Sunday, December 30, 2012

Upgrade SIEM from 9.1.1 to 9.1.3

Always download upgrade files using Internet Explorer or Mozilla; don't use Chrome. Verify that the downloaded file has been placed in the correct directory with the correct file extension. To do so, run “cd /usr/local/NitroGuard” and verify that the downloaded file is in this directory with a .tgz extension. If not, change the file extension to .tgz with the command “mv RECEIVER_Update_9.1.3.signed.gz RECEIVER_Update_9.1.3.signed.tgz”. Compare the hash values of the downloaded files with the original hash values provided on the McAfee website. Upgrade the ESM first...

Tuesday, December 11, 2012

Correlating IPS events in Nitro SIEM

Issue: If you are using McAfee SIEM (previously Nitro SIEM) and don't have Nitro IPS, you might face issues with correlating IPS events. This is because McAfee SIEM doesn't automatically normalize other IPSs' data and labels those IPS events as uncategorized. Solution: A workaround is to manually normalize your IPS events into categories, e.g. exploit, P2P etc., and then use these normalization rules in correlation rules. However, this is not a permanent solution, as IPS signatures are constantly...

How to set the HOMENET Variable in McAfee Nitro SIEM

Issue: The issue we had was when we tried to set the HOMENET variable in the Policy Editor. The HOMENET variable is used in almost every rule in McAfee Nitro SIEM. However, we observed that even though we had defined our custom values for the Internet Subnet, the rules were still showing that the HOMENET variable was using 0.0.0.0/0. Solution: Go to "Asset Manager" in McAfee Nitro SIEM as shown in the post, go to "Network Discovery", click...

Thursday, December 6, 2012

How to detect and prevent users from removing McAfee agent from Client machines

1) Create an automated response for client events to show: "Attempt to uninstall McAfee Agent".
2) Set up a VirusScan Access Protection policy so that McAfee files, processes, etc. cannot be modified or terminated.
3) Follow KB69716 to add a registry key that removes the VirusScan entry from Add/Remove Programs.
4) Generate queries, called compliance reports, to show machines which do not have VirusScan or McAfee Agent installed, and also which version they have. With this, you can then automatically deploy agents and VirusScan. If, however, you give local admin...

Tuesday, December 4, 2012

McAfee ePO policies for Microsoft Failover Cluster

Let's suppose we want a cluster for MS SQL Server; we will exclude the data file path and log file path shown below, along with the above three file/drive path exclusions:
C:\Program Files\Microsoft SQL Server\MSSQL10.RTCLOCAL\MSSQL\DATA
C:\Program Files\Microsoft SQL Server\MSSQL10.RTCLOCAL\MSSQL\Log
...
