Week 5

Question 1

Two ways to access ESX

Answer 1

• cmd line

- Vsphere client

Question 2

Primary means of accessing VMs

Answer 2

• console tab

- console window

Question 3

What does HBSS provide?

Answer 3

• signature and behavior based threat protection

- desktop firewall

Question 4

What does the McAfee Agent do?

Answer 4

Tells point products what to do

Question 5

What does HIPS do?

Answer 5

Provides capability to block known intrusion systems

Question 6

What does RSD do?

Answer 6

• Rogue System Detection

- Notifies admin of any rogue/no agent/wrong agent

Question 7

What does VSE do?

Answer 7

Active

-protects hosts from viruses, worms, Trojans

Question 8

What does DCM/DLP do?

Answer 8

Module is what allows/prevents plug and play and USB devices

Question 9

What does ABM do?

Answer 9

• asset baseline monitor
• passive
• notifies admin when host goes against compose baseline

Question 10

What does PA do?

Answer 10

• policy auditor
• passive
• notifies admin when policies set in ePO are not enforced on host

Question 11

Where are polices applied?

Answer 11

System Tree

Question 12

Characteristics of Lost and Found group

Answer 12

1. Cannot be deleted
2. Cannot be renamed
3. Sorting criteria cannot be changed from being a catch-all group
4. Always appears last
5. Users must be granted permissions to see contents
6. When a system is sorted into L&F, it is placed in a subgroup named for the systems domain. If it doesn’t exist, it will be created

Question 13

What contains all the necessary information that a client will need to install the McAfee Agent and communicate with ePO server?

Answer 13

Framepkg.exe

Question 14

What are the HIP sub-agents?

Answer 14

• buffer overflow
• logon
• SQL
• registry
• services
• files
• HTTP
• HIP API
• Get Admin
• Illegal Use
• Program

Question 15

How often is detected network device information forwarded to the ePO server?

Answer 15

5 minutes

Question 16

What allows HBSS admins to configure and manage the instances of the rogue system sensor installed throughout the network?

Answer 16

RSD Policy Settings

Question 17

What are the system statuses?

Answer 17

1. Exceptions
2. Inactive
3. Managed
4. Rogue

Question 18

What are the Rogue System Sensor Statuses?

Answer 18

1. Active
2. Missing
3. Passive

Question 19

How many Rogue System Sensors should you have?

Answer 19

2 per subnet

Question 20

What are the Subnet Statuses?

Answer 20

1. Contains rogues
2. Covered
3. Uncovered

Question 21

What is a policy?

Answer 21

Collection of settings that are created, configured, and then enforced

Question 22

How are policy settings grouped?

Answer 22

By product then by category

Question 23

What are the stackable policy rules?

Answer 23

Firewall rules can’t be stacked and only one policy can be applied at a time

Question 24

How often is policy enforcement?

Answer 24

30 minutes

Question 25

Admins can assign policies by?

Answer 25

• site or group level
• single systems
• node with multiple policies

Question 26

What does HIP do?

Answer 26

• Provides the ability to protect systems from attacks such as buffer overflows and privilege escalation
• uses the IPS signature base to identify threats to the host from both the network and application later perspective

Question 27

What is the detection methodology?

Answer 27

HIP uses both signature and ananomly (behavior) based methods

Question 28

Elements that HIPS examines

Answer 28

• system calls
• file system access
• system registry settings
• host input/output
• host network traffic monitoring
• shielding
• enveloping of applications

Question 29

What are the general policies?

Answer 29

• Client UI
• Trusted Networks
• trusted applications

Question 30

How to navigate to threat event log

Answer 30

Menu>reporting>threat event log

Question 31

What is the trusted application policy?

Answer 31

When you mark an application as trusted, it helps to eliminate creating exceptions

Question 32

What do the IPS options tell you?

Answer 32

Whether it is on or off

Question 33

What does protect mode mean?

Answer 33

Blocks according to policy

Question 34

What is adapted mode?

Answer 34

• Blocks all high severity events

- allows everything else

Question 35

What does learned mode require?

Answer 35

User interaction

Question 36

What are the components of HIP policy?

Answer 36

• general
• IPS
• Firewall
• Application Blocking

Question 37

What are the policy categories under General?

Answer 37

• Client UI
• Trusted Networks
• Trusted Application

Question 38

What is the purpose of a Client UI?

Answer 38

To configure the HIP Agent interface

Question 39

What is the purpose of a Trusted Network?

Answer 39

To specify network ranges to allow through the Firewall with rules that specify “Trusted” specify IP address to “trust for NIPS”

Question 40

What is the purpose of the Trusted Application?

Answer 40

To specify applications to ignore IPS/Firewall/Application Blocking at a specified path

Question 41

What are the policy categories for IPS?

Answer 41

• options
• rules
• protection

Question 42

What is the purpose of options (IPS)?

Answer 42

Turns IPS protection on or off

Question 43

What is the purpose of rules (IPS)?

Answer 43

Specified the signatures and behaviors and their associates severity levels

Question 44

What is the purpose of protection?

Answer 44

Specified the protective reaction to detected signatures

Question 45

What are the policy categories for firewall?

Answer 45

• options

- rules

Question 46

What is options (firewall) for?

Answer 46

Turns firewall on or off

Question 47

What is the purpose of rules (firewall)?

Answer 47

Specified the access rules through the firewall with their ports, protocols, services, and “trusted”

Question 48

What are the sub-components of IPS?

Answer 48

• HIPS
• NIPS
• Application Protection

Question 49

What are the sub-components of Firewall?

Answer 49

• incoming comms

- outgoing comms

Question 50

What is hooking (application blocking)?

Answer 50

-controls which applications can BIND together

Question 51

What are the components of HBSS?

Answer 51

Server side: ACAS, HBSS, MSSQL

Client side: McAfee Agent

Question 51

Why is RDP the preferred method of accessing VMs?

Answer 51

Less resource intensive

Question 51

What order do you power on VMs?

Answer 51

• MSSQL, ACAS, HBSS

- to allow services to start on MSSQL

Question 51

How many types of users are in HBSS? What are they? How are they defined?

Answer 51

• Global: creates accounts, does everything
• Everyone Else: view
• defined based on permissions given

Question 51

What does the System tree contain?

Answer 51

• sites
• groups
• subgroups

Question 51

Why do we create subgroups?

Answer 51

To manage policies for systems in one place, rather than setting policies for each system individually

Question 51

How do you break inheritance?

Answer 51

At lowest level possible

• break DLP Policy? Do it at the workstation
• apply McAfee default policy? Do it at the top

Question 51

What criteria is used to place managed systems into a system tree group?

Answer 51

Tags with and without criteria

Question 51

What is the default Agent to Server Client Intervals?

Answer 51

-30 minutes

Question 51

Which file contains all necessary information that a client will need to install the McAfee Agent?
What does it contain?

Answer 51

• frampkg.exe

- contains drivers, ePO server information, and encryption keys

Question 51

What does the Wake Up Agent do?

Answer 51

Forces agents to call in and update policies and tasks

Question 52

What is priority event forwarding?

Answer 52

Forwards priority events immediately according to user-selected level of priority

Question 53

What is SADR?

Answer 53

A repository for ships

Question 54

What option must be selected in order for a system to become a superagent?

Answer 54

-convert Agent to Super Agent

Question 55

Explain lazy caching.

Answer 55

-a workstation needs software, it goes to SADR and gives it to the workstation. If SADR doesn’t have it, it goes to HBSS

Question 55

Where are HBSS servers located?

Answer 55

-UARNOC and PRNOC

Question 56

In regards to RSD, how many sensors are required to be on each subset and what kind of information do they gather?

Answer 56

• 2

- ARP, IP, DHCP, info about computers, routers, printers

Question 57

What is the purpose of detected systems menu?

Answer 57

Makes monitoring and managing network easier.

Question 58

What is the default policy enforcement?

Answer 58

15 minutes

Question 59

What does the overall system status show?

Answer 59

-a percentage of compliant systems. Managed, rogue, and exceptions

Question 60

What is a rogue device?

Answer 60

-device not managed by ePO server.

Question 61

DISA requires how many days before System is reported as rogue?

Answer 61

10 days

Question 62

3 classes of rogue devices and explain

Answer 62

• Alien: not in local ePO database
• Inactive: in ePO database by not detected
• No Agent: no McAfee Agent installed

Question 63

How is Rogue System Sensor Status displayed and explain them.

Answer 63

• active: sensors report info to ePO server
• missing: sensors that haven’t communicated in a certain amount of time
• passive: check in but do not report info

Question 64

What is the subnet status? Explain.

Answer 64

Subnet status: how many detected sinners are on network

• contains rogues
• covered
• uncovered

Question 65

What systems would you include on the Rogue Sensor blacklist?

Answer 65

-mission critical servers of core services

Question 66

Explain merging systems.

Answer 66

-a computer with multiple NICs with it’s own MAC address

Question 67

What are the three methods to installing McAfee Agents?

Answer 67

1. Rogue Agent Auto Push
2. Deploying agents via RSD
3. Manually installing agents

Question 68

When does an alien system occur?

Answer 68

When an agent is not recognized by the ePO server

Question 69

What is that logic statement?

Answer 69

-if rogue equals true & & domain = shipboard domain

Question 70

Other issues that may cause inactive

Answer 70

• system not on board
• network cable damaged
• agent service fail/corrupt
• system decommissioned and not removed from system tree
• system disconnected

Question 71

What kind of systems are excluded in RSD?

Answer 71

• routers
• switches
• WAP
• printers
• IP phones
• storage arrays
• ESX
• hypervisors

Question 72

What are the 3 days to correct a duplicate GUID?

Answer 72

• via server tasks
• via registry
• agent de-installation

Question 73

What are the steps for embarkable units to have the McAfee Agent installed?

Answer 73

• contact the embarkable unit prior to arrival
• create a custom group within system tree
• create a permission set
• create a group admin account

Question 74

What policy is crucial to your network to where if improperly configured, will not allow your network to receive updates?

Answer 74

McAfee Default Policy

Question 75

How do policies get enforced?

Answer 75

• every 15 minutes

- how long locally set client changes will last until server overwrites them

Question 76

Explain inheritance.

Answer 76

Child groups inherit policies from parent groups

Question 77

What does a host based IPS provide?

Answer 77

• protects systems from attacks such as buffer overflows and privilege escalation
• uses IPs to identify threats to the host from both the network and application layer perspective

Question 78

What is the IPS software responsible for?

Answer 78

• Host and network intrusion protection

- shielding and enveloping of applications

Question 79

What is the benefit of trusting applications and networks?

Answer 79

-eliminates the need to create exceptions

Question 80

Why do we have HIP tuning?

Answer 80

• network is a constantly hanging environment
• manual
• auto: learned, adaptive

Question 81

What type of incidents does intrusion detection and prevention protect against?

Answer 81

• incidents have many causes, malware
• attackers gaining unauthorized access to systems from internet
• authorized users of systems who misuse privileges

Question 82

The IPS protection policy sets the reaction to events based on what level?

Answer 82

Severity: high, medium, low, Informational

Question 83

What is an exception rule for?

Answer 83

-to allow a device that would otherwise be blocked

Question 84

Within DLP, what are the 3 device class statuses? Explain each.

Answer 84

• managed: USB, plug n play
• unmanaged: no McAfee Agent, could be managed but we don’t, like local printers and scanners
• unmanageable

Question 85

What does the computer assignment group features allow?

Answer 85

-DLP rules for specific groups of computer objects