Product Guide McAfee MOVE AntiVirus 3.0.0 For use with ePolicy Orchestrator 4.6.0, 5.0.
COPYRIGHT Copyright © 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc.
Contents
Preface 5
About this guide 5
Audience 5
Conventions 5
Find product documentation 6
1 Introduction to McAfee® MOVE AntiVirus Agentless 7
Components and what they do
Create a product deployment task 34
Assign a product deployment task 34
Assign a policy 35
SVA security requirements 37
Index 39
Preface

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
To access... Do this...
1 Introduction to McAfee® MOVE AntiVirus Agentless
McAfee® MOVE AntiVirus Agentless provides virus protection for virtual machines (VMs) and contains a Security Virtual Appliance (SVA) delivered as an Open Virtualization Format (OVF) package.
Components and what they do
• File Quarantine — Remote quarantine system, where quarantined files are stored on an administrator-specified network share.
• GTI (Global Threat Intelligence) — Classifies suspicious files that are found on the file system. When the real-time malware defense detects a suspicious program, it sends a DNS request for analysis to a central database server hosted by McAfee Labs. The SVA therefore needs working name resolution and outbound DNS access for GTI lookups to succeed.
2 Installation and configuration
To set up your environment for McAfee MOVE AV Agentless, you install VMware vShield Endpoint, configure the Security Virtual Appliance (SVA), and install the product extensions.
VMware vShield Endpoint is installed on an ESXi host:
• As a loadable kernel module within the hypervisor.
• As a filter driver within the guest VM.
SVA requirements
You must use the virtual machine we provide. This is a dedicated virtual appliance with VirusScan Enterprise for Linux installed. The Open Virtualization Format (OVF) image is delivered already hardened (see SVA security requirements), so it doesn't require any additional hardening. The VM must meet these minimum requirements:
CPU 2 vCPU, 1.
• McAfee MOVE AV Agentless multiple OVF deployment tool (MOVE-AV-AL_DeploySVA_3.0.0.zip)
• McAfee MOVE AV Agentless ePolicy Orchestrator package (MOVE-AV-AL_SVA_3.0.0.zip)
2 If you have installed the ePolicy Orchestrator server 4.6.x using McAfee® Endpoint Advanced Suite Installer (McAfee EASI), these extensions are already installed and ready for use in McAfee ePO.
Setting up the SVA
You must deploy the OVF and configure the SVA before you can begin using the Agentless deployment option.

OVF deployment options
The provided OVF must be deployed to each hypervisor to protect the associated VMs. There are two deployment options: multiple OVF deployment and manual deployment. There are two configuration options: automatic configuration and manual configuration.
Task
For option definitions, click ? in the interface.
1 Gather this information, which you'll need when you run the configuration script:
• SVA IP address
• vShield Manager IP address or DNS name, user name, and password
• vCenter IP address or DNS name, user name, and password
Don't use special characters when creating the user name or password for vCenter. Using special characters will result in failure to deploy the SVA. Because this rules out symbols, compensate with length: give the vCenter account a long password made of letters and digits rather than a short one.
Column Header — OVF Property
ePO Server Network — The name of the ESXi network that is used by the McAfee ePO server to manage the McAfee SVA.
To successfully deploy the SVA to a hypervisor with a network that is serviced by a distributed switch (vDS), at least two hypervisors must be connected to the vDS to provide DVPort backing.
2 Apply these settings to deploy the OVF:
• Source — Browse to and select the move-sva.ovf file.
• OVF Template Details — Review details about the OVF.
• End User License Agreement (EULA) — Accept this to continue.
• Name and Location — Specify the name of the SVA and the inventory location.
• Storage — Select the datastore for the SVA. This page is displayed only if the hypervisor has multiple datastores.
1 Log on to the SVA using the root or administrator account.
2 Run this command: sudo date -s "16 APR 2012 16:05:00"
In this example the date and time are set to 16 April 2012, 4:05 PM.
3 Type your password when prompted.

Manually configure the SVA
The first time you log on, the configuration script automatically runs.
OVF properties
If you manually deploy the OVF from the vSphere Client, the Properties page contains these settings. If these settings are specified during deployment, the SVA is configured automatically the first time you start your system.
Category / Setting — Description
• DNS / Primary Server — The IP address of the primary DNS server.
• DNS / Secondary Server — The IP address of the secondary DNS server.
Install the McAfee MOVE AV Agentless extension
A product's extension must be installed before ePolicy Orchestrator can manage the product.
Before you begin
Make sure that the extension file is in an accessible location on the network.
Task
For option definitions, click ? in the interface.
1 From the Software Manager or McAfee download site, download these files:
• Main product extension — MOVE-AV-AL_EXT_3.0.0.
3 Monitoring and managing
With the Agentless deployment option, you monitor the status of virtual desktops and modify their behavior from the ePolicy Orchestrator console.
Policy management

Policies and their categories
Policy information is grouped into two categories: SVA and Scan. You can create, modify, or delete as many policies as needed under these categories. ePolicy Orchestrator provides a preconfigured McAfee Default policy, which cannot be edited or deleted but can be copied. You then modify these copies to suit your needs.

How policies are applied
Policies are applied to any System Tree group or system by inheritance or assignment.
7 In the Scan Settings tab, configure these settings to control which files are scanned. Increasing the Cache scan result of file size up to (MB) value might negatively impact performance, because the complete file must be transferred to the SVA to create an accurate hash of the file's contents.
8 Scan Time — Green symbolizes a time slot where a scan might start; white symbolizes when a scan might not start.
Apply a policy
You must apply a policy for it to take effect. You can apply a McAfee MOVE AV Agentless Scan policy to an individual virtual machine, to a group, or even to SVA machines. However, you can apply the SVA policy to SVA virtual machines only.
Task
For option definitions, click ? in the interface.
1 From the ePolicy Orchestrator console, click Menu | Systems | System Tree.
2 Select the group containing the SVA.
3 Click Assigned Policies.
How quarantine works
McAfee MOVE AV Agentless implements a remote quarantine system, where quarantined files are stored on an administrator-specified network share. In McAfee MOVE AV Agentless 2.6, both the option for enabling quarantine and the quarantine network share setting were in the Scan policy; the network share setting has now moved to the SVA policy. This allows you to enable or disable quarantine for specific virtual machines.
3 View the VMs corresponding to the selected file.
4 Save a file to your local system.
5 Restore a specific file to one or more selected VMs.

Restore a file
Restoring a quarantined file allows you to save it to your local system or return it to a specific VM. Restore only files that you have confirmed are false positives, because a restored file is placed back on the selected VMs.
Before you begin
• Update the DATs on the SVA and the system where you run the restore. This is essential to successfully restore the file; otherwise the restored file is detected as a virus and deleted.
Errors are logged in RestoreTool.log.

Enabling the scan policy quarantine configuration
The Quarantine tab is located on the Scan policy page. Quarantine is only applicable if the on-access scan or on-demand scan primary action is Delete files automatically. If quarantine fails, the secondary action is applied.
Configure the quarantine folder
You can limit access to the quarantine folder by configuring permissions.
Tasks
• Set permissions for shared folders on page 26 — Setting permissions for the quarantine folder allows you to specify who has access to the share.
• Set permissions for shared files on page 26 — Setting permissions for shared files allows you to limit the permissions of those who can access the share.
• Quarantine folder
• Domain User Account — The account used by the SVA to quarantine files.
• Domain Local Security Group — This group has access to the Restore Tool.
Task
1 Right-click the quarantine folder, select Properties, then click the Security tab.
2 Click Edit.
a Select and remove the Users group. You must first stop the folder from inheriting permissions from its parent; an inherited Users entry cannot be removed otherwise. With inheritance disabled and the Users group gone, only the accounts you add explicitly (the SVA's domain user account and the Restore Tool security group) can reach the quarantined files.
How VM-based scan configuration works
Using the VM-based scan configuration setting, the McAfee ePO administrator can enforce unique scan policies on different groups, resource pools, or specific virtual machines protected by a MOVE SVA on a hypervisor, even when McAfee Agent is not deployed to the client systems. The Scan policy can be applied to SVA machines, to a specific virtual machine, or to a group.
Monitoring the SVA
Monitor the status of the SVA using the Threat Event Log in ePolicy Orchestrator, or the Health and Alarms feature in VMware vShield Endpoint.

View the Threat Event Log
Use the Threat Event Log to quickly view and sort through events in the database. You can choose which columns are displayed in the sortable table. Depending on which products you are managing, you can also take certain actions on the events.
Queries and reports
To create reports, your assigned permission set must include the ability to create and edit reports. You can restrict access to reports using groups and permission sets exactly as you restrict access to queries. Reports and queries can use the same groups, and because reports primarily consist of queries, this allows for consistent access control.
McAfee Agent isn't installed on each VM.
4 Upgrade McAfee MOVE AV Agentless
There are two approaches for upgrading McAfee MOVE AV Agentless: you can deploy a new SVA or upgrade an existing SVA. You must perform these upgrade steps in a specific order to successfully upgrade the software.
• Deploy a new SVA — This approach requires you to unregister an existing 2.6 SVA, then deploy the 3.0 SVA to the hypervisor. This option ensures that you have the latest security updates.
Migrate existing policies
Task
For option definitions, click ? in the interface.
1 From the ePolicy Orchestrator console, click Menu | Software | Extensions.
2 When the Extensions page opens, click Install Extension.
3 Browse to and select the MOVE-AV-AL_EXT_3.0.0.zip file, then click OK.
4 After a confirmation message, click OK.
6 Power off the SVA. Do not delete this SVA until the 3.0 version is successfully deployed. This SVA can be used to help troubleshoot deployment issues.
7 Deploy a new SVA to the hypervisor.

Upgrade an existing SVA
This upgrade approach does not require creating an additional SVA, but it creates a short window of time during which the virtual machines on that hypervisor are unprotected. In most environments, we recommend you perform this upgrade during scheduled downtime.
3 Select the package type as Product or Update (.zip).
4 Browse to and select the MOVEAVAgentless.3.0.0.163-SVA file.
5 Click Next.
6 On the Package Options page:
• Package Info — Confirm that this is the correct package.
• Branch — Select the branch for new products, usually Current.
• Package signing — Specify if the package is signed by McAfee or is a third-party package.
7 Click Save to check in the package.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Client Task Assignments, then click the Assigned Client Tasks tab.
2 Click Actions | New Client Task Assignment.
3 Select these settings, then click Next.
• Product — McAfee Agent
• Task Type — Product Deployment
• Task Name — The name of the task you used when you created the client task.
SVA security requirements
The following security measures are implemented on the SVA.
Security measure — Description
• apparmor — AppArmor is a Linux kernel security module that confines each profiled process to the files, capabilities, and network access listed in its profile. The MOVE scanning process, mvsvc, is covered by this profile: /etc/apparmor.d/opt.McAfee.move.bin.mvsvc. There are two AppArmor modes: complain and enforce. In complain mode, violations are only logged; in enforce mode, they are blocked. By default, mvsvc is in enforce mode and should stay there. If you switch the profile to complain mode for troubleshooting, switch it back afterwards and verify the mode, because a profile in complain mode gives you logging but no containment.
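The following script is an added example and is not part of the McAfee guide or the product. It checks that the mvsvc profile is in enforce mode by parsing the output of aa-status, which is the check to run after any troubleshooting that touched the profile. It assumes that aa-status reports the profile under its attachment path, /opt/McAfee/move/bin/mvsvc (the path implied by the profile file name /etc/apparmor.d/opt.McAfee.move.bin.mvsvc); the aa-status output embedded below is constructed sample data, not captured from a real SVA.

```shell
#!/bin/sh
# Added example (not from the McAfee guide): verify that the AppArmor profile
# for the MOVE scanning process (mvsvc) is in enforce mode on the SVA.
#
# Assumption: aa-status lists the profile under its attachment path,
# /opt/McAfee/move/bin/mvsvc, as implied by the profile file name
# /etc/apparmor.d/opt.McAfee.move.bin.mvsvc given in the guide.

MVSVC_PROFILE=/opt/McAfee/move/bin/mvsvc
MVSVC_PROFILE_FILE=/etc/apparmor.d/opt.McAfee.move.bin.mvsvc

# aa_profile_mode PROFILE: read aa-status output on stdin and print
# "enforce", "complain", or "unloaded" for the named profile.
# aa-status lists loaded profiles in blocks headed by
# "N profiles are in enforce mode." and "N profiles are in complain mode.";
# the per-process blocks that follow are deliberately ignored.
aa_profile_mode() {
    awk -v want="$1" '
        /profiles are in enforce mode/    { sec = "enforce";  next }
        /profiles are in complain mode/   { sec = "complain"; next }
        /processes have profiles defined/ { sec = "" }   # end of the profile lists
        sec != "" {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == want) { print sec; found = 1; exit }
        }
        END { if (!found) print "unloaded" }
    '
}

# check_mvsvc_enforced: exit status 0 only if mvsvc is confined in enforce mode.
# Reads aa-status output on stdin so it can be tested offline.
check_mvsvc_enforced() {
    [ "$(aa_profile_mode "$MVSVC_PROFILE")" = enforce ]
}

# Constructed sample of aa-status output (not captured from a real SVA).
SAMPLE_AA_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /opt/McAfee/move/bin/mvsvc
   /usr/sbin/ntpd
1 profiles are in complain mode.
   /usr/bin/example-tool
2 processes have profiles defined.
2 processes are in enforce mode.
   /opt/McAfee/move/bin/mvsvc (1234)
   /usr/sbin/ntpd (1300)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# On a real SVA, replace the printf with:  sudo aa-status | check_mvsvc_enforced
if printf '%s\n' "$SAMPLE_AA_STATUS" | check_mvsvc_enforced; then
    echo "mvsvc: AppArmor profile in enforce mode (OK)"
else
    echo "mvsvc: profile NOT enforced; re-enable with: sudo aa-enforce $MVSVC_PROFILE_FILE" >&2
fi
```

aa-status needs root to read the kernel's profile state, so pipe `sudo aa-status` into check_mvsvc_enforced on the appliance. A result of "complain" or "unloaded" means the scanner is running without confinement; aa-enforce on the profile file restores enforce mode.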
Index
A
about this guide 5
Agentless deployment option
  install extension 18
  integration with ePolicy Orchestrator 19
  policy management 19
C
components
  defined 7
  overview 7
configuration
  security virtual appliance 16
conventions and icons used in this guide 5
CSV file properties 13
D
deployment options 12
I
installation
  VMware vShield Endpoint 11
  vShield Manager 11
M
McAfee ServicePortal, accessing 6
O
open virtualization format
  deployment options 12
  manual deployment 14
  properties 17
S
security virtual appliance
  manually configure 16
  monitoring 29
  view status 29
ServicePortal, finding product documentation 6
T
Technical Support, finding product information 6
threat event log 29
V
VMware vShield Endpoint
  deploy the SVA 11
  installation 11