McAfee VirusScan Enterprise 8.8
COPYRIGHT Copyright © 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Contents
Preface 6
Audience 6
Conventions
Update tasks and how they work 44
Mirror tasks and how they work 45
How the AutoUpdate repository works 47
How rolling back DAT files works
Unwanted program detections 73
On-access scan detections 74
On-demand scan detections 75
Email scan detections
Preface
To use this document effectively you should understand who this document is written for, the conventions used, what's in it, and how to find other reference documentation.
Contents
Audience
Conventions
How this guide is organized
Finding product documentation
Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
How this guide is organized
This document is meant as a reference to use along with the VirusScan Console and ePolicy Orchestrator user interfaces. It also describes, in order, how you should approach protecting your system from malware using VirusScan Enterprise.
Finding product documentation
McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need.
Getting Started
Understanding the components of McAfee VirusScan Enterprise 8.8 software, and the order in which you should configure them, helps you protect your system from threats.
• The AntiSpyware Enterprise Module has been fully integrated into the VirusScan Enterprise 8.8 software.
• Support for Outlook 2010 email scanning.
• Support for Lotus Notes 8.0x through 8.5.1 email scanning.
Components and how they interact
As an administrator and user of VirusScan Enterprise, you should be familiar with its components and connections. The following figure shows these components for a basic environment.
The importance of creating a security strategy
McAfee Headquarters
McAfee Headquarters, home to McAfee Labs and McAfee Technical Support, provides the following VirusScan Enterprise services:
• DAT updates — Stored on a McAfee central database server and distributed using AutoUpdate, DAT update files are copied to the VirusScan Enterprise clients or to optional DAT repositories, providing the information needed to fight known threats, including new lists of known viruses as they are found.
Detection — finding threats
Develop an effective strategy to detect intrusions when they occur. Configure these features to detect threats:
• Update Task — Get automatic updates of the DAT files and scanning engine from the McAfee download website.
• On-Access Scanner — Detect potential threats from any possible source as files are read from or written to disk. You can also scan for potentially unwanted cookies in the cookies folder.
... high- and low-risk profile scanning, and when to disable scan-on-write, can all improve performance.
CAUTION: Failing to enable the When reading from disk scan option leaves your system unprotected from numerous malware attacks.
VirusScan Console and ways to access it
The VirusScan Console is the interface for the standalone version of the product. You use it to configure, monitor, and update the product.
• Delete the selected task.
• Configure alerting properties.
• Launch the event viewer.
• Access the Information Library on the McAfee Labs website.
• Connect to a remote computer if you have administrator rights.
• Create a new on-demand scan.
Task list: Displays the default tasks and any new tasks that you create, as well as the status and last result for each task.
Status bar: Displays the status of the current activity.
• Status — This icon does not change to indicate access protection trigger alerts, or when on-access scanning is disabled, on ePolicy Orchestrator managed clients with McTray version 2.x or later (with McAfee Agent 4.5 or later). Status changes are shown as tool tips.
• Tool tips — The icon tool tips include:
  • McAfee Status: OK — Normal. Options indicate:
    • View Security Status — Displays a check mark.
• "V" in a shield with circle and line — Indicates on-access scanning is disabled.
• "V" in a shield with red outline — Indicates on-access scanning is enabled, but see the Access Protection log file.
• Tool tip — Displays "McAfee".
• Menu options — The right-click menu options include:
  • VirusScan Console — Opens the VirusScan Console.
  • Disable or Enable On-Access Scanner — Toggles the on-access scanner.
  • McAfee Agent Status Monitor — Displays the McAfee Security Status Monitor dialog box.
  • About — Opens the About dialog box.
What to do first
When the software is installed, it uses the DAT files packaged with the product, which provide general security for your environment. McAfee recommends that you get the latest DAT files and customize the configuration to meet your requirements before you deploy the product to client systems.
• Quarantine Manager Policy — Configure the location of the quarantine folder and the number of days to keep quarantined items before they are automatically deleted. See Quarantined items for more information.
Part I - Prevention: Avoiding Threats
Prevention is the first step in a protection strategy: keeping threats from gaining access to your system.
Contents
Access protection
Protecting your system access points
Blocking buffer overflow exploits
Restricting potentially unwanted programs
Updating detection definitions
Excluding scan items
Using scheduled tasks
Access protection
Preventing threat access to your client system is your first line of defense against malware.
• Internet Relay Chat (IRC) messages — Files sent along with these messages can easily contain malware. For example, automatic startup processes can contain worms and Trojan threats.
• Browser and application Help files — Downloading these Help files exposes the system to embedded viruses and executables.
The following example shows the fields of an Access Protection log entry:
Log entry                                     Description
2/10/2010                                     Date
11:00AM                                       Time
Blocked by Access Protection rule             Action taken
TestDomain\TestUser                           Credentials
C:\Users\TestUser\Desktop\AnnoyMe.exe         Process name that breached the rule
\REGISTRY\MACHINE\SOFTWARE\Microsoft...       Location the process tried to access
Prevent programs registering to autorun       Access Protection rule that was triggered
Similar information is available using ePolicy Orchestrator queries.
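The log entry above is easier to act on across a fleet when it is parsed rather than read. The following Python is an added example, not McAfee code or a format the guide specifies: it assumes the Access Protection log is tab-separated with the seven fields of the table above in that order, assumes the "Would be blocked by Access Protection rule (rule is currently not enforced)" action string for rules left in Report mode, and the sample lines, user names and the "Block access to shares during an outbreak" rule name are constructed for the illustration.

```python
"""Added example: parse Access Protection log entries and summarize them per
rule and process image.  Not McAfee code; field order, action strings and the
sample lines are assumptions made for this illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Assumed field order, taken from the log-entry table in the guide.
FIELDS = ("date", "time", "action", "user", "process", "target", "rule")

# Assumed action strings for an enforced (Block) hit and a report-only hit.
BLOCKED = "Blocked by Access Protection rule"
REPORTED = "Would be blocked by Access Protection rule (rule is currently not enforced)"


@dataclass
class Entry:
    when: datetime
    action: str
    user: str
    process: str
    target: str
    rule: str

    @property
    def enforced(self) -> bool:
        return self.action == BLOCKED

    @property
    def image(self) -> str:
        """Process image name, lower-cased, without its directory."""
        return self.process.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_entry(line: str) -> Entry:
    """Split one tab-separated log line into an Entry; reject malformed lines."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    when = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%Y %I:%M%p")
    return Entry(when, rec["action"], rec["user"], rec["process"], rec["target"], rec["rule"])


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, Counter]]:
    """rule name -> process image -> Counter of 'blocked' and 'reported' hits."""
    out: Dict[str, Dict[str, Counter]] = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        if line.strip():
            e = parse_entry(line)
            out[e.rule][e.image]["blocked" if e.enforced else "reported"] += 1
    return out


def report_only_hits(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(rule, image) pairs seen only in Report mode.  Each one needs a decision
    (add a process exclusion, or accept that it will be denied) before the rule
    is switched from Report to Block."""
    found = []
    for rule, images in summarize(lines).items():
        for image, counts in images.items():
            if counts["reported"] and not counts["blocked"]:
                found.append((rule, image))
    return sorted(found)


RUN_KEY = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed sample log lines (not real log output).
SAMPLE_LINES = [
    "\t".join(["2/10/2010", "11:00AM", BLOCKED, "TestDomain\\TestUser",
               "C:\\Users\\TestUser\\Desktop\\AnnoyMe.exe", RUN_KEY + "\\AnnoyMe",
               "Prevent programs registering to autorun"]),
    "\t".join(["2/10/2010", "11:03AM", BLOCKED, "TestDomain\\TestUser",
               "C:\\Users\\TestUser\\Desktop\\annoyme.exe", RUN_KEY + "\\Updater",
               "Prevent programs registering to autorun"]),
    "\t".join(["2/10/2010", "2:15PM", REPORTED, "TestDomain\\Admin",
               "C:\\Temp\\setup.exe", RUN_KEY + "\\Agent",
               "Prevent programs registering to autorun"]),
    "\t".join(["2/10/2010", "2:20PM", REPORTED, "NT AUTHORITY\\SYSTEM",
               "C:\\Program Files\\Backup\\backup.exe", "\\\\fileserver\\share\\archive",
               "Block access to shares during an outbreak"]),
]

if __name__ == "__main__":
    for rule, images in summarize(SAMPLE_LINES).items():
        for image, counts in images.items():
            print(f"{rule}: {image} blocked={counts['blocked']} reported={counts['reported']}")
    print("review before enforcing:", report_only_hits(SAMPLE_LINES))
```

Grouping by image name rather than full path is deliberate: the same tool runs from different user profiles, and the exclusion list on a rule is keyed by image name as well.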
Configuring the General Options Policies user interface properties
Configure the General Options Policies user interface properties with these user interface consoles.
ePolicy Orchestrator 4.5 or 4.6
Task
For option definitions, click ? on each tab.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
a Click New Policy to open the New Policy dialog box.
b From the Create a new policy based on this existing policy list, select one of the settings.
c Type a new policy name.
d Click OK. The new policy appears in the list of existing policies.
3 From the Settings for list, select Workstation or Server.
Rule type descriptions
Rule type: Anti-virus
Description: These preconfigured rules protect your computer from common behaviors of malware threats. You can enable, disable, and change the configuration of these rules, but you cannot delete them.
Protection level: Outbreak control
Description: Anti-virus rules that block destructive code from accessing the computer until a DAT file is released. These rules are preconfigured to block access to shares during an outbreak.
Access point violations and how VirusScan Enterprise responds
An access violation occurs when a restricted user or process tries to start, stop, or access restricted components of your computer.
Configuring access protection settings
Use Access Protection Policies to protect your system's access points and prevent termination of McAfee processes.
CAUTION: Failure to enable access protection to prevent McAfee services from being stopped leaves your system unprotected from numerous malware attacks.
There are two types of access protection rules you can configure.
ePolicy Orchestrator 4.5 or 4.6
From the Access Protection Policies, configure the predefined access protection rules.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
b From the Create a new policy based on this existing policy list, select one of the settings.
c Type a new policy name.
d Click OK. The new policy appears in the list of existing policies.
3 From the Settings for list, select Workstation or Server.
4 From the Access Protection Policy page, click the Access Protection tab to display the Access Protection Rules.
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit Setting to open the policy configuration page.
Create a new policy
a Click Actions | New Policy to open the New Policy dialog box.
b From the Category list, select an existing policy.
c From the Create a new policy based on this existing policy list, select one of the settings.
d Type a new policy name.
a Click New Policy to open the New Policy dialog box.
b From the Create a new policy based on this existing policy list, select one of the settings.
c Type a new policy name.
d Click OK. The new policy appears in the list of existing policies.
3 From the Settings for list, select Workstation or Server.
4 Select the User-defined Rules category in the left pane, then click New to open the Select the new rule type dialog box.
5 Click OK. The new user-defined rule appears in the right-hand pane in the Rules column. To modify the new rule, select it and click Edit.
Port blocking rule options
Port blocking rules stop users from accessing specified inbound and outbound ports, and they prevent other computers from accessing the computer through those ports.
Option definitions
Rule Name: Type the name for this rule.
Files being deleted: Block files from being deleted from the specified folder.
Registry blocking rule options
Registry blocking rules prevent users and unauthorized programs from altering, opening, or deleting specified registry keys and values.
NOTE: When creating a registry blocking rule, use the best-matching registry hive (subtree) abbreviation.
Processes to exclude: Allow access to these processes. Use the exact process name; the list below also shows a trailing wildcard. For example, specify these exclusions: avtask.exe, cfgwiz.exe, fssm32.exe, giantantispywar*, kavsvc.exe, mmc.exe, navw32.exe, nmain.exe, rtvscan.exe.
Removing user-defined rules
Remove rules that you created but no longer use. Remove the user-defined rules using one of these user interface consoles.
ePolicy Orchestrator 4.
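To make the rule semantics above concrete (a guarded target, a Report or Block action, and a list of excluded process names that may end in a wildcard), here is an added Python model of how such rules are evaluated. It is not McAfee code and does not reproduce the product's matching engine: the hive-abbreviation mapping, the "any matching Block rule wins" ordering, and all rule names, targets and exclusion lists below are constructed assumptions for the illustration.

```python
"""Added example: a model of Access Protection rule evaluation.  Not McAfee
code.  Rule names, targets and exclusion lists are constructed; the hive
mapping and the 'any blocking rule wins' ordering are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List

# Assumed mapping from the hive abbreviations used in rules to the kernel
# object paths that appear in the Access Protection log (no leading backslash
# so rule targets and logged targets normalize to the same form).
HIVE_PATHS = {"HKLM": "REGISTRY\\MACHINE", "HKU": "REGISTRY\\USER"}


def normalize_target(path: str) -> str:
    """Upper-case, backslash-separated path with the hive abbreviation expanded."""
    p = path.replace("/", "\\").strip("\\")
    head, _, rest = p.partition("\\")
    if head.upper() in HIVE_PATHS:
        p = HIVE_PATHS[head.upper()] + ("\\" + rest if rest else "")
    return p.upper()


@dataclass
class Rule:
    name: str
    target: str                       # registry key or file/folder path the rule guards
    block: bool                       # True: Block (deny access); False: Report only
    excluded_processes: List[str] = field(default_factory=list)   # image names, '*' allowed
    enabled: bool = True

    def matches_target(self, target: str) -> bool:
        """The guarded key itself or anything beneath it."""
        want, got = normalize_target(self.target), normalize_target(target)
        return got == want or got.startswith(want + "\\")

    def excludes(self, image: str) -> bool:
        """Exclusion is by image name only (case-insensitive, shell-style wildcard)."""
        return any(fnmatch(image.lower(), pat.lower()) for pat in self.excluded_processes)


@dataclass
class Decision:
    action: str          # "Allowed", "Reported" or "Blocked"
    rules: List[str]     # names of the rules that matched


def evaluate(rules: List[Rule], process_path: str, target: str) -> Decision:
    """Report rules only log; a matching Block rule denies the access."""
    image = process_path.replace("/", "\\").rsplit("\\", 1)[-1]
    hits = [r for r in rules
            if r.enabled and r.matches_target(target) and not r.excludes(image)]
    if not hits:
        return Decision("Allowed", [])
    action = "Blocked" if any(r.block for r in hits) else "Reported"
    return Decision(action, [r.name for r in hits])


RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed rule set for the demonstration.
RULES = [
    Rule("Prevent programs registering to autorun", RUN_KEY, block=True,
         excluded_processes=["mmc.exe", "giantantispywar*"]),
    Rule("Report changes to installed-program list",
         "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", block=False),
    Rule("Prevent programs registering to RunOnce",
         "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", block=True,
         enabled=False),
]

if __name__ == "__main__":
    logged_target = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\AnnoyMe"
    for proc in ("C:\\Users\\TestUser\\Desktop\\AnnoyMe.exe", "C:\\Windows\\System32\\mmc.exe"):
        print(proc, "->", evaluate(RULES, proc, logged_target))
```

One caveat the model makes visible: because "Processes to exclude" is matched on the image name alone, the exclusion list is an allowlist satisfied by any binary that carries one of those names, so keep it as short as the environment allows.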
Blocking buffer overflow exploits
Task
For option definitions, click ? or Help in the interface.
1 Click Systems | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
VirusScan Enterprise uses a Buffer Overflow and Access Protection DAT file to protect approximately 30 applications, for example Internet Explorer, Microsoft Outlook, Outlook Express, Microsoft Word, and MSN Messenger.
ePolicy Orchestrator 4.5 or 4.6
Configure the Buffer Overflow Protection Policies with this user interface console.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit to open the policy configuration page.
Create a new policy
a Click New Policy to open the New Policy dialog box.
b From the Create a new policy based on this existing policy list, select one of the settings.
c Type a new policy name.
d Click OK.
Restricting potentially unwanted programs
VirusScan Enterprise protects your computer from potentially unwanted programs that are a nuisance or present a security risk. A single common Unwanted Programs policy is configured, but you can individually enable or disable detection and specify actions for each of the VirusScan Enterprise scanners.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit Setting to open the policy configuration page.
3 From the Settings for list, select Workstation or Server.
4 From the Unwanted Programs Policy page, click the Scan Items tab to configure:
a Categories of unwanted programs to detect — For example, spyware and adware. These categories are defined by the current DAT file.
b Exclusions — You must specify the exact detection name that you want to exclude, not the file name.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
c Type a new policy name.
d Click OK. The new policy appears in the list of existing policies.
3 From the Settings for list, select Workstation or Server.
4 From the On-Access Scan Policies or On-Delivery Email Policies page, click the Scan Items tab and select Detect unwanted programs.
VirusScan Console
Enable the on-access and email scanners to detect unwanted programs using the VirusScan Console.
Updating detection definitions
DAT files and how they work
When the scanning engine searches through files looking for threats, it compares the contents of the scanned files to known threat information stored in the detection definition (DAT) files. The known threat information, called signatures, is information McAfee Labs has found and added to the DAT files.
Requirements for an efficient update strategy
An efficient updating strategy generally requires at least one client or server in your organization to retrieve updates from the McAfee download site. From there, the files can be replicated throughout your organization, providing access for all other computers.
... an update. By default, detection for the new potentially unwanted program in the EXTRA.DAT is ignored once the new detection definition is added to the daily DAT files.
Configuring the AutoUpdate task
To update DAT files and scan engines automatically for all McAfee products, you must configure the AutoUpdate properties and schedule.
Task
For option definitions, click ? or Help on the tab.
The VirusScan Enterprise software relies on a directory structure to update itself. When mirroring a site, it is important to replicate the entire directory structure.
NOTE: This directory structure also supports previous versions of VirusScan Enterprise and NetShield, as long as the entire directory structure is replicated in the same location that VirusScan Enterprise 8.8 uses for updating.
Tab definitions
Mirror:
• Specify the log file location and format.
• Specify which executable to run after the mirror task has completed and whether to run it only after a successful mirror.
How the AutoUpdate repository works
The AutoUpdate repository list (SITELIST.XML) specifies the configuration information necessary to perform an AutoUpdate task.
Tab definitions
Repositories:
• Specify the repositories where you get updates.
• Configure the order in which to access the repositories.
Proxy settings: Specify which proxy settings to use when updating.
How rolling back DAT files works
If you find your current DAT files are corrupted or incompatible, you can roll back the DAT files to the last backed-up version.
Excluding scan items
Specifying exclusions
Specify files, folders, and drives to exclude from scanning operations. You can also remove any exclusions you specified previously.
Option definitions
What to exclude: Select the type of exclusion.
• Exclude by file name/location — Specify the file name, location, and whether to exclude subfolders.
NOTE: You must add a backslash (\) at the end of the string to apply the exclusion to a folder; without it the string is treated as a file name.
Using scheduled tasks
Contents
Scheduling tasks
Configuring the task schedule
Scheduling tasks
You have the option to schedule on-demand, AutoUpdate, and mirror tasks to run at specific dates and times, or at intervals. The way you schedule tasks depends on the user interface console you use. To schedule these tasks:
• ePolicy Orchestrator console — Use the Schedule tab to display the Schedule page.
Part II - Detection: Finding Threats
Finding threats is the second step in a protection strategy: detecting malware attempting to gain access to your system.
Contents
Scanning items on-access
Scanning items on-demand
Scanning email on-delivery and on-demand
Scanning items on-access
The on-access scanner examines files on your computer as they are accessed, which provides continuous, real-time detection of threats.
2 If the file meets the scanning criteria, it is scanned by comparing the information in the file to the known malware signatures in the currently loaded DAT files.
• If the file is clean, the result is cached and the read, write, or rename operation is granted.
• If the file contains a threat, the operation is denied and the configured action is taken.
When scanning Default + additional file types, the scanner examines a list of specific files based on the file types you select.
• Default file types: The on-access scanner examines the specified file type only for threats that attack that file type.
• Additional file types: The on-access scanner examines the files with matching extensions for all possible threats.
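The scan decision described in the last few passages (the trailing-backslash rule for folder exclusions under Excluding scan items, the cache of clean results, and the Default + additional file types selection) can be modelled in a few dozen lines. The Python below is an added example, not McAfee code: the extension list that the real DAT files supply is replaced by a constructed DEFAULT_TYPES set, "signatures" are plain byte strings, and keying the clean-result cache on the DAT version so that a DAT update forces a rescan is an assumption made for the illustration.

```python
"""Added example: the on-access scan decision modelled in Python.  Not McAfee
code.  Exclusion and file-type semantics follow the guide; the cache key,
the DEFAULT_TYPES set and the byte-string signatures are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


@dataclass
class Exclusion:
    """A trailing backslash makes the entry a folder exclusion; without it the
    string only ever matches a single file, which is the mistake the guide's
    NOTE warns about."""
    pattern: str
    subfolders: bool = False

    def matches(self, path: str) -> bool:
        p, pat = _norm(path), _norm(self.pattern)
        if pat.endswith("\\"):
            if not p.startswith(pat):
                return False
            return self.subfolders or "\\" not in p[len(pat):]
        return p == pat


# Constructed stand-in for the extension list the DAT files define for
# "Default + additional file types".
DEFAULT_TYPES: Set[str] = {"exe", "dll", "com", "scr", "doc", "xls", "js", "vbs"}


@dataclass
class ScanPolicy:
    all_files: bool = True
    additional_types: Set[str] = field(default_factory=set)
    exclusions: List[Exclusion] = field(default_factory=list)

    def is_excluded(self, path: str) -> bool:
        return any(x.matches(path) for x in self.exclusions)

    def type_selected(self, path: str) -> bool:
        if self.all_files:
            return True
        name = _norm(path).rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        return ext in DEFAULT_TYPES or ext in {t.lower() for t in self.additional_types}


class OnAccessScanner:
    """File content and modification time are passed in directly, standing in
    for the disk; signatures map a detection name to a byte pattern."""

    def __init__(self, policy: ScanPolicy, dat_version: int, signatures: Dict[str, bytes]):
        self.policy = policy
        self.dat_version = dat_version
        self.signatures = signatures
        self.clean_cache: Set[Tuple[str, int, int]] = set()   # (path, mtime, DAT version)
        self.scans = 0                                         # real scans performed

    def load_dat(self, version: int, signatures: Dict[str, bytes]) -> None:
        """New DAT: existing cache keys carry the old version and stop matching."""
        self.dat_version, self.signatures = version, signatures

    def on_access(self, path: str, content: bytes, mtime: int) -> str:
        if self.policy.is_excluded(path):
            return "skipped:excluded"
        if not self.policy.type_selected(path):
            return "skipped:type"
        key = (_norm(path), mtime, self.dat_version)
        if key in self.clean_cache:
            return "clean:cached"
        self.scans += 1
        for name, pattern in self.signatures.items():
            if pattern in content:
                return f"denied:{name}"          # detections are never cached
        self.clean_cache.add(key)
        return "clean"


if __name__ == "__main__":
    policy = ScanPolicy(all_files=False, additional_types={"pdf"},
                        exclusions=[Exclusion("C:\\Backups\\"), Exclusion("C:\\Logs\\app.log")])
    scanner = OnAccessScanner(policy, 1000, {"Test.Sig": b"SIGNATURE-A"})
    for p, c in [("C:\\Users\\u\\tool.exe", b"MZ"), ("C:\\Users\\u\\tool.exe", b"MZ"),
                 ("C:\\Backups\\old\\x.exe", b"MZ"), ("C:\\Users\\u\\evil.exe", b"MZ SIGNATURE-A")]:
        print(p, "->", scanner.on_access(p, c, 1))
```

Two results worth noticing when running it: an exclusion written as C:\Backups (no trailing backslash) matches nothing inside that folder, and a folder exclusion without the subfolders option still lets C:\Backups\old\x.exe be scanned.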
Determine the number of scanning policies
Follow this process to determine whether to configure more than one on-access scanning policy.
How general and process settings are configured
The on-access scanner's general and process policies are configured separately.
• General Settings — Includes options that apply to all processes.
Configure the on-access general settings using the following user interface consoles.
ePolicy Orchestrator 4.5 or 4.6
Configure the general settings that apply to scanning of all processes with this user interface console.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0.
6 On the Blocking tab, configure blocking of connections from remote computers that write files containing potential threats or unwanted programs.
NOTE: By default, when a remote system writes any malware to a system with VirusScan Enterprise, VirusScan Enterprise blocks the connection to that remote system. You can also configure a message that is sent to the system that wrote the malware.
5 On the ScriptScan tab, enable ScriptScan and configure any processes or URLs to exclude from scanning.
NOTE: With previous versions of VirusScan Enterprise, disabling on-access scanning also disabled ScriptScan. With VirusScan Enterprise 8.8, disabling on-access scanning does not disable ScriptScan. To disable ScriptScan, deselect the Enable scanning of scripts checkbox.
4 On the Blocking tab, configure blocking of connections from remote computers that write files containing potential threats or unwanted programs.
NOTE: By default, when a remote system writes any malware to a system with VirusScan Enterprise, VirusScan Enterprise blocks the connection to that remote system. You can also configure a message that is sent to the system that wrote the malware.
g From the Actions column of the new policy, click Edit Setting to open the policy configuration page.
3 From the Settings for list, select Workstation or Server.
4 From the Processes tab, click Configure different scanning policies for high-risk, low-risk, and default processes to display the on-access Default Processes, Low-Risk Processes, or High-Risk Processes policies.
4 From the On-Access Default, Low-Risk, or High-Risk Processes Policies page, configure the options on each tab. Refer to Process setting tab options.
Process setting tab options
The following table describes the on-access scanner tab options.
ePolicy Orchestrator 4.5 or 4.6
Enable scanning of network drives from the On-Access Default Processes Policies with this user interface console.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
c Type a new policy name.
d Click OK. The new policy appears in the list of existing policies.
3 From the Settings for list, select Workstation or Server.
4 On the On-Access Default Processes Policies page, click the Scan Items tab and select On network drives next to Scan files.
5 Click Save.
VirusScan Console
Enable scanning of network drives with this user interface console.
Task
For option definitions, click Help in the interface.
Scanning items on-demand
• The file has not been cached.
• The file has not been excluded.
• The file has not been previously scanned.
NOTE: The on-demand scanner uses heuristics to check for suspicious files if you configure Artemis. For details, see How Artemis works.
2 If the file, folder, or disk meets the scanning criteria, it is scanned by comparing the information in the file to the known virus signatures in the currently loaded DAT files.
... storage to local storage. When you need to access a file on a volume managed by remote storage, open the file as usual. If the data for the file is no longer cached on your local volume, remote storage recalls the data from a tape library.
How scan deferral works
To improve performance, you can defer on-demand scan tasks when battery power is low or during full-screen presentations.
Task
For option definitions, click ? in the interface.
1 Click Menu | System | System Tree and select Client Task.
2 From the Client Task page that appears:
• To edit an existing on-demand scan task, click Edit Setting from the Actions column of the task to open the Description page.
• To create a new on-demand scan task, click Actions | New task to open the Description page.
Task
For option definitions, click Help in the interface.
1 Open the On-Demand Scan Properties page for an existing or new task:
• Right-click an existing on-demand scan task and select Properties.
• Create a new task by selecting Task | New On-Demand Scan Task, then right-click the new task and select Properties.
2 Configure each of the tabs in the On-Demand Scan Properties dialog box.
• Secondary action to take on an unwanted program detection if the first action fails. For allowed actions in the prompt dialog box, select the action.
Reports:
• Enable activity logging.
• Specify the log file name and location.
• Specify the log file size limit.
• Select the log file format.
• Specify what to log besides scanning activity.
Create a new policy
a Click New Policy to open the New Policy dialog box.
b From the Create a new policy based on this existing policy list, select one of the settings.
c Type a new policy name.
d Click OK. The new policy appears in the list of existing policies.
3 From the Settings for list, select Workstation or Server.
VirusScan Console
Configure the scan cache feature with this user interface console.
Task
For option definitions, click Help in the interface.
1 Click Tools | General Options and the Global Scan Settings tab to display the Global Scan Settings dialog box.
2 Configure the following global settings for the scan cache:
• Click Enable saving scan data across reboots — Saves the clean scan results when you reboot the system.
Scanning email on-delivery and on-demand
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit Setting to open the policy configuration page.
VirusScan Console
Configure the On-Delivery Email Scan Policies using this user interface console.
Task
For option definitions, click ? in the interface.
1 From the Task list, right-click On-Delivery Email Scan Properties, then click Properties to open the dialog box.
2 From the On-Delivery Email Scan Properties dialog box, configure the options on each tab. Refer to On-delivery email scan policies tab definitions.
Part III - Response: Handling Threats Responding to threats is the third step in a protection strategy to detect and clean malware that attempts to gain access to your system. Contents Detections and responses Configuring alerts and notifications Access queries and dashboards Configuring emergency DATs Detections and responses When a threat occurs and is detected, what happens next is determined by how VirusScan Enterprise is configured to respond and which feature detects the threat.
Part III - Response: Handling Threats Detections and responses System access point violations When a system access point is violated, the action taken depends on how the rule was configured. If the rule was configured to: • Report — Information is recorded in the log file. • Block — Access is denied.
Part III - Response: Handling Threats Detections and responses Review the information in the log file, then decide whether to take any of these additional actions: • Fine-tune scanning items — This makes your scans more efficient. • Exclude it from detection — If a legitimate program was detected, you can configure it as an exclusion. • Add it to the user-defined detection list — If an unwanted program was not detected, you can add it to the user-defined detection list.
On-demand scan detections
When an on-demand detection occurs, the scanner takes action according to how you configured the On-Demand Scan Properties, Actions tab. Review the information in the log file, then decide whether to take any of these additional actions:
• Fine-tune scanning items — This makes your scans more efficient.
Tasks
ePolicy Orchestrator 4.5 or 4.6
ePolicy Orchestrator 4.0
VirusScan Console
ePolicy Orchestrator 4.5 or 4.6
Configure the Quarantine Manager Policies using this console.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
a From the Category list, select the policy category.
b From the Actions column, click Edit to open the policy configuration page.
Create a new policy
a Click New Policy to open the New Policy dialog box.
b From the Create a new policy based on this existing policy list, select one of the settings.
c Type a new policy name.
d Click OK. The new policy appears in the list of existing policies.
• View detection properties.
3 A dialog box appears and describes the effect of your attempt.
Configuring alerts and notifications
Being notified when a potential threat is detected is an important part of protecting your environment. You can use the ePolicy Orchestrator console, or the VirusScan Console, to configure how you are notified when detections occur.
c From the Create a new policy based on this existing policy list, select one of the settings.
d Type a new policy name.
e Type any notes, if required.
f Click OK. The new policy appears in the list of existing policies.
g From the Actions column of the new policy, click Edit Setting to open the policy configuration page.
3 From the Settings for list, select Workstation or Server.
4 Configure the alert policy tabs.
2 Configure the alert policy tabs. Refer to Alert policy tab configuration.
Alert policy tab configuration
Task: Alerts Policies
1 From the Actions column, select Edit Settings to open the Alerts Policies page.
2 Configure the Components that generate alerts and Alert Manager options.
VSE: Spyware Detected in the Last 24 Hours
VSE: Spyware Detected in the Last 7 Days
VSE: Summary of Threats Detected in the Last 24 Hours
VSE: Summary of Threats Detected in the Last 7 Days
VSE: Threat Count by Severity
VSE: Top 10 Threats per Threat Category
VSE: Top 10 Users with the Most Detections
VSE: Unwanted Programs Detected in the Last 24 Hours
VSE: Unwanted Programs Detected in the Last 7 Days
VSE: Version 8.
Configuring emergency DATs
An EXTRA.DAT file, packaged in a SuperDAT (SDAT) executable file, is made available by McAfee Labs until the normal VirusScan Enterprise DAT update is released.
NOTE: McAfee no longer posts individual EXTRA.DAT files on the Security Updates download site. To get an EXTRA.DAT file for a specific threat, go to the McAfee Avert Labs Extra.dat Request Page at https://www.webimmune.net/extra/getextra.aspx.
Task
For option definitions, click ? in the interface.
1 To install the SuperDAT file on an ePolicy Orchestrator server, use the steps for your server version:
ePolicy Orchestrator 4.5 and 4.6
1 Click Menu | Software | Master Repository to open the Packages in Master Repository page.
2 Click Actions | Check in Packages.
ePolicy Orchestrator 4.0
Part IV - Monitoring, Analyzing, and Fine-Tuning Your Protection
After the initial configuration of your protection strategy, you should monitor, analyze, and fine-tune your protection. By checking the activity log files and ePolicy Orchestrator queries, you can improve the performance and the protection of VirusScan Enterprise systems.
Monitoring activity in your environment
• For Microsoft Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008 — C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
• For Microsoft Windows 7 — C:\ProgramData\McAfee\DesktopProtection
NOTE: On Windows Vista and Windows Server 2008 the Documents and Settings path is a junction, so both paths resolve to the same C:\ProgramData\McAfee\DesktopProtection directory.
Table 1: Log files
File name | How to access | Displays
AccessProtectionLog.
Analyzing your protection
• A table with similar information and a total of the threats.
NOTE: You can click the bar chart or a table row to drill into the underlying ePolicy Orchestrator database records.
3 Click Close to return to the queries list.
There are many more default queries you can run, and you can create your own queries. See the ePolicy Orchestrator documentation for details.
ePolicy Orchestrator 4.5 or 4.6
This example analysis is used as a framework for analyzing most VirusScan Enterprise protection scenarios with ePolicy Orchestrator 4.5 or 4.6.
Before you begin
You must have direct or remote access to a VirusScan Enterprise protected system to perform this example analysis.
Task
For option definitions, click ? in the interface.
• Threat Source IP Address and Threat Target show where the attack came from and what it hit, to help you determine what actions to take.
• Threat Name and Threat Type describe what malware was used in the attack.
• Threat Event Descriptions describe how the attack affected the system and what actions were taken on the threat.
Appendix
There are more configuration and troubleshooting features you can use to improve the protection provided by VirusScan Enterprise. These features use familiar tools, for example, the ePolicy Orchestrator console, the command line, and the Internet.
Configuring ePolicy Orchestrator server tasks
Before you begin
You must have Administrator privileges to update the ePolicy Orchestrator configuration.
Task
For option definitions, click ? in the interface.
1 Open the existing Server Task page from ePolicy Orchestrator.
• ePolicy Orchestrator 4.5 or 4.6 — Click Menu | Automation | Server Tasks.
• ePolicy Orchestrator 4.0 — Click Automation | Server Tasks.
Using the command line with VirusScan Enterprise
You can use the Command Prompt to run some basic VirusScan Enterprise processes. You can install, configure, and update VirusScan Enterprise from the command line. Command line installation options are described in the VirusScan Enterprise Installation Guide.
Command-line value: Definition with options
CLEAN: Cleans the detected target file when a threat is found.
CLEANA: Cleans the detected file when an unwanted program is found.
CONTINUE: Continues scanning after a threat is detected.
CONTINUE2: Continues scanning after a threat is detected and the primary action has failed.
NOTE: The A suffix marks the unwanted-program counterpart of an option (CLEAN/CLEANA, PROMPT2/PROMPTA2); the 2 suffix selects the secondary action, used only when the primary action fails.
PROMPTA2: Prompts the user for action when an unwanted program is detected and the primary action has failed.
RPTSIZE: Sets the size of the alert log, in megabytes.
START: Runs the scan. Does not display the properties dialog box.
TASK: Launches the on-demand scanner task specified in the VirusScan Console.
Connecting to remote systems
You can connect to remote systems with VirusScan Enterprise installed to perform operations such as modifying or scheduling scan and update tasks, or enabling and disabling the on-access scanner on the remote system.
NOTE: If you do not have administrator rights on the remote system, you receive an Insufficient user rights access denied message.
Access the McAfee Labs Threat Library
WebImmune
1 From the VirusScan Console, select Help | Submit a Sample to access the website. The website is located at: https://www.webimmune.net/default.asp.
2 Log on to your free account, or create one.
3 Upload files directly to the McAfee Labs automated systems for review. Items are escalated to the McAfee Labs analysts if additional research is required.
Email
Send emails directly to the McAfee Labs automated systems for review.
Troubleshooting
Option: Reinstall all program files
Definition: Reinstalls the VirusScan Enterprise program files. CAUTION: Hotfixes, Patches, and Service Packs might be overwritten.
Using SETUPVSE.exe at the command line
To repair or reinstall VirusScan Enterprise from the command line with the SETUPVSE.exe command, use these commands.
NOTE: For REINSTALLMODE command line parameter options, refer to REINSTALLMODE Property at http://msdn.microsoft.com/en-us/library/aa371182(VS.85).aspx.
2 From the On-Access Scanner Properties dialog box, click the Reports tab and click View Log. The OnAccessScanLog.txt file appears in a Notepad window. Following is an example of the log file output.
3 The following table describes the data in the previous OnAccessScanLog.txt example:
Log entry example: Description
4/27/2010: Date
1:35:47 PM: Time
Cleaned/Deleted/No Action Taken: Action taken
File updated = version, or (Clean failed because...
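Reading the logs one entry at a time in Notepad does not scale. The following PowerShell is an added example, not part of the McAfee guide, that resolves the DesktopProtection log directory listed under Monitoring activity in your environment and turns the OnAccessScanLog.txt entries described in the table above into objects you can filter, so that entries where the scanner could not act ("No Action Taken", clean failures) can be pulled out across a fleet. The field order it assumes (date, time, action, user, process, target file, detection name, detection type, tab-separated) is this example's assumption and should be checked against your own log before you rely on it; the sample lines are constructed for the demonstration.

```powershell
# Added example (not from the McAfee guide). Assumptions, labelled: the log
# directory is one of the two paths the guide lists; each entry is one line of
# tab-separated fields in the order date, time, action, user, process, target,
# detection name, detection type. Check the field order against a real log.

function Get-VseLogDirectory {
    # Prefer the Windows 7 location, fall back to the older profile path.
    $candidates = @(
        (Join-Path $env:ProgramData 'McAfee\DesktopProtection'),
        'C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection'
    )
    foreach ($dir in $candidates) {
        if (Test-Path -LiteralPath $dir) { return $dir }
    }
    return $null
}

function ConvertFrom-VseLogLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Line)
    $fields = $Line -split "`t"
    if ($fields.Count -lt 7) { return $null }   # header, blank or wrapped lines
    [pscustomobject]@{
        Timestamp = [datetime]::Parse("$($fields[0]) $($fields[1])", [cultureinfo]'en-US')
        Action    = $fields[2]
        User      = $fields[3]
        Process   = $fields[4]
        Target    = $fields[5]
        Detection = $fields[6]
        Type      = if ($fields.Count -gt 7) { $fields[7] } else { '' }
    }
}

function Get-VseDetections {
    param(
        [string[]]$LogNames = @('OnAccessScanLog.txt', 'OnDemandScanLog.txt'),
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$Directory = (Get-VseLogDirectory)
    )
    if (-not $Directory) { return }
    foreach ($name in $LogNames) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        Get-Content -LiteralPath $path |
            ForEach-Object { ConvertFrom-VseLogLine $_ } |
            Where-Object { $_ -and $_.Timestamp -ge $Since } |
            Select-Object @{ n = 'Log'; e = { $name } }, *
    }
}

# Constructed sample lines (not real log output) so the parser can be tried offline.
$sample = @(
    "4/27/2010`t1:35:47 PM`tDeleted`tCORP\alice`tC:\Windows\explorer.exe`tC:\Users\alice\Downloads\eicar.com`tEICAR test file`tTest",
    "4/27/2010`t1:36:02 PM`tNo Action Taken`tCORP\alice`tC:\Program Files\App\app.exe`tC:\Temp\dropper.exe`tGeneric.dx`tTrojan"
)
$parsed = $sample | ForEach-Object { ConvertFrom-VseLogLine $_ }

# Entries the scanner could not remediate are the ones to escalate.
$parsed | Where-Object Action -eq 'No Action Taken' |
    Format-Table Timestamp, Target, Detection, Process -AutoSize

# On a protected system, the same filter over the real logs for the last day:
# Get-VseDetections | Where-Object Action -ne 'Deleted'
```

The AccessProtectionLog.txt has a different column layout (it records the rule name rather than a detection), so extend ConvertFrom-VseLogLine per log name before adding it to $LogNames.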
• Download and install the tool from: http://mer.mcafee.com.
NOTE: An ePolicy Orchestrator deployable version is also available. This version uses the ePolicy Orchestrator console to run the MER on client computers for collecting logs and information when diagnosing McAfee product problems. Download the McAfee MER for ePolicy Orchestrator 4.x (v2.0) from: http://mer.mcafee.com/enduser/downloadepomer.aspx.
• Run the tool and send the output back to McAfee Technical Support.
3 Is the original system problem fixed by disabling Access Protection?
• Yes — Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com and search for a solution or contact McAfee Technical Support.
• No — The original system problem was probably not related to VirusScan Enterprise.
Disabling ScriptScan
Follow these steps to disable ScriptScan.
Preventing MFEVTP from loading, then rebooting
Follow these steps to prevent the McAfee Validation Trust Protection Service (MFEVTP) from loading and reboot the system:
CAUTION: This section contains information about opening or modifying the registry.
• The following information is intended for System Administrators. Incorrect registry modifications can cause system failure and can be difficult to reverse; export the affected key before you change it.
• No — Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com and search for a solution, or contact McAfee Technical Support.
Suggested support and troubleshooting tools
As a VirusScan Enterprise Global Administrator there are tools you should install and configure to help you troubleshoot and evaluate your system security and performance.
Installation
• Question: I just installed the software using the silent installation method, and there is no VirusScan Enterprise icon in the Windows system tray.
Answer: The icon shield does not appear in the system tray until you restart your system. However, even though there is no icon, VirusScan Enterprise is running and your system is protected.
• Start the service manually from the Services Control Panel.
• Select Start | Run, then type Net Start McShield.
• Set the service to start automatically from the Services Control Panel.
• Question: I get an error saying that I cannot download CATALOG.Z.
Answer: This error can be caused by many things. Here are some suggestions to help determine the source of the problem:
• If you are using the McAfee default download site for updates, determine if you can download the CATALOG.
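Both answers above (the McShield service not running, and CATALOG.Z not downloadable) are checks an administrator ends up repeating on many systems. The PowerShell below is an added example, not part of the McAfee guide, that performs them from a script: it confirms the service is running and set to start automatically (the two fixes the answer lists), optionally starts it, and issues a HEAD request for catalog.z against the default HTTP repository named on the Repositories tab, through a proxy if AutoUpdate needs one. The service name McShield is taken from the guide's "Net Start McShield"; the catalog file name under the repository path is this example's assumption.

```powershell
# Added example (not from the McAfee guide). Assumptions, labelled: the
# on-access scanner service is named McShield; the default update site is the
# HTTP repository the guide lists; catalog.z lives directly under that path.
# Run in an elevated session if the service has to be started.

function Test-McShield {
    [CmdletBinding()]
    param([string]$Name = 'McShield', [switch]$Start)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; Status = 'NotInstalled'; StartType = $null; Protected = $false }
    }
    if ($Start -and $svc.Status -ne 'Running') {
        Start-Service -Name $Name -ErrorAction Stop     # same effect as "Net Start McShield"
        $svc.Refresh()
    }
    # StartMode is the Services Control Panel "Startup type": Auto, Manual or Disabled.
    $startType = (Get-CimInstance Win32_Service -Filter "Name='$Name'").StartMode
    [pscustomobject]@{
        Service   = $Name
        Status    = $svc.Status.ToString()
        StartType = $startType
        Protected = ($svc.Status -eq 'Running' -and $startType -eq 'Auto')   # Manual/Disabled will not survive a reboot
    }
}

function Test-VseUpdateSite {
    [CmdletBinding()]
    param(
        [string]$Repository = 'http://update.nai.com/Products/CommonUpdater',
        [string]$Proxy                    # e.g. 'http://proxy.corp.example:8080' (hypothetical)
    )
    $url = "$Repository/catalog.z"        # the catalog AutoUpdate fetches first
    $params = @{ Uri = $url; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 15 }
    if ($Proxy) {
        $params.Proxy = $Proxy
        $params.ProxyUseDefaultCredentials = $true
    }
    try {
        $r = Invoke-WebRequest @params
        [pscustomobject]@{ Url = $url; Reachable = $true; StatusCode = [int]$r.StatusCode; Error = $null }
    } catch {
        # Name resolution, proxy authentication and blocked egress all land here.
        [pscustomobject]@{ Url = $url; Reachable = $false; StatusCode = $null; Error = $_.Exception.Message }
    }
}

Test-McShield -Start | Format-List
Test-VseUpdateSite | Format-List
```

A Reachable = $false result with a proxy-related error message points at the Proxy settings tab rather than at the repository itself; a service that reports StartType = Disabled is worth treating as a tampering indicator and cross-checking against the Access Protection log.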
Access Protection tab
Configure access protection rules and prevent McAfee processes from being stopped.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Access protection settings:
• Enable access protection — Enables the access protection feature.
• Prevent McAfee services from being stopped — Prevent users without debug privileges from terminating McAfee processes.
• Block — Blocks the process that is specified in the Rule Details. Select Block to enable the rule or deselect it to disable the rule. NOTE: To block access attempts without logging, select Block but do not select Report.
• Report — Enables reporting of attempts to violate access protection. When a detection occurs, information is recorded in the activity log. NOTE: To receive a warning without blocking access attempts, select Report, but do not select Block.
Select both Block and Report for rules you enforce in production; a rule that blocks silently leaves no record of the attempt to investigate.
Additional Alerting Options tab
Configure filter and local alerting options.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Severity Filter: Choose from these filter options:
• Don't filter alerts — Send all alerts.
• Suppress informational alerts — Don't send informational alerts with a severity of less than one.
Local Alerting
Alerts tab
Select the components that you want to generate alerts and configure Alert Manager if it is installed. See the Alert Manager 4.7.1 Product Guide for more information.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Components that generate alerts:
• On-Access Scan — Generate alerts when the on-access scanner detects threats.
Alert Manager options
Reports tab
Enable logging to track activity on your network and record which settings you used to detect and respond to any potential threat that the scanner found.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Log to file: Enable activity logging.
Log file location: Accept the default location for the log file or specify a new location. The default log name is AccessProtectionLog.
Blocking tab
Block connections from remote computers that have files with potential threats or unwanted programs in a shared folder.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Send a message: Send the specified message to the network user when a threat is detected — Notify the network user on the remote computer when a threat is detected.
Message text
Block the connection
Reports tab
Enable logging to track detections on the local system of any code execution from heap or stack overruns for certain processes.
Option definitions
Alert on cookies: Notify the user when a cookie detection occurs. Default = selected.
Log to file: Enable activity logging and accept the default location for the log file or specify a new location.
Log file location: Accept the default location for the log file or specify a new location.
Buffer Overflow Protection tab
Prevent buffer overflow exploits from executing arbitrary code on your computer.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Buffer overflow settings: Enable buffer overflow protection — Enable the buffer overflow protection feature, then select the protection level.
• Warning mode — Sends a warning when a buffer overflow is detected.
Display Options tab
Configure which system tray options users can access and the preferred language.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
System tray icon:
• Show the system tray icon with all menu options — Allow users to see all options on the system tray menu.
Console options
Actions tab
Configure which actions to take when a threat or potentially unwanted program is detected.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
When a threat is found: Perform this action first — Select the first action that you want the scanner to take when a threat is detected. Default = Clean attachments.
No secondary action is allowed for this option.
• Continue scanning — Continue scanning when an attachment with a threat is detected. No secondary action is allowed for this option.
• Move attachments to a folder — The scanner moves attachments with potential threats to the designated folder.
• Delete attachments — The scanner deletes attachments with potential threats as soon as it detects them. For Microsoft Outlook, the email is deleted.
Alerts tab
Configure the alert settings for the on-delivery email scanner.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Email alert for user: Send alert mail to user — Notify another user when an email message containing a threat is detected.
Prompt for action message: Specify the message that displays to the user when prompting for action.
Reports tab
Enable logging to track activity on your network and record which settings you used to detect and respond to any potential threat that the scanner found.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Log to file: Enable activity logging.
Log file location: Accept the default location for the log file or specify a new location.
Scan Items tab
Configure detection options for the email scanner.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Scanning of email: Enable scanning of on-delivery email. NOTE: This option is only available via ePolicy Orchestrator.
Attachments to scan:
• All file types — Scan all types of files, regardless of extension.
Email message body (for Microsoft Outlook only): Scan email message body — Scan the body of Microsoft Outlook email messages.
Heuristic network check for suspicious files: Configure the sensitivity level you wish to use when determining if a detected sample is malware. For all levels other than Disabled, fingerprints of samples, or hashes, are submitted to McAfee Labs to determine if they are malware.
Scan Items tab
Configure detection options for the on-demand email scanner.
Option definitions
Messages to scan:
• All highlighted items — Scan selected email messages and folders.
• All messages in the Inbox folder — Scan all messages currently in the Inbox folder and its subfolders.
• Scan unread messages only — Scan all unread messages currently in the Inbox folder and its subfolders.
Attachments to scan:
• All file types — Scan all types of files, regardless of extension.
General tab
Configure general on-access scanning options.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Scan: Specify general scan items:
• Boot sectors — Scan boot sectors. Default = Enabled.
• Floppy during shutdown — Scan floppy drives when the computer is shut down. Default = Enabled.
Artemis (Heuristic network check for suspicious files): Specify one of the six sensitivity levels for Artemis, from Disabled to Very high. Default = Very low.
Messages tab
Configure message options for local users and users without administrative rights.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
User messages: Specify what messages local users receive.
Message text
Actions available to users
Notes Scanner Settings tab
Configure the Lotus Notes settings for the on-delivery email scanner.
Lotus Notes password configuration
When accessing a local database on Windows 2000 Server, Windows Server 2003, or Windows XP, you are prompted for a password. Because the password dialog box is not completely modal, the text search dialog can open while you type, and the password is inserted into the text search dialog instead of the password dialog. Check which dialog has focus before typing the password, so that it does not end up in a visible search field.
Actions tab
Configure which actions to take when a threat or potentially unwanted program is detected. If you are configuring different scanning policies for default, low-risk, and high-risk processes, the options on this tab must be configured for each process type.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
• Deny access to files — Prevent users from accessing detected files and programs.
• Delete files automatically — Remove detected files and programs automatically.
Exclusions tab
Specify what items to exclude from scanning. If you are configuring different scanning policies for default, low-risk, and high-risk processes, the options on this tab must be configured for each process type.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Reports tab
Enable logging to track activity on your network and record which settings you used to detect and respond to any potential threat that the scanner found.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Log to file: Enable activity logging.
Log file location: Accept the default location for the log file or specify a new location. The default log name is OnAccessScanLog.txt.
Scan Items tab
Configure detection options. If you are configuring different scanning policies for default, low-risk, and high-risk processes, the options on this tab must be configured for each process type.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Scan files:
• When writing to disk — Scan all files as they are written to or modified on the computer or other data storage device.
Compressed files:
• Scan inside archives — Examine archive (compressed) files and their contents.
• Decode MIME encoded files — Detect, decode, and scan Multipurpose Internet Mail Extensions (MIME) encoded files.
NOTE: Although it provides better protection, scanning compressed files can increase the time required to perform a scan.
Unwanted programs detection:
• Detect unwanted programs — Enables the on-access scanner to detect potentially unwanted programs.
Actions tab
Configure which actions to take when a threat or potentially unwanted program is detected.
Option definitions
When a threat is found: Perform this action first — Select the first action that you want the scanner to take when a threat is detected. Default = Clean files.
• Clean files — The scanner tries to remove the threat from the detected file.
• Continue scanning — Continue scanning when a file containing a threat is detected.
Exclusions tab
Specify what items to exclude from scanning.
Option definitions
What to exclude: Select the type of exclusion from the drop-down list, then specify the details for the exclusion:
• Exclude by file name/location — Type the file name and location in the text box. Select Also exclude subfolders if required. NOTE: You must add a backslash (\) at the end of the string to apply the exclusion to a folder.
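The trailing-backslash rule above is the kind of detail that silently turns an intended folder exclusion into a file-name exclusion, and the opposite mistake, an exclusion far broader than intended, is how excluded directories become a staging area for attackers. The PowerShell below is an added example, not part of the McAfee guide, that checks a list of file name/location exclusions before they go into a policy. The folder-versus-file rule is the one stated on this tab; the "risky" heuristics (whole drives, bare wildcards, extension-only patterns, user-writable temp and download locations, recursive exclusion of profile or system roots) are this example's own judgement, not McAfee's, and the sample entries are constructed.

```powershell
# Added example (not from the McAfee guide). The folder rule (trailing backslash)
# comes from the Exclusions tab; the breadth heuristics are this example's own.

function Test-VseExclusion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Item,
        [switch]$IncludeSubfolders          # the tab's "Also exclude subfolders"
    )
    $isFolder = $Item.EndsWith('\')
    $leaf     = Split-Path -Path $Item -Leaf
    $findings = New-Object System.Collections.Generic.List[string]

    # A path with no trailing backslash is matched as a file name, not a folder.
    if (-not $isFolder -and -not $leaf.Contains('.') -and -not $leaf.Contains('*')) {
        $findings.Add('no trailing backslash: treated as a file name, not a folder')
    }
    # Breadth heuristics (this example's assumptions).
    if ($Item -match '^[A-Za-z]:\\?$')      { $findings.Add('excludes an entire drive') }
    if ($leaf -in @('*', '*.*'))            { $findings.Add('bare wildcard excludes everything beneath it') }
    if ($Item -match '^\*\.[A-Za-z0-9]+$')  { $findings.Add('excludes an extension everywhere on the system') }
    if ($Item -match '(?i)\\(Temp|Downloads|AppData\\Local\\Temp)\\') {
        $findings.Add('user-writable location: a payload can be staged there unscanned')
    }
    if ($isFolder -and $IncludeSubfolders -and ($Item -match '(?i)^[A-Za-z]:\\(Users|Windows)\\?$')) {
        $findings.Add('recursive exclusion of a profile or system root')
    }

    [pscustomobject]@{
        Item      = $Item
        Kind      = if ($isFolder) { 'folder' } else { 'file' }
        Recursive = [bool]$IncludeSubfolders
        Risky     = $findings.Count -gt 0
        Findings  = $findings -join '; '
    }
}

# Constructed sample entries (not from a real policy).
$entries = @(
    @{ Item = 'C:\SQLData\';                IncludeSubfolders = $true  },   # fine: specific folder
    @{ Item = 'C:\SQLData\master.mdf';      IncludeSubfolders = $false },   # fine: specific file
    @{ Item = 'C:\Temp';                    IncludeSubfolders = $true  },   # missing backslash
    @{ Item = 'C:\Users\';                  IncludeSubfolders = $true  },   # every profile, recursively
    @{ Item = '*.exe';                      IncludeSubfolders = $false },   # all executables, everywhere
    @{ Item = 'C:\Users\Public\Downloads\'; IncludeSubfolders = $true  }    # world-writable drop point
)
$entries | ForEach-Object { Test-VseExclusion @_ } |
    Format-Table Item, Kind, Recursive, Risky, Findings -AutoSize
```

Run it over the exclusion lists of each process type (default, low-risk, high-risk) separately, since the tab notes they are configured independently and a broad entry is easy to miss in one of the three.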
Reports tab
Enable logging to track activity on your network and record which settings you used to detect and respond to any potential threat that the scanner found.
Option definitions
Log to file: Enable activity logging.
Log file location: Accept the default location for the log file or specify a new location. The default log name is OnDemandScanLog.txt. The default location is: :\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\ .
Scan Items tab
Configure detection options.
Option definitions
File types to scan:
• All files — Scan all files regardless of extension.
• Default + additional file types — Scan the default list of extensions plus any additions you specify. The default list is defined by the current DAT file. Select this option, then enter file extensions separated by spaces in the text box.
Task tab
Specify the platforms where this on-demand task runs.
Option definitions
Platforms where this task will run:
• Run this task on servers — Run this on-demand scan task on servers.
• Run this task on workstations — Run this on-demand scan task on workstations.
User account to use when running task:
• Username — Specify the user's account name. If no account information is entered, the task runs under the system account.
• Password — Type the password.
Password Options tab
Set password security for the entire system or selected items. See How setting a password affects users for more information.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
User interface password: Specify the user interface security:
• No password — No password is required to access configuration settings.
Processes tab
Choose whether to configure one scanning policy for all processes or different scanning policies for default, low-risk and high-risk processes. See Determining the number of scanning policies and Determining which risk to assign to a process for more information.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Processes tab
Specify the processes that you define as low-risk. This is a two-step process.
Option definitions for step 1
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Processes tab
Specify the processes that you define as high-risk. This is a two-step process.
Option definitions for step 1
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Scan Items tab
Select categories of potentially unwanted programs to detect and create exclusions for programs that you do not want to detect.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Select categories of unwanted programs to detect: Specify the categories of potentially unwanted programs to detect.
Unwanted program exclusions: Specify exclusions by detection name.
Quarantine Policy tab
Configure the quarantine location and the length of time to keep the quarantined items.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Quarantine Directory: Accept the default location for the quarantine directory or specify a new location. Default = \Quarantine.
Policy tab
Configure the quarantine location and the length of time to keep the quarantined items.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Quarantine Directory: Accept the default location for the quarantine directory or specify a new location. Default = \Quarantine.
Manager tab
Select an item in the list, then right-click to access advanced options. You can rescan, check for false positive, restore, delete, or view properties.
Task tab
Specify account information for the user who has access to the restore location. If no account is entered here, the restore task runs under the system account.
Option definitions
User: Type the name of the user who has access to the restore location.
Password: Type the password for the specified user.
Domain: Type the domain for the specified user.
Scan Locations tab
Configure the item types and locations to scan.
Option definitions
Locations to scan: Select the locations to scan. Default = Memory for rootkits, running processes, all local drives, registry, and cookies. Click Add, Edit, and Remove to change the item names.
• Memory for rootkits — Scans system memory for installed rootkits, hidden processes and other behavior that suggests malicious code is attempting to hide itself. This scan occurs before all other scans.
When the On-Demand Scan Progress dialog appears, the locations to scan appear as a comma-separated string following Scanning in. As each location is completed, it is removed from the string.
Scan options: The type of scan for the selected item.
• Include subfolders — The scanner examines all subfolders in the specified volumes. Deselect this option to scan only the root level of the volumes.
• Scan boot sectors — The scanner examines the disk boot sector.
Performance tab
Specify scan deferral and system utilization options to improve performance.
Option definitions
Scan deferral options: Select the scan deferral option:
• Defer scan when using battery power — Postpone the scan when the system is in use and using battery power.
• Defer scans during presentations — Postpone the scan while the system is in presentation mode.
• User may defer scheduled scans — Allow the user to defer scheduled scans.
systems. Detections found with this level are presumed to be malicious, but they haven't been fully tested to confirm that they are not false positives.
ScriptScan tab
Prevent unwanted scripts from executing. See Script scanning and how it works for more information.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
ScriptScan: Enable scanning of scripts — Scan JavaScript and VBScript scripts before they are executed.
ScriptScan process exclusions: Process — Specify ScriptScan exclusions by process name.
User-Defined Detection tab
Specify individual files or programs to treat as unwanted programs.
Option definitions
Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
User-defined items:
• File name — Specify the name of the file or program that you want to detect.
• Description — Specify the description that you want to display in the notification when the specified file is detected.
Repositories tab

Configure the repositories where you get updates.

NOTE: This feature is not available from the ePolicy Orchestrator Console. Access this feature from the VirusScan Enterprise 8.8 Console.

Option definitions

Option: Definition

Repository description: Specify the name of the repository. The list is preconfigured with an HTTP and an FTP repository.
• http://update.nai.com/Products/CommonUpdater
• ftp://ftp.nai.com/CommonUpdater
The HTTP repository is the default download site.
Adding and editing repositories

Add new repositories or edit existing repositories.

Option definitions

Option: Definition

Repository description: Specify the name of the repository.

Retrieve files from: Select the location from which to retrieve files. Default = HTTP repository.
• HTTP repository — Retrieve files from the HTTP repository location that you designate.
Adding and editing repositories

Option: Definition

(continued from the previous page) on the repository, you ensure that the account has read permissions to the folders containing the update files.
• Download credentials are required for FTP and UNC repositories, but are optional for HTTP repositories.
• FTP updates support anonymous repository connections.
• With UNC updates you can also use the logged on account, making use of the logged on user's permissions to access the repository.
Proxy settings tab

Proxy servers are used as part of internet security to hide internet users’ computers from the internet and improve access speed by caching commonly accessed sites. If your network uses a proxy server, you can specify which proxy settings to use, the address of the proxy server, and whether to use authentication. Proxy information is stored in the AutoUpdate repository list (sitelist.xml). The proxy settings you configure here apply to all repositories in this repository list.
Mirror task

Configure the mirror task.

VirusScan Enterprise 8.8 Console — Option definitions

Option: Definition

Log File: Enable activity logging.

Format: Select the format of the log file. Default = Unicode (UTF8).
• Unicode (UTF8) — Recommended if you are storing eastern text (every character is one or two bytes), or sharing information within a multi-national organization.
AutoUpdate task

Configure the AutoUpdate task.

Option definitions

Option: Definition

Log File: Enable activity logging.

Format: Select the format of the log file. Default = Unicode (UTF8).
• Unicode (UTF8) — Recommended if you are storing eastern text (every character is one or two bytes), or sharing information within a multi-national organization.
Schedule tab

Specify the schedule frequency and other settings for this task.

Option definitions

Option: Definition

Runtime

Run task: Select the frequency for this task from these options:
Daily — Run the task daily on the specified days. Daily tasks can be run every so many days, or every day Monday through Sunday. If you only want to run the task on specific days of the week, other than every day Monday through Sunday, we recommend that you use the weekly task frequency.
Schedule tab

Option: Definition

Minutes: The number of minutes. NOTE: The number of minutes available for selection depends on which options you have selected. For example:
• Enable randomization — Choose between 0 and 59 minutes.
• Delay missed task by — Choose between 0 and 99 minutes.

Run if missed: Ensure that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to run, it may have been missed.
Schedule tab

Option: Definition

(continued from the previous page) This option is only available when scheduling the task At Startup or At Logon.

When computer has been idle for: Specify the number of minutes that the computer is idle before starting the task. Choose between 0 and 999 minutes. NOTE: If the task is started and a user resumes use of the computer before the task completes, the task continues to run until complete. This option is only available when scheduling the task When Idle.

Advanced: Configure advanced options.
Task tab

Enable the schedule for this task and specify user account settings.

Option definitions

Option: Definition

Enable (scheduled task runs at specified time): Schedule the task to run at a specified time. NOTE: This option must be selected to schedule the task.

Stop the task if it runs for: Stop the task after the number of hours and minutes that you specify. NOTE: If the task is interrupted before it completes, the next time it starts it resumes scanning from where it left off.
Advanced schedule options

Configure the schedule parameters.

Option definitions

Option: Definition

Start Date: Specify the date to start this task.

End Date: Specify the date to end this task.

Repeat Task: Repeat the task at the specified frequency. If you select this option, also specify how frequently to repeat this task.

Every: Specify how frequently to repeat this task. Also select whether you want the frequency to be hours or minutes.

Time (Local): Repeat this task at the specified local time.
Global Scan Settings tab

Set scan cache options to save scan data during a system reboot and allow on-demand scans to use that clean cache data to improve performance. See Configuring global option settings for more information.

Option definitions

Option: Definition

Settings for: Select Workstation or Server from the drop-down list. NOTE: This option is only available via ePolicy Orchestrator.
Index

A

access protection
  disabling during troubleshooting 98
  access violations 25
  anti-virus and common rules 26
  common rules 23
  detections and actions 73
  excluding processes 32
  file and folder blocking rules 31
  getting started 23
  log report example 20
  overview 19, 23
  policies, overview 26
  port blocking rules 31
  preconfigured rules 23
  protocols, restricting 25
  registry blocking rules 32
  removing unused rules 33, 34
  standard and maximum protection 23
  threat example 20
  types of rules 23
  user-defined rules 23
common rules
  access protection, configuring 26
  preconfigured access protection 23
  standard and maximum protection 23
common protection rules
  configuring access protection 26
components
  illustration 10
  of VirusScan Enterprise 10
  VirusScan Console 13
conventions used in this guide 6

D

dashboards
  monitoring activity 80, 84
  predefined, accessing 80
DAT files
  detection definitions 43
  detections and defined actions 72
  EXTRA.
McAfee Agent
  icons indicate version 14
  VirusScan Enterprise component overview 10
McAfee Headquarters, VirusScan Enterprise component 10
McAfee Labs
  submit a sample 74
  submitting samples 94
  access 13
  accessing Threat Library 95
  Artemis sends fingerprint to 53
  VirusScan Enterprise component overview 10
McAfee ServicePortal, accessing 8
McAfee Validation Trust Protection Service, disabling during troubleshooting 98
menu bar, VirusScan Console 13
MER tool (See Minimum Escalation Requirements tool) 97
Me
processes
  include and exclude 32
Processes tab, VirusScan Enterprise
  on-access scanning 58, 60
processes, VirusScan Enterprise
  default, configuring 54
  in memory process scanning 63
  incremental or resumable scanning 63
  low-risk and high-risk 54
  script scanning 53
Proxy settings tab, VirusScan Enterprise 47
PUPs (See unwanted programs) 38

Q

quarantines, VirusScan Enterprise
  configuring with ePolicy Orchestrator 4.0 76
  configuring with ePolicy Orchestrator 4.5 or 4.
T

task
  AutoUpdate 45
  mirror 45
  scheduling 50
  update 44
Task list, VirusScan Console 13
task schedule
  configuring 50
  recommended on-demand interval 50
Task tab, VirusScan Enterprise
  scheduling on-demand scanning 66
  scheduling tasks 50
Technical Support
  ServicePortal at McAfee 8
  troubleshooting 98
  using the MER tool 97
threat
  ePolicy Orchestrator 4.0 analysis 87
  ePolicy Orchestrator 4.5 and 4.