Navigating the Protection Workspace

The Protection Workspace is where you can see all potential threats on managed devices and respond to them.

The Protection Workspace provides a visual representation of threat incidents in your environment and device compliance data, all from a single dashboard. You can quickly identify threats detected in the environment and seamlessly navigate to any impacted device to remediate the threat.

The Protection Workspace helps you answer these questions:

  • What was discovered by advanced threat protection technologies from products like McAfee® MVISION Endpoint, Real Protect, and McAfee® Endpoint Security Adaptive Threat Protection (ATP)?
  • Why is a device escalated?
  • Where did the threat come from?
  • When was the threat discovered?

Identifying threats

Colors in the Protection Workspace represent the type of threat discovered:

Red — A threat was discovered, or your software or devices are running outdated versions and must be updated to be compliant.

Orange — There are threats to investigate or some devices are not up to date.

Green — The current state of your environment is healthy, threats have been mitigated, and devices are compliant.

Gray — No data available.

Investigating threats

The Protection Workspace is divided into several categories, allowing you to view compliance information and manage key threats in one place. When interacting with the Protection Workspace, start on the left side and progress to the right.



  1. View the total number of devices tracked by the McAfee ePO server, and the total number of devices that are tagged as escalated. View the number of devices that have communicated with McAfee ePO at least once. Systems that have never communicated with McAfee ePO are not included in the count.
    Important: The systems that never communicated with McAfee ePO appear in the System Tree and not in the Protection Workspace.
  2. View threat information across multiple categories. View the number of escalated devices to track devices that have encountered multiple threats and might require attention. Devices are escalated automatically based on the severity of the threats impacting the system. Select any value to see a more detailed view of the categories.
  3. View the status of security content and the individual products deployed in the environment. Devices are color-coded to indicate the security status (health) of the device. You can easily identify the systems that are up to date, or require an update or product deployment.
  4. View your devices by tags (default), in the System Tree, or as a list. Use the search feature to quickly find a device. The Devices view changes depending on the device summary you select. If you selected Escalations, the pane displays all escalated devices.
  5. Drill down to view the device details and the top 5 threats.
  6. Drill down to filter and view your threat activity. For example, you can filter by device, threat, or originating process.

Managing threats

Protection Workspace bar

Devices: Total number of devices tracked by the McAfee ePO server. Systems that have never communicated with McAfee ePO are not included in the count.
Escalations: Total number of devices that are tagged as escalated. Select a device to view Escalated Devices. A system is escalated if it detects 5 threats or more in 24 hours.
Update: Data on the backend is automatically refreshed every 60 seconds, and the interface is automatically refreshed every 5 minutes. Click the refresh icon to manually redisplay the Protection Workspace with the latest updates.
Settings: Use the Protection Workspace settings to:
  • Change the interface to High Contrast Mode.
  • Adjust the Security Content Color Thresholds and Check-In Failure Color Thresholds to customize the security levels for your environment.

Threat Overview

Escalated Devices: Total number of devices that received a threat over the past 7 days. A system is escalated if it detects 5 threats or more in 24 hours.
Resolved Threats: Total number of threats that were resolved in the past 7 days.

Basic — Detected by products like McAfee VirusScan Enterprise, McAfee® Endpoint Security Threat Prevention, and Microsoft Windows Defender.

Advanced — Detected by advanced detection techniques like McAfee® MVISION Endpoint, Real Protect, and McAfee® Endpoint Security Adaptive Threat Protection (ATP).

Report Only Detections: Total and daily counts of report-only detections over the last 7 days. The arrow indicates the trend. Select the value to open the details for total or daily threat events.
Unresolved Threats: Total number and count per day of detected threats that are unresolved. The arrow indicates the trend over the past 7 days.

Compliance Overview

Security Content: Status of the security content in the environment.

Here's how the compliance status is calculated for these items:

McAfee Endpoint Security AMCore — Number of systems with AMCore content compliant or noncompliant.

  • Compliant — The AMCore content creation date is less than 7 days old.
  • Non-Compliant — The AMCore content creation date is more than 7 days old.

McAfee Endpoint Security Exploit Prevention — Number of systems with Exploit Prevention content compliant or noncompliant.

  • Compliant — Enabled state in policy matches the enabled state on client system.
  • Non-Compliant — Enabled state in policy doesn't match the enabled state on client system.

McAfee DAT — An endpoint is considered compliant if the DAT Date is within 7 days from today. For example, if today is July 19, endpoints with a DAT date of July 13 or later are compliant.

Microsoft Windows Defender — An endpoint is considered compliant if the Anti-Virus Signature Last Updated date is within 7 days from today. For example, if today is July 19, endpoints with a DAT date of July 13 or later are compliant.

For McAfee DAT and Microsoft Windows Defender, the endpoint reports the date, which can be viewed on the Products tab of the System Information page.

Deployment Status: Status of the individual products deployed in the environment. For example, McAfee Endpoint Security, McAfee Agent, and McAfee MVISION Endpoint.

The devices are color-coded to indicate the security status (health) of the device:

Green — Latest (most recent) version.

Orange — One or more versions behind, or if a policy has been successfully applied.

Light gray — No data available. The extension is checked in to McAfee ePO, but the product hasn't been deployed.

Dark gray — Indicates that the extension is checked in, but the product isn't installed on the endpoint.

Device Management Status

Check-in Failure indicates the number of devices that haven't checked in to the McAfee ePO server for more than 15 days.

Managed Devices without Protection indicates the number of devices that don't have these antimalware products installed: Threat Prevention, MVISION Endpoint, or VirusScan Enterprise.

Managed Devices indicates the total number of managed devices over the past 7 days.

View the number of devices that have communicated with McAfee ePO at least once. Systems that have never communicated with McAfee ePO are not included in the count.

Important: The systems that never communicated with McAfee ePO appear in the System Tree and not in the Protection Workspace.
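The thresholds described above (content dated within 7 days, check-in failure after more than 15 days, escalation at 5 threats or more in 24 hours) can be reproduced outside the console, for example to cross-check an exported device list. The following Python code is an added example, not McAfee code; the field names, the sample devices, the year, and the sliding-window reading of the 24-hour escalation rule are assumptions.

```python
from datetime import date, datetime, timedelta

CONTENT_MAX_AGE_DAYS = 7   # DAT / Defender signature date "within 7 days from today"
CHECKIN_FAILURE_DAYS = 15  # no check-in "for more than 15 days"
ESCALATION_THREATS = 5     # "5 threats or more in 24 hours"
ESCALATION_WINDOW = timedelta(hours=24)

def content_compliant(content_date: date, today: date) -> bool:
    # Page example: today July 19 -> July 13 or later is compliant, so today
    # counts as day 1 and the largest allowed gap is 6 calendar days.
    return (today - content_date).days < CONTENT_MAX_AGE_DAYS

def checkin_failed(last_checkin: datetime, now: datetime) -> bool:
    return now - last_checkin > timedelta(days=CHECKIN_FAILURE_DAYS)

def escalated(threat_times: list) -> bool:
    # Assumption: sliding window; the page does not say how the 24 hours are anchored.
    times = sorted(threat_times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > ESCALATION_WINDOW:
            start += 1
        if end - start + 1 >= ESCALATION_THREATS:
            return True
    return False

def summarize(devices: list, now: datetime) -> dict:
    report = {"dat_noncompliant": [], "checkin_failure": [], "escalated": []}
    for d in devices:
        if not content_compliant(d["dat_date"], now.date()):
            report["dat_noncompliant"].append(d["name"])
        if checkin_failed(d["last_checkin"], now):
            report["checkin_failure"].append(d["name"])
        if escalated(d["threats"]):
            report["escalated"].append(d["name"])
    return report

# Constructed sample data; field names are hypothetical, not an ePO export schema.
NOW = datetime(2024, 7, 19, 12, 0)
DEVICES = [
    {"name": "ws-01", "dat_date": date(2024, 7, 13),
     "last_checkin": NOW - timedelta(days=15),
     "threats": [NOW - timedelta(hours=h) for h in (1, 2, 3, 30)]},
    {"name": "ws-02", "dat_date": date(2024, 7, 12),
     "last_checkin": NOW - timedelta(days=16),
     "threats": [NOW - timedelta(hours=h) for h in (2, 5, 9, 14, 23)]},
]

if __name__ == "__main__":
    print(summarize(DEVICES, NOW))
```

The two sample devices sit on either side of each boundary: ws-01 is exactly at the limit for content age and check-in and stays clean, while ws-02 is one day past both and has five detections inside 24 hours.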

Devices

Description

View your devices by tags (default), in the System Tree, or as a list.

Use the search feature to quickly find a device.

The information that appears in the Devices pane changes depending on the category you select:

  • Devices
  • Escalated Devices

Important: The systems that never communicated with McAfee ePO appear in the System Tree and not in the Protection Workspace.

Device Details

Description

From the Devices panel, you can drill down to view the device details and the top 5 threats. Select a threat to open the Threat Details pane, and view details about a specific threat.

Activity Filters

Description

From the Devices panel, you can drill down to view the device details and the top 5 threats. Select a threat to open the Threat Details pane, and view details about a specific threat.