Highlighted
Absent Member.
Absent Member.
912 views

McAfee EPO 5.1 support?

Hi all,

is there any chance to get McAfee EPO 5.1 supported? Actually the last version of the SmartConnector (7.0.4) only supports EPO 5.0. This SC does not seem to work on EPO 5.1. Does anyone had a chance to try it or found a workaround for this?

Thanks!

Alex

Labels (1)
0 Likes
Reply
11 Replies
Highlighted
Trusted Contributor.
Trusted Contributor.

Re: McAfee EPO 5.1 support?

Hi Aleccese,

I´ve working with McAfee ePO 5.1 from some months and it´s working right. I follow the same steps to set up the smart connector for McAfee ePO and Arcsight is receiving the events without any issue.

Kind Regards,

Marcos

Be Water My Friend
0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Re: McAfee EPO 5.1 support?

Hi Marcos,

thanks for your feedback. Unfortunately I'm not trying the connector with EPO 5.1 directly. The customer is trying it, and I have only logfiles with many errors like these:

[ERROR][default.com.arcsight.agent.loadable.agent._McAfeeEPODatabaseAgent][doDatabaseDetection] Tried version [sae3.5/epo4.5&5.0]. ERROR: [java.sql.SQLException: [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'EPOLEAFNODE'.

[WARN ][default.com.arcsight.agent.loadable.agent._McAfeeEPODatabaseAgent][doDatabaseDetection] Tried version [sae3.5+/epo4.x]. ERROR: [[[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'SAEVersion'.]

I'm not pretty sure the customer made all the steps in the correct way. Anyway, this version of the product is not supported...so it should be "normal" that the SC does not work.

Our customer is tryint to collect events from the following components: virusscan,hips,move,siteadvisor.

Bye

Alex

0 Likes
Reply
Highlighted
Trusted Contributor.
Trusted Contributor.

Re: McAfee EPO 5.1 support?

Hi Alex,

I´m using SC 6.0.1.6574.0 version an it runs ok. Th components that I´m collecting events are virusscan, hips, rsd, hdlp, siteadvisor, epoproductevents.

One question. Are you recevieng any event from ePO?

The ePO server is installed in the same machine of the BD?

Where is the SC installed, in the ePO Server Machine, in the BD Machine, in other machine? Is highly recommended that the SC is not installed in the BD server.

Kind Regards,

Marcos

Be Water My Friend
0 Likes
Reply
Contributor.
Contributor.

Re: McAfee EPO 5.1 support?

My first thought is: Do you use the correct database driver? We have to push the correct mssql (or mysql, dk, have to check) driver to the connector and then we can connect.

Ok, I've checked, we are using the JDBC Driver.

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Re: McAfee EPO 5.1 support?

Hi Marcos,

6.0.1 is very oooold I'm actually trying to use 7.0.4, release on july 2014. I'm not receiving any event from EPO, only ArcSight internal connector events. The EPO should be installed on the same machine of the DB, while the SC is installed on a third Win 2008 system. Actually the support told me that EPO 5.1 will be officially supported in the upcoming version 7.0.5 of the SC.

Bye

Alex

0 Likes
Reply
Highlighted
Trusted Contributor.
Trusted Contributor.

Re: McAfee EPO 5.1 support?

Hi Alex,

Yes, It´s a very old version, but it´s working fine. I suppose that you test the SC conection with the DataBase, no?

Ok, when you try the new SC version, tell me about it.

Kind Regards,

Marcos

Be Water My Friend
0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Re: McAfee EPO 5.1 support?

You can remove these types of events during the EPO connector installer, the defaults may be a bit aggressive; they're looking for installations of software you don't have.

Open up your agent configuration and look at 'event types' -- mine here are virusscan, hips, rsd, eporollup, siteadvisor, epoproductevents.

The default 'all' event types may be causing connector issues.

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Re: McAfee EPO 5.1 support?

Hi,

New SmartConnector Version : 7.0.5.7132 added support for McAfee ePO 5.1. Use McAfee ePolicy Orchestrator DB Connector , you will get good result.

Also , check in McAfee ePO for the products integrated and while configuring the connector , add those event types only .

https://protect724.hp.com/docs/DOC-11462

- adhil

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Re: McAfee EPO 5.1 support?

Hi Adhil,

yes, the customer is already trying this, I have to call him to understand if it works. My only doubt (or concern) is about the components supported: ViruScan and HIPS. If the customer have also other McAfee components connected with EPO 5.1 what can he do to collect those events?

Bye

Alex

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Re: McAfee EPO 5.1 support?

Hi,

If they have other products integrated with EPO , while configuring the connector you need to specify parameter for the corresponding event type separated by comma. ( Refer Page 6 and Page 15 of the Doc : SmartConnector for McAfee ePolicy Orchestrator DB)

Eg: If they have the following products

hdlp - Host Data Loss Prevention

hips - Host Intrusion Prevention System (HIPS) 7.0, 8.0; DesktopFirewall

msme - Microsoft Security for Microsoft Exchange

rsd - Rogue System Detection 1.0, 2.0, 4.5

siteadvisor -  SiteAdvisor Enterprise

virusscan  - VirusScan Enterprise

Specify like this : hdlp,hips,msme,rsd,siteadvisor,virusscan  in the "event types" column.

- adhil

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Re: McAfee EPO 5.1 support?

Hi Adhil,

sure, but the only supported components are virusscan and hips, so only these two should "work". Based on your experience, also the unsupported EPO components will work?

Thanks

Alex

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.