How it works

MVISION Endpoint uses cloud content and local content to analyze data. It then presents the information in the Protection Workspace dashboard in McAfee ePO.

Managing the MVISION Endpoint client component

The MVISION Endpoint client component is installed on each protected endpoint and communicates directly with your McAfee ePO server.

  1. McAfee ePO server (on-premises, in a hosted service, or McAfee® MVISION ePO).
  2. MVISION Endpoint sends file metadata to the cloud infrastructure for analysis.
  3. When files are quarantined, they are stored in the Quarantine database on the relevant endpoint. The server then reads from these endpoint quarantine locations to enable centralized quarantine management across all your protected endpoints and servers.
  4. When enabled, firewall rules are pushed to Windows Defender Firewall on the managed endpoints and servers.
  5. Summaries are sent to McAfee ePO. These summaries include Windows Defender Firewall blocked events and firewall compliance data.
Note: When using MVISION Endpoint to manage Windows Defender Antivirus or Windows Defender Firewall, do not also use Domain Controller Group Policy or System Center Configuration Manager (SCCM) Policy. Domain Controller and SCCM policies have higher precedence and result in the MVISION Endpoint policies being overwritten.
How MVISION Endpoint works

Managing Windows Defender Antivirus

  1. MVISION Endpoint works with Windows Defender Antivirus.
  2. Windows Defender Antivirus protects your endpoints and servers from known viruses and malware.
  3. Windows Defender Antivirus passes an executable to MVISION Endpoint for further analysis if it deems the executable to be safe. MVISION Endpoint then uses the McAfee local and cloud-based detection infrastructure for this more detailed analysis.
  4. Threat detections from Windows Defender Antivirus and MVISION Endpoint appear in the Protection Workspace where you can resolve threats and change your policies to refine your protection levels.
Note: MVISION Endpoint applies the Microsoft Defender policy when Tamper Protection is enabled. When enabled, Tamper Protection prevents Group Policy from disabling some settings on Microsoft Defender. Because of this, MVISION Endpoint does not manage the following settings when Tamper Protection is enabled:
  • Real Time Monitoring
  • Behavior Monitoring
  • IOAV Protection

MVISION Endpoint applies Microsoft Defender policies on a best-effort basis, and tries to apply all policies even if the settings are protected.
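
To check on an endpoint how the Tamper Protection note and the earlier Group Policy/SCCM precedence note apply, the following read-only PowerShell script is an added example (not McAfee or Microsoft code). The function name `Get-DefenderManagementReport` and the choice of the two standard Windows policy registry locations are assumptions made for this example.

```powershell
# Added example (not vendor code). Read-only; run elevated on a managed Windows endpoint.
function Get-DefenderManagementReport {
    $status = Get-MpComputerStatus   # current Defender state
    $prefs  = Get-MpPreference       # configured Defender preferences

    # The three settings the note lists, mapped to the Defender status/preference properties.
    $map = [ordered]@{
        'Real Time Monitoring' = @('RealTimeProtectionEnabled', 'DisableRealtimeMonitoring')
        'Behavior Monitoring'  = @('BehaviorMonitorEnabled',    'DisableBehaviorMonitoring')
        'IOAV Protection'      = @('IoavProtectionEnabled',     'DisableIOAVProtection')
    }
    $settings = foreach ($name in $map.Keys) {
        [pscustomobject]@{
            Setting                    = $name
            CurrentlyEnabled           = $status.($map[$name][0])
            ConfiguredDisabled         = $prefs.($map[$name][1])
            # Per the note: not managed by MVISION Endpoint while Tamper Protection is on.
            ExcludedByTamperProtection = $status.IsTamperProtected
        }
    }

    # Standard Windows policy registry locations (assumption: chosen for this example).
    # Populated keys show that some policy source is configuring Defender or the firewall;
    # the script does not identify which tool wrote the values.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
             'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    $policyKeys = foreach ($path in $paths) {
        if (Test-Path $path) {
            $key = Get-Item $path
            [pscustomobject]@{ Path = $path; Values = $key.ValueCount; SubKeys = $key.SubKeyCount }
        }
    }

    [pscustomobject]@{
        TamperProtected = $status.IsTamperProtected
        Settings        = $settings
        PolicyKeys      = $policyKeys
    }
}

$report = Get-DefenderManagementReport
"Tamper Protection enabled: $($report.TamperProtected)"
$report.Settings   | Format-Table -AutoSize
$report.PolicyKeys | Format-Table -AutoSize
```

Compare the reported values with the policy assigned in McAfee ePO; a mismatch on a setting that is not excluded by Tamper Protection suggests another policy source is overwriting it.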

Windows Defender Antivirus and MVISION Endpoint can both quarantine files. You can manage quarantined files in the Quarantine Management area in McAfee ePO.

How MVISION Endpoint interacts with Windows Defender Antivirus

Managing Windows Defender Firewall rules

  • MVISION Endpoint lets you manage Windows Defender Firewall rules. These rules are used across your protected endpoints and servers.
  • With a default set of firewall rules available out of the box, you can quickly implement these rules and push them to all your protected endpoints and servers.
  • You can create rules, or change the existing ones, to meet your corporate requirements.
  • When creating rules, consider re-creating any previous firewall rules to maintain your current level of protection.
  • As an administrator, you can allow local firewall rules to be run on the endpoints and servers.

How MVISION Endpoint interacts with Windows Defender Firewall