Migrate from McAfee Active Response

If you are using McAfee® Active Response 2.3 or later, you can migrate to MVISION EDR.

Before you begin

Make sure that you have:

  • McAfee ePO 5.9.1 or later installed.
  • Active Response 2.3 or later installed and configured.

Note: For information about supported platforms, environments, and operating systems for McAfee Active Response, see KB84473.

For information about installing the McAfee Active Response client, see KB89991.

When creating the MVISION EDR account, use the same email address used to connect to MVISION Cloud Bridge for Active Response (Menu -> Server Settings -> MVISION Cloud Bridge Settings).

Task

  1. Log on to MVISION EDR as administrator.
  2. Select Menu -> Investigating -> Configuration.
  3. On the Configuration panel, select Use McAfee ePO on-premises for management, then click Save.
  4. In the Choose telemetry and region settings section, select I choose to share telemetry data (defined below) with McAfee, then click Save.
  5. Check in the MVISION EDR extension:
    1. Log on to McAfee ePO as administrator.
    2. On McAfee ePO, select Menu -> Software -> Software Manager / Software Catalog and search for MVISION EDR.
    3. Select the MVISION Endpoint Detection and Response package and click Check In.
    After checking in the extension, all dependent packages and extensions are installed:
    • DXLBrokerMgmt
    • DXL ePO client
    • DXL Client Mgmt
    • MVISION EDR Client Package
    • MVISION EDR Endpoint Snapshot Tool
    • MVISION EDR Client Extension
    • MVISION Cloud Bridge
  6. Add your MVISION EDR account credentials to MVISION Cloud Bridge:
    1. On McAfee ePO, select Menu -> Server Settings -> MVISION Cloud Bridge.
    2. Click Edit.
    3. On the Edit MVISION Cloud Bridge page, enter the email address and password created for MVISION EDR and click Save.
    The message "The server is actively linked." appears.
  7. Upgrade DXL Broker to 5.0 or later:
    1. Select Menu -> Software -> Software Manager / Software Catalog and search for Data Exchange Layer Broker 5.0.
    2. Select the Data Exchange Layer Broker package and click Check In.
    3. Go to Menu -> System Tree and select the device on which DXL is to be upgraded.
    4. On the System Tree page, select Actions -> Agent -> Run Client Task Now.
    5. On the Run Client Task page, set Product to McAfee® Agent and Task to Product Deployment, then click Create New Task.
    6. In the Target Platform section, select the operating system of the selected device.
    7. In the Products and components section, select Data Exchange Layer.
    8. Click Run Task Now.
    When the task is complete, the Running Client Task Status page shows the status as green (Completed).
  8. Select Menu -> Software -> Software Manager / Software Catalog, search for Data Exchange Layer, and click Check In.
  9. Deploy MVISION EDR client:
    1. Select Menu -> Configuration -> Software -> Product Deployment and then click New Deployment.
    2. Enter a name and description for the deployment.
    3. Select McAfee MVISION EDR Client as the software package.
    4. Click Select Individual Systems.
    5. On the System Selection page, from System Tree, select the devices on which you want to deploy the MVISION EDR client and click OK.
    6. Save the new deployment.
    After you migrate from Active Response to MVISION EDR, the trace data and threats from Active Response are migrated to MVISION EDR; the existing trace data and threats also remain in Active Response after the migration. All DXL brokers must be upgraded to 5.0 or later for the trace data to migrate from Active Response to MVISION EDR.
  10. Log on to MVISION EDR as administrator.
  11. Select Menu -> Investigating -> Configuration -> Install components -> Agent Deployment and click Save.
  12. Select Menu -> Investigating -> Configuration -> Configure data sources, select McAfee ePO, and verify that the connection status is green.
    All basic components are now installed and MVISION EDR is connected to McAfee ePO.

Results

Devices using Active Response are now migrated to MVISION EDR. Potential threats start appearing on the Monitoring dashboard in MVISION EDR.

There are two linking or authentication extensions on McAfee ePO:

  • McAfee® ePO™ Cloud Bridge -> MAR 2.x linking/authentication
  • MVISION Cloud Bridge -> MVISION-EDR linking/authentication

Traces and events from Active Response 2.x clients and MVISION EDR clients go to the MVISION EDR cloud (threats and alerts appear in the Monitoring dashboard). Traces and events from Active Response 2.x clients no longer go to the Active Response cloud, so the MAR Workspace is no longer updated; use it only to view previous activity, and do not trigger further actions from the MAR 2.x Workspace. Two check boxes under Server Settings -> DXL Topology control where the traces go:

  • Unchecked -> Provides trace data to the cloud for MAR Workspace
  • Checked -> Forward MVISION EDR DXL events to cloud

Real-time Search can be run from the Real-time Search dashboard in the MVISION EDR UI and from the Active Response page in MAR 2.x. Both searches reach all Active Response 2.x clients and MVISION EDR clients, and the results go to the initiator only. Search error handling is not supported in this mixed MVISION EDR and MAR 2.x environment.

MVISION EDR does not support Saved Searches, but Saved Searches created on MAR 2.x remain available and usable on the Active Response page and in the Catalog on MAR 2.x.

MVISION EDR supports Remediation and Containment actions such as Stop And Remove or Quarantine. MVISION EDR does not support Triggers, but existing Triggers on MAR 2.x remain available and usable on MAR 2.x.

When the migration is complete, new threats are shown in the Monitoring dashboard and the old Active Response threats are still available in Workspace in McAfee ePO.

When migrating to MVISION EDR, you can remove all Active Response extensions except the mar-client extension, which is required to monitor the devices that are not migrated to MVISION EDR.

For information about disabling the DXL broker and Active Response server, see KB91043.