McAfee VirusScan Enterprise 8.
COPYRIGHT Copyright © 2008 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Contents
Introducing VirusScan Enterprise (page 6)
Using VirusScan Enterprise (page 6)
Getting started (page 8)
What to do first
Mirror tasks and how they work (page 26)
Configuring the mirror task (page 26)
How the AutoUpdate repository works (page 26)
Configuring the repository list
On-access scan detections (page 47)
On-demand scan detections (page 47)
Email scan detections (page 48)
Quarantined items
Introducing VirusScan Enterprise
VirusScan Enterprise offers easily scalable protection, fast performance, and mobile design to protect your environment from viruses, worms, and Trojan horses. It also protects your system from access point violations, exploited buffer overflows, and potentially unwanted code and programs. It detects threats, then takes the actions you configured to protect your environment. See the VirusScan Enterprise Release Notes for information about what’s new in this release.
Using VirusScan Enterprise
Module, you have additional rules to protect you from potentially unwanted spyware-related threats.
• Buffer Overflow Protection — Prevent exploited buffer overflows from executing arbitrary code on your computer.
• Unwanted Program Protection — Eliminate potentially unwanted programs such as spyware and adware from your computer.
Detection
Develop an effective strategy to detect intrusions when they occur.
Getting started
• Connecting to remote systems — Connect to remote systems with VirusScan Enterprise installed to perform actions such as modifying and scheduling scanning or update tasks, or enabling and disabling the on-access scanner.
• Submitting threat samples for analysis — Submit samples of undetected potential threats to Avert Labs through WebImmune.
• Accessing the Avert Labs Threat Library — Access the information in the Avert Labs Threat Library.
• Buffer Overflow Protection. Enable buffer overflow detection and specify exclusions. See Blocking Buffer Overflow Exploits for more information.
• Unwanted Programs Policy. Configure the policy that the on-access, on-demand, and email scanners use to detect potentially unwanted programs. Select the categories of unwanted programs to detect from a predefined list, then define additional programs to detect or exclude.
Where to find product information
Installation Phase:
• Last-minute changes to the product or its documentation.
• Installation Guide — Preparing for, installing and deploying software in a production environment.
Setup Phase:
• Managing and deploying products through ePolicy Orchestrator.
Maintenance Phase:
• Detailed information about options in the product.
• Knowledgebase (knowledge.mcaf) — Release notes and documentation. Supplemental product information.
Controlling Access to the User Interface
Setting security for the interface on client computers is an important part of protecting your environment. As an administrator, you can control the access users have to the VirusScan Enterprise interface. Specify a password to prevent users from accessing or changing selected features. You can also lock and unlock the user interface as necessary.
Configuring user interface security settings
Tab: Password Options — Specify password security for the entire system or selected items.
Protecting Your System Access Points
Access protection prevents unwanted changes to your computer by restricting access to specified ports, files, shares, registry keys, and registry values. It also protects McAfee processes by preventing users from stopping them. This protection is critical before and during outbreaks. This feature uses predefined rules and categories and user-defined rules to specify which items can and cannot be accessed.
Access point violations and how VirusScan Enterprise responds
Three rule examples are:
• Prevent modification of McAfee files and settings.
• Protect Mozilla and Firefox files and settings, Internet Explorer settings, and network settings.
• Prevent installation of Browser Helper Objects and automatically running programs from the Temp folder.
These protection levels apply to common rules.
Types of user-defined rules
• The event is recorded in the local event log and to SNMP, if you configured Alert Properties to do so.
• The event is reported to Alert Manager and/or ePolicy Orchestrator, if those products are configured to do so.
• The Block and/or Report action is taken depending on which actions are configured for the rule that detected the violation.
Configuring access protection settings
Tab: Reports
• Enable activity logging.
• Specify the log file name and location.
• Specify the log file size limit.
• Select the log file format.
Configuring anti-virus and common rules
Use predefined Anti-virus and/or Common rules to protect your computer from unwanted changes. These rules can be enabled and edited, but they cannot be deleted.
Option: Inbound — Prevent systems on the network from accessing the specified ports.
Option: Outbound — Prevent local processes from accessing the specified ports on the network.
Configuring file/folder blocking rules
Prevent users from taking action on specified files or folders.
Option definitions
Option: Rule name — Type the name for this rule.
Option: Processes to include — Restrict access to the specified processes.
Option: Rule type — Select the type of rule:
• Key — This rule protects the specified key.
• Value — This rule protects the specified value.
Option: Write to key or value — Block writing to the specified key or value.
Option: Create key or value — Block creating the specified key or value.
Option: Delete key or value — Block deleting the specified key or value.
Blocking Buffer Overflow Exploits
Buffer overflow protection prevents exploited buffer overflows from executing arbitrary code on your computer. It monitors user-mode API calls and recognizes when they are called as a result of a buffer overflow. When a detection occurs, information is recorded in the activity log and displayed in the On-Access Scan Messages dialog box if you configured those options to do so.
Configuring buffer overflow protection
Tab descriptions
Tab: Buffer Overflow Protection
• Enable buffer overflow protection.
• Configure the detection mode to warn and/or protect you from buffer overflows.
• Display the On-Access Scan Messages dialog box when a detection occurs.
• Enable activity logging.
• Specify the log file name and location.
• Specify the log file size limit.
• Select the log file format.
Restricting Potentially Unwanted Programs
VirusScan Enterprise protects your computer from potentially unwanted programs that are a nuisance or present a security risk. One common unwanted program policy is configured, but you can individually enable or disable the policy and specify actions for each of the VirusScan Enterprise scanners.
Configuring the unwanted programs policy
Tab descriptions
Tab: Scan Items
• Select the categories of unwanted programs to detect, for example spyware, adware, etc. These categories are defined by the current DAT file.
• Specify exclusions.
Tab: User-Defined Items — Define additional unwanted programs for detection.
Updating Detection Definitions
VirusScan Enterprise software depends on the scanning engine and the information in the detection definition (DAT) files to identify and take action on threats. New threats appear on a regular basis. To meet this challenge, McAfee releases new DAT files every day, incorporating the results of its ongoing research. The update task retrieves the most current DAT files, EXTRA.DAT file, scanning engine, Service Packs, and Patches.
whenever new product versions are available. Avoiding the competition for network bandwidth enables you to deploy your new software with minimal interruptions.
Update tasks and how they work
Use the update task to get the most current DAT files, scanning engine, and Service Packs and Patches. VirusScan Enterprise includes a default update task. The default task is scheduled to update every day at 5:00 p.m. with one-hour randomization.
• A connection is made to the first enabled repository (update site) in the repository list. If this repository is not available, the next site is contacted, and so on until a connection is made, or until the end of the list is reached.
• An encrypted CATALOG.Z file downloads from the repository. The file contains the fundamental data required to update. This data is used to determine which files and/or updates are available.
• Specify which executable to run after the update task has completed and whether to run it only after a successful update.
Mirror tasks and how they work
The mirror task replicates the update files from the first accessible repository defined in the repository list to a mirror site on your network. The most common use of this task is to mirror the contents of the McAfee download site to a local server.
• Encrypted credentials required to access each repository.
When an AutoUpdate task is performed, a connection is made to the first enabled repository (update site) in the repository list. If this repository is not available, the next repository is contacted, and so on until a connection is made, or until the end of the list is reached.
How rolling back DAT files works
Task
1 From the VirusScan Console, select Tools | Rollback DATs.
2 Click Yes to proceed with the DAT rollback.
NOTE: This feature is not available from the ePolicy Orchestrator console.
Configure the options on the tab. For option descriptions, click Help on the tab.
Scanning Items On-Access
The on-access scanner examines files on your computer as they are accessed to provide continuous, real-time detection of threats. Both the Access Protection and Buffer Overflow Protection features also use the on-access scanner to detect access point violations and buffer overflow exploits respectively.
Scanning comparison: writing to disk vs. reading from disk
The on-access scanner treats scans differently depending on whether the user is writing to disk or reading from disk. When files are being written to disk, it scans these items:
• Incoming files being written to the local hard drive.
Determining the number of scanning policies
Follow this process to determine whether to configure more than one on-access scanning policy:
Determining which risk to assign to a process
Once you decide that you need more than one scanning policy, identify your processes and determine which risk to assign to each one.
Task
1 Determine which processes you are using.
How general and process settings are configured
Backup software
Compiling processes
• High-risk — Processes with a greater possibility of spreading or introducing a potential threat. For example:
  Processes that launch other processes, such as Microsoft Windows Explorer or the command prompt.
  Processes that execute scripts or macros, such as WINWORD or CSCRIPT.
  Processes used for downloading from the internet, such as browsers, instant messengers, or mail clients.
Configuring process settings
Tab: ScriptScan — Enable scanning of scripts and specify exclusions.
Tab: Blocking
• Send a message when a remote computer writes a threat to this system and specify the message.
• Block the connection when a remote computer writes a threat to this system.
• Unblock the connection after the specified time.
• Block the connection when a file with a potentially unwanted program is detected in a shared folder.
• On-Access Low-Risk Processes — Specify the processes that you define as low-risk.
• On-Access High-Risk Processes — Specify the processes that you define as high-risk.
NOTE: The Configure different scanning policies for high-risk, low-risk, and default processes option must be selected on the On-Access Default Processes tab before you can configure individual policies for low-risk and/or high-risk processes.
Scanning Items On-Demand
The on-demand scanner provides a method for scanning all parts of your computer for potential threats, at convenient times or at regular intervals. Use on-demand scans to supplement the continuous protection that the on-access scanner offers, or to schedule regular scans when they do not interfere with your work.
• The lower level, remote storage, is located on the robotic tape library or stand-alone tape drive that is connected to the server computer.
Remote Storage automatically copies eligible files on your local volumes to a tape library, then monitors space available on the local volumes. File data is cached locally so that it can be accessed quickly as needed. When necessary, Remote Storage moves data from the local storage to remote storage.
Configuring on-demand scan tasks
VirusScan Enterprise includes a default on-demand scan task. You can use the default task and/or create new tasks. To access the on-demand scan task:
• From the ePolicy Orchestrator console, go to Systems | System tree | Client Task. Select an existing on-demand task or, to access the default task, click New Task, then from the Type list select On-Demand Scan (VirusScan Enterprise 8.7.0) and click Next.
Tab: Task — Specify where the on-demand scan task runs.
NOTE: This tab is only available via ePolicy Orchestrator.
Scanning Email On-Delivery and On-Demand
The email scanner automatically examines email messages and attachments:
• For Microsoft Outlook, email is scanned on delivery, or you can invoke on-demand email scans directly from Microsoft Outlook.
• For Lotus Notes, email is scanned when accessed.
Configuring email scan properties
Tab descriptions
Tab: Scan Items
• Specify which messages and attachments to scan.
• Scan for potential threats that resemble malware.
• Scan for unknown macro viruses.
• Find attachments with multiple extensions.
• Scan inside archives and decode MIME encoded files.
• Enable the email scanner to scan for unwanted programs.
• Scan email message bodies.
Defining the Quarantine Policy
Detected files, registry keys, and registry values are quarantined based on the quarantine policy you configured. You can restore quarantined items as necessary.
Contents
Configuring the quarantine policy and restoring items
Configuring the quarantine policy and restoring items
To access the Quarantine policy and Restore properties, refer to each method described below. Configure the options on each tab. For option descriptions, click ? or Help on each tab.
VirusScan Console — Quarantine Manager Policy
From the VirusScan Console, open the Quarantine Manager Policy properties.
Tab descriptions
Tab: Quarantine Manager
• Specify the quarantine location.
• Configure the length of time to keep the quarantined items.
• Restore, rescan, delete, and view quarantined items.
NOTE: The name of the item to restore can be found in the log file as the detection name.
Configuring Alerts and Notifications
Being notified when a potential threat is detected is an important part of protecting your environment. You can use Alert Manager or VirusScan Enterprise local alerting to notify you when detections occur.
• Alert Manager is a discrete component that works with VirusScan Enterprise to handle alerts and events in real time. In a typical configuration, Alert Manager resides on a central server and listens for alerts sent to it by VirusScan Enterprise.
Accessing Queries and Dashboards
Use queries and dashboards to monitor activity and help you determine what action to take on detections. You can use the predefined queries and dashboards and create additional ones to meet your needs. For information about queries and dashboards, see the ePolicy Orchestrator product documentation.
Queries
To access queries in the ePolicy Orchestrator console, go to Reporting, then under Queries, scroll down to queries starting with VSE.
Responding to Detections
There are different ways to take action on detections depending on which feature detects the threat.
Contents
How actions are taken on detections
System access point violations
Buffer overflow detections
Unwanted program detections
On-access scan detections
On-demand scan detections
Email scan detections
Quarantined items
How actions are taken on detections
When a detection occurs, the resulting action depends on how the detection definition is defined in the DAT file.
Detection type: Legitimate processes
Scenarios:
• If the rule blocked the violation but did not report the violation in the log file, select the Report option for the rule.
• If the rule blocked the violation and reported it in the log file, no action is necessary.
• If you find an unwanted process that was not detected, edit the rule to include it.
On-access scan detections
When a detection occurs:
• The scanner takes action according to how you configured the On-Access Scan Properties, Actions tab.
• A message is recorded in the On-Access Scan Messages dialog box.
Review the information in the activity log and/or the On-Access Scan Messages dialog box, then decide whether to take any of these additional actions.
• Fine-tune scanning items to make scanning more efficient.
• Submit a sample to Avert Labs for analysis — If the scanner detects something that you think it should not detect, or does not detect something that you think it should, you can send a sample to Avert Labs.
Email scan detections
When a detection occurs, the scanner takes action according to how you configured the On-Delivery Email Scan Properties or On-Demand Email Scan Properties, Actions tab.
Supplemental Information
Refer to these topics for supplemental information about using VirusScan Enterprise.
Contents
Accessing user interface options
Adding and excluding scan items
Scheduling tasks
Configuring command-line options
Connecting to remote systems
Submitting threat samples for analysis
Accessing the Avert Labs Threat Library
Troubleshooting
Accessing user interface options
There are a number of ways to access the standalone version of the VirusScan Enterprise user interface.
• Help — Access online Help topics, the Threat Library on the Avert Labs website, the Submit a Sample website, and the Technical Support website. You can also repair the product installation and view the About dialog box for copyright information and which versions of the product, license, definition files, scanning engine, extra driver, and patch are installed.
NOTE: Each item on the menu has an associated shortcut key.
You cannot customize any other scan settings.
Location: The system tray — Right-click the VirusScan Enterprise shield icon to display menu items. Examples:
• Open the VirusScan Console.
• Disable or enable the on-access scanner.
• Open the on-access scanner properties.
• View the on-access scan statistics or messages.
• Create a one-time configurable on-demand scan.
• Perform an immediate update task.
• On-Access Scan — Opens the on-access scan property pages.
• On-Demand Scan — Opens the on-demand scan property pages, where you configure and perform a one-time unsaved Full Scan.
Command line and using it to configure VirusScan Enterprise
Use the command line to perform activities from the Command Prompt. See Command-line Options for more information.
• Valid wildcards are question mark (?) for excluding single characters and asterisk (*) for excluding multiple characters.
• Wildcards can appear in front of a backslash (\) in a path. For example: C:\ABC\*\XYZ matches C:\ABC\DEF\XYZ.
• An exclusion containing question mark (?) characters applies only if the number of characters matches the length of the file or folder name. For example: the exclusion W?? excludes WWW, but does not exclude WW or WWWW.
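The wildcard rules above as a small Python matcher, added here as an example; it is not code from the guide or from McAfee. It assumes case-insensitive matching, that * does not cross a backslash, and that a pattern with no backslash is tested against the file or folder name only; the guide states none of these.

```python
# Added example (not from the McAfee guide): a matcher for the exclusion
# wildcard rules described above. Assumptions not stated in the guide:
# matching is case-insensitive (Windows file names), '*' matches zero or
# more characters but does not cross a backslash, and a pattern with no
# backslash is tested against the final file or folder name of the path.
import re


def _component_pattern(component: str) -> re.Pattern:
    """Translate one path component of an exclusion into a regex.

    '?' becomes '.', matching exactly one character, so W?? can only match
    a three-character name (WWW), never WW or WWWW. '*' becomes '.*'.
    Everything else is escaped so that '.', '(' and so on stay literal.
    """
    parts = []
    for ch in component:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def exclusion_matches(exclusion: str, path: str) -> bool:
    """Return True if the exclusion covers the given path."""
    pat_parts = exclusion.strip("\\").split("\\")
    path_parts = path.strip("\\").split("\\")
    if len(pat_parts) == 1:
        # Bare name such as W??: compare with the file or folder name only
        # (assumption, see header comment).
        path_parts = path_parts[-1:]
    if len(pat_parts) != len(path_parts):
        # A wildcard stands in for one component (C:\ABC\*\XYZ matches
        # C:\ABC\DEF\XYZ) but, under our assumption, not for two.
        return False
    return all(
        _component_pattern(p).fullmatch(q) is not None
        for p, q in zip(pat_parts, path_parts)
    )


def is_excluded(path: str, exclusions: list[str]) -> bool:
    """True if any exclusion in the list covers the path."""
    return any(exclusion_matches(e, path) for e in exclusions)


def excluded_paths(paths: list[str], exclusions: list[str]) -> list[str]:
    """Return the subset of paths that the exclusion list would skip."""
    return [p for p in paths if is_excluded(p, exclusions)]


if __name__ == "__main__":
    # Constructed sample paths and exclusions for demonstration.
    exclusions = [r"C:\ABC\*\XYZ", "W??", r"C:\Build\*.obj"]
    paths = [
        r"C:\ABC\DEF\XYZ",         # covered by C:\ABC\*\XYZ
        r"C:\ABC\DEF\GHI\XYZ",     # '*' covers one folder only (assumption)
        r"C:\Temp\WWW",            # covered by W?? (three characters)
        r"C:\Temp\WWWW",           # four characters: not covered
        r"C:\Build\main.obj",      # covered by C:\Build\*.obj
        r"C:\Build\main.obj.txt",  # '.obj' must end the name: not covered
    ]
    for p in paths:
        print(f"{p:28} excluded={is_excluded(p, exclusions)}")
```

Reviewing an exclusion list this way before deploying it shows which paths a broad pattern would silently take out of scanning.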
Configuring command-line options
For example: SCAN32 PROPERTY=VALUE [,VALUE] [/option].
On-demand scanning option definitions
Command-line Option — Definition
ALL — Scans all files in the target folder.
ALLOLE — Scans default files plus all Microsoft Office documents.
ALWAYSEXIT — Forces exit from the on-demand scan, even if the scan completed with an error/failure.
APPLYNVP — Scans for the potentially unwanted programs that are defined in the Unwanted Programs Policy.
PRIORITY — Sets the priority of the scan relative to other CPU processes. Requires an additional numerical parameter. A value of 1 assigns priority to all other CPU processes. A value of 5 assigns the highest priority to the scan.
PROMPT — Prompts the user for action when a potentially unwanted program is detected.
hkey_local_machine\software\McAfee\DesktopProtection\Tasks
/QUIET — Performs the task silently.
Connecting to remote systems
You can connect to remote systems with VirusScan Enterprise installed to perform operations such as modifying or scheduling scanning or update tasks, or enabling and disabling the on-access scanner on a remote system.
If the scanner detects something that you think it should not detect, you can also submit a sample of it to Avert Labs through WebImmune. Avert analyzes it and considers excluding it from the DAT file. You can submit a sample to Avert Labs through WebImmune by directly accessing the web site, via email, or via standard mail.
WebImmune
From the VirusScan Console, select Help | Submit a Sample to access the website.
Troubleshooting
Option definitions
Option: Restore all settings to installation defaults — Restores the VirusScan Enterprise default installation settings.
Option: Reinstall all program files — Reinstalls the VirusScan Enterprise program files.
CAUTION: Customized settings might be lost.
CAUTION: Hotfixes, Patches, and/or Service Packs might be overwritten.
Frequently asked questions
This section contains troubleshooting information in the form of frequently asked questions.
VirusScan Enterprise assign the same file name for every on-demand scan cookie detection when other programs assign an individual or incremental file name to each cookie detection?
Answer: VirusScan Enterprise assigns the same file name to each cookie detection because of the way the on-demand scanner detects and takes action on cookies. This behavior applies only to cookies detected by on-demand scans. A cookie file might contain many cookies.
• The CATALOG.Z file, which contains the latest updates, can be downloaded from this site: ftp://ftp.mcafee.com/CommonUpdater/catalog.z.
• Question: If I do detect a potentially unwanted program and I have chosen prompt user for action, what action should I choose (Clean or Delete)?
Answer: Our general recommendation is to choose Clean if you are not sure what to do with a detected file.