Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

CTE Agent Linux Integration and Solutions Guides

Using CTE with McAfee Endpoint Security for Linux Threat Prevention

search

Please Note:

Using CTE with McAfee Endpoint Security for Linux Threat Prevention

McAfee Endpoint Security for Linux Threat Prevention detects malware such as viruses and handles the malware according to polices that you configure in McAfee ePO. This chapter describes how to configure McAfee and CipherTrust Transparent Encryption to work together.

This section contains the following topics:

Supported McAfee Versions and Linux Operating Systems

In general, Thales has verified that CipherTrust Transparent Encryption is compatible with McAfee version 10.6.5 and later on Red Hat Enterprise Linux (RHEL) 7 and RHEL 8. See the most recent Compatibility Matrix for CipherTrust Transparent Encryption Agent with CipherTrust Manager or Compatibility Matrix for CipherTrust Transparent Encryption Agent with Data Security Manager for details about the versions of McAfee Endpoint Security for Linux Threat Prevention that have been verified to work with CipherTrust Transparent Encryption.

Ensuring the Correct McAfee Service Startup and Shutdown Order

CipherTrust Transparent Encryption services and McAfee services must be started and stopped in the correct order to prevent problems with any data that is guarded by CipherTrust Transparent Encryption. This order is important any time these services need to be started or stopped, such as:

  • During the normal startup and shutdown of your Linux host.

  • Before enabling a scheduled upgrade of CipherTrust Transparent Encryption.

  • Before performing a manual upgrade of CipherTrust Transparent Encryption.

  • As needed for maintenance or troubleshooting.

Ensuring the Correct McAfee Service Order in systemd

Configuring the proper startup and shutdown order of CipherTrust Transparent Encryption and McAfee services in systemd ensures that the services start in the right order during system startup and shutdown. This is also important if you configure a scheduled upgrade of CipherTrust Transparent Encryption, as CipherTrust Transparent Encryption services will need to be shut down during the upgrade.

The following McAfee services must be configured to start after CipherTrust Transparent Encryption services:

  • For McAfee 10.6.6 or later:

    • mfetpd.service

    • mfeespd.service

  • For McAfee 10.6.5 or earlier:

    • isectpd.service

    • isecespd.service

To configure this behavior, add these services to the Before= line in the secfs-fs-barrier.service file on your system. The order of these services on the Before= line in the secfs-fs-barrier.service file does not matter. For more information, see [Location of Application Unit Configuration Files] and [Adding Applications to the secfs-fs-barrier.service File].

Starting or Stopping McAfee and CipherTrust Transparent Encryption Manually

When you manually start or stop McAfee and CipherTrust Transparent Encryption, you must do so in the correct order.

To manually stop McAfee and CipherTrust Transparent Encryption:

  1. Stop McAfee services using one of the following:

    For McAfee 10.6.6 or later:

     systemctl stop mfetpd.service mfeespd.service

    For McAfee 10.6.5 or earlier:

     systemctl stop isecespd.service isectpd.service

  2. Stop CipherTrust Transparent Encryption:
    Linux distributions that support systemd /etc/vormetric/secfs stop
    Linux distributions that do not support systemd service secfs stop

To manually start McAfee and CipherTrust Transparent Encryption:

  1. Start CipherTrust Transparent Encryption:
    Linux distributions that support systemd /etc/vormetric/secfs start
    Linux distributions that do not support systemd service secfs start

  2. Start McAfee services using one of the following:

    For McAfee 10.6.6 or later:

     systemctl start mfetpd.service mfeespd.service

    For McAfee 10.6.5 or earlier:

     systemctl start isecespd.service isectpd.service

Excluding CTE protected directories with McAfee

Starting with CipherTrust Transparent Encryption v7.2.0, two conflicts exist between McAfee’s On-Access Scan and CipherTrust Transparent Encryption when both applications are installed, regardless of installation order. This conflict occurs because McAfee’s On-Access Scan tries to scan files in the initial startup (protected) directory, /opt/vormetric/DataSecurityExpert/agent/secfs/.sec/ whenever those files are accessed by CipherTrust Transparent Encryption's own processes and utilities. Access to a CipherTrust Transparent Encryption protected directory, and its subdirectories, is restricted so that no other process or utility can access them.

The fix is to add the CipherTrust Transparent Encryption protected directories to the McAfee On-Access Scan exclusion list:

  1. Change the directory. At the command line, type:

    • For McAfee 10.6.5 or prior versions:

      #cd /opt/isec/ens/threatprevention/bin/

    • For McAfee 10.6.6 or subsequent versions:

      #cd /opt/McAfee/ens/tp/bin

  2. Add the exclusion to McAfee’s On-Access Scan, type:

    '--addexclusionrw --excludepaths "/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/" --excludesubfolder'

The entire exclusion list command should look like the following:

  • McAfee 10.6.5 or prior versions:

    ./isecav --setoasprofileconfig --profile standard --addexclusionrw --excludepaths "/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/" –excludesubfolder

  • McAfee 10.6.6 or subsequent versions:

    ./mfetpcli --setoasprofileconfig --profile standard --addexclusionrw --excludepaths "/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/" –excludesubfolder

Note

You only need to run this command once.

Updating McAfee

It is not necessary to shut down CipherTrust Transparent Encryption services when you update McAfee Endpoint Security to a new version. Follow the update procedure described by McAfee. Before updating, ensure that the new version of McAfee is compatible with CipherTrust Transparent Encryption as described in [Supported McAfee Versions and Linux Operating Systems].

Note

When you upgrade McAfee, make sure that the current McAfee services are configured to start after the CipherTrust Transparent Encryption services in systemd. The McAfee service names depend on the version of McAfee that you are using. For details, see [Ensuring the Correct McAfee Service Order in systemd].

Virus Scanning Behavior Differences for CIFS and NFS GuardPoints

By default, on McAfee Endpoint Security, on-access virus scanning for remotely mounted file systems such as CIFS and NFS, is disabled. However, for GuardPoints configured on CIFS and NFS volumes, this default is ignored. So on-access virus scanning is always on for GuardPoints configured on CIFS and NFS volumes. This means that if a process attempts to save an infeCipherTrust Transparent Encryptiond file to a GuardPoint configured on a CIFS or NFS volume, the infeCipherTrust Transparent Encryptiond file will be discovered immediately, if it matches the McAfee malware detection algorithm and handled according to the appropriate malware policy in McAfee ePO.

On this page