McAfee TEECDE-AA-AA, Total Protection For Endpoint Evaluator Manual

McAfee Total Protection for Endpoint Lab Evaluation Guide
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
Contents
Welcome
System requirements
    Server requirements
    Database requirements
    Operating systems language support
Setting up McAfee Total Protection for Endpoint suite
Logging on to ePolicy Orchestrator
Set Up the ePolicy Orchestrator Server
Add Systems to Manage
Setting Policies for Endpoints
Setting Policies for Email Servers
Set Tasks for Endpoints
Deploy the McAfee Agent
Using Dashboards and Queries
Summary
References
Welcome
Welcome to McAfee® Total Protection® for Endpoint. This solution incorporates the best and most comprehensive McAfee security for endpoints, email, web, and data. Compared to purchasing and maintaining multiple security components from multiple vendors, McAfee Total Protection for Endpoint saves time, saves money, and provides a more powerful, integrated defense against the threats that businesses know about, and the threats they can't see coming.
This guide is organized so you can evaluate McAfee Total Protection for Endpoint in a pilot environment consisting of one ePolicy Orchestrator® (ePO™) server and a number of client computers. The guide covers the basic steps required to install ePolicy Orchestrator quickly, configure basic policies and tasks, and deploy these McAfee products for client protection:
• VirusScan® Enterprise 8.7i
• AntiSpyware Enterprise 8.7
• Host Intrusion Prevention 7.0
• SiteAdvisor® Enterprise Plus 3.0
• GroupShield® 7.0.1 for Microsoft Exchange
• McAfee Security for Lotus Domino, v7.5 on Windows
This guide provides real examples of steps you take during a live deployment. It does not cover every possible deployment scenario, nor examine every feature. For complete information on all aspects of the products included in Total Protection for Endpoint, see their respective product guides.
Full product documentation is available on the McAfee KnowledgeBase.
Under Self Service, click Product Documentation, choose a product and version, then choose a document.
Product descriptions
The products in Total Protection for Endpoint are grouped into these categories:
• Management solution
• Endpoint protection
• Email server protection
Management solution
Total Protection for Endpoint provides these products for a management solution.
Product: McAfee ePolicy Orchestrator 4.5
Description: ePolicy Orchestrator is the industry-leading system security management solution for the enterprise. It delivers a coordinated, proactive defense against malicious threats and attacks. ePolicy Orchestrator combines unmatched global policy control with a single agent and a central console with custom reporting to easily manage your system security environment.
Product: McAfee Agent 4.5
Description: McAfee Agent is the client-side framework that supports the McAfee security management infrastructure. It provides secure communication between point-products and ePolicy Orchestrator, and local services to point-products. As a framework, the McAfee Agent enables point-products to focus on enforcing their policies, while delivering an expanding set of services that includes logging, communication, and policy storage.
Endpoint protection
Total Protection for Endpoint provides these products for endpoint protection.
Product: McAfee VirusScan® Enterprise 8.7i
Description: VirusScan Enterprise, a trusted name in security, is a leader in the advanced, proactive protection for PCs and servers. Businesses rely on the key features of VirusScan Enterprise during an outbreak, including: cleaning memory, rootkits, the registry and files, as well as preventing propagation of malicious code to other systems. VirusScan Enterprise also contains functionality from anti-virus, intrusion prevention, and firewalls for protection from known and unknown attacks.
Product: McAfee AntiSpyware Enterprise 8.7
Description: AntiSpyware Enterprise Module, the leading enterprise anti-spyware software solution, uses true on-access scanning to identify, proactively block, and safely eliminate potentially unwanted programs (PUPs) for optimal business availability. Centrally managed with ePolicy Orchestrator, McAfee AntiSpyware Enterprise Module seamlessly integrates with VirusScan Enterprise, reducing disruptions due to threats and PUPs.
Product: McAfee Host Intrusion Prevention 7.0
Description: Host Intrusion Prevention monitors and blocks intrusions by combining signature and behavioral protection with a system firewall. Shielding your assets improves the availability, confidentiality, and integrity of your business processes. A single agent makes it easy to deploy, configure, and manage, and patching becomes less frequent and less urgent.
Product: McAfee SiteAdvisor® Enterprise Plus 3.0
Description: SiteAdvisor Enterprise Plus allows your employees to surf and search the web safely as threats like spyware, adware, phishing scams, and more are blocked. Integrated into McAfee solutions, SiteAdvisor Enterprise technology adds web security to your comprehensive protection, guiding and shielding users from online threats.
Email server protection
Total Protection for Endpoint provides these products for email server protection.
Product: McAfee GroupShield® 7.0.1 for Microsoft Exchange
Description: GroupShield protects your email and other documents as they enter and leave your Microsoft Exchange server. GroupShield proactively scans for viruses, automatically manages outbreaks, and prevents malicious code from disrupting your systems. The GroupShield content filter blocks or quarantines messages that contain specific words and phrases that violate content rules.
Product: McAfee Security for Lotus Domino, v7.5 on Windows
Description: McAfee Security for Lotus Domino protects your email and other documents as they enter and leave your Domino server. McAfee Security for Lotus Domino proactively scans for viruses, automatically manages outbreaks, and prevents malicious code from disrupting your systems. The McAfee Security for Lotus Domino content filter blocks or quarantines messages that contain specific words and phrases that violate content rules.
Product: McAfee Anti-Spam add-on
Description: Anti-Spam blocks spam from your Microsoft Exchange and Lotus Domino mail servers. This increases employee productivity, while also stopping phishing scams to protect confidential data from being disclosed by employees. Anti-Spam integrates with McAfee GroupShield and McAfee Security for Lotus Domino to reduce resource usage on your busy mail servers.
When you are ready to deploy products to your environment, like VirusScan Enterprise or Host Intrusion Prevention, you will use ePolicy Orchestrator and the McAfee Agent to handle the deployment and updates. McAfee recommends that you use the workflow in the following sections to get started with the solution.
System requirements
Before setting up McAfee Total Protection for Endpoint software, verify that each component meets the minimum system requirements that are listed below:
• Server
• Database
Server requirements
Free disk space — 1 GB minimum (first-time installation); 2 GB recommended.
Memory — 1 GB available RAM; 2–4 GB recommended.
Processor — Intel Pentium III-class or higher; 1 GHz or higher.
Monitor — 1024x768, 256-color, VGA monitor.
NIC — Network interface card; 100 MB or higher.
NOTE: If using a server with more than one IP address, ePolicy Orchestrator uses the first identified IP address.
Dedicated server — If managing more than 250 computers, McAfee recommends using a dedicated server.
File system — NTFS (NT file system) partition recommended.
IP address — McAfee recommends using static IP addresses for ePO servers.
Server-class operating system — 32-bit or 64-bit
• Windows Server 2003 Enterprise with Service Pack 2 or later
• Windows Server 2003 Standard with Service Pack 2 or later
• Windows Server 2003 Web with Service Pack 2 or later
• Windows Server 2003 R2 Enterprise with Service Pack 2 or later
• Windows Server 2003 R2 Standard with Service Pack 2 or later
• Windows Server 2008
NOTE: Installation is blocked if you attempt to install on a version of Windows earlier than Server 2003. In addition, ePolicy Orchestrator stops functioning if, after having been installed on Windows Server 2003, the server is upgraded to Windows Server 2008.
Browser
• Firefox 3.0
• Microsoft Internet Explorer 7.0 or 8.0
If using Internet Explorer and a proxy, follow these steps to bypass the proxy server.
1 From the Tools menu in Internet Explorer, select Internet Options.
2 Select the Connections tab and click LAN Settings.
3 Select Use a proxy server for your LAN, then select Bypass proxy server for local addresses.
4 Click OK as needed to close Internet Options.
Domain controllers — The ePolicy Orchestrator server can manage systems in a Workgroup or Windows Domain. In the installation instructions below, we will use the latter, which requires the server to be a member of your Windows domain. For instructions, see the Microsoft product documentation.
Security software
• Install and/or update the anti-virus software on the ePolicy Orchestrator server and scan for viruses.
CAUTION: If running VirusScan Enterprise 8.5i or 8.7i on the system where you are installing ePolicy Orchestrator, you must ensure that the VSE Access Protection rules are disabled during the installation process, or the installation fails.
• Install and/or update firewall software on the ePolicy Orchestrator server.
Ports
• McAfee recommends avoiding the use of Port 8443 for HTTPS communication. Although this is the default port, it is also the primary port used by many web-based activities, is a popular target for malicious exploitation, and it is likely to be disabled by the system administrator in response to a security violation or outbreak.
NOTE: Ensure that the ports you choose are not already in use on the ePolicy Orchestrator server computer.
• Notify the network staff of the ports you intend to use for HTTP and HTTPS communication via ePolicy Orchestrator.
NOTE: Installing the software on a Primary Domain Controller (PDC) is supported, but not recommended.
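The server requirements above can be checked on the intended ePO server before running Setup. The following PowerShell script is an added example, not part of the original guide or of McAfee's tooling; the function names, the install drive and the list of planned ports are assumptions to adjust for your environment.

```powershell
# Added example, not McAfee code. Checks an intended ePO server against the
# server requirements in this guide. Uses only WMI and .NET 2.0 classes, so it
# also runs on Windows PowerShell 2.0.
param(
    [string]$InstallDrive = 'C:',     # assumption: volume that will hold ePO
    [int[]]$PlannedPorts  = @(8443)   # assumption: ports you intend to assign
)

# Hypothetical helper: one result row per check.
function New-Finding([string]$Check, [string]$Status, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Status = $Status; Detail = $Detail }
}

# Hypothetical helper: grade a value against a minimum and a recommended level.
function Get-Level([double]$Value, [double]$Minimum, [double]$Recommended) {
    if ($Value -lt $Minimum) { 'FAIL' } elseif ($Value -lt $Recommended) { 'WARN' } else { 'OK' }
}

function Test-EpoServerPrerequisites {
    param([string]$Drive, [int[]]$Ports)

    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version

    # Operating system: setup is blocked on versions earlier than Server 2003 (NT 5.2),
    # and Server 2003 needs Service Pack 2 or later.
    # ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    if ($ver -lt [version]'5.2' -or $os.ProductType -eq 1) {
        New-Finding 'Operating system' 'FAIL' "$($os.Caption) is not a supported server-class OS"
    } elseif ($ver.Major -eq 5 -and $os.ServicePackMajorVersion -lt 2) {
        New-Finding 'Operating system' 'FAIL' 'Windows Server 2003 requires Service Pack 2 or later'
    } elseif ($os.ProductType -eq 2) {
        New-Finding 'Operating system' 'WARN' 'Domain controller: supported, but not recommended'
    } else {
        New-Finding 'Operating system' 'OK' $os.Caption
    }

    # Memory: 1 GB available, 2 GB or more recommended. FreePhysicalMemory is in KB.
    $freeMB = [math]::Round($os.FreePhysicalMemory / 1KB)
    New-Finding 'Available RAM' (Get-Level $freeMB 1024 2048) "$freeMB MB available"

    # Disk: 1 GB free minimum, 2 GB recommended, NTFS recommended.
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    if (-not $disk) {
        New-Finding 'Free disk space' 'FAIL' "Drive $Drive not found"
    } else {
        $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
        New-Finding 'Free disk space' (Get-Level $freeGB 1 2) "$freeGB GB free on $Drive"
        if ($disk.FileSystem -eq 'NTFS') {
            New-Finding 'File system' 'OK' 'NTFS'
        } else {
            New-Finding 'File system' 'WARN' "$($disk.FileSystem) volume; NTFS is recommended"
        }
    }

    # Addressing: ePO uses the first identified IP address; static addresses are recommended.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
    $ipv4 = @($nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+(\.\d+){3}$' })
    if ($ipv4.Count -gt 1) {
        New-Finding 'IP addresses' 'WARN' "Several addresses ($($ipv4 -join ', ')); ePO uses the first identified"
    } else {
        New-Finding 'IP addresses' 'OK' ($ipv4 -join ', ')
    }
    if (@($nics | Where-Object { $_.DHCPEnabled }).Count -gt 0) {
        New-Finding 'Static IP' 'WARN' 'At least one adapter uses DHCP; static addresses are recommended'
    } else {
        New-Finding 'Static IP' 'OK' 'No DHCP-configured adapters'
    }

    # Ports: each planned port must be free on this server. The guide also
    # recommends avoiding the default HTTPS port 8443.
    $listening = @([System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
                   ForEach-Object { $_.Port })
    foreach ($port in $Ports) {
        if ($listening -contains $port) {
            New-Finding "Port $port" 'FAIL' 'Already in use on this server'
        } elseif ($port -eq 8443) {
            New-Finding "Port $port" 'WARN' 'Free, but the guide recommends avoiding the default 8443'
        } else {
            New-Finding "Port $port" 'OK' 'Not in use'
        }
    }
}

Test-EpoServerPrerequisites -Drive $InstallDrive -Ports $PlannedPorts |
    Select-Object Check, Status, Detail | Format-Table -AutoSize -Wrap
```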
Supported virtual infrastructure software
• VMware ESX 3.5.x
• Microsoft Virtual Server 2005 R2 with Service Pack 1
• Windows Server 2008 Hyper-V
Database requirements
A database must be installed before ePolicy Orchestrator can be installed. Any of the following databases, if previously installed, meets this requirement.
• SQL Server 2005
• SQL Server 2005 Express
• SQL Server 2008
• SQL Server 2008 Express
NOTE: SQL Server 2000 is not supported.
If none of those databases was previously installed, the ePO installation wizard detects that no database is present and offers you the opportunity to install SQL Server 2005 Express.
Database installation documented in this Guide
The only database installation scenario described in detail is a first-time installation of SQL Server 2005 Express. In this scenario, the ePO Setup installs both the ePolicy Orchestrator software and the database on the same server. If the database is to be installed on a different server from the ePolicy Orchestrator, manual installation is required on the remote servers.
SQL Server
Local database server — If using SQL Server on the same system as the ePO server, McAfee recommends using a fixed memory size in Enterprise Manager that is approximately two-thirds of the total memory for SQL Server. For example, if the computer has 1 GB of RAM, set 660 MB as the fixed memory size for SQL Server.
SQL Server licenses — If using SQL Server, a SQL Server license is required for each processor on the computer where SQL Server is installed.
CAUTION: If the minimum number of SQL Server licenses is not available after you install the SQL Server software, you may have issues installing or starting the ePolicy Orchestrator software.
Other relevant database installations and upgrades
See the documentation provided by the database manufacturer for information about the following installation scenarios:
Maintenance settings — McAfee recommends making specific maintenance settings to ePO databases. For instructions, see Maintaining ePO databases in the ePolicy Orchestrator Help.
NOTE: For detailed system requirements information about Agent Handlers, Database and Distributed Repositories, refer to the ePolicy Orchestrator 4.5 Installation Guide.
Other software requirements
The following table provides additional information about the other software requirements.
Software: MSXML 6.0
Note: You must acquire and install.
1 From the Internet Explorer Tools menu, select Windows Update.
2 Click Custom, then select Software.
3 Select MSXML6.
4 Select Review and install updates, then click Install Updates.
Software: Internet Explorer 7 or 8, or Firefox 3.0
Note: You must acquire and install.
Software: .NET Framework 2.0
Note: You must acquire and install if using SQL Server 2005 Express.
Software: Microsoft Visual C++ Redistributable
Note: If not previously installed, the installation wizard installs automatically.
Software: Microsoft Visual C++ Redistributable - x86 9.0.21022
Note: If not previously installed, the installation wizard installs automatically.
Software: MDAC 2.8
Note: If not previously installed, the installation wizard installs automatically.
Software: SQL Server 2005 Backward Compatibility
Note: If not previously installed, the installation wizard installs automatically.
Software: SQL Server 2005 Express
Note: If no other database has been previously installed, this database can be installed automatically at user’s selection.
Software: Microsoft updates
Note: Update the ePolicy Orchestrator server and the database server with the most current updates and patches.
Software: MSI 3.1
Note: The installation fails if using a version of MSI previous to MSI 3.1.
Microsoft updates and patches
Update both the ePO server and the database server with the latest Microsoft security updates. If you are upgrading from MSDE 2000 or SQL 2000, be sure to follow Microsoft's required upgrade scenarios.
Operating systems language support
This version of the ePolicy Orchestrator runs on any supported operating system irrespective of the language of the operating system.
Following is a list of languages into which the ePolicy Orchestrator has been translated. When the software is installed on an operating system using a language that is not on this list, the ePolicy Orchestrator interface attempts to display in English.
• Chinese (Simplified)
• Chinese (Traditional)
• English
• French (Standard)
• German (Standard)
• Japanese
• Korean
• Russian
• Spanish
Setting up McAfee Total Protection for Endpoint suite
This section guides you through installing the McAfee Total Protection for Endpoint suite with the default options. The McAfee Total Protection for Endpoint suite installer sets up the ePO server and checks in the endpoint software to the ePO repository in a single pass.
Task
1 From the official McAfee site, download and extract the contents of McAfee Total Protection for Endpoint software to a temporary directory on your ePO server or your intended management server.
2 Double-click Setup.exe. The Welcome to the McAfee ePolicy Orchestrator setup for Total Protection for Endpoint suite page appears.
3 Click Next. The Type License Key page appears.
4 Select Evaluation, then click Next. The McAfee Licensing Evaluation page appears.
5 Click OK. The McAfee End User License Agreement page appears.
6 Select I accept the terms in the license agreement, then click OK. The Choose Software to Evaluate page appears with the following options, enabled by default:
• Base Installation
• Host Intrusion Prevention
• McAfee Security for Lotus Domino and MS Exchange (GroupShield)
7 Click Next. The Set Administrator Information page appears.
8 Type the username and password to use for the ePolicy Orchestrator administrative account and click Next. The Choose Setup Type page appears.
NOTE: You will use the same credentials later, to log on to ePolicy Orchestrator.
9 Select Default to install ePolicy Orchestrator and Microsoft SQL 2005 Express using the default location and settings, then click Next. A confirmation dialog box appears.
10 Click OK to install Microsoft SQL 2005 Express. The Set Database Information page appears.
11 Identify the type of account and authentication details that the ePolicy Orchestrator server uses to access the database.
• From the Database Server credentials field, select the Windows domain from the drop-down, type the domain user name and password, then click Next. The Start Copying Files page appears.
NOTE: Windows authentication is enabled, as SQL Express does not allow SA authentication by default.
12 Click Next to begin installation. The InstallShield Wizard Complete page appears with the following options, enabled by default:
• Select Yes, I want to view the ReadMe file to view the Readme.
• Select Yes, I want to launch McAfee ePolicy Orchestrator now to launch the ePolicy Orchestrator user interface.
NOTE: During installation, you may be prompted to change one or more of the default port numbers in case of any conflict.
13 Click Finish.
Logging on to ePolicy Orchestrator
Use this task to log on to the ePolicy Orchestrator. You must have valid credentials to do this.
Task
1 To launch the ePolicy Orchestrator software, open an Internet browser and go to the URL of the server (for example: https://<servername>:8443). The Log On to ePolicy Orchestrator dialog box appears.
NOTE: You can also double-click the Launch McAfee ePolicy Orchestrator 4.5 console icon on the desktop to launch ePolicy Orchestrator.
2 Type the User name and Password of a valid account, created in Step 7 under the "Setting up McAfee Total Protection for Endpoint suite" section.
NOTE: Passwords are case-sensitive.
3 Select the Language you want the software to display.
4 Click Log On.
Set Up the ePolicy Orchestrator Server
The ePolicy Orchestrator repository is the central location for all McAfee product installations, updates, and signature packages. The modular design of ePolicy Orchestrator allows new products to be added as extensions. This includes new or updated versions of McAfee products, such as VirusScan Enterprise, and non-McAfee products from McAfee partners. Packages are components that are checked in to the master repository, then deployed to client systems.
For information about extensions and packages, see these topics in the ePolicy Orchestrator Product Guide:
• Extensions and what they do
• Deployment packages for products and updates
According to your selections during installation, the Total Protection for Endpoint client software was added to your ePO master repository. To verify the installation, go to the Master Repository.
Configure a repository pull task
For ePolicy Orchestrator to keep your client systems up-to-date, you must configure a repository pull task that retrieves updates from a McAfee site (HTTP or FTP) at specified intervals.
NOTE: A repository pull task was created for you automatically during installation.
Task
Use this task to create a repository pull task that adds and updates the client software.
1 Click Menu | Automation | Server Tasks.
2 In the list, find the task named Update Master Repository and, under the Actions column, click Edit to open the Server Task Builder.
3 On the Description page, set Schedule status to Enabled, then click Next.
4 On the Actions page, there is a gray bar just below the page description labeled 1. Select Repository Pull from the drop-down list.
5 Select Move existing packages to Previous branch, then click Next.
NOTE: Checking this option allows ePolicy Orchestrator to maintain more than one day's signature files. When the next pull task runs, today's updates are moved to a directory on the server called Previous. This allows you to roll back updates, if necessary.
6 On the Schedule page, choose when you want ePolicy Orchestrator to check the McAfee site for updates.
• Schedule the task to run Daily, with No End Date.
• Set Schedule to between 9:00am and 11:00pm.
• Set every to two or three hours.
TIP: McAfee recommends checking for updates several times each day to ensure you have the latest content.
7 Click Next.
8 On the Summary page, click Save. The console returns to the Server Tasks page.
9 Find the Update Master Repository task and, under the Actions column, click Run. This immediately retrieves the current updates, and opens the Server Task Log.
Checking the status of the pull task
The Server Task Log is useful to show the status of the McAfee Pull task. Use this task to verify that the Update Master Repository task has finished pulling updates from the McAfee site.
Task
1 Click Menu | Automation | Server Task Log.
2 In the list of tasks, find the Update Master Repository task.
3 The task is finished when the Status column reports Completed.
Add Systems to Manage
The ePolicy Orchestrator System Tree organizes managed systems in units for monitoring, assigning policies, scheduling tasks, and taking actions. These units are called groups, which are created and administered by global administrators or users with the appropriate permissions, and can include both systems and other groups. Before you start managing endpoint policies for client systems on your network, you must add those systems to your System Tree.
There are several methods of organizing and populating the System Tree:
• Manually structure your System Tree by creating your own groups and adding individual systems.
• Synchronize with Active Directory or NT domain as a source for systems. In the case of using Active Directory, synchronization also provides System Tree structure.
• Create your own groups based on IP ranges or subnets. This is called criteria-based sorting.
• Import groups and systems from a text file.
The workflow in this section uses the manual approach to create a simple structure for evaluation. While this method can be too slow when deploying ePolicy Orchestrator in a live network, it is a useful way to add a small number of systems in your test network. You can try the other approaches once you become familiar with ePolicy Orchestrator.
Creating your System Tree groups
Use this task to add groups to your System Tree. For this exercise, we are creating two groups, Servers and Workstations.
1 Click Menu | Systems | System Tree, then click Group Details on the menu bar.
2 Highlight My Organization, then click New Subgroup.
3 Type Test Group, then click OK. The new group appears in the System Tree.
4 Highlight Test Group, click New Subgroup, type Servers, and click OK.
5 Repeat Step 4, but type Workstations for the group name. Once you return to the Group page, highlight Test Group. Your Servers and Workstations groups are listed on the Group page. The groups are alphabetically arranged.
Adding systems to your System Tree groups
Use this task to manually add a few test systems to your ePO System Tree.
1 In the System Tree, highlight the Workstations group and click System Tree Actions | New Systems.
2 For How to Add Systems, select Add systems to the current group, but do not deploy agents.
3 For Systems to Add, type the NetBIOS name for each system in the text box, separated by commas, spaces, or line breaks. You can also click Browse to select systems.
4 Verify that System Tree sorting is disabled.
5 Click OK.
6 As needed, repeat these steps to add systems to your Servers group.
Organizing new systems into your groups
By performing the tasks in the previous sections, you now have several groups and systems in your System Tree. In a live production environment, new systems contact the ePolicy Orchestrator server, and need to be placed in the System Tree. This occurs if you installed the McAfee Agent on new systems, through use of Rogue System Detection, or through another method. In these cases, systems are placed in the Lost&Found group.
ePolicy Orchestrator has a powerful group sorting function that allows you to set up rules about how systems sort themselves into your System Tree when they first contact the ePO server. For details on this feature, refer to Criteria-based sorting in the ePolicy Orchestrator 4.5 Product Guide.
In this exercise, you will create a system sorting rule based on tags. ePolicy Orchestrator creates two default tags, Server and Workstation, which you can use. The sorting rule does not function until a system that is not in the System Tree calls in to the ePO server. You can also schedule the sorting rule, or run it manually.
Task
Use this task to create a sorting rule based on the default tags.
1 Click Menu | Systems | System Tree, then click Group Details on the menu bar.
2 Highlight Test Group.
3 At the top of the Group page, locate the label Sorting Criteria and click Edit.
4 Select Systems that match any of the criteria below (IP addresses and/or tags).
The page expands with additional options.
5 Click Add Tag.
6 From the drop-down menu, select Server, click the plus sign (+), then select Workstation.
7 Click Save.
8 In the System Tree, highlight My Organization.
9 In the Sorting Order list, find the entry for Test Group. In the Actions column, click Move Up until the group is at the top of the list. Now this group is the first to be evaluated when new systems are put into the System Tree.
More on working with the System Tree
You can use many types of groupings to organize your System Tree.
Along with groups, you can add tags to your systems to further identify them, using a trait based on the system's properties.
Setting Policies for Endpoints
Policies are used to set the configuration for the various Total Protection for Endpoint products that run on client systems, such as the McAfee Agent and VirusScan Enterprise.
To have your policies reflect the configuration settings and exclusions you require, McAfee recommends creating the policies before making policy assignments. It is helpful to name a policy so it describes its function. Creating your own "named policies" makes it easy to apply policies based on the role or function of systems.
This section steps you through a few policy changes, which might be useful in a production environment, for the McAfee Agent, VirusScan Enterprise, Host Intrusion Prevention, and SiteAdvisor Enterprise. Use the following real-time examples and learn how to set policies, so you will know how to make policies specific to your environment.
If you install all products in Total Protection for Endpoint, McAfee recommends that you perform all the tasks in this section.
Creating policies for the McAfee Agent
When evaluating McAfee Total Protection for Endpoint, it is helpful to have access to the McAfee Agent system tray icon on client systems. This policy option is enabled by default. It allows you to view the local Agent Status Monitor on the client, to see the communication of the client with the ePO Server. It is also possible to remotely see a client’s Agent log through your browser.
Another reason to change the McAfee Agent policy might be slow WAN connections to remote offices, or a very large number of managed nodes.
For example, you might determine that systems communicating over slower links should contact ePolicy Orchestrator every 180 minutes, which is eight times a day rather than the default of 24. For this case, you might create a policy called "Low bandwidth" or "3 hour polling" and change the Agent to Server Connection Interval option to 180 minutes from the default of 60.
Use the following task to create a policy that enables remote access to the McAfee Agent log on client systems:
Task
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select McAfee Agent.
3 On the line that lists McAfee Default, click Duplicate.
4 For Name, type Remote Log Access, then click OK.
5 On the line that lists your new policy, click Edit Settings.
6 Click the Logging tab and select Enable remote access to log.
7 Click Save.
ePolicy Orchestrator provides you with the option to access the McAfee Agent log on each system remotely.
NOTE: To view the Agent Log on a remote system, type the following in a web browser: http://<computer name or IP address>:8081 (where 8081 is the default port for the Agent Wake Up call). If you changed this port number, use the port you specified.
Creating policies for VirusScan Enterprise
This section covers three examples of VirusScan Enterprise policies. The first is designed to prevent users from making changes to VirusScan settings on their managed systems. The second establishes database exclusions on servers. The third temporarily modifies the Unwanted Programs Policy.
Locking the local VirusScan console
Use this task to modify the default VirusScan Enterprise User Interface Policy to prevent users from tampering with the local VirusScan interface. VirusScan Enterprise runs on both workstations and servers; therefore, the VirusScan policies have separate settings for each platform. In this case, you want to make changes only to the workstation settings.
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 From the Category drop-down menu, select User Interface Policies.
4 On the line that lists McAfee Default, click Duplicate.
5 For Name, type Lock VSE Console, then click OK.
6 On the line that lists your new Lock VSE Console policy, click Edit Settings.
7 On the menu bar, click Password Options.
8 Make sure the Settings for option is set to Workstation.
9 For User interface password, select Password protection for all items listed.
10 Type a password in the boxes provided, then click Save.
Creating file exclusions on a server
NOTE: In the above examples, you created your new policies in Policy Catalog. In this example you will create the new policy from the System Tree, achieving the same results through a different workflow. In addition, this second method applies your new policy to a specific group upon creation.
Use this task to create a VirusScan policy that excludes two hypothetical database files on a server. Creating these types of scanning exclusions is a typical practice on many database and mail servers.
We will follow the second method of creating a policy, that is, from the System Tree as opposed to the Policy Catalog. The result is the same; it's just another way of achieving it.
1 Click Menu | Systems | System Tree, then click Assigned Policies on the menu bar.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 Expand Test Group, then click your Servers group. This policy can be configured prior to adding systems to this group.
4 To the right of On-Access Default Processes Policies, click Edit Assignment.
5 For Inherit from, select Break inheritance and assign the policy and settings below.
6 For Assigned policy, click New Policy.
7 In the Create a new policy dialog box, type Database AV Exclusions, then click OK. This opens the policy editor.
8 From the Settings for drop-down menu, select Server.
9 On the menu bar, click Exclusions.
10 For What not to scan, click Add.
11 In the dialog box, select By pattern and type data.mdf, then click OK. Click Add again, and type data.ldf as another exclusion, then click OK.
Only the file name is specified in this task. In a real environment, you might want to specify a full path to narrow your exclusions.
12 Once both exclusions are listed, click Save.
Take the example of Microsoft Exchange Server; the following link takes you to Microsoft's recommended exclusions when running file-level antivirus on Exchange 2007:
http://technet.microsoft.com/en-us/library/bb332342.aspx.
Although a bit more extensive in terms of the number of exclusions, a VirusScan policy for the Microsoft Exchange Server scenario would be configured in the same manner as in this example.
Allowing email servers to send emails using Port 25
By default, VirusScan Enterprise blocks outbound traffic on Port 25, except for an editable list of excluded applications. This prevents any new mass mailing worms from propagating even before an anti-virus definition is available. While the list of excluded processes covers many client email applications, you can either disable the rule or modify its exclusions to allow mail to be sent by email servers or other systems that send alerts via SMTP. Both options are described below.
Use either of the following tasks to create a VirusScan policy that allows email servers to send emails using Port 25.
Option 1: Turning OFF the Port block rule
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 From the Category drop-down menu, select Access Protection Policies.
4 On the line that lists McAfee Default, click Duplicate.
5 For Name, type Allow Outbound Email, then click OK.
6 On the line that lists your new Allow Outbound Email policy, click Edit Settings.
7 Make sure the Settings for option is set to Server.
8 For Categories under Access protection rules, select Anti-virus Standard Protection.
9 Deselect the Block option for Prevent mass mailing worms from sending email.
NOTE: Deselecting the Report option will prevent events from being sent to the ePO server. There will be no reporting of additional processes using Port 25.
10 Click Save.
Option 2: Excluding the process name
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 From the Category drop-down menu, select Access Protection Policies.
4 On the line that lists McAfee Default, click Duplicate.
5 For Name, type Allow Outbound Email, then click OK.
6 On the line that lists your new Allow Outbound Email policy, click Edit Settings.
7 Make sure the Settings for option is set to Server.
8 For Categories under Access protection rules, select Anti-virus Standard Protection.
9 Select Prevent mass mailing worms from sending email, then click Edit.
10 Under Processes to exclude, type the name of the process that sends the email.
NOTE: Use a comma to delimit the process names.
11 Click OK, then Save.
If you do not know the exact process name, you can get it from VirusScan's AccessProtectionLog.txt file, if the rule has already been triggered. If you would like to get the process name before the rule is actually triggered and blocks traffic, you can create a policy that instructs VirusScan to log the event and not block. Follow steps 1-10 outlined in Option 1 above. Once the rule has been triggered, the process name will be visible in the local log file and in ePO reporting. To access the local log file on your server, open the VirusScan Console, right-click Access Protection and click View Log.
After you have created the desired policy, you will need to apply it to the group or individual client computers that require this configuration.
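The log review described above can be scripted once the rule has run in report-only mode. The following is an added example, not McAfee tooling: the tab-separated log layout, the sample lines, and the process names are constructed assumptions, so the parser locates fields by content rather than by column position.

```python
import ntpath
import re
from collections import defaultdict

# Rule name as this guide spells it, lower-cased for case-insensitive matching.
RULE_FRAGMENT = "prevent mass mailing worms from sending"
# Destination field such as 10.0.0.25:25 (field layout is an assumption).
DEST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):25$")


def _line(*fields):
    """Build one tab-separated log line for the constructed sample."""
    return "\t".join(fields)


RULE = "Anti-virus Standard Protection:Prevent mass mailing worms from sending email"
REPORTED = "Would be blocked by port blocking rule (rule is currently not enforced)"

# Constructed sample input; process names and addresses are hypothetical.
SAMPLE_LOG = "\n".join([
    _line("9/15/2009", "10:22:31 AM", REPORTED,
          r"C:\Program Files\BackupTool\bkpalert.exe", RULE, "10.0.0.25:25"),
    _line("9/15/2009", "10:25:02 AM", REPORTED,
          r"D:\MailRelay\MailRelay.exe", RULE, "10.0.0.25:25"),
    _line("9/15/2009", "11:01:47 AM", REPORTED,
          r"C:\Program Files\BackupTool\bkpalert.exe", RULE, "10.0.0.25:25"),
    _line("9/15/2009", "11:30:09 AM", REPORTED,
          r"C:\Temp\unknown_tool.exe", RULE, "192.0.2.10:25"),
    _line("9/15/2009", "11:31:00 AM", "Blocked by Access Protection rule",
          r"C:\Windows\notepad.exe", "Some other rule (constructed)", ""),
])


def summarize_rule_hits(log_text, rule_fragment=RULE_FRAGMENT):
    """Return {process_name: {"hits": int, "destinations": set of IPs}}
    for every log line that names the mass-mailing rule."""
    summary = defaultdict(lambda: {"hits": 0, "destinations": set()})
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if not any(rule_fragment in f.lower() for f in fields):
            continue  # entry belongs to a different Access Protection rule
        exe = next((f for f in fields if f.lower().endswith(".exe")), None)
        if exe is None:
            continue  # no process recorded, nothing to exclude
        entry = summary[ntpath.basename(exe).lower()]
        entry["hits"] += 1
        for f in fields:
            match = DEST_RE.match(f)
            if match:
                entry["destinations"].add(match.group(1))
    return dict(summary)


def exclusion_value(summary, approved):
    """Build the comma-delimited 'Processes to exclude' value.

    Only processes an administrator has explicitly approved are included;
    every other process that hit the rule is returned for review instead
    of being excluded automatically.
    """
    approved_set = {name.lower() for name in approved}
    allowed = sorted(p for p in summary if p in approved_set)
    review = sorted(p for p in summary if p not in approved_set)
    return ",".join(allowed), review


if __name__ == "__main__":
    hits = summarize_rule_hits(SAMPLE_LOG)
    for name, info in sorted(hits.items()):
        print(name, info["hits"], sorted(info["destinations"]))
    value, review = exclusion_value(hits, approved=["bkpalert.exe", "MailRelay.exe"])
    print("Processes to exclude:", value)
    print("Needs review before excluding:", review)
```

Processes left in the review list should be investigated rather than added to the exclusion, since every excluded process name bypasses the mass-mailing protection on the systems the policy is assigned to.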
Creating policies for the AntiSpyware Enterprise module
When the AntiSpyware module is installed, it is immediately active and cleans or deletes any potentially unwanted programs (PUPs) it finds. While it detects and cleans spyware and adware, there are other PUPs that you might not want it to clean, such as your IT department's administrative tools. For example, you might have remote administrative tools, port scanners, or password cracking utilities that your IT staff uses. Many of these tools have legitimate uses on the network by administrators.
This section presents a methodology for detecting the PUPs on your network to discover what exists, create exclusions for any with legitimate purposes, then configure the scanner to block the remainder.
The task modifies the VirusScan On Access Scan settings to log PUPs that it finds, but not delete them. VirusScan continues to detect and clean viruses, worms, Trojan horses, and other threats. The intent is to check for PUPs in "audit mode" for a few days or a week, check the PUP detection reports in ePolicy Orchestrator, and identify your required exclusions.
Later, you will change the policy assignment so it once again cleans PUPs.
Task
Use this task to modify the default VirusScan On Access Scan policy so that PUPs are audited on your managed systems.
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 In the Category column, select On-Access Default Processes Policies.
4 On the line that lists McAfee Default, click Duplicate.
5 For Name, type Audit for PUPs, then click OK.
6 On the line that lists your new policy, click Edit Settings.
7 From the Settings for drop-down menu, select Workstation.
8 On the menu bar, click Actions.
9 For When an unwanted program is found, select Allow access to files from the drop-down menu for the first action to perform. This disables the secondary action.
10 Click Save.
Creating policies for SiteAdvisor Enterprise Plus
In this section, you will create a SiteAdvisor Enterprise Plus Rating Actions policy and an Enforcement Messaging policy.
Creating a Rating Actions policy
Use this task to create a new policy to block users from accessing sites that contain threats, or to warn users about potential threats on sites.
The options for the Rating Actions policy let you use the SiteAdvisor ratings (yellow, red, or unrated) to determine whether users can access a site or a site's resources, such as download files.
• For each yellow, red, or unrated site, specify whether to allow, warn, or block the site.
• For each yellow, red, or unrated download file, specify whether to allow, warn, or block the download. This provides a greater level of granularity in protecting users against individual files that might pose a threat on sites with an overall green rating.
• For each phishing page, specify whether to block or allow access. This provides a greater level of granularity in protecting users from pages that employ phishing techniques on a site with an overall green rating.
Task
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select SiteAdvisor Enterprise Plus.
3 From the Category drop-down menu, select Rating Actions.
4 On the line that lists McAfee Default, click Duplicate.
5 For Name, type Rating Actions Policy, then click OK.
6 On the line that lists your new policy, click Edit Settings.
7 For Site navigation rating actions, set Warn on yellow sites, set Block on red sites, and set Warn on unrated sites.
8 Click Save.
Creating an Enforcement Messaging policy
Use this task to create a new policy to customize messages displayed to users when they attempt to access a site where you have associated an action with the site's rating. This message appears in safety balloons and on Warn or Block pages.
Task
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select SiteAdvisor Enterprise Plus.
3 From the Category drop-down menu, select Enforcement Messaging.
4 On the line that lists McAfee Default, click Duplicate.
5 For Name, type Enforcement Messaging, then click OK.
6 On the line that lists your new policy, click Edit Settings.
7 Click the Site tab.
8 Select a language.
9 Type a message of up to 50 characters for these circumstances:
• For sites you have configured as Warn, type a warning message.
• For sites you have configured as Block, type a "blocked access" message.
• For sites you have configured as Allow, type an "allowed access" message.
10 Click Save.
Assigning policies to systems
You now have several policies to assign to the systems in your System Tree. For this part, you will assign all the policies from the System Tree interface.
1 Click Menu | Systems | System Tree, then click Assigned Policies on the menu bar.
2 Highlight Test Group.
3 Assign the McAfee Agent policy:
• From the Product drop-down menu, select McAfee Agent.
• On the line that lists My Default, click Edit Assignment.
• For Inherit from, select Break inheritance and assign the policy and settings below.
• From the Assigned Policy drop-down menu, select Remote Log Access.
• Click Save.
4 Assign the SiteAdvisor Enterprise Plus policies:
• From the Product drop-down menu, select SiteAdvisor Enterprise Plus.
• On the line that lists Rating Actions, click Edit Assignment.
• For Inherit from, select Break inheritance and assign the policy and settings below.
• From the Assigned Policy drop-down menu, select Rating Actions Policy.
• Click Save.
• On the line that lists Enforcement Messaging, click Edit Assignment.
• For Inherit from, select Break inheritance and assign the policy and settings below.
• From the Assigned Policy drop-down menu, select Enforcement Messaging Policy.
• Click Save.
5 Assign the VirusScan Enterprise policies:
NOTE: When you created the Database AV Exclusions policy, you also assigned it to the Servers group.
• From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
• On the line that lists User Interface Policies, click Edit Assignment.
• For Inherit from, select Break inheritance and assign the policy and settings below.
• From the Assigned Policy drop-down menu, select Lock VSE Console.
• Click Save.
• On the line that lists On-Access Default Processes Policies, click Edit Assignment.
• For Inherit from, select Break Inheritance and assign the policy and settings below.
• From the Assigned Policy drop-down menu, select Audit for PUPs.
• Click Save. When you return to the Assigned Policies page, select My Organization. You will see that On-Access Default Processes Policies has an entry in the Broken Inheritance column. This is because you already assigned the Database AV Exclusions policy to the Servers group.
Host Intrusion Prevention policies
McAfee Host Intrusion Prevention provides three types of protection: IPS, Firewall, and Application Blocking. In a default installation, IPS protection is set to Prevent High Severity Intrusions, while the firewall and application blocking policies are disabled. This provides out-of-the-box protection that extends the basic capabilities of VirusScan Enterprise buffer overflow protection, as well as protecting against many Microsoft vulnerabilities, while not impeding business operations.
This section gets you started with a basic firewall policy, and provides guidance about other rules you might apply or tune. Firewall Rules policies contain the Allow and Block rules that govern the traffic flow on protected computers. McAfee makes it easy to get started with endpoint firewall protection by including several preconfigured policies in Host Intrusion Prevention.
The "Typical Corporate Environment" policy can be used as a baseline firewall policy. This is a full-featured policy that meets the needs of most organizations. Use this policy as a starting point, then combine the results from applying the Adaptive mode to learn and verify any additional rules. This policy should generate fewer learned client rules in Adaptive mode, compared to existing default firewall policies.
The first time you deploy a firewall policy, you might want to let clients learn the communication needs of the various applications on your protected computers. This learning process is called Adaptive mode. In this mode, the firewall automatically appends rules to the policy to allow traffic that is not already handled by the Firewall Rules policy. This is done without prompting users. At each agent-server communication, the McAfee Agent sends any rules learned at the client computer to ePolicy Orchestrator. You can review these "Client Learned Rules" by going to Menu | Reporting | Host IPS in the interface. From this screen you can see which rules the Host Intrusion Prevention clients have added, and promote rules to policies.
For detailed guidance on tuning the IPS functions beyond the default, refer to the White Paper Adopting McAfee Host Intrusion Prevention: Best practices for quick success, available through your McAfee Support or Sales contacts.
Use the following tasks to set firewall rules according to the Typical Corporate Environment template, and to set firewall options to use Adaptive mode.
Assigning a Firewall Rules policy
1 Click Menu | Systems | System Tree, then select Assigned Policies from the menu bar.
2 In the System Tree, expand Test Group, then highlight the Workstations group.
3 From the Product drop-down menu, select Host Intrusion Prevention 7.X.X:Firewall.
4 In the Category column, find Firewall Rules (Windows), then click Edit Assignment.
5 For Inherit from, select Break inheritance and assign the policy and settings below.
6 From the Assigned Policy drop-down menu, select Typical Corporate Environment.
7 Click Edit Policy, and review the existing rule settings.
8 Click Cancel to exit the policy's edit page.
9 When you return to the Policy Assignment page, click Save.
If you want to change the rule settings in the Typical Corporate Environment policy, you can duplicate it and make adjustments.
Setting Firewall Options
1 Click Menu | Systems | System Tree, then select Assigned Policies from the menu bar.
2 In the System Tree, expand Test Group, then highlight the Workstations group.
3 From the Product drop-down menu, select Host Intrusion Prevention 7.X.X:Firewall.
4 In the Category column, find Firewall Options (Windows), then click Edit Assignment.
5 For Inherit from, select Break inheritance and assign the policy and settings below.
6 From the Assigned Policy drop-down menu, select Adaptive to let the firewall create rules for traffic not already handled by the Firewall Rules policy.
7 Click Save.
For more information about managing the Host Intrusion Prevention Firewall, review the Host Intrusion Prevention Product Guide. Links to Technical Briefs and other documentation are provided in the References section.
Setting Policies for Email Servers
McAfee provides protection for your Microsoft Exchange and Lotus Domino servers. It protects against viruses, unwanted content, potentially unwanted programs, banned file types/messages, and supports content filtering within the email messages.
• McAfee GroupShield® 7.0.1 for Microsoft Exchange — Protects your email and other documents as they enter and leave your Microsoft Exchange server.
• McAfee Security for Lotus Domino, v7.5 on Windows — Protects your email and other documents as they enter and leave your Lotus Domino server.
It also supports anti-spam and anti-phish functionality for inbound messages through an add-on package. It matches an extensive set of rules against every email message, then computes an overall spam score.
GroupShield for Microsoft Exchange policies
In the following sections, you will create GroupShield for Microsoft Exchange sample policies for the banned content, anti-spam and anti-phish scanners. McAfee recommends that you use the default anti-virus policies as they are defined. Start with the default anti-spam policies and fine-tune the thresholds as needed. The examples are meant for illustration purposes only.
Configuring banned content policies
This section provides an example of filtering banned content. Use this task to create a policy that requires any email with the words "Company Confidential" in a document attachment to have the message replaced with an alert, and a notification sent to the administrator.
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select GroupShield for Exchange 7.0.1.
3 From the Category drop-down menu, select Scanner Settings.
4 On the line that lists My Default, click Duplicate.
5 For Name, type My Exchange Policy, then click OK.
6 On the line that lists My Exchange Policy, click Edit Settings.
7 Under Policy Manager, click Shared Resource.
8 Click the Filter Rules tab.
9 To create a new content scanner rule category, click New Category.
NOTE: If you are using Internet Explorer 7.0 and your browser security is set to a level higher than "Medium", you will receive a warning “This website is using a scripted window to ask you for Information. If you trust this website, click here to allow scripted windows…”. Click on the warning and select "Temporarily Allow scripted windows". You must click New Category again to continue.
10 For Name, type Content, then click OK.
11 To create a new rule for the category, click Create New under Content Scanner Rules.
12 For Rule Name, type Blocked content.
13 Provide a description, and select the option Add this rule to this category's rules group.
14 Select the Word or Phrase tab. In the The rule will trigger when the following word or phrase is found text box, type Company Confidential and select Ignore Case.
15 Select the File Format tab. Deselect the Everything option. Under File Categories, select Documents. Under Subcategories, select All.
16 Click Save.
17 Click Save again when on the Shared Resource page.
18 Under Policy Manager, click On-Access.
19 Click Master Policy.
20 Under Core Scanners, select Active for Content Scanning. In the Name column, click Content Scanning.
21 Select the View Settings tab. From the Selection drop-down menu, select Content Scanning.
22 Under Options, select Include document and database formats in content scanning and Scan the text of all attachments.
23 When you receive the warning about this causing high CPU usage, click OK.
24 For the Content Scanner rules and associated actions section, click Add rule.
25 From the Select rules group drop-down menu, select Content. The Select rules from this group option should contain "Blocked content". Select Blocked Content.
26 From the If detected, take the following action drop-down menu, select Replace item with an alert. Under the And Also section, select Notify administrator.
27 Click Save.
28 Click Save again when on the On-Access Policies page.
Configuring anti-spam scanner policies
Use this task to configure a policy that requires any "spam" email with a high score to be rejected.
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select GroupShield for Exchange 7.0.1.
3 From the Category drop-down menu, select Scanner Settings.
4 On the line that lists My Exchange Policy, click Edit Settings.
5 Under Policy Manager, click Gateway.
6 Click Master Policy.
7 Click the View Settings tab. From the Selection drop-down menu, select Anti-Spam.
8 For the Actions to take if spam is detected section, click Edit.
9 Click the High Score tab.
10 From the Take the following action drop-down menu, select Reject the Message. Under the And Also section, deselect Quarantine message.
11 Click Save.
12 Click Save again when on the External Mail Policies page.
Configuring anti-phish scanner policies
Use this task to configure a policy that logs any phish email message.
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select GroupShield for Exchange 7.0.1.
3 From the Category drop-down menu, select Scanner Settings.
4 On the line that lists My Exchange Policy, click Edit Settings.
5 Under Policy Manager, click Gateway.
6 Click Master Policy, or if you are still on the My Exchange policy page, select Master Policy from the Policy drop-down menu.
7 Click the View Settings tab. From the Selection drop-down menu, select Anti-Phishing.
8 For the Actions to take section, click Edit.
9 Under the And Also section, select Log.
10 Click Save.
11 Click Save again when on the External Mail Policies page.
Assigning policies to Exchange servers
Use this task to assign the policies you configured to your Microsoft Exchange servers.
1 Click Menu | Systems | System Tree, and click Assigned Policies on the menu bar.
2 Expand Test Group, and highlight Servers.
3 From the Product drop-down menu, select GroupShield for Exchange 7.0.1.
4 On the line for Scanner Settings, click Edit Assignment.
5 Select Break inheritance and assign the policy and settings below.
6 From the Assigned policy drop-down menu, select My Exchange Policy.
7 Click Save.
8 Click Systems on the menu bar.
9 Click Actions | Agent | Wake Up Agents.
10 Under Wake Up McAfee Agent, set Randomization to zero minutes.
11 Click OK.
NOTE: You may not have set up an Exchange server as part of your evaluation, in which case the GroupShield policies created are not applied to any client computers. However, the above policy examples provide a good introduction to configuring and applying policies for your email servers.
McAfee Security for Lotus Domino policies
In the following sections, you will create McAfee Security for Lotus Domino sample policies for the banned content, anti-spam and anti-phish scanners. McAfee recommends that you use the anti-virus default policies as they are defined. Start with the default anti-spam policies and fine-tune the thresholds as needed. The examples are meant for illustration purposes only.
Configuring banned content policies
This section provides an example of filtering banned content. Use this task to create a policy that requires any email with the words "Company Confidential" in a document attachment to have the message replaced with an alert, and a notification sent to the administrator.
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select McAfee Security for Lotus Domino 7.5.x.x.
3 From the Category drop-down menu, select Scanner Settings.
4 On the line that lists My Default, click Duplicate.
5 For Name, type My Domino Policy, then click OK.
6 On the line that lists My Domino Policy, click Edit Settings.
7 Under Policy Manager, click Shared Resource.
8 Click the Filter Rules tab.
9 To create a new content scanner rule category, click New Category.
NOTE: If you are using Internet Explorer 7.0 and your browser security is set to a level higher than "Medium", you will receive a warning “This website is using a scripted window to ask you for Information. If you trust this website, click here to allow scripted windows…”. Click on the warning and select "Temporarily Allow scripted windows". You must click New Category again to continue.
10 For Name, type Content, then click OK.
11 To create a new rule for the category, click Create New under Content Scanner Rules.
12 For Rule Name, type Blocked content.
13 Provide a description, and select the option Add this rule to this category's rules group.
14 Select the Word or Phrase tab. In the The rule will trigger when the following word or phrase is found text box, type Company Confidential and select Ignore Case.
15 Select the File Format tab. Deselect the Everything option. Under File Categories, select Documents. Under Subcategories, select All.
16 Click Save.
17 Click Save again when on the Shared Resource page.
18 In the Policy Catalog, click Edit Settings.
19 Under Policy Manager, click External Mails.
20 Click Master Policy.
21 Under Core Scanners, select Active for Content Scanning. In the Name column, click Content Scanning.
22 Select the View Settings tab. From the Selection drop-down menu, select Content Scanning.
23 Under Options, select Include document and database formats in content scanning and Scan the text of all attachments.
24 When you receive the warning about this causing high CPU usage, click OK.
25 For the Content Scanner rules and associated actions section, click Add rule.
26 From the Select rules group drop-down menu, select Content. The Select rules from this group option should contain "Blocked content". Select Blocked Content.
27 From the If detected, take the following action drop-down menu, select Replace item with an alert. Under the And Also section, select Notify administrator.
28 Click Save.
29 Click Save again when on the External Mail Policies page.
Configuring anti-spam scanner policies
Use this task to configure a policy that requires any "spam" email with a high score to be deleted.
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select McAfee Security for Lotus Domino 7.5.x.x.
3 From the Category drop-down menu, select Scanner Settings.
4 On the line that lists My Domino Policy, click Edit Settings.
5 Under Policy Manager, click External Mails.
6 Click Master Policy.
7 Click the View Settings tab. From the Selection drop-down menu, select Anti-Spam.
8 For the Actions to take if spam is detected section, click Edit.
9 Click the High Score tab.
10 From the Take the following action drop-down menu, select Delete Message. Under the And Also section, deselect Quarantine message.
11 Click Save.
12 Click Save again when on the External Mail Policies page.
Configuring anti-phish scanner policies
Use this task to configure a policy that logs any phish email message.
1 Click Menu | Policy | Policy Catalog.
2 From the Product drop-down menu, select McAfee Security for Lotus Domino 7.5.x.x.
3 From the Category drop-down menu, select Scanner Settings.
4 On the line that lists My Domino Policy, click Edit Settings.
5 Under Policy Manager, click External Mails.
6 Click Master Policy, or if you are still on the My Domino policy page, select Master Policy from the Policy drop-down menu.
7 Click the View Settings tab. From the Selection drop-down menu, select Anti-Phishing.
8 For the Actions to take section, click Edit.
9 Under the And Also section, select Log.
10 Click Save.
11 Click Save again when on the Gateway Policies page.
Assigning policies to IBM Lotus Domino servers
Use this task to assign the policies you configured to your IBM Lotus Domino servers.
1 Click Menu | Systems | System Tree, and click Assigned Policies on the menu bar.
2 Expand Test Group, and highlight Servers.
3 From the Product drop-down menu, select McAfee Security for Lotus Domino 7.5.x.x.
4 On the line for Scanner Settings, click Edit Assignment.
5 Select Break inheritance and assign the policy and settings below.
6 From the Assigned policy drop-down menu, select My Domino Policy.
7 Click Save.
8 Click Systems on the menu bar.
9 Click Actions | Agent | Wake Up Agents.
10 Under Wake Up McAfee Agent, set Randomization to zero minutes.
11 Click OK.
NOTE: You may not have set up a Lotus Domino server as part of your evaluation, in which case the policies created are not applied to any client computers. However, the above policy examples provide a good introduction to configuring and applying policies for your email servers.
Set Tasks for Endpoints
You have now created a System Tree, added some client systems, checked in the software, and configured your policies. Next, you will schedule the deployment of VirusScan Enterprise, and the other security products. Product deployment is accomplished using a client task that the McAfee Agent retrieves and executes. You also use client tasks for scheduling scans and updating.
After creating the deployment and update tasks in this section, create a VirusScan Enterprise On-Demand Scan task.
Before you begin
Verify if any other third-party anti-virus product exists on your client computer(s). McAfee VirusScan Enterprise will check for the existence of 200+ anti-virus products including the previous McAfee versions. If any third party anti-virus software exists, VirusScan will invoke the uninstaller of the software.
If you want to successfully deploy VirusScan and remove any third-party anti-virus software, ensure that:
• You remove any "Uninstall Password" option that is set in the third-party anti-virus software
management console.
• You disable any "Self Protection" feature that is set in the third-party anti-virus software
management console.
While McAfee updates the anti-virus products list periodically, some products might not be recognized and removed automatically. In such cases you must look for tools or scripts that will help you automate the removal.
Creating a deployment task
In this section, you create a client task that deploys one or more products to a group of systems. This task assumes you checked in all the endpoint products during installation. If not, only the products you checked in are available in the product list (Step 5).
1 Click Menu | Systems | System Tree, then click Client Tasks on the menu bar.
2 Highlight My Organization, then click New Task.
3 For Name, type McAfee Deployment.
4 For Type, select Product Deployment from the drop-down list, then click Next.
5 On the Configuration page under Products and components, select your endpoint
products. Use the plus symbol (+) to add additional lines. For each product, set Action to Install, and set Language to the language used on your client systems. From the Products and components drop-down list:
• Select VirusScan Enterprise 8.7.0.xxx, then click +.
• Select AntiSpyware Enterprise Module 8.7.0.xxx, then click +.
• Select Host Intrusion Prevention 7.0.0.xxx, then click +.
• Select SiteAdvisor Enterprise Plus 3.0.0.xxx.
6 On the Schedule page, set these options, then click Next:
• Schedule status: Enabled
• Schedule type: Run Immediately
7 On the Summary page, click Save.
When deploying to a large number of systems in a production environment, McAfee recommends using the Randomization option on the Schedule page. Task randomization helps avoid client systems sending numerous simultaneous requests to the server. Typically in a live environment, you might want to schedule deployments at specific times of the day. Setting the schedule to Run Immediately speeds up the deployment process for evaluation purposes.
Creating an update task
In this section, you create a client task that updates the VirusScan engine and DATs, and the Host Intrusion Prevention content.
1 Click Menu | Systems | System Tree, then click Client Tasks on the menu bar.
2 Highlight Test Group, then click New Task.
3 For Name, type Daily Update.
4 For Type, select Product Update from the drop-down list, then click Next.
5 On the Configuration page, select Host Intrusion Prevention Content, DAT, then
click Next.
6 On the Schedule page, set Schedule type to Daily.
NOTE: If you are updating a large number of systems, McAfee recommends specifying
some randomization to stagger the client requests.
7 For Options, select Run missed task.
8 Set Schedule to Repeat Between, and set the time values to 7:00am, 6:59am, and
every 4 hours.
9 On the Summary page, click Save.
The time span for the schedule is an example only. Typically in a live environment, you want to schedule client systems to check for updates throughout the day. The scheduling options allow you to set up any schedule you require.
Systems that temporarily disconnect from your network (for example, laptops) continue to run their assigned update tasks. In such a case, the laptop retrieves updates from the McAfee site (rather than the ePO server) while in a hotel or anywhere there is an Internet connection.
Creating an On-demand scan task
In this section, you create a client task that does a weekly scan on the client computers.
1 Click Menu | Systems | System Tree, then click Client Tasks on the menu bar.
2 Highlight Test Group, then click New Task.
3 For Name, type Weekly Scan.
4 For Type, select On Demand Scan (VirusScan Enterprise 8.7.0) from the drop-down
list, then click Next.
NOTE: If you are performing the “PUP audit” as described in a previous section, click
Actions and then select Continue Scanning in the When an Unwanted Program is Found drop down menu.
5 The rest of the default settings are fine for testing. However when you click the Task tab,
there is an option to apply this scan task to servers, workstations or both, as you might create different tasks based on the platform. There is no need to enter credentials on this page, as the scan runs using the System Account, so just click Next.
6 On the Schedule page, set Schedule type to Weekly, select the day and time to run
this task, then click Next.
7 On the Summary page, click Save.
Clients will retrieve the task instructions at their next communication with the server and then execute the task at the scheduled time. Later, try experimenting with the task settings. For instance, you can modify its schedule to Run Immediately, send an Agent Wake-Up Call to the clients to force an immediate scan if required and then set the schedule type back to weekly.
It is recommended to scan the entire drive(s) for this audit operation. Make sure that the client systems have the normal set of tools installed, so that the AntiSpyware module can also audit any registry entries associated with those applications. After creating and testing any required exclusions, remember to change the On-Demand Scanner settings back to "Clean PUPs", instead of "Continue Scanning". Reverting the policy to "Clean" is covered in the next section.
Deploy the McAfee Agent
The McAfee Agent is the distributed component of ePolicy Orchestrator that must be installed on each system in your network that you want to manage. The agent collects and sends information to the ePO server. It also installs and updates the endpoint products, and applies your endpoint policies. Systems cannot be managed by ePolicy Orchestrator unless the McAfee Agent is installed.
Before deploying the McAfee Agent, it is useful to verify communication between the server and systems, and access to the default administrator share directory. Also, you might need to create firewall exceptions.
1 Check that you can ping client systems by name. This demonstrates that the server can
resolve client names to an IP address.
2 Check for access to the default Admin$ share on the client systems: in the Windows
interface, click Start | Run, then type \\computer-name\admin$. If the systems are properly connected over the network, your credentials have sufficient rights, and the Admin$ shared folder is present, a Windows Explorer dialog box opens.
3 If an active firewall is running on any client systems, create an exception for Framepkg.exe.
This is the file ePolicy Orchestrator copies to the systems you want to manage.
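The name-resolution and Admin$ checks in steps 1 and 2 can be run for a whole list of test systems at once. The script below is an added example, not part of the McAfee guide; the function name and the host names are hypothetical, and it assumes you run it on the ePO server under the account you intend to use for the agent push. The firewall exception in step 3 still has to be created on the clients.

```powershell
# Added example: pre-deployment checks from the ePO server (not McAfee code).
# Function name and host names are hypothetical placeholders.
function Test-AgentDeployReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    foreach ($name in $ComputerName) {
        # Step 1a: can the server resolve the client name to an IP address?
        $addresses = @()
        try {
            $addresses = @([System.Net.Dns]::GetHostAddresses($name))
        } catch {
            Write-Verbose "$name did not resolve: $($_.Exception.Message)"
        }
        $resolved = $addresses.Count -gt 0

        # Step 1b: ping by name. A client firewall can drop ICMP even when
        # file sharing works, so this is reported separately.
        $pingOk = $false
        if ($resolved) {
            $pingOk = [bool](Test-Connection -ComputerName $name -Count 1 -Quiet)
        }

        # Step 2: is the default Admin$ share reachable with the current
        # credentials? This is the same test as typing the UNC path in Start | Run.
        $share = '\\{0}\admin$' -f $name
        $shareOk = $false
        if ($resolved) {
            try {
                $shareOk = [bool](Test-Path -LiteralPath $share -ErrorAction Stop)
            } catch {
                Write-Verbose "$share not accessible: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            ComputerName   = $name
            IPAddress      = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ', '
            ResolvesByName = $resolved
            PingOk         = $pingOk
            AdminShareOk   = $shareOk
            # Assumption of this example: a push needs name resolution and Admin$.
            ReadyForPush   = ($resolved -and $shareOk)
        }
    }
}

# Constructed host names; replace with the systems in your Test Group.
Test-AgentDeployReadiness -ComputerName 'TESTWKS01', 'TESTSRV01' |
    Format-Table -AutoSize
```

A system that shows AdminShareOk as False but PingOk as True usually points to credentials or a missing share rather than connectivity, which matches the three conditions listed in step 2.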
Deploying the agent
Use this task to deploy the McAfee Agent to your client systems.
1 Click Menu | Systems | System Tree, then click Systems on the menu bar.
2 Highlight Test Group. If this group has no systems, but has subgroups with systems, click
the Filter drop down and select This Group and All Subgroups.
3 Select one or more systems from the list, and click Actions | Agent | Deploy Agents.
4 Type credentials that have rights to install software on client systems, such as a Domain
Administrator, and click OK.
It will take a few minutes for the McAfee Agent to install and for client systems to retrieve and execute the installation packages for the endpoint products. When first installed, the agent determines a random time within 10 minutes for connecting to the ePO server to retrieve policies and tasks.
There are many other ways to deploy the McAfee Agent (see the ePolicy Orchestrator documentation or online help).
Verifying agent communication with ePolicy Orchestrator
Once the initial agent-server communication has occurred, the agent polls the server once every 60 minutes by default. This is known as the Agent to Server Communication Interval, or ASCI. Every time this occurs, the agent retrieves policy changes and enforces the policies locally.
With the default ASCI, an agent that polled the server 15 minutes ago will not pick up any new policies for another 45 minutes. However, you can force systems to poll the server with an Agent Wake Up Call. The Wake Up Call is useful when you need to force a policy change sooner than the next communication would occur. It also allows you to force clients to run tasks, such as an immediate update.
Use this task to verify whether your client systems are communicating with ePolicy Orchestrator.
1 Click Menu | Systems | System Tree, then click Systems on the menu bar.
2 Highlight your Servers or Workstations group.
3 If an IP address and user name are listed, the agent on the client system is communicating
with the server.
4 If five to ten minutes pass and systems do not have an IP address and user name, select
Actions | Agent | Wake Up Agents and click OK.
If sending a wake-up call fails to retrieve an IP address and user name, other environmental factors might be preventing the initial agent deployment. If this happens, you can copy the agent installer, Framepkg.exe, from the ePO server and run it on the client systems.
Verifying client software installation
Depending on how many products you deployed, the client installation process might take some time to complete. You can verify client installations from the ePO server, or on the client systems by right-clicking the McAfee system tray icon.
Use this task to verify client installations from the ePO server.
1 Click Menu | Systems | System Tree, then click Systems on the menu bar.
2 Highlight your Servers or Workstations group.
3 Select individual systems using the checkboxes, or use Select All in this Page or Select
All in all Pages.
4 Click Actions | Agent | Wake Up Agents.
5 If you are waking up a large number of systems, adding a few minutes of Randomization
is useful. Click OK.
6 After a few minutes, click individual systems. The System Details page provides information
about the system, including the installed McAfee software.
Revisiting the PUP audit VirusScan policy
At this point, the software installation client tasks have run, or are running, and all the policies you created in previous tasks are downloaded. If your test systems have clean, newly installed operating systems, you might not have any PUP detections. For the purpose of this exercise, assume that these items were detected on your clients:
• The remote administration tool Tight VNC.
• A port scanner called SuperScan.
Most PUPs are detected with both the family and name of the application. For instance, the port scanner called SuperScan is detected as PortScan-SuperScan, and TightVNC is detected as RemAdm-TightVNC. This is the basic nomenclature for the "detection names" as provided in ePO reports and local client log files.
After completing your audit of PUPs, use this task to create a new policy, based on your existing Unwanted Programs Policy, and add any required exclusions. This task uses SuperScan and Tight VNC as examples. You do not need to enter these exclusions now; you can refer back to this example if and when you need to make any actual exclusions.
1 Click Menu | Systems | System Tree, then click Assigned Policies on the menu bar.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 Highlight Test Group.
4 To the right of Unwanted Programs Policy, click Edit Assignment.
5 Select Break inheritance and assign the policy and settings below.
6 Click New Policy.
7 Type a name for the policy, such as PUP exclusions for IT staff, and click OK. The Policy editor
opens.
8 In the Unwanted Program Exclusions area, type PortScan-SuperScan and click the plus
symbol (+) on the right.
9 Type RemAdm-TightVNC, click + again, and type Reg-TightVNC.
TightVNC also requires a "Reg" exclusion for the Windows Registry entries for this application. This instructs the scanner not to clean the associated Registry entries for this program. SuperScan does not require a Reg exclusion as it is just a standalone executable.
10 Click Save.
It is safer to exclude only the tools you use, rather than deselecting an entire category. For example, considering remote administration tools, you might need to exclude a few tools for normal operations, but you might also want to know if the McAfee AntiSpyware module finds any non-approved, rogue tools of this nature on your network.
After completing the PUP audit, it is important that you change the VirusScan setting back to Clean, and create a policy with exclusions. If you don't revert the policy to clean PUPs, you won't remove spyware.
Resetting the On-Access Scan policy
Previously, you created a new policy that instructed the on-access scanner to detect PUPs but not clean them. Use this task to reapply the default scanner policy, which enables cleaning.
1 Click Menu | Systems | System Tree, then click Assigned Policies on the menu bar.
2 From the Product drop-down menu, select VirusScan Enterprise 8.7.0.
3 Highlight Test Group.
4 To the right of On-Access Default Processes Policies, click Edit Assignment.
5 For Inherit from, select Break inheritance and assign the policy and settings
below.
6 From the Assigned Policy drop-down menu, select My Default.
7 Click Save.
Verifying the On-Demand Scan task
In a previous exercise, you scheduled a recurring scan for the client system. As part of that configuration we instructed the scanner to temporarily only detect PUPs, and not to clean them. Use this task to reset the option that enables cleaning during a scheduled scan.
1 Click Menu | Systems | System Tree, then click Client Tasks on the menu bar.
2 Highlight Test Group.
3 Locate the scan task you created, then under the Action column click Edit Settings.
4 On the first page of the task wizard, click Next.
5 On the Configuration page, click Actions, then in the When an Unwanted Program
is Found drop-down menu, select Clean Files.
6 Click Save.
VirusScan will now clean any PUPs that you have not explicitly excluded. The next time client systems poll the server, they will download your configuration changes.
Using Dashboards and Queries
Dashboards and queries provide various types of status information about your environment. Each product in the Total Protection for Endpoint suite has predefined queries. The suite includes several predefined dashboards. You can also create custom dashboards and queries.
By default, the only active dashboard after installation is the ePO Summary dashboard. In this section, you will activate a second dashboard, change one of the monitors, run a predefined query, and create a custom query.
Activating a dashboard
To make a dashboard part of your active set on the tab bar of the Dashboards page, you need to activate it.
1 Click Menu | Reporting | Dashboards.
2 From the Options drop-down list, select Manage Dashboards. The Manage Dashboards
page appears.
3 From the Dashboards list, highlight HIP Dashboard, then click Make Active.
4 When prompted, click OK, then click Close.
The HIP Dashboard now appears on the tab bar. Take a moment to examine this dashboard and the information it provides.
Changing a dashboard monitor
Most default dashboards contain six monitors. If the default monitors do not give you the information you want, you can change the set of monitors rather than create a new dashboard. To view some information about VirusScan Enterprise and Potentially Unwanted Programs, you will duplicate, then modify the VSE: Current Detections dashboard.
1 Click Menu | Reporting | Dashboards.
2 From the Options drop-down list, select Manage Dashboards. The Manage Dashboards
page appears.
3 From the Dashboards list, highlight VSE: Current Detections then click Duplicate.
4 For Name, type VSE: Detections (custom), and click OK.
5 Click Edit.
6 Find the monitor named VSE: Threats Detected in the Last 24 Hours and click Remove.
7 Click New Monitor.
8 From the Category list, select Queries.
9 From the Monitor list, select VSE: DAT Deployment, then click OK.
10 Find the monitor named VSE: Threats Detected in the Last 7 Days and click Remove.
11 Click New Monitor.
12 From the Category list, select Queries.
13 From the Monitor list, select VSE: Top 10 Access Protection Rules Broken, then click
OK.
14 Click Save.
15 Click Make Active, then when prompted, click OK.
16 Click Close.
17 On the Dashboards tab, click VSE: Detections (custom).
The two monitors you added display a pie chart (DAT Deployment), and a summary table (Top 10 Access Protection Rules Broken). When creating your own queries, consider the type of data you want to view, and how to display it.
Running a predefined query
As you discovered in the previous task, queries can be the source data displayed by dashboard monitors. You also can run queries individually.
You can run the "MA: Agent Versions Summary" query, to make sure the McAfee Agent is deployed on all your test systems and to view the version number.
1 Click Menu | Reporting | Queries.
2 Expand Shared Groups and highlight McAfee Agent group.
3 In the query list, select MA: Agent Versions Summary.
4 Click Run.
The results are displayed in a pie chart, showing the clients running the McAfee Agent and its version. Any systems that do not have the McAfee Agent are displayed in a second pie slice.
You can click on the pie slice showing version 4.x of the McAfee Agent to see the systems. Click Close to return to the pie chart and click Close again to return to the list of queries.
To check whether Host Intrusion Prevention is installed and has the correct version of the program, run the HIP: Client Versions query. To check whether those clients have the most current updates, run the HIP: Content Versions query. You could also add these queries as dashboard monitors.
Creating a custom query
Use this task to create a query that shows all PUP detections.
1 Click Menu | Reporting | Queries.
2 Click New Query.
3 From the list, select Feature Group as Events and Result Type as Threat Events,
then click Next.
4 Make these selections, then click Next:
• For Display Results As, select Single Group Bar Chart.
• For Bar labels are, select Threat Name (under Threat Events).
• For Bar values are, select Number of Threat Events.
5 Click Next again to bypass the Columns page.
6 On the Filter page, from the Events section of Available Properties:
• Click Detecting Product Name and set Comparison to Equals. For Value, type
VirusScan Enterprise 8.7.
• Click Event ID and set Comparison to Greater than. For Value, type 20000.
• Click Threat Name and set Comparison to Does not contain. For Value, type
Cookie.
7 Click Run.
8 After the results appear, click Save. For the query name, type VSE: All PUP Detections, then
click Save.
You can save a custom query either in an existing group or a new group. When saving it to a new group, you have the choice of storing it under a Private Group under My Groups, or a Public Group under Shared Groups. Queries stored in a Private Group are visible only to the administrator under whose login they were created. Queries stored in a Shared Group are visible under all ePO administrative accounts, so they can be shared with others.
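The following added example (not part of the McAfee guide) applies the three filters of the VSE: All PUP Detections query to a handful of constructed events, groups them by Threat Name as the bar chart does, and marks each detection name against the exclusions from the PUP exclusions for IT staff policy. The property names, function name, event IDs and the names RemAdm-ExampleTool and Cookie-Example are hypothetical; only the filter values and the three exclusion names come from this guide.

```powershell
# Added example: offline model of the "VSE: All PUP Detections" query plus an
# exclusion check. All events below are constructed sample data.
$ThreatEvents = @(
    [pscustomobject]@{ System = 'TESTWKS01'; DetectingProductName = 'VirusScan Enterprise 8.7'; EventID = 20001; ThreatName = 'PortScan-SuperScan' }
    [pscustomobject]@{ System = 'TESTWKS02'; DetectingProductName = 'VirusScan Enterprise 8.7'; EventID = 20001; ThreatName = 'PortScan-SuperScan' }
    [pscustomobject]@{ System = 'TESTWKS01'; DetectingProductName = 'VirusScan Enterprise 8.7'; EventID = 20001; ThreatName = 'RemAdm-TightVNC' }
    [pscustomobject]@{ System = 'TESTWKS01'; DetectingProductName = 'VirusScan Enterprise 8.7'; EventID = 20001; ThreatName = 'Reg-TightVNC' }
    [pscustomobject]@{ System = 'TESTSRV01'; DetectingProductName = 'VirusScan Enterprise 8.7'; EventID = 20001; ThreatName = 'RemAdm-ExampleTool' }
    [pscustomobject]@{ System = 'TESTWKS02'; DetectingProductName = 'VirusScan Enterprise 8.7'; EventID = 20001; ThreatName = 'Cookie-Example' }
    [pscustomobject]@{ System = 'TESTWKS02'; DetectingProductName = 'VirusScan Enterprise 8.7'; EventID = 1000;  ThreatName = 'Constructed-LowIdEvent' }
    [pscustomobject]@{ System = 'TESTSRV01'; DetectingProductName = 'Host Intrusion Prevention';  EventID = 20001; ThreatName = 'Constructed-OtherProduct' }
)

# Exclusions entered in steps 8 and 9 of the PUP exclusions task.
$Exclusions = 'PortScan-SuperScan', 'RemAdm-TightVNC', 'Reg-TightVNC'

function Get-PupDetectionSummary {
    param(
        [Parameter(Mandatory)][object[]]$ThreatEvents,
        [string[]]$Exclusions = @()
    )

    $ThreatEvents |
        Where-Object {
            # The three filters from step 6 of "Creating a custom query".
            # -notlike is case-insensitive; whether ePO's "Does not contain"
            # is case-sensitive is not stated in the guide (assumption).
            $_.DetectingProductName -eq 'VirusScan Enterprise 8.7' -and
            $_.EventID -gt 20000 -and
            $_.ThreatName -notlike '*Cookie*'
        } |
        Group-Object -Property ThreatName |
        ForEach-Object {
            # Detection names follow Family-Name, e.g. RemAdm-TightVNC.
            $family, $tool = $_.Name -split '-', 2
            [pscustomobject]@{
                ThreatName = $_.Name
                Family     = $family
                Events     = $_.Count
                Systems    = ($_.Group.System | Sort-Object -Unique) -join ', '
                # Exact-name match only: excluding one RemAdm tool does not
                # hide other tools in the same family.
                Excluded   = $Exclusions -contains $_.Name
            }
        } |
        Sort-Object -Property Excluded, ThreatName
}

$summary = Get-PupDetectionSummary -ThreatEvents $ThreatEvents -Exclusions $Exclusions
$summary | Format-Table -AutoSize

# Detections that remain after the exclusions and would be cleaned
# once the policy is set back to Clean.
$summary | Where-Object { -not $_.Excluded } | Format-Table -AutoSize
```

With this sample data the second table contains only RemAdm-ExampleTool, which is the case described earlier: approved tools are excluded by name while a non-approved tool in the same family is still reported.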
Summary
Congratulations. By completing this guide, you have performed many of the common tasks used in creating and maintaining a secure network environment.
Here is what you have accomplished:
1 Installed the Total Protection for Endpoint suite.
2 Enabled and run a task that updates the ePO master repository from the McAfee site.
3 Created a System Tree structure, and added test systems into groups.
4 Created and applied a new McAfee Agent policy, that enables remote access to the McAfee
Agent Log on client computers.
5 Created and applied new policies for endpoint products, consisting of:
• Several VirusScan policies, including a policy to audit PUPs.
• A SiteAdvisor Enterprise Plus policy.
• A Host Intrusion Prevention policy.
6 Created a deployment task to install VirusScan, Host Intrusion Prevention, and SiteAdvisor
Enterprise Plus on the client systems.
7 Created and applied policies for email protection.
8 Created a client update task to keep the clients current.
9 Created a VirusScan On-demand scan task.
10 Deployed the McAfee Agent.
11 Verified agent-server communication, and sent agent wake-up calls to ensure that your
managed systems retrieved the new policies.
12 Modified the PUP audit policy with exclusions.
13 Reapplied the default on-access scan policy, and reset the on-demand scan task to clean
PUPs.
14 Activated a second dashboard, changed monitors on a dashboard, and ran a predefined
query.
15 Created a custom query to list PUP detections.
References
Use the links in this section to access more information.
Support by Reading
Search McAfee's award-winning KnowledgeBase to find answers to questions.
Search the Knowledge base
For more information on Total Protection for Endpoint, refer to the following product documentation:
ePolicy Orchestrator 4.5
ePolicy Orchestrator 4.5 Evaluation Guide
ePolicy Orchestrator 4.5 Product Guide
ePolicy Orchestrator 4.5 Installation Guide
ePolicy Orchestrator 4.5 Log files Reference Guide
ePolicy Orchestrator 4.5 - Master list of release Support articles
License Management in ePolicy Orchestrator 4.5
Release Notes for ePolicy Orchestrator 4.5
VirusScan Enterprise 8.7i
VirusScan Enterprise 8.7i Installation Guide
VirusScan Enterprise 8.7i Product Guide
Access Protection in McAfee VirusScan Enterprise and Host Intrusion Prevention - Whitepaper
AntiSpyware Enterprise 8.7
AntiSpyware Enterprise 8.7 Product Guide
AntiSpyware Enterprise 8.7 Release Notes
McAfee Host Intrusion Prevention 7.0
Host Intrusion Prevention 7.0.0 Installation Guide
Adopting Host Intrusion Prevention - Best practices for quick success
Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide
Host Intrusion Prevention 7.0 Firewall Protocol Support
Host Intrusion Prevention 7.x Multi-Slot Policies and their Effective Policy
Host Intrusion Prevention Firewall: Connection-Aware Groups
Host Intrusion Prevention 7.x Adaptive Mode
Access Protection in McAfee VirusScan Enterprise and Host Intrusion Prevention - Whitepaper
SiteAdvisor Enterprise Plus 3.0
SiteAdvisor Enterprise Plus 3.0 Product Guide
Whitepaper: Mapping the mal web, Revisited
Whitepaper: Prevention is the best medicine
McAfee SECUREshopping portal
Resources for Site Owners and Consumers
GroupShield 7.0.1 for Microsoft Exchange
GroupShield 7.0.1 for Microsoft Exchange Best Practices Guide
GroupShield 7.0 for Microsoft Exchange User Guide
GroupShield 7.0.1 for Microsoft Exchange User Guide Addendum
McAfee Security for Lotus Domino, v7.5 (Windows)
McAfee Security for Lotus Domino, v7.5 (Windows) - User Guide
McAfee Security for Lotus Domino, v7.5 (Windows) - Release Notes
Support by Seeing
Video tutorials
View video tutorials that address common issues and questions
Support by Doing
Download Software Updates
Obtain the latest anti-virus definitions, product security updates and product versions. To get product patches and maintenance releases you must be logged on to the ServicePortal.
Global Support Lab
Configure and walk through common issues in a live test environment