The McAfee ePO package is to be used in conjunction with the Malware Solution Pack.
Installation instructions are provided within the wiki under the Security Technology Monitoring section.
Note: If you have access to McAfee ePO and are well versed in the product, please reach out to us. I'm looking for help in understanding how to best configure the agents and ePO.
Also, a big thanks to and his team for helping pull this together!
So, my guess, and this seems to be a common problem, is that you didn't put all the contents of the zip file into your console's current directory. If you used 7zip or native Windows extraction, it may have put them in a sub-directory. If so, move the contents up a level, and that should fix it when you run the .bat file again.
Hope this helps,
Yes, you are correct, this is done from your console directory, not from ESM.
The screenshot you added has everything you need. The L1-Malware_Monitoring... bundle contains all the other bundles. The .bat file (script) imports this bundle onto the manager, which includes the other .arb files.
The screenshot also has this path:
C:\arcsight\Console\current\L-1Malware Monitoring - Indicators and Warnings 22.214.171.124
This means you have:
C:\arcsight\Console\current\L-1Malware Monitoring - Indicators and Warnings 126.96.36.199\DO NOT IMPORT VIA CONSOLE.txt, etc.
Move the .bat and .arb files up one directory, then run the .bat file again. It will work.
OK... now this (apologies for the newbie questions):
'bin\arcsight' is not recognized as an internal or external command,
operable program or batch file.
Could Not Find C:\arcsight\Console\current\L1-Perimeter_and_Network_Monitoring_-_Indicators_and_Warn
For anyone else who might be having issues, below is the resolution:
- I am using several console versions to connect to several versions of ESM
- Extracted file contents need to be copied into the *\current directory of the console version/installation for the corresponding ESM destination of the package (oh yeah, of course, totally makes sense!)
Thanks for the call, WebEx, and 2nd pair of eyes Prentice!
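The two fixes worked out in this thread (move the .bat and .arb files out of the sub-folder the zip extractor created, up into the console's current directory, and use the console installation that matches the target ESM), as an added PowerShell pre-flight script. This is not part of the thread or of the ArcSight package; it assumes the CLI wrapper the package .bat calls is bin\arcsight.bat under <install>\current, and that the zip extracted into a single folder holding the .bat installer and the .arb bundles. The parameter and function names are my own.

```powershell
<#
 Added example, not part of the thread or of the ArcSight package.
 Pre-flight for an Activate package import on Windows:
   1. the target console root (<install>\current) really is a console
      root, i.e. it contains the CLI wrapper the package .bat calls;
   2. the package .bat and .arb files sit directly in that root, not in
      the sub-folder 7-Zip / Explorer created when extracting the zip.
 Assumptions (labelled): the wrapper is bin\arcsight.bat; the extracted
 zip is one folder holding the .bat installer and the .arb bundles.
#>
param(
    # Root of the console version that talks to the target ESM, e.g.
    # C:\arcsight\Console\current. With several consoles installed, pick
    # the one whose version matches the ESM the package is destined for.
    [Parameter(Mandatory)] [string] $ConsoleCurrent,
    # Folder the zip was extracted into (often nested under $ConsoleCurrent).
    [Parameter(Mandatory)] [string] $ExtractedPackage
)

function Test-ConsoleRoot {
    param([string] $Root)
    # The package .bat calls 'bin\arcsight' relative to the directory it is
    # run from; "'bin\arcsight' is not recognized" means this file is absent.
    $wrapper = Join-Path $Root 'bin\arcsight.bat'   # assumed wrapper name
    if (-not (Test-Path -LiteralPath $wrapper)) {
        throw "No $wrapper found: $Root is not a console 'current' directory (or the wrong console version)."
    }
}

function Move-PackageToRoot {
    param([string] $Package, [string] $Root)
    $items = Get-ChildItem -LiteralPath $Package -Force
    $bats  = @($items | Where-Object { $_.Extension -eq '.bat' })
    $arbs  = @($items | Where-Object { $_.Extension -eq '.arb' })
    if ($bats.Count -eq 0 -or $arbs.Count -eq 0) {
        throw "Expected the package .bat and .arb files directly in $Package; found $($bats.Count) .bat and $($arbs.Count) .arb."
    }
    # Move everything (installer, bundles, readme) up one level so the .bat
    # runs with bin\arcsight and the .arb files reachable from the same root.
    foreach ($item in $items) {
        $dest = Join-Path $Root $item.Name
        if (Test-Path -LiteralPath $dest) {
            Write-Warning "Overwriting $dest"
            Remove-Item -LiteralPath $dest -Recurse -Force
        }
        Move-Item -LiteralPath $item.FullName -Destination $Root -Force
    }
    return @($bats | ForEach-Object { Join-Path $Root $_.Name })
}

$ConsoleCurrent   = (Resolve-Path -LiteralPath $ConsoleCurrent).Path
$ExtractedPackage = (Resolve-Path -LiteralPath $ExtractedPackage).Path
Test-ConsoleRoot -Root $ConsoleCurrent

if ($ExtractedPackage -eq $ConsoleCurrent) {
    # Already flat: nothing to move, just list the installer(s) present.
    $installers = @(Get-ChildItem -LiteralPath $ConsoleCurrent -Filter '*.bat' -File |
                    ForEach-Object { $_.FullName })
} else {
    $installers = @(Move-PackageToRoot -Package $ExtractedPackage -Root $ConsoleCurrent)
    # Drop the now-empty wrapper folder the extractor created.
    Remove-Item -LiteralPath $ExtractedPackage -Force -ErrorAction SilentlyContinue
}

# The import must be started from the console root, never from ESM and
# never from inside the extracted sub-folder.
Write-Host "Run the import from $ConsoleCurrent, e.g.:"
foreach ($bat in $installers) {
    Write-Host "  Set-Location `"$ConsoleCurrent`"; & `"$bat`""
}
```

The script deliberately stops short of running the installer: it only prints the command, so the operator can confirm the console version against the ESM destination first, which is the mismatch the resolution above describes.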
Another issue: in the installation guide for the McAfee ePO package there are instructions from the wiki for the package configuration that outline "hooking" four filters into the L1 Malware package. In the screenshots it shows just the McAfee filter. However, in my package there is a broken filter resource present called "/All Filters/ArcSight Activate/Core/Common/Events/No Events".
Do I need to address this or should I delete that dependency?
Yeah, just delete it. I'll fix it in the next update! It should be "false", not a reference to a filter...
Thanks for pointing that out!
Just a clarification point, if I may.
The filters that we hook product package filters into should have a default value of false. This should be deleted and replaced with the appropriate product filter.
This allows us to install the packages and keep them from randomly firing off of the wrong events before we can configure the product packages. It makes all of our lives easier!
Thanks & fyi,