Best practices for tuning and using Endpoint Security to prevent and respond to threat incidents

Artículos técnicos ID: KB94048
Última modificación: 6/17/2021

Entorno

McAfee Endpoint Security (ENS) 10.x
McAfee ePolicy Orchestrator (ePO) 5.x

Resumen

This article contains recommendations for tuning and using ENS and ePO in the following scenarios:

As a proactive measure to prevent threat incidents
To facilitate containment, eradication, and recovery during a threat incident response case

These recommendations have been developed based on input from many McAfee teams. These teams include McAfee Advanced Cyber Threat Services (McAfee ACTS), McAfee Advanced Threat Research team, McAfee Advanced Programs Group, and McAfee Labs. These recommendations are based on experiences in responding to many types of incidents. These recommendations are a general guide for the education and convenience of McAfee customers. It is up to the customer to determine what configuration is appropriate for their situation and environment.

The file Policies.zip in the Attachment section of this article contains example policies based on the recommendations in this article. Review these policies before you apply them in your environment.

For detailed instructions to configure these settings and features, see the Endpoint Security 10.7 Product Guide.

This article is updated as needed for the accuracy, relevance, and timeliness of the information described.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Contents
Click to expand the section you want to view:

General settings

Microsoft Anti-Malware Scan Interface (AMSI) – The AMSI detection function is one of the most critical to enable. Make sure that you deselect Observe mode. This setting is found in the ENS Threat Prevention, On-Access Scan policy, and the ENS Adaptive Threat Protection Options (under Real Protect). For more information about AMSI, see the section "How AMSI integration with Threat Prevention improves security" in the Endpoint Security 10.7 Product Guide.
Self-Protection – Verify that Self-Protection is enabled within ENS and McAfee Agent.
Password protection – Verify that a password is set for GUI access and product removal.
McAfee Global Threat Intelligence (GTI) – Set GTI to "High" during an incident. Then, continue to maintain GTI at "Medium" after an incident, and once a stable state is reached. This setting is found in the following policies:
- ENS Threat Prevention On-Access Scan and On-Demand Scan
- ENS Adaptive Threat Protection Options (under Real Protect)
Access Protection – Create rules for any indicators of compromise (IOCs) found in the environment. For example, a file extension that ransomware creates. Other tools can also be used if present, such as McAfee Threat Intelligence Exchange (TIE) reputations.
ePO snapshot – Make sure that you take a regular ePO snapshot, the passphrase is known, and the SQL backup is occurring. These backups help you recover after a loss of ePO. Make sure that the KeyStore is backed up if you need to perform a manual recovery. In virtual environments, a best practice is to periodically perform a restore of the database from a backup and reinstallation of the ePO server. This restore makes sure that this whole process works.
System coverage – Review systems for product coverage and updates. This review is especially important for AMCore content and Real Protect rules. A good starting point is to use the default "McAfee Dashboards" labeled beginning with "Endpoint Security:"
Rogue Sensor Detection – Unmanaged systems are detrimental in an environment when trying to achieve containment and eradication of a threat. These systems can attack and reinfect systems previously restored. It is important to find and remediate such systems on the network. McAfee Rogue Sensor Detection can help with this process. Consider implementing it on key networks.
False positives – As all environments differ, for example, with in-house applications or varying solutions within a network, false positives do occur. A false positive is simply a detection that is then determined to be non-malicious, or legitimate. It is in our experience that with these recommendations, generally speaking the number of false positives experienced is minimal. But, it is suggested (as with any other implementation within an environment) to monitor and tune as needed.

Exploit Prevention

PowerShell rules in Exploit Prevention – Consider enabling the following rules. The most important rules to enable are 6070 and 6087:
- 6108 - Powershell - Suspicious download string script execution
- 6109 - Powershell - Suspicious wmi script execution
- 6070 - Hidden Powershell Detected
- 6081 - Powershell Command Restriction - NoProfile
- 6082 - Powershell Command Restriction - ExecutionPolicy
- 6083 - Powershell Command Restriction - NonInteractive
- 6084 - Powershell Command Restriction - NoLogo
- 6085 - Powershell Command Restriction - File
- 6086 - Powershell Command Restriction - Command
- 6087 - Powershell Command Restriction - EncodedCommand
- 6096 - Powershell Command Restriction - InvokeExpression
Fileless rules in Exploit Prevention – Enable all these Fileless rules:
- 6113 - Fileless Threat: Reflective Self Injection
- 6114 - Fileless Threat: Reflective EXE Self Injection
- 6115 - Fileless Threat: Reflective DLL Remote Injection
- 6118 - Fileless Threat: Malicious Code Execution using DotNetToJScript Technique
- 6120 - Fileless Threat: Process Hollowing
- 6121 - Fileless Threat: Shellcode Self Injection
- 6122 - Fileless Threat: Reflective Loading of mimikatz using DotNetToJScript Technique
- 6124 - Fileless Threat: Spoof Parent Process
- 8003 - Fileless Threat: Suspicious Powershell Behavior Detected
- 8004 - Fileless Threat: Malicious Powershell Behavior Detected
Mimikatz rules in Exploit Prevention – The most important rule to enable is 6078. But, the other rules listed below are beneficial as well:
- 6078 - Mimikatz usage
- 6116 - Mimikatz LSASS Suspicious Memory Read
- 6117 - Mimikatz LSASS Suspicious Memory DMP Read
- 6122 - Fileless Threat : Reflective Loading of mimikatz using DotNetToJScript Technique
Mimikatz rule in Access Protection – Select both Block and Report for Executing Mimikatz malware

Scanning

During an outbreak, it is recommended to perform full on-demand scans (Full Scan) daily. With recent ENS versions, the scans do not have much impact on performance. Scans can be scheduled to run at a time the system is least active, such as 2 a.m. Implement policy-based scans where possible, which allows Telemetry to be received without the need for Events. The Telemetry is available within the properties for ENS Threat Prevention.

During normalized operating conditions, a good cadence would be to run weekly Full Scans and daily Quick Scans. Also see: KB74059 - Best practices for on-demand scans.

Create a Quick Scan and schedule it to run every 4 hours. Make sure that the Scan Subfolders checkbox is deselected. At a minimum, scan the following:

Memory for rootkits
Running processes
Registry
Registered files
%SYSTEMDRIVE%\Documents and Settings
%SYSTEMDRIVE%\Users
%SYSTEMDRIVE%\Temp\
%PROGRAMDATA%
\Users\%\AppData\Local\Temp
\Startup\
c:\Windows\
c:\Windows\SysWOW64\
c:\Windows\System32\
c:\Windows\Temp
%SYSTEM ROOT%
%SYSTEM ROOT%\Installer
%SYSTEM ROOT%\System32
%SYSTEM ROOT%\System32\Tasks
%SYSTEM ROOT%\WinApp
%SYSTEM ROOT%\SysWOW64
%SYSTEM ROOT%\Tasks
%TEMP%
%APPDATA%\Roaming\Microsoft\
%APPDATA%\Local\
%APPDATA%\Local\Temp

In addition, configure the following scanning options:

Enable Real Protect cloud-based scanning. The setting Enable cloud-based scanning is found in the ENS Adaptive Threat Protection policy, Real Protect Scanning section.
Set the Clean when reputation threshold reaches level to Known Malicious. This setting is found in the ENS Adaptive Threat Protection policy, Action Enforcement section.
Enable Scan Processes started from network drives. This setting is found in the ENS Adaptive Threat Protection policy, Adaptive Threat Protection section.
Set the hash for files detected by Real Protect to Known Malicious reputation in McAfee Threat Intelligence Exchange (TIE).
Enable Detect suspicious email attachments. This setting is found in the ENS Threat Prevention, On-Access Scan policy.
Enable Scan when copying network folders and removable drives. This setting is found in the ENS Threat Prevention, On-Access Scan policy.
Enable the scanning of network drives for Standard and High Risk processes. Go to the ENS Threat Prevention, On-Access Scan policy, Process Settings section. On the Standard and High Risk tabs, select On network drives under What to scan.

Adaptive Threat Protection (ATP)

Enable the Security setting in the ATP Options policy.

NOTE: You can find the individual ATP rules under Server Settings, Adaptive Threat Protection. For information about ATP rules, see: KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event. A few ATP rules are disabled by default, which you can change to the Observe state.
Apply the "McAfee Default Security" policy for ATP Dynamic Application Containment.

Archivo adjunto

Policies.zip
118K • < 1 minute @ broadband

Productos implicados

Best Practices
Configuration
Endpoint Security Adaptive Threat Protection
Endpoint Security Firewall 10.7.x
Endpoint Security Firewall 10.6.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Endpoint Security Web Control 10.7.x
Endpoint Security Web Control 10.6.x
Threat Prevention and Removal

Idiomas:

Este artículo se encuentra disponible en los siguientes idiomas:

English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glosario de términos técnicos

Resaltar los términos del glosario

Tómese un momento para consultar nuestro Glosario de términos técnicos.

Knowledge Center

Best practices for tuning and using Endpoint Security to prevent and respond to threat incidents

Entorno

Resumen

Archivo adjunto

Productos implicados

Idiomas:

Glosario de términos técnicos

Title

Title

Knowledge Center

Best practices for tuning and using Endpoint Security to prevent and respond to threat incidents

Entorno

Resumen

Archivo adjunto

Productos implicados

Idiomas:

Glosario de términos técnicos

Elija su región

Title

Title