ESS (HBSS) Overview with complete verified solutions 2025

ESS products: ePO ePolicy Orchestrator CWS -cloud workload security DXL- Data exchange layer DLP-DCM Device control module TACC (was MACC)- TA Trellix agent (MA)- ENS Endpoint Security- PA policy auditor- RSD rogue system detection TIE APS (an ePO extension) DATT- ePO extension? OAM- ePO extension ePO extensions (3) APS DATT OAM ENS Modules ENS TP Threat Prevention module (VSE and HIPS replacement) ENS FW Firewall module (HIPS replacement) ENS WC Web Control module DCM The Device Control Module (DCM) is a subset of the McAfee product Data Loss Prevention (DLP). Within the current ESS project, DCM provides the ability to restrict system access to peripheral devices such as thumb drives and other removable storage. DCM is available from the patch repository. TACC (was MACC) Trellix application and change control. Used to whitelist and blacklist items. TACC is not required but people can ask for it. prevents zero-day and advanced persistent threats by blocking the execution of unauthorized applications while McAfee Change Control is monitoring and preventing changes to the file system, registry, and user accounts. TIE Threat intelligence exchange. Trellix Threat Intelligence Exchange (TIE) is a repository and distributor of enterprise threat intelligence. TIE quickly shares intelligence between deployed solutions and uses the Data Exchange Layer (DXL) to communicate with the other security products. Based on policy settings, security products/modules take action based on intelligence provided. The TIE solution consists of a TIE Server, TIE clients (manage endpoints) and the DXL. DXL Trellix Data Exchange Layer (DXL) is a communication mechanism that enables near real-time bidirectional communication between endpoints on a network. DXL connects multiple products and applications, shares data, and sends security tasks using a real-time application framework called the Data Exchange Layer Fabric. On the DXL fabric, OpenDXL can be used to connect products from different vendor applications and tools to quickly share threat data. APS The APS is aan ESS ePO extension, which is developed utilizing ESS Software Development Kit (SDK) library. It accesses the Microsoft SQL Server database directly. It uses common Java frameworks such as Spring and Hibernate to support business logic, object oriented design, delegation of control, and data access. It uses JAX-WS as the Web Service stack to implement security and create the WS-Notification Web Service Consumer stubs to publish data. RE This capability supports the custom DoD rollup architecture of managed systems properties. Rollup Extender extends native ePO rollup capabilities to include three additional server tasks to provide backwards compatibility and for rollup to occur to and from a staging server. OAM The OAM is the ESS ePO extension that allows to associate assets with key operational metadata including managing organization, location, systems affiliation and administrative POC. The OAM utilizes ePO System Tree to tag ESS assets. To improve data quality and synchronization, the OAM maintains standardized organizations and locations data consumed from the Cyber Operational Attributes Manager Service (COAMS). The OAM collected data enables DISA's Continuous Monitoring Risk Scoring (CMRS) system to generate organization-specific reports to quickly assess compliance, generate risk scores and identify organizations responsible for applying mitigation measures. PA McAfee Policy Auditor (PA) is a component of the ESS baseline that provides the capability to validate the integrity of HBSS/ESS hosts by scanning for configuration settings and options. As an SCAP-compliant OVAL/XCCDF scan engine, Policy Auditor can support compliance checking for STIGs, IAVAs, FDCC, and other technical configuration benchmarks.