Installing the Active Response server

Active Response server is provided as an ISO image or an OVA virtual appliance, packaging a McAfee® Linux Operating System (MLOS) version 2 instance.

The ISO package can be deployed on bare-metal servers and other virtual infrastructure. The OVA package can be deployed only on VMware.

Tip: Use the OVA package instead of the ISO package on VMware because it preconfigures resources such as CPU, RAM, and disk.

The TIE server is distributed as an OVA appliance optimized for VMware or as an ISO image used with compatible hardware or other virtualization technologies.

If you are using the ISO package, the Active Response MLOS installation and the actual installation of the server start automatically when you turn on the VM. All base operating system packages are installed. Bash, sage, and partitioning of the disk are done without interaction with the VM. When the installation finishes, the VM turns off and you can remove the ISO. For a complex infrastructure, you can set up and deploy the package on multiple servers. For more information about deploying TIE, see the McAfee Threat Intelligence Exchange Sizing and Performance Guide.

Best practices when installing TIE and Active Response servers

If you are installing the TIE and Active Response servers for the first time, install the TIE server first. Run the TIE server in your environment for a few days before enabling tracing on endpoints.

  • Files that don't show suspicious activity and have high prevalence, because they are executed on a majority of endpoints, are eventually set to the Might be Trusted reputation. This means you don't need to manually change occurrences of these reputations in the Active Response Workspace later.
  • You can fine-tune the TIE Reputations database and decide on the reputations for your corporate-owned files and certificates before Active Response starts inspecting running processes, looking for potential threats. For more information about managing unknown threat reputations, see the Knowledge Base article KB90344.