Endpoint Security With McAfee ePolicy Orchestrator and ENS

In this post I'd like to go over my experience of providing endpoint security with McAfee's on-premise ePolicy Orchestrator (ePO) and its VSE/ENS anti-virus products, which I have administered professionally for several years.

Intro

A little bit of background: I've been upgrading, migrating, installing, troubleshooting, fine tuning and administering ePO and ENS (including its predecessor VSE, also known as VirusScan Enterprise) since inheriting a 4.6.3 ePO server running on Windows Server 2008 R2 7 years ago, up to the current version, ePO 5.10. I also administered the host DLP, SiteAdvisor, and Disk Encryption (including its predecessor Endpoint Encryption) solutions. For the sake of brevity I will focus mainly on my experience with the ePO and VSE/ENS products.

ePO Administration

ePO ties into AD and syncs with your entire AD OU structure. It allows for quality alerting and reporting. New product versions and server extensions can be checked in easily and pushed out to clients with tasks, either manually or automatically. The policies are fairly straightforward and easy to configure. All of this is done through a single console, which is very convenient for IT professionals. ePO 4.x versions had a slightly confusing UI, as certain settings were buried or hidden, but McAfee has made huge strides since 5.x in making the UI much more user friendly.

ePO definitely has a learning curve, but with great customer support, regularly updated KB articles, and a very helpful and knowledgeable community, sysadmins should have no problem administering this product:
https://community.mcafee.com/t5/Enterprise-Forums/ct-p/mcafee-business

The McAfee agent can be installed remotely and handles all product, policy and task upgrades. Having one agent manage all of your products is convenient and intuitive.

Anti Virus Administration

I've found the anti-virus effective at discovering threats and acting on them automatically according to how you configure the policy. VirusScan Enterprise had some shortcomings, though, and McAfee has built a new solution from the ground up, called ENS (Endpoint Security), to address these issues and provide improvements. VSE scans tended to slow the computer down substantially and take a very long time; even with scans scheduled overnight, I found some PCs were still scanning the next morning. Many factors affect how long a scan takes, such as hard disk size and processor/RAM limitations, but overall, if a user was using the computer during a scan it was unusable. With some fine tuning you can limit how much CPU the scans use and exclude specific directories, which speeds up scanning.

Not only does VSE run scheduled/On Demand Scans, it also uses an On Access Scan that scans files as they are being accessed. This can make file transfers and file serving very slow for end users and can cause extremely long backup jobs, which forced me to create the necessary exclusions, including defining Low Risk processes in the VSE policy. Essentially you want to specify your backup software's executables as Low Risk processes and exclude the affected directories from scanning. The following is for Symantec Backup Exec, but the same logic can be applied to whichever backup software you are using:

Thoughts on ENS

To address systems slowing down during a scheduled scan, McAfee provides ENS with Zero Impact Scanning. ENS monitors the system's disk usage. If usage is low, it then checks whether anything is being typed on the keyboard, whether the mouse is in use, or whether an application is in full-screen mode. If none of these is detected, it begins scanning; if disk usage or keyboard/mouse input starts up again, it stops the scan. This provides a better experience for users and more flexibility for administrators than purely time-based scheduled scans.
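To make the Zero Impact Scanning decision sequence concrete, here is a small simulation I added for this post (it is not McAfee code, and the disk threshold, the polling samples and the resume-from-checkpoint behaviour are my assumptions). It drives a scan job over constructed telemetry and also shows the failure mode: on a machine that is never idle, the scan never finishes.

```python
from dataclasses import dataclass
from typing import List, Tuple

# One polling interval of the telemetry the post says ENS looks at (constructed model).
@dataclass
class Sample:
    disk_busy_pct: float   # disk utilisation over the interval, 0..100
    input_active: bool     # any keyboard or mouse activity seen
    fullscreen: bool       # foreground application is in full-screen mode

DISK_IDLE_THRESHOLD = 20.0  # assumed cut-off; McAfee's real value is not given in the post

def system_idle(s: Sample) -> bool:
    """Idle test in the order described: disk usage first, then input/full-screen."""
    if s.disk_busy_pct >= DISK_IDLE_THRESHOLD:
        return False
    return not (s.input_active or s.fullscreen)

class ZeroImpactScan:
    """Scan job that only makes progress during idle intervals and pauses otherwise.
    Progress is kept across pauses (assumed resume-from-checkpoint behaviour)."""

    def __init__(self, work_units: int):
        self.work_units = work_units  # how many idle intervals the full scan needs
        self.done = 0

    @property
    def finished(self) -> bool:
        return self.done >= self.work_units

    def tick(self, s: Sample) -> str:
        """Advance one interval; returns 'finished', 'scanning' or 'paused'."""
        if self.finished:
            return "finished"
        if system_idle(s):
            self.done += 1
            return "scanning"
        return "paused"

def run_scan(samples: List[Sample], work_units: int) -> Tuple[bool, List[str]]:
    """Drive a scan over a list of telemetry samples; returns (finished, state per interval)."""
    job = ZeroImpactScan(work_units)
    states = [job.tick(s) for s in samples]
    return job.finished, states

# Constructed telemetry: an idle desk, a large file copy, a user typing, a full-screen video.
IDLE = Sample(5.0, False, False)
COPYING = Sample(80.0, False, False)
TYPING = Sample(5.0, True, False)
MOVIE = Sample(10.0, False, True)
```

For example, `run_scan([IDLE, IDLE, COPYING, TYPING, MOVIE, IDLE, IDLE], 4)` finishes, while `run_scan([TYPING] * 5, 2)` never leaves the paused state.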

ENS also lets administrators fine tune their exclusion policies more granularly, covering registry read/write/create/delete operations, and include or exclude processes from rules based not just on their file path but also on their MD5 hash and digital signer.
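As an added illustration of the backup-process exclusion advice above and of the MD5 and signer criteria ENS adds (this is example code written for this post, not McAfee's or the post's own), the constructed model below evaluates a Low Risk process exclusion for a hypothetical backup engine as a path-only rule and as a path+MD5+signer rule; the path, executable bytes and signer string are placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed model of a process-based exclusion; a criterion left as None is "don't care".
@dataclass
class ProcessExclusion:
    name: str
    path: Optional[str] = None    # exact executable path, compared case-insensitively
    md5: Optional[str] = None     # hex MD5 of the executable image
    signer: Optional[str] = None  # subject of the code-signing certificate

@dataclass
class Process:
    path: str
    image: bytes                  # executable bytes (constructed stand-in)
    signer: Optional[str] = None  # None means unsigned

def matches(rule: ProcessExclusion, proc: Process) -> bool:
    """A rule applies only when every criterion it specifies is satisfied."""
    if rule.path is not None and rule.path.lower() != proc.path.lower():
        return False
    if rule.md5 is not None and hashlib.md5(proc.image).hexdigest() != rule.md5.lower():
        return False
    if rule.signer is not None and proc.signer != rule.signer:
        return False
    return True

def find_exclusion(rules, proc: Process) -> Optional[str]:
    """Return the name of the first exclusion covering `proc`, or None if it is scanned normally."""
    for rule in rules:
        if matches(rule, proc):
            return rule.name
    return None

# Constructed sample data: placeholder backup engine binary; the hash is taken from the
# bytes the same way an admin would copy it from the file's properties.
BACKUP_PATH = r"C:\Program Files\ExampleBackup\backupengine.exe"  # placeholder path
BACKUP_IMAGE = b"constructed bytes standing in for the backup engine executable"
BACKUP_MD5 = hashlib.md5(BACKUP_IMAGE).hexdigest()
BACKUP_SIGNER = "Example Backup Vendor, Inc."                     # placeholder signer
PATH_ONLY_RULE = ProcessExclusion("backup engine (path only)", path=BACKUP_PATH)
STRICT_RULE = ProcessExclusion("backup engine (path+md5+signer)",
                               path=BACKUP_PATH, md5=BACKUP_MD5, signer=BACKUP_SIGNER)

GENUINE = Process(BACKUP_PATH, BACKUP_IMAGE, BACKUP_SIGNER)
# Same path but different bytes and unsigned: the path-only rule still applies to it,
# the strict rule does not, which is the point of the extra criteria.
DIFFERENT_BINARY = Process(BACKUP_PATH, b"some other unsigned program", None)
```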

ENS is also more modular: there is a main installation called ENS Platform, on top of which Threat Prevention (think AV), Firewall, and Web Control (a browser plugin that continues the SiteAdvisor product) are added as modules, which is easier to administer than separate products.

ENS includes Generic Buffer Overflow Protection (GBOP), which protects a list of APIs against buffer overflows; Data Execution Prevention (DEP) reporting, which tells you when Microsoft Windows triggers DEP; Kevlar, which is content-based protection against ActiveX vulnerabilities and threats; and Suspicious Caller, which prevents an attacker from injecting code into memory and blocks return-oriented programming (ROP) based attacks.

Another confusing aspect of VSE was that when configuring policies you had to choose whether they were for a server or a workstation, so you would sometimes forget and configure the wrong policy, or have to make all of your policy changes twice. ENS combines all policies into one screen. The high risk, low risk, and normal risk process categories have also been condensed into one for ease of management.

The ENS user interface is much improved over VSE, making it easier to use on touch screens and showing only the modules you have installed.

With ENS, McAfee introduced a new DAT (definition) file format, version 3 DAT files (also known as AMCore). VSE and other products still use version 2 DAT files. Version 3 DAT files are tested by McAfee and can be rolled back if necessary, unlike version 2 DAT files. Version 3 DAT files also include the engine, so you can rest assured of compatibility.

Exploit Prevention content for ENS is also updated monthly with the most up-to-date protections against the latest threats.

Summary

In summary, I recommend McAfee ePO and ENS for endpoint protection. Having administered Kaspersky and Trend Micro previously, I prefer McAfee. Server administration is straightforward and reliable. Performance and usability issues have all been addressed in the latest versions, and McAfee continues to improve on top of that. If you are a current VSE user thinking of migrating to ENS, please consider doing so, as it will make your environment safer (25% safer according to McAfee). I highly recommend moving to this new and enhanced platform, and the article below explains why: