. The file is available from the McAfee product download site.
2 Open the McAfee Vulnerability Manager folder and run Setup.exe. The Setup Requirements appears. If any requirement is not met, exit the installer and resolve any issues. Some applications must be installed for Vulnerability Manager ePO extension to function properly. These applications will be installed when you go to the next step in the installation.
3 Click Next. Any required applications are installed. You might need to select Yes to continue the installation. After the required applications are installed, the Welcome to McAfee step appears.
4 Click Next. The End User License Agreement appears.
5 Select a location from the Select location where purchased and used drop-down list.
6 Select I accept the terms in the license agreement. If you do not accept the terms in the license agreement, click Cancel to exit.
7 Click OK. The Choose Destination Folder step appears. You can accept the default location or change the location by clicking the Browse button.
8 Click Next. The Set Administrator Information step appears.
9 Type the ePolicy Orchestrator global administrator user name and password.
10 Click Next. The Set Vulnerability Manager Configuration Manager Settings step appears.
11 Type the server name or IP address for the system running the McAfee Vulnerability Manager Configuration Manager.
12 Type the port number the McAfee Vulnerability Manager Configuration Manager listens on. The default port number is 3801.
13 Click Next. The Start Copying Files step appears. You can review your options. To make changes, click Back.
14 Click Next. The setup process runs and completes.
15 Click Finish.
Uninstall the extension
When uninstalling McAfee Vulnerability Manager ePO extension 7.5, use the Windows Add/Remove programs window. Uninstalling McAfee Vulnerability Manager using the ePolicy Orchestrator extension user-interface will not remove all of the McAfee Vulnerability Manager components from your system.
If you installed the McAfee Risk Advisor and the McAfee Vulnerability Manager ePO extensions, the McAfee Vulnerability Manager ePO extension cannot be deleted so long as McAfee Risk Advisor remains installed. This is due to a dependency of McAfee Risk Advisor on McAfee Vulnerability Manager. Once McAfee Risk Advisor is uninstalled, you can then uninstall McAfee Vulnerability Manager.
Set up a McAfee Vulnerability Manager registered server
Once the McAfee Vulnerability Manager ePO extension is installed, you must set up your McAfee Vulnerability Manager database as a registered server.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Registered Servers.
2 Click New Server.
3 Select Vulnerability Manager from the Server type list.
4 Type a name for this registered server. The Notes section is optional.
5 Click Next.
6 Type in the McAfee Vulnerability Manager database server host name or IP address. Examples: myhost or 123.45.67.89.
7 Select a server instance for the McAfee Vulnerability Manager database.
  • Default – Select Default if Microsoft SQL was installed with the default settings.
  • Instance name – Select Instance name if the Microsoft SQL name was changed. Type the name in the Instance name field.
  • Port number – Select Port number if you must specify a port number for the IP address. Type the port number in the port number field.
8 Allowed to use SSL to connect is enabled by default. Disabling this function will not allow an SSL connection when communicating with the Vulnerability Manager database. Microsoft SQL requires an SSL connection.
9 Type in your McAfee Vulnerability Manager database name in the Database name field. The default McAfee Vulnerability Manager database name is faultline.
10 Select an authentication type.
  • Windows authentication – Select Windows authentication to enter a Windows user name and password to access the Vulnerability Manager database. The user name for Windows authentication must include the domain (domain\user).
    NOTE: If the Windows authentication user name does not include a domain, the Test Connection button is unavailable.
  • SQL authentication – Select SQL authentication to enter a SQL user name and password to access the McAfee Vulnerability Manager database.
11 Type in an organization name to only import data for that McAfee Vulnerability Manager organization. You can type only one organization name in this field. If you need the data from more than one McAfee Vulnerability Manager organization, you must create a separate registered server and type the name of the other McAfee Vulnerability Manager organization. If this field is left blank, the data from all McAfee Vulnerability Manager organizations is imported.
NOTE: You can import the data for all of your McAfee Vulnerability Manager organizations or import data for specific McAfee Vulnerability Manager organizations, but not both. Importing the data for all McAfee Vulnerability Manager organizations and importing data for specific McAfee Vulnerability Manager organizations can cause duplicate data in your ePO database.
12 Click Test Connection to check if ePolicy Orchestrator can connect to the McAfee Vulnerability Manager database.
The test connection could fail for several reasons. An error message will display with some information about why the test connection failed.
NOTE: If the McAfee Vulnerability Manager database is inaccessible (like being offline), the test connection will fail. A successful test connection is not required for saving your Registered Server information.
Asset filter options
Selecting different asset filter options results in different asset data being imported into McAfee ePO.
• No filter options selected – Imports all McAfee Vulnerability Manager asset data.
• Organization name – Imports all asset data for the organization.
• Import assets from ePO data source – Imports assets from a given McAfee ePO data source, which can include assets with tags and assets without tags.
• Import assets from asset tag – Imports assets with the given tag from the selected organization, including assets from other McAfee ePO data sources.
• Import only the tagged assets that are unrelated to ePO data sources – Imports assets with the given tag that are not part of any McAfee ePO data source.
• Import assets from ePO data source and Import assets from asset tag – Imports assets from the selected McAfee ePO data source and all assets with the given tag, including assets from other McAfee ePO data sources.
• Import assets from ePO data source, Import assets from asset tag, and Import only the tagged assets that are unrelated to ePO data sources – Imports assets from the selected McAfee ePO data source and assets with the given tag, that are not part of any other McAfee ePO data source.
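The following added example (not McAfee code and not part of the original guide) models the asset filter combinations listed above, and the duplicate-data NOTE in the registered server task, so that the import scope of a registered server can be reasoned about before it is saved. The Asset fields, function names, and sample inventory are constructed for illustration; it assumes the organization name narrows every other option.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    """Hypothetical stand-in for one scanned asset (not the product schema)."""
    name: str
    organization: str
    data_source: Optional[str] = None   # ePO data source the asset came from, if any
    tags: frozenset = frozenset()


def imported_assets(assets, organization=None, data_source=None, tag=None,
                    only_unrelated_tagged=False):
    """Return the names of the assets a registered server would import.

    organization          -> "Organization name" (None = blank field, all organizations)
    data_source           -> "Import assets from ePO data source"
    tag                   -> "Import assets from asset tag"
    only_unrelated_tagged -> "Import only the tagged assets that are unrelated
                              to ePO data sources"
    """
    if only_unrelated_tagged and tag is None:
        raise ValueError("the 'unrelated' option only narrows a tag filter")

    # Assumption: the organization name narrows every other option.
    pool = [a for a in assets
            if organization is None or a.organization == organization]

    # No data source and no tag selected: everything in scope is imported.
    if data_source is None and tag is None:
        return {a.name for a in pool}

    selected = set()
    for a in pool:
        from_source = data_source is not None and a.data_source == data_source
        tagged = tag is not None and tag in a.tags
        if only_unrelated_tagged:
            # Tagged assets count only when they belong to no ePO data source.
            tagged = tagged and a.data_source is None
        if from_source or tagged:
            selected.add(a.name)
    return selected


def duplicate_import_scope(assets, config_a, config_b):
    """Assets that two registered-server configurations would both import.

    A non-empty result is the situation the guide's NOTE describes: the
    same data arriving in the ePO database through two registered servers.
    """
    return imported_assets(assets, **config_a) & imported_assets(assets, **config_b)


# Constructed sample inventory (illustrative names only).
SAMPLE_ASSETS = [
    Asset("web01", "Finance", "epo-main", frozenset({"pci"})),
    Asset("db01", "Finance", "epo-main"),
    Asset("app02", "Finance", "epo-branch", frozenset({"pci"})),
    Asset("printer01", "Finance", None, frozenset({"pci"})),
    Asset("kiosk07", "Finance"),
    Asset("hr-laptop", "HR", None, frozenset({"pci"})),
]

if __name__ == "__main__":
    combos = {
        "data source only": dict(data_source="epo-main"),
        "tag only": dict(tag="pci"),
        "tag + unrelated": dict(tag="pci", only_unrelated_tagged=True),
        "data source + tag": dict(data_source="epo-main", tag="pci"),
        "data source + tag + unrelated": dict(
            data_source="epo-main", tag="pci", only_unrelated_tagged=True),
    }
    for label, opts in combos.items():
        scope = imported_assets(SAMPLE_ASSETS, organization="Finance", **opts)
        print(f"{label:32s} {sorted(scope)}")

    # One server with a blank organization plus one limited to Finance.
    overlap = duplicate_import_scope(
        SAMPLE_ASSETS, dict(organization=None), dict(organization="Finance"))
    print("imported twice:", sorted(overlap))
```
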
Using the extension
The McAfee Vulnerability Manager ePO extension allows you to import your McAfee Vulnerability Manager data into your ePolicy Orchestrator database. You can view that data through an ePolicy Orchestrator dashboard.
Once the McAfee Vulnerability Manager ePO extension is installed and your McAfee Vulnerability Manager server is registered in ePolicy Orchestrator, you must populate your ePO database by importing asset data from your McAfee Vulnerability Manager database by creating a server task.
Create an update server task
When you create the McAfee Vulnerability Manager Update server task, you can set the time and intervals for when and how often your McAfee Vulnerability Manager data is imported or updated.
Task
For option definitions, click ? in the interface.
1 Select Menu | Automation | Server Tasks.
2 Select New Task. The Server Task Builder page appears.
3 Type a name for this new server task. The Notes section is optional.
4 Select Enabled.
5 Click Next.
6 From the query drop-down list, select Vulnerability Manager Data Import.
7 From the Server name drop-down list, select the McAfee Vulnerability Manager server to import data from.
8 Select which data to import, then click Next.
  • Delta – Imports only new or updated McAfee Vulnerability Manager data since the last time you ran the server task. The first time you run the McAfee Vulnerability Manager server task, there is no McAfee Vulnerability Manager data in your ePO database, so the Delta setting will import all of your McAfee Vulnerability Manager data.
    NOTE: It is recommended to select Delta for importing and updating your data.
  • All – Overwrites all existing McAfee Vulnerability Manager data in your ePO database every time the server task runs. If there is a lot of McAfee Vulnerability Manager data to import, using the All data import takes a long time. Use the All data option if there are issues with the McAfee Vulnerability Manager data in your ePO database and you want to start over.
9 Schedule the frequency, then click Next. Select start and end dates, and the time you want this server task to run. You can schedule multiple times for this task to run by selecting the "+" (Add) icon. You can also set a window of time by selecting Between instead of At.
10 Review the server task summary, then click Save. If you want to run the server task now, select Run for this server task from the Server Tasks page.
Set up Single-Sign On
The McAfee Vulnerability Manager Single-Sign On feature allows McAfee Policy Auditor users access to their McAfee Vulnerability Manager web portal to access scan configurations.
Using Single-Sign On requires the creation of a McAfee Vulnerability Manager Workgroup with credentials that will allow a McAfee Policy Auditor user access to the McAfee Vulnerability Manager web portal. This needs to be done by your McAfee Vulnerability Manager administrator. Setting up a McAfee Vulnerability Manager Workgroup cannot be done from ePolicy Orchestrator.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Server Settings.
2 Select Vulnerability Manager API Server.
3 Click Edit.
4 Type the Organization, User Name, and Password for the McAfee Vulnerability Manager Workgroup set up for ePolicy Orchestrator.
5 Select Enable Policy Auditor to use these server settings to enable Single-Sign On through the ePolicy Orchestrator user-interface.
6 Click Save. The Organization and User Name display on the Server Settings tab for the Vulnerability Manager API Server.
Synchronize data
From the McAfee Vulnerability Manager web portal, a data synchronization can be done with the ePO server. This data synchronization allows McAfee Vulnerability Manager to properly label ePolicy Orchestrator systems that have an ePO agent installed.
If you are having your McAfee Vulnerability Manager administrator create your ePO data source, provide the following ePO database information:
• Server Address
• Database Name
• User name and password
Adding a McAfee ePO data source from McAfee Policy Auditor
Use this task to add a McAfee ePO data source from McAfee Policy Auditor.
Task
For option definitions, click ? in the interface.
1 Click Menu, then select Risk & Compliance.
2 Click Audits.
3 Click Manage Foundstone Data Source.
A separate window appears with the McAfee Vulnerability Manager Data Source page. Follow the Creating a McAfee ePO data source in McAfee Vulnerability Manager procedure.
Creating a McAfee ePO data source in McAfee Vulnerability Manager
To get here, you must be logged into the McAfee Vulnerability Manager web portal.
Task
For option definitions, click ? in the interface.
1 Click Add Data Source.
2 Type a name for this data source.
3 Select ePO from the Data Source Type list.
4 Type the server address of the McAfee ePO database.
5 Type the name of the McAfee ePO database.
6 Type the user name and password. If your user name includes a domain, then you need to enter domain@username (example: admin@foundstone).
NOTE: The user name must have at least read-access to the McAfee ePO database.
7 For McAfee ePO/Policy Auditor integration, select Enable Audit Request. The McAfee Vulnerability Manager Organization/Workgroup list becomes available.
8 Select the McAfee ePO/Policy Auditor workgroup from the drop-down list.
9 Select Active or Inactive for the Scheduler.
10 Select either a Schedule Type (Immediate or One Time) or a Recurring (Daily, Weekly, or Monthly).
NOTE: If you select Daily, Weekly, or Monthly, also select the appropriate Schedule options for this data source.
11 Click Save, then close the McAfee Vulnerability Manager window.
Maintain association between McAfee Vulnerability Manager and McAfee ePO data
As you add and delete systems from the System Tree, the system data associated between McAfee Vulnerability Manager and McAfee ePO might no longer match. The MVM: Maintain links between MVM and ePO systems task checks for changes between system data in McAfee ePO and system data in McAfee Vulnerability Manager and updates the system data, as needed.
By default, this task runs every hour. This is to ensure that the association between your McAfee ePO system data and your McAfee Vulnerability Manager system data is kept up to date. You can change the maintenance schedule to suit your needs. You can also manually run this maintenance task.
Change the maintenance schedule
Use this task to change the maintenance schedule for the MVM: Maintain links between MVM and ePO systems task.
Task
For option definitions, click ? in the interface.
1 Select Menu | Automation | Server Tasks.
2 Click Edit for the task MVM: Maintain links between MVM and ePO systems.
3 Click Schedule.
4 Modify the schedule, then click Save.
Run the maintenance task manually
Use this task to manually run the MVM: Maintain links between MVM and ePO systems task.
Task
For option definitions, click ? in the interface.
1 Select Menu | Automation | Server Tasks.
2 Click Run for the task MVM: Maintain links between MVM and ePO systems.
Update the Foundstone Configuration Agent settings
Use this task to update the Foundstone Configuration Agent on your McAfee ePO server.
Task
For option definitions, click ? in the interface.
1 On the system tray, double-click the Foundstone Configuration Agent icon. If the Foundstone Configuration Agent icon does not appear in the system tray, you can open the agent window by double-clicking the FCAgentSettings.exe. This executable is located at C:\Program Files\McAfee\Vulnerability Manager Extension for ePO\FCM on default installations.
2 In the Foundstone Configuration Agent Settings dialog box, type the new server name or IP address for the McAfee Vulnerability Manager Configuration Manager. Also type the port number the McAfee Vulnerability Manager Configuration Manager listens on. The Bind to Local Interface settings are only used if your McAfee ePO server has multiple network cards and ports enabled. The Bind to Local Interface settings allow you to set which port your McAfee ePO server will use when communicating with the McAfee Vulnerability Manager Configuration Manager.
3 Click Apply, then click Close.
McAfee Vulnerability Manager dashboard monitors
There are two default dashboards for McAfee Vulnerability Manager, the McAfee Vulnerability Manager Summary and the McAfee Vulnerability Manager Web Assessment Summary.
Vulnerability Manager Summary Dashboard
The McAfee Vulnerability Manager Summary dashboard has six default monitors.
• FSE: Managed vs Unmanaged vs Infrastructure – A pie chart representing the Managed, Unmanaged, and Infrastructure assets on your network. Clicking on the list or part of the pie chart will display a list of the assets in the selected asset type (Managed, Unmanaged, Infrastructure).
  • Managed – Assets that have an ePO agent installed.
  • Unmanaged – Assets that do not have an ePO agent installed.
  • Infrastructure – Assets that do not allow an ePO agent to be installed. For example, a network printer.
• FSE: Top 10 Vulnerable Systems – A list of the most vulnerable assets (Managed, Unmanaged, or Infrastructure) on your network. Click on an asset to see further details about the selected asset.
• FSE: Top 10 Vulnerable Managed Systems – A list of the most vulnerable Managed assets on your network. Click on an asset to see further details about the selected asset.
• FSE: Top 10 Vulnerable Unmanaged Systems – A list of the most vulnerable Unmanaged assets on your network. Click on an asset to see further details about the selected asset.
• FSE: Top 10 Vulnerable Infrastructure Systems – A list of the most vulnerable Infrastructure assets on your network. Click on an asset to see further details about the selected asset.
• FSE: Foundscore Trend for Last 30 Days – A trend graph of the Foundscore for all assessed assets on your network, over the last 30 days. Click on an asset to see the Foundscore Trend table for a specific date.
Other summary monitors include:
• FSE: Imported Systems – A list of systems imported from a McAfee Vulnerability Manager server. The McAfee Vulnerability Manager server filter should be modified before use.
• FSE: Top 10 Vulnerable Systems with No Tag – A list of the most vulnerable systems without a tag on the System Tree, based on the Foundscore. Use this monitor to query McAfee Vulnerability Manager systems after these systems have been promoted to the System Tree.
Vulnerability Manager Web Assessment Summary Dashboard
The McAfee Vulnerability Manager Web Assessment Summary dashboard has five default monitors:
• FSE: Top 10 Vulnerable Host Systems By Web Vulnerability Count – A list of the most vulnerable systems running a web application, based on web vulnerabilities.
• FSE: Top 10 Vulnerable Web Assets – A list of the most vulnerable web applications on your network.
• FSE: Top 10 Vulnerable Web Asset Pages – A list of the most vulnerable web pages from all of the host systems running a web application.
  NOTE: To view the vulnerabilities associated with each web application, use the system details or detected system details pages.
• FSE: Foundscore Trend for Web Assets for Last 30 Days – A trend graph of the Foundscore for all assessed web assets on your network, over the last 30 days. Clicking on the graph will show the Foundscore Trend table for a specific date.
• FSE: Top 10 Web Vulnerabilities – A list of the web vulnerabilities that affect the highest number of assets in your network.
Foundscore overview
Foundscore is a security ranking system that compares aspects of your environment against best practices in order to quantify your security risk. A scan can earn a Foundscore value from 0 to 100 for a full scan.
NOTE: If the scan does not check for vulnerabilities, the top Foundscore value is 50 because it only detects running services and deducts the relevant points.
• A higher score reflects a more effective security posture (an environment with less risk).
• A low score indicates that your environment possesses more security weaknesses and, consequently, more risk.
These scores can be ranked with qualitative scores to give you an idea of your environment's security posture.
Score Range    Ranking
0 - 25         Poor
26 - 50        Below Average
51 - 70        Average
71 - 85        Above Average
86 - 100       Excellent
Detected system detailsDefinitionOption
Detected Systems Information
Agent GUID – The McAfee Agent ID for the asset.
Agent Version – The version number of the RSD agent on the agent.
Canonical Name – The name given to an asset by McAfee Rogue System Detection, based on the information provided by the asset. The canonical name is the first "non-null" value of:
• DNS Name
• Computer Name (NetBIOS Name)
• IP Address
• MAC Address
Comments – User entered comments. Click Edit Comment and then type a comment in the Actions Taken field. Click OK to save.
Computer Name – The Computer name for the asset.
Detection Source – The name of the product that gathered the asset information.
Device Type – Specifies the type of device detected.
DNS Name – The DNS name for the asset.
Domain – The domain the asset belongs to.
ePO Server Name – Specifies the name of the McAfee ePO server that manages this detected system.
Exception – Lists any exceptions applied to this asset.
Exception Category – Specifies which exception category this system belongs to.
Inactive – States whether or not the system is in an inactive state.
Is New Detection – States if a system is a new detection or not. A true statement means the system is new.
Last Agent Communication – The date and time of the last communication between the McAfee Rogue System Detection system and the RSD agent.
Last Detected IP Address – The IP address associated with the asset the last time a scan was run against the asset.
Last Detected MAC Address – The MAC address associated with the asset the last time a scan was run against the asset.
Last Detected Organization Name – The organization associated with the asset the last time a scan was run against the asset.
Last Detected Time – The date and time the last scan was run against the asset.
Managed – States whether or not the system is managed by a McAfee Agent.
NetBIOS Comment – Optional information entered when naming the computer.
OS Family – The specific OS name, including service pack level. For example: Windows XP (Service Pack 2).
OS Platform – The general OS type. For example: Microsoft, Linux.
OS Version – The specific OS type. For example: OS_WinXP for Windows XP.
OUI – Specifies the Organizationally Unique Identifier of the detected system.
Recorded Time – Specifies the time this system was first detected and recorded in the McAfee ePO database.
Rogue – These systems do not have a McAfee Agent.
Rogue Action – Shows the action taken by the McAfee Rogue System Detection system for this asset.
Rogue State – The status of the asset in the McAfee Rogue System Detection system.
Users – Lists all users associated with the asset.
Detected System Interfaces
Detection Source – The name of the product that gathered the asset information.
IP Address – The IP address for the asset.
Last Detected Time – The date and time the last scan was run against the asset.
MAC Address – The MAC address for the asset.
Organization Name – The organization name the asset is associated with.
Additional Detail for Managed Systems
Vulnerability Manager system detail
Criticality – Criticality levels indicate how important an asset is to your business, and the impact to your business should this asset become compromised. Criticality levels are set in McAfee Vulnerability Manager by an administrator.
• None – The criticality level has not been set.
• Low (1) – The lowest criticality; fixing the vulnerabilities on this host is a low priority when compared to others.
• Limited (2)
• Moderate (3)
• Significant (4)
• Extensive (5) – The highest criticality; fixing the vulnerabilities on this host should be the highest priority.
DNS Name – The DNS name for the asset.
ePO Agent GUID – The unique McAfee Agent identifier for the asset.
First Detected – The date the asset information was imported into the McAfee ePO database.
Foundscore – The current Foundscore value for the asset.
Has wireless access point – McAfee Vulnerability Manager checks assets for wireless access. Wireless connections can provide network access to arbitrary users, completely bypassing firewalls and other security devices. They can also expose your network traffic to anyone looking for it.
Import from Server – Lists the name of the server the information was gathered from.
IP Address – The IP address of the asset.
Last Changed – The last time the McAfee Vulnerability Manager system details changed for this system.
MAC Address – The MAC address of the asset.
Modified Date – The date the asset information was last updated or modified.
My Foundscore – The current My Foundscore value for the asset.
Open Ports – Lists open TCP and UDP ports on the asset. Clicking on a port number will take you to a services information page for the system.
Organization Name – The name of the McAfee Vulnerability Manager organization the system is associated with.
OS Major Category – The operating system type. For example: Windows, Linux.
OS Name – The specific OS type. For example: OS_WinXP for Windows XP.
OS Subcategory – The specific OS name, including service pack level. For example: Windows XP (Service Pack 2).
System Label – The System label for the asset.
System Name – The System name for the asset.
Vulnerabilities – Lists the number of threats the system is vulnerable to and not vulnerable to, based on the scan configuration. Clicking on a number takes you to a vulnerabilities information page for the system.
Workgroup – The Workgroup the asset is associated with.
Detected system interfaces
Option – Definition
Detection Source – The name of the product that gathered the asset information.
IP Address – The IP address for the asset.
Last Detected Time – The date and time the last scan was run against the asset.
MAC Address – The MAC address for the asset.
Organization Name – The organization name the asset is associated with.
Foundscore history details
Option – Definition
Date – The date and time of the selected Foundscore value.
Foundscore – The current Foundscore value for the asset.
My Foundscore – The current My Foundscore value for the asset.
McAfee Vulnerability Manager system detail
Option – Definition
Criticality – Criticality levels indicate how important an asset is to your business, and the impact to your business should this asset become compromised. Criticality levels are set in McAfee Vulnerability Manager by an administrator.
• None – The criticality level has not been set.
• Low (1) – The lowest criticality; fixing the vulnerabilities on this host is a low priority when compared to others.
• Limited (2)
• Moderate (3)
• Significant (4)
• Extensive (5) – The highest criticality; fixing the vulnerabilities on this host should be the highest priority.
DNS Name – The DNS name for the asset.
ePO Agent GUID – The unique McAfee Agent identifier for the asset.
First Detected – The date the asset information was imported into the ePO database.
Foundscore – The current Foundscore value for the asset.
Has wireless access point – McAfee Vulnerability Manager checks assets for wireless access. Wireless connections can provide network access to arbitrary users, completely bypassing firewalls and other security devices. They can also expose your network traffic to anyone looking for it.
Import from Server – Lists the name of the server the information was gathered from.
IP Address – The IP address of the asset.
Last Changed – The last time the McAfee Vulnerability Manager system details changed for this system.
MAC Address – The MAC address of the asset.
Modified Date – The date the asset information was last updated or modified.
My Foundscore – The current My Foundscore value for the asset.
Open Ports – Lists open TCP and UDP ports on the asset. Clicking on a port number will take you to a services information page for the system.
Organization Name – The name of the McAfee Vulnerability Manager organization the system is associated with.
OS Major Category – The operating system type. For example: Windows, Linux.
OS Name – The specific OS type. For example: OS_WinXP for Windows XP.
OS Subcategory – The specific OS name, including service pack level. For example: Windows XP (Service Pack 2).
System Label – The System label for the asset.
System Name – The System name for the asset.
Vulnerabilities – Lists the number of threats the system is vulnerable to and not vulnerable to, based on the scan configuration. Clicking on a number takes you to a vulnerabilities information page for the system.
Workgroup – The Workgroup the asset is associated with.
McAfee Vulnerability Manager systems
Option – Definition
Criticality – Criticality levels indicate how important an asset is to your business, and the impact to your business should this asset become compromised. Criticality levels are set in McAfee Vulnerability Manager by an administrator.
• None – The criticality level has not been set.
• Low (1) – The lowest criticality; fixing the vulnerability on this host is a low priority when compared to others.
• Limited (2)
• Moderate (3)
• Significant (4)
• Extensive (5) – The highest criticality; fixing the vulnerabilities on this host should be the highest priority.
DNS Name – The DNS name for the asset.
ePO Agent GUID – The McAfee Agent unique identifier for the asset.
Foundscore – Foundscore is a security ranking system that compares aspects of your environment against best practices in order to quantify your security risk.
Has wireless access point – McAfee Vulnerability Manager checks assets for wireless access. Wireless connections can provide network access to arbitrary users, completely bypassing firewalls and other security devices. They can also expose your network traffic to anyone looking for it.
IP address – The IP address for the asset.
MAC address – The MAC address for the asset.
My Foundscore – When you activate MyFoundscore and specify MyFoundscore metrics, the metrics apply to all scan configurations within the organization.
OS major category – The general OS type. For example: Microsoft, Linux.
OS name – The specific OS name, including service pack level. For example: Windows XP (Service Pack 2).
OS subcategory – The specific OS type. For example: OS_WinXP for Windows XP.
System label – The McAfee Rogue System Detection unique label for the asset.
System name – The McAfee Rogue System Detection unique name for the asset.
System type – The system type information from McAfee Rogue System Detection.
Workgroup – The name of the Workgroup the system is associated with.
McAfee Vulnerability Manager vulnerabilities
Option – Definition
Attack vector – The point from which an attack could occur.
Basic threat score – CVSS Base Score set by McAfee.
McAfee Vulnerability Manager web assets details
Option – Description
Created date – The date McAfee Vulnerability Manager first created the web asset information.
Criticality – Criticality levels indicate how important an asset is to your business, and the impact to your business should this asset become compromised. Criticality levels are set in McAfee Vulnerability Manager by an administrator.
• None – The criticality level has not been set.
• Low (1) – The lowest criticality; fixing the vulnerabilities on this host is a low priority when compared to others.
• Limited (2)
• Moderate (3)
• Significant (4)
• Extensive (5) – The highest criticality; fixing the vulnerabilities on this host should be the highest priority.
Foundscore – The current Foundscore value for the asset.
HTTP port – The HTTP port used by the web asset.
HTTPS port – The HTTPS port used by the web asset.
Indeterminate pages – The number of indeterminate pages discovered on the web asset. If a web page cannot be classified as Vulnerable or Not Vulnerable, it is labeled as Indeterminate.
Label – The system label for the web asset.
Modified date – The most recent date McAfee Vulnerability Manager updated or modified the web asset information.
My Foundscore – The current My Foundscore value for the asset.
Organization name – The name of the McAfee Vulnerability Manager organization the system is associated with.
URL – The full URL for the scanned web page.
URL domain – The domain the URL belongs to. Typically comes after the HTTP or HTTPS. For example, in http://myhost.com/login, the domain would be "myhost.com".
URL path – The path used to access the web page. For example, in http://myhost.com/forms/user/preferences.html, the path to get to User Preferences is "/forms/user/preferences.html".
URL port – The port used when accessing the URL.
URL protocol – The first part of the URL (examples: http or https) that determines the type of communication used to access the web asset.
Vulnerable pages – The number of vulnerable pages discovered on the web asset.
McAfee Vulnerability Manager web asset pages information
Option – Description
Created date – The date McAfee Vulnerability Manager first created the web asset information.
Modified date – The most recent date McAfee Vulnerability Manager updated or modified the web asset information.
URL – The full URL for the scanned web page.
Vulnerability count – The total number of web vulnerabilities discovered on this web page.
McAfee Vulnerability Manager web asset page vulnerabilities information
Option – Description
Created date – The date McAfee Vulnerability Manager first created the web asset information.
CVE – The CVE identifier for this web vulnerability.
NOTE: CVE-MAP-NOMATCH means there is no associated CVE identifier.
Faultline ID – Shows the FaultlineID related to the vulnerability, if available.
IAVA – Information Assurance Vulnerability Alert, an alert given by the Department of Defense (DoD).
Intrusive – States whether the vulnerability is intrusive or not. Intrusive vulnerabilities can disrupt the service of the asset.
Modified date – The most recent date Vulnerability Manager updated or modified the web asset information.
Module – The McAfee Vulnerability Manager module used for discovering this vulnerability.
MSFTID – The Microsoft Bulletin ID for this vulnerability.
MSKBID – Lists any associated Microsoft KnowledgeBase identifiers.
Observation – Provides additional information on how the vulnerability can be used to compromise a system, which types of software are vulnerable, and references to additional information for further research on the vulnerability.
Recommendation – McAfee's recommendations on how to remedy the vulnerability. Provides patch information and shows where to get additional information.
Risk – The McAfee Vulnerability Manager risk level for the threat:
• High – An attacker might gain privileged access (administrative, root) to the machine over a remote connection.
• Medium – An attacker might gain non-privileged (user) access to the machine over a remote connection.
• Low – The vulnerability provides enticement data to the attacker that can be used to launch a more informed attack against the target environment. It can indirectly lead to some form of remote connection access to the machine.
• Informational – The available data is less valuable to an attacker than the low risk vulnerability. You might not be able to address informational findings; they might be inherent to the network services or architecture in use.
SANS Top 20 – A true statement means this vulnerability has been identified by the Federal Bureau of Investigation as one of the top 20 most common vulnerabilities (both non-intrusive and intrusive checks).
Status – The current state of the vulnerability.
Vulnerability category description – A brief description of the vulnerability category.
Vulnerability category name – The category the vulnerability belongs to.
Vulnerability description – A brief description of the vulnerability.
Vulnerability name – The name of the vulnerability found on this web page.
McAfee Vulnerability Manager sitemap
Option – Description
Child page count – The number of child page links discovered. Child pages are web pages that can be accessed by using a hyperlink from this web page.
Created date – The date McAfee Vulnerability Manager first created the web page information.
Modified date – The most recent date McAfee Vulnerability Manager updated or modified the web page information.
Parent page count – The number of parent page links discovered. Parent pages are web pages that have hyperlinks that access this page.
URL – The URL path used to access this page.
Vulnerability count – The number of vulnerabilities discovered on this page.
Query type
Option – Definition
FSE: Foundscore Trend for Web Assets for Last 30 Days – A trend graph of the Foundscore for all assessed web assets on your network, over the last 30 days.
FSE: Vulnerability Manager Trend for Last 30 Days – A trend graph of the Foundscore for all assessed assets on your network, over the last 30 days.
FSE: Imported Systems – A list of systems imported from a McAfee Vulnerability Manager database.
FSE: Managed vs Unmanaged vs Infrastructure – A pie chart representing the Managed, Unmanaged, and Infrastructure assets on your network.
FSE: Top 10 Vulnerable Host Systems By Web Vulnerability Count – A list of the most vulnerable systems running a web application, based on web vulnerabilities.
FSE: Top 10 Vulnerable Infrastructure Systems – A list of the 10 most vulnerable infrastructure systems (McAfee Agent cannot be installed) on the network.
FSE: Top 10 Vulnerable Managed Systems – A list of the 10 most vulnerable managed systems (McAfee Agent installed) on the network.
FSE: Top 10 Vulnerable Systems – A list of the 10 most vulnerable systems (Managed, Unmanaged, or Infrastructure) on the network.
FSE: Top 10 Vulnerable Systems with no Tags – A list of the 10 most vulnerable systems without a tag on the system tree based on the Foundscore.
FSE: Top 10 Vulnerable Unmanaged – A list of the 10 most vulnerable Unmanaged systems (no McAfee Agent installed) on the network.
FSE: Top 10 Vulnerable Web Assets – A list of the most vulnerable web applications on your network.
FSE: Top 10 Vulnerable Web Asset Pages – A list of the most vulnerable web pages from all of the host systems running a web application.
FSE: Top 10 Web Vulnerabilities – A list of the web vulnerabilities that affect the highest number of assets in your network.
Service information
Service – Definition
Description – A description of the service.
Detail – The details of the service.
Port number – The port number being used by the service.
Protocol – The protocol being used by the service.
Service name – The identified service running on the asset.
Vulnerability details
Option – Definition
Buffer Overflow Protection Covered – States whether the asset has buffer overflow protection or not.
NOTE: An asset could be covered for buffer overflow vulnerabilities, but the coverage could be disabled.
Buffer Overflow Protection Enable – States whether the buffer overflow protection is enabled or disabled on an asset.
Category – The category affected by the vulnerability. Examples: Windows, Web, Miscellaneous.
Category Description – A description of the category affected by this vulnerability.
CVE – The CVE identifier for this vulnerability.
NOTE: CVE-MAP-NOMATCH means there is no associated CVE identifier.
Description – An overview of the vulnerability.
IAVA – Information Assurance Vulnerability Alert, an alert given by the Department of Defense (DoD).
IAVA Reference Number – The IAVA reference number for the given vulnerability.
Intrusive – States whether the vulnerability is intrusive or not. Intrusive vulnerabilities can disrupt the service of the asset.
Module – The McAfee Vulnerability Manager module used for discovering this vulnerability.
MSFTID – The Microsoft Bulletin ID for this vulnerability.
MSKBID – Lists any associated Microsoft KnowledgeBase identifiers.
Multiple CVE – Lists all CVE identifiers associated with this vulnerability.
Name – The name of the vulnerability.
Observation – Provides additional information on how the vulnerability can be used to compromise a system, which types of software are vulnerable, and references to additional information for further research on the vulnerability.
Recommendation – McAfee's recommendations on how to remedy the vulnerability. Provides patch information and shows where to get additional information.
Result – States whether the system is vulnerable, not vulnerable, or unknown.
Risk – The McAfee Vulnerability Manager risk level for the threat:
• High – An attacker might gain privileged access (administrative, root) to the machine over a remote connection.
• Medium – An attacker might gain non-privileged (user) access to the machine over a remote connection.
• Low – The vulnerability provides enticement data to the attacker that can be used to launch a more informed attack against the target environment. It can indirectly lead to some form of remote connection access to the machine.
• Informational – The available data is less valuable to an attacker than the low risk vulnerability. You might not be able to address informational findings; they might be inherent to the network services or architecture in use.
SANS Top 20 – A true statement means this vulnerability has been identified by the Federal Bureau of Investigation as one of the top 20 most common vulnerabilities (both non-intrusive and intrusive checks).
Status – The current state of the vulnerability.