Using CTE with McAfee Endpoint Security for Linux Threat Prevention
McAfee Endpoint Security for Linux Threat Prevention detects malware such as viruses and handles the malware according to policies that you configure in McAfee ePO. This chapter describes how to configure McAfee and CipherTrust Transparent Encryption to work together.
This section contains the following topics:
- Ensuring the Correct McAfee Service Startup and Shutdown Order
- Virus Scanning Behavior Differences for CIFS and NFS GuardPoints
Supported McAfee Versions and Linux Operating Systems
In general, Thales has verified that CipherTrust Transparent Encryption is compatible with McAfee version 10.6.5 and later on Red Hat Enterprise Linux (RHEL) 7 and RHEL 8. See the most recent Compatibility Matrix for CipherTrust Transparent Encryption Agent with CipherTrust Manager or Compatibility Matrix for CipherTrust Transparent Encryption Agent with Data Security Manager for details about the versions of McAfee Endpoint Security for Linux Threat Prevention that have been verified to work with CipherTrust Transparent Encryption.
Ensuring the Correct McAfee Service Startup and Shutdown Order
CipherTrust Transparent Encryption services and McAfee services must be started and stopped in the correct order to prevent problems with any data that is guarded by CipherTrust Transparent Encryption. This order is important any time these services need to be started or stopped, such as:
- During the normal startup and shutdown of your Linux host.
- Before enabling a scheduled upgrade of CipherTrust Transparent Encryption.
- Before performing a manual upgrade of CipherTrust Transparent Encryption.
- As needed for maintenance or troubleshooting.
Ensuring the Correct McAfee Service Order in systemd
Configuring the proper startup and shutdown order of CipherTrust Transparent Encryption and McAfee services in systemd ensures that the services start in the right order during system startup and shutdown. This is also important if you configure a scheduled upgrade of CipherTrust Transparent Encryption, as CipherTrust Transparent Encryption services will need to be shut down during the upgrade.
The following McAfee services must be configured to start after CipherTrust Transparent Encryption services:
- For McAfee 10.6.6 or later:
  - mfetpd.service
  - mfeespd.service
- For McAfee 10.6.5 or earlier:
  - isectpd.service
  - isecespd.service
To configure this behavior, add these services to the Before= line in the secfs-fs-barrier.service file on your system. The order of these services on the Before= line in the secfs-fs-barrier.service file does not matter. For more information, see [Location of Application Unit Configuration Files] and [Adding Applications to the secfs-fs-barrier.service File].
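A way to check the result of this step, as an added example that is not Thales or McAfee code: the functions below report which of the McAfee units named above are still missing from the Before= entries of a unit file. The path to secfs-fs-barrier.service is passed as an argument because this page does not state it, the function names and the `new`/`old` labels are hypothetical, the sample file is constructed, and only the one file is inspected (systemd drop-in files are not read).

```shell
#!/bin/sh
# Added example: report McAfee units missing from Before= in a unit file.

# mcafee_units FAMILY: unit names from this page.
#   new = McAfee 10.6.6 or later, old = McAfee 10.6.5 or earlier
mcafee_units() {
    case "$1" in
        new) echo "mfetpd.service mfeespd.service" ;;
        old) echo "isectpd.service isecespd.service" ;;
        *)   return 2 ;;
    esac
}

# before_units FILE: every unit on any Before= line, one per line.
# systemd accepts several Before= lines and space-separated lists.
before_units() {
    sed -n 's/^[[:space:]]*Before[[:space:]]*=//p' "$1" |
        tr -s '[:space:]' '\n' | sed '/^$/d'
}

# missing_before FILE FAMILY: print required units absent from Before=.
# Prints nothing when the ordering is fully configured.
missing_before() {
    units=$(mcafee_units "$2") || return 2
    listed=$(before_units "$1")
    for u in $units; do
        # -F fixed string, -x whole line: avoids partial-name matches
        printf '%s\n' "$listed" | grep -Fxq "$u" || printf '%s\n' "$u"
    done
}

# Constructed sample, not the shipped unit file: one McAfee unit is missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Unit]
Description=constructed sample for this example
Before=mfetpd.service exampleapp.service
EOF
missing_before "$sample" new   # prints: mfeespd.service
rm -f "$sample"
```

Run `missing_before` against the real unit file after editing it, and again after a McAfee upgrade that changes the service names.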
Starting or Stopping McAfee and CipherTrust Transparent Encryption Manually
When you manually start or stop McAfee and CipherTrust Transparent Encryption, you must do so in the correct order.
To manually stop McAfee and CipherTrust Transparent Encryption:
- Stop McAfee services using one of the following:
  For McAfee 10.6.6 or later:
  systemctl stop mfetpd.service mfeespd.service
  For McAfee 10.6.5 or earlier:
  systemctl stop isecespd.service isectpd.service
- Stop CipherTrust Transparent Encryption:
  Linux distributions that support systemd
  /etc/vormetric/secfs stop
  Linux distributions that do not support systemd
  service secfs stop
To manually start McAfee and CipherTrust Transparent Encryption:
- Start CipherTrust Transparent Encryption:
  Linux distributions that support systemd
  /etc/vormetric/secfs start
  Linux distributions that do not support systemd
  service secfs start
- Start McAfee services using one of the following:
  For McAfee 10.6.6 or later:
  systemctl start mfetpd.service mfeespd.service
  For McAfee 10.6.5 or earlier:
  systemctl start isecespd.service isectpd.service
Excluding CTE protected directories with McAfee
Starting with CipherTrust Transparent Encryption v7.2.0, two conflicts exist between McAfee’s On-Access Scan and CipherTrust Transparent Encryption when both applications are installed, regardless of installation order. This conflict occurs because McAfee’s On-Access Scan tries to scan files in the initial startup (protected) directory, /opt/vormetric/DataSecurityExpert/agent/secfs/.sec/ whenever those files are accessed by CipherTrust Transparent Encryption's own processes and utilities. Access to a CipherTrust Transparent Encryption protected directory, and its subdirectories, is restricted so that no other process or utility can access them.
The fix is to add the CipherTrust Transparent Encryption protected directories to the McAfee On-Access Scan exclusion list:
- Change the directory. At the command line, type:
  - For McAfee 10.6.5 or prior versions:
    # cd /opt/isec/ens/threatprevention/bin/
  - For McAfee 10.6.6 or subsequent versions:
    # cd /opt/McAfee/ens/tp/bin
- Add the exclusion to McAfee’s On-Access Scan. Type:
  --addexclusionrw --excludepaths "/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/" --excludesubfolder
  The entire exclusion list command should look like the following:
  - McAfee 10.6.5 or prior versions:
    ./isecav --setoasprofileconfig --profile standard --addexclusionrw --excludepaths "/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/" --excludesubfolder
  - McAfee 10.6.6 or subsequent versions:
    ./mfetpcli --setoasprofileconfig --profile standard --addexclusionrw --excludepaths "/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/" --excludesubfolder
You only need to run this command once.
Updating McAfee
It is not necessary to shut down CipherTrust Transparent Encryption services when you update McAfee Endpoint Security to a new version. Follow the update procedure described by McAfee. Before updating, ensure that the new version of McAfee is compatible with CipherTrust Transparent Encryption as described in [Supported McAfee Versions and Linux Operating Systems].
When you upgrade McAfee, make sure that the current McAfee services are configured to start after the CipherTrust Transparent Encryption services in systemd. The McAfee service names depend on the version of McAfee that you are using. For details, see [Ensuring the Correct McAfee Service Order in systemd].
Virus Scanning Behavior Differences for CIFS and NFS GuardPoints
By default, on-access virus scanning for remotely mounted file systems such as CIFS and NFS is disabled on McAfee Endpoint Security. However, for GuardPoints configured on CIFS and NFS volumes, this default is ignored, so on-access virus scanning is always on for those GuardPoints. This means that if a process attempts to save an infected file to a GuardPoint configured on a CIFS or NFS volume, the infected file is discovered immediately if it matches the McAfee malware detection algorithm, and is handled according to the appropriate malware policy in McAfee ePO.