Recommendations for configuring clients

You can use McAfee ePO policies to configure MVISION EDR clients. Based on how the policies are configured, all device event data is sent to MVISION EDR for effective threat detection.

Using policies, you can:

  • Set the maximum number of results returned by search expressions.
  • Enable Network Flow and File Hashing collectors.
  • Set database limits and maximum number of results returned by the Network Flow collector. For Network Flow in Windows, traffic can be excluded for specific processes. This is done using the complete process path.
  • Set database limits, maximum number of results returned, and files excluded by the File Hashing collector.
    • You can also exclude entire paths and extensions by policy.
    • The File Hashing "Hash Strategy" setting determines how much of the device's resources is dedicated to hashing. For example, setting the default to Low reduces performance impact (resource consumption), but makes the hashing period longer.
  • Set database and data limits for the Trace plug-in.
  • Enable system logging on managed devices.
  • Enable data folder protection. Even after data folder protection is enabled, you can still read the files in C:\ProgramData\McAfee\MAR\data.

Preset McAfee ePO policies

After installing MVISION EDR, the following McAfee ePO policies are available in the Policy Catalog:

  • McAfee Default — This is the policy enforced by default after installation. When this policy is enforced, the Network Flow and Trace features are enabled.
  • Full Visibility — When this policy is enforced, the Network Flow, File Hashing, and Trace features are enabled.
  • Full Monitoring — When this policy is enforced, all collectors are enabled.