How it Works
McAfee
Loading...
VirusScan Enterprise 8.8
Supplement Manual
15 pgs568.68 Kb0
User Manual
166 pgs2.67 Mb0
Table of contents
Loading...

McAfee VirusScan Enterprise 8.8 User Manual

McAfee VirusScan Enterprise 8.8 software
Product Guide
COPYRIGHT
Copyright © 2010 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
McAfee VirusScan Enterprise 8.8 Product Guide2

Contents

Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Part I - Prevention: Avoiding Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
How this guide is organized. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Finding product documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Introducing VirusScan Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Components and how they interact. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
The importance of creating a security strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
VirusScan Console and ways to access it. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
VirusScan Console and how it works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Using right-click features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
System tray icons and how they work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
What to do first. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Access protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
How access threats are stopped. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Control access to the user interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Protecting your system access points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
How access protection rules are defined. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Access point violations and how VirusScan Enterprise responds. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Types of user-defined rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configuring access protection settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Blocking buffer overflow exploits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
How buffer overflow exploits occur. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Configuring buffer overflow protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Restricting potentially unwanted programs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Configuring unwanted programs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Updating detection definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
DAT files and how they work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
The importance of an update strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3McAfee VirusScan Enterprise 8.8 Product Guide
Contents
Update tasks and how they work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Mirror tasks and how they work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
How the AutoUpdate repository works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
How rolling back DAT files works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Excluding scan items. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Specifying exclusions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
How to use wildcards to specify scan items. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Using scheduled tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Scheduling tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Configuring the task schedule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Part II - Detection: Finding Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Scanning items on-access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
On-access scanning and how it works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Scanning comparison: writing to disk vs. reading from disk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Scanning comparison: scanning all files vs. scanning default + additional file types. . . . . . . . . . . . . 52
Script scanning and how it works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
How Artemis works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Determine the number of scanning policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
How general and process settings are configured. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Scanning items on-demand. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
On-demand scanning and how it works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
On-demand scanning methods and how they are defined. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
How scanning of remote storage works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
How scan deferral works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
How system utilization works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Configuring on-demand scan tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Configuring global system cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Scanning email on-delivery and on-demand. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
ePolicy Orchestrator 4.5 or 4.6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
ePolicy Orchestrator 4.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
VirusScan Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
On delivery email scan policies tab definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Part III - Response: Handling Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Detections and responses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
What happens when a detection occurs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
System access point violations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Buffer overflow detections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
McAfee VirusScan Enterprise 8.8 Product Guide4
Contents
Unwanted program detections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
On-access scan detections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
On-demand scan detections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Email scan detections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Quarantined items. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Configuring alerts and notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Configuring alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Access queries and dashboards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Configuring emergency DATs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
About emergency DATs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Downloading a SuperDAT file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Installing the SuperDAT files on an ePolicy Orchestrator repository. . . . . . . . . . . . . . . . . . . . . . . . . . 82
Installing the EXTRA.DAT file on a client system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Part IV - Monitoring, Analyzing, and Fine-Tuning Your Protection. . . . . . . . . . . . . . . . . 84
Monitoring activity in your environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Tools for monitoring activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Analyzing your protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
The importance of analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Analyzing protection examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring ePolicy Orchestrator server tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring example server task. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Using the command line with VirusScan Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
On-demand scanning command-line options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Update task command-line options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Connecting to remote systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Accessing remote systems with VirusScan Enterprise installed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Submit threat samples for analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Access the McAfee Labs Threat Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Repairing the product installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Viewing the on-access activity log file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Using the MER tool during troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Disabling VirusScan Enterprise during troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Suggested support and troubleshooting tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Frequently asked questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5McAfee VirusScan Enterprise 8.8 Product Guide

Preface

To use this document effectively you should understand who this document is written for, the conventions used, what's in it, and how to find other reference documentation.
Contents

Audience

Conventions

How this guide is organized
Finding product documentation
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
Administrators — People who implement and enforce the company's security program.
Users — People who are responsible for configuring the product options on their systems, or for updating their systems.
Conventions
This guide uses the following typographical conventions.
Book titleorEmphasis
User input or Path
Code
User interface
Note
Important/Caution
Warning
Title of a book, chapter, or topic; introduction of a new term; emphasis.
Text that is strongly emphasized.Bold
Commands and other text that the user types; the path of a folder or program.
A code sample.
Words in the user interface including options, menus, buttons, and dialog boxes.
A live link to a topic or to a website.Hypertext blue
Additional information, like an alternate method of accessing an option.
Suggestions and recommendations.Tip
Valuable advice to protect your computer system, software installation, network, business, or data.
Critical advice to prevent bodily harm when using a hardware product.
McAfee VirusScan Enterprise 8.8 Product Guide6
Preface How this guide is organized

How this guide is organized

This document is meant as a reference to use along with the VirusScan Console and ePolicy Orchestrator user interfaces. It also describes, in order, how you should approach protecting your system from malware using VirusScan Enterprise. To describe that process, this document is separated into four major parts, plus an appendix:
Part I — Prevention: Avoiding Threats — The best way to protect your system is to keep any malware from ever gaining access to your system. This part of the document describes the following:
• Protecting your systems' access points, memory from overflow errors, and unwanted
programs.
• Detection definitions and how they are used to protect your system and the importance
of updating these definitions on a regular basis.
• Excluding files, folders, and disks from scanning.
• Using scheduled task to periodically scan your system and update the files used by
VirusScan Enterprise.
Part II — Detecting: Finding Threats — Files that are opened or copied from other file systems or the Internet might provide access to your system. Also, application programming interface (API) calls and scripts can pose a threat to your system. These threats are found during the following VirusScan Enterprise scan processes:
• On-access scanning — Scans a file for malware when the file is read or written to disk,
it also protects boot sectors, scans memory of processes already running, detects cookies, and protects against unwanted programs.
• On-demand scanning — Scans the entire system for threats on a scheduled basis or as
needed when started from the VirusScan Console.
• Email on-delivery and on-demand scanning — Protects against malware arriving through
email in Microsoft Outlook and Lotus Notes.
• Buffer overflow protection — Analyzes API calls made by certain processes, to confirm
they do not attempt to overwrite adjacent data in the memory buffer.
• ScriptScan — Finds threats from browsers or other applications accessed that use the
Windows Script Host.
Part III — Response: Handling Threats — VirusScan Enterprise can be configured to perform any of the following steps, when a threat is found:
• Deny Access to the threat or take no further action.
• Delete or Clean the threat. When either of these actions is taken a copy of the original
file is stored in the Quarantine folder.
NOTE: For any detection, you can configure VirusScan Enterprise to notify the user or not.
Part IV — Monitoring, Analyzing, and Fine-Tuning Your Protection — Once your protection is up and running, you should monitor your system using ePolicy Orchestrator queries and reports. Then you could decide to make changes to your security settings in order to increase or reduce the amount of system protection. Alternatively, you might also use VirusScan Console logs and Simple Network Management Protocol (SNMP) traps to monitor your systems.
Appendix — Describes some additional features you should be aware of when using VirusScan Enterprise. For example, VirusScan Enterprise command-line options, connecting to remote systems through VirusScan Enterprise, and more.
7McAfee VirusScan Enterprise 8.8 Product Guide
Preface Finding product documentation

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
Do this...To access...
User documentation 1 Click Product Documentation.
2 Select a Product, then select a Version.
3 Select a product document.
KnowledgeBase Click Search the KnowledgeBase for answers to your product questions.
Click Browse the KnowledgeBase for articles listed by product and version.
McAfee VirusScan Enterprise 8.8 Product Guide8

Getting Started

Understanding the components of McAfee®VirusScan®Enterprise 8.8 software, and the order you should use to configure the software helps you protect your system from threats.
Contents

Introducing VirusScan Enterprise

Components and how they interact
The importance of creating a security strategy
VirusScan Console and ways to access it
What to do first
Introducing VirusScan Enterprise
As soon as the VirusScan Enterprise software is installed, it begins protecting your system from threats. You can increase your protection if you understand what the software does, what is new in this release, and its major components.
What it is and does
VirusScan Enterprise offers easily scalable protection, fast performance, and a mobile design to protect your environment from the following:
• Viruses, worms and Trojan horses
• Access point violations and exploited buffer overflows
• Potentially unwanted code and programs
It detects threats, then takes the actions you configured to protect your environment.
You can configure the software as a standalone product or you can use McAfee®ePolicy Orchestrator®software version 4.0 and later, to manage and enforce VirusScan Enterprise policies, then use queries and dashboards to track activity and detections.
NOTE: This document addresses using ePolicy Orchestrator 4.0, 4.5, and 4.6. For information
about using these versions of ePolicy Orchestrator, see that version's product documentation.
What is new
This release includes the following new features:
• Enhanced performance.
• Allows ePolicy Orchestrator 4.5 and 4.6 to manage your VirusScan Enterprise systems.
• A new ScriptScan URL exclusion feature allows you to configure exclusions instead of manually editing the registry.
9McAfee VirusScan Enterprise 8.8 Product Guide
Getting Started Components and how they interact
• The AntiSpyware Enterprise Module has been fully integrated into the VirusScan Enterprise
8.8 software.
• Support for Outlook 2010 email scanning.
• Support for Lotus Notes 8.0x through 8.5.1 email scanning.

Components and how they interact

As an administrator and user of VirusScan Enterprise, you should be familiar with its components and connections. The following figure shows these components for a basic environment.
Figure 1: VirusScan Enterprise components
Client system
This is where VirusScan Enterprise and optional McAfee Agent are installed and configured.
DAT files — Detection definition files, also called malware signatures, work with the scanning engine to identify and take action on threats.
Scan engine — Used to scan the files, folders, and disks on the client computer and compares them to the information in the DAT files for known viruses.
NOTE: DAT files and scan engine are updated as needed using the Internet connection to
McAfee Headquarters, or using the optional connections over the Enterprise Intranet to a designated server.
Artemis (Heuristic network check for suspicious files) — Looks for suspicious programs and DLLs running on client systems that are protected by VirusScan Enterprise. When the real-time malware defense detects a suspicious program, it sends a DNS request containing a fingerprint of the suspicious file to a central database server hosted by McAfee Labs.
McAfee Agent (optional) — Provides secure communication between McAfee managed products and McAfee ePolicy Orchestrator server. The agent also provides local services like updating, logging, reporting events and properties, task scheduling, communication, and policy storage.
McAfee VirusScan Enterprise 8.8 Product Guide10
Getting Started The importance of creating a security strategy
McAfee Headquarters
McAfee Headquarters, home to McAfee Labs and McAfee Technical Support, provides the following VirusScan Enterprise services:
DAT updates — Stored on a McAfee central database server, and using AutoUpdate, these DAT update files are copied to the VirusScan Enterprise clients or optional DAT repositories to provide information to fight known threats and new lists of known viruses as they are found in real time.
Scan engine updates — Stored on a central database server, scan engine updates are downloaded as needed to keep the VirusScan Enterprise scan engine up-to-date.
McAfee Labs — This threat library has detailed information on virus, Trojan, hoax, and potentially unwanted program (PUP) threats — where they come from, how they infect your system, and how to handle them. The Artemis feature sends the fingerprint of the suspicious file to McAfee Labs, where they analyze the file and determine what action to take.
Server
The optional server uses the following components to manage and update many client systems remotely:
ePolicy Orchestrator — Centrally manages and enforces VirusScan Enterprise policies, then uses queries and dashboards to track activity and detections.
NOTE: This document addresses using ePolicy Orchestrator 4.0, 4.5, and 4.6. For information
about ePolicy Orchestrator, see the product documentation for your version.
DAT repository — Retrieves the DAT updates from the McAfee download site. From there, DAT files can be replicated throughout your organization, providing access for all other computers. This minimizes the amount of data transferred across your network by automating the process of copying updated files to your share sites.

The importance of creating a security strategy

Protecting your client systems from viruses, worms, and Trojan files using VirusScan Enterprise requires a well-planned strategy: defining threat prevention and detection, response to threats, and ongoing analysis and tuning.
Prevention — avoiding threats
Define your security needs to ensure that all of your data sources are protected, then develop an effective strategy to stop intrusions before they gain access to your environment. Configure these features to prevent intrusions:
• User Interface Security — Set display and password protection to control access to the VirusScan Enterprise user interface.
• Access Protection — Use access protection rules to protect your computer from undesirable behavior with respect to files, registry, and ports.
• Buffer Overflow Protection — Prevent abnormal programs or threats from overrunning the buffer's boundary and overwriting adjacent memory while writing data to a buffer. These exploited buffer overflows can execute arbitrary code on your computer.
• Unwanted Program Protection— Eliminate potentially unwanted programs such as spyware and adware from your computer.
11McAfee VirusScan Enterprise 8.8 Product Guide
Getting Started The importance of creating a security strategy
Detection — finding threats
Develop an effective strategy to detect intrusions when they occur. Configure these features to detect threats:
• Update Task — Get automatic updates of DAT and scanning engine from the McAfee download website.
• On-Access Scanner— Detect potential threats from any possible source as files are read from or written to disk. You can also scan for potentially unwanted cookies in the cookies folder.
• On-Demand Scan Tasks — Detect potential threats using immediate and scheduled scan tasks. You can also scan for potentially unwanted cookies and spyware-related registry entries that were not previously cleaned.
• On-Delivery and On-Demand Email Scanner — Detect potential threats on Microsoft Outlook email clients using on-delivery scanning of messages, attachments, and public folders. Detect potential threats on Lotus Notes email clients when messages are accessed.
• Quarantine Manager Policy — Specify the quarantine location and the length of time to keep quarantined items. Restore quarantined items as necessary.
Response — handling threats
Use product log files, automatic actions, and other notification features to decide the best way to handle detections.
• Actions — Configure features to take action on detections.
• Log files — Monitor product log files to view a history of detected items.
• Queries and dashboards — Use ePolicy Orchestrator queries and dashboards to monitor scanning activity and detections.
Tuning — monitoring, analyzing, and fine-tuning your protection
After initially configuring VirusScan Enterprise, it is always a good practice to monitor and analyze your configuration. This can improve your system and network performance, plus enhance your level of virus protection, if needed. For example, the following VirusScan Enterprise tools and features can be modified as part of your monitoring, analyzing, and fine-tuning processes:
• Log files (VirusScan Console) — View a history of detected items. Analyzing this information could tell you if you need to enhance your protection or change the configuration to improve system performance.
• Queries and dashboards (ePolicy Orchestrator console) — Monitor scanning activity and detections. Analyzing this information could tell you if you need to enhance your protection or change the configuration to improve system performance.
• Scheduled tasks — Modify tasks (like AutoUpdate) and scan times to improve performance by running them during off-peak times.
• DAT repositories — Reduce network traffic over the enterprise Internet or intranet by moving these source files closer to the clients needing the updates.
• Modifying the scanning policies — Increase performance or virus protection depending on your analysis of the log files or queries. For example, configuring exclusions, when to use
McAfee VirusScan Enterprise 8.8 Product Guide12
Getting Started VirusScan Console and ways to access it
high and low risk profile scanning, and when to disable scan on write can all improve performance.
CAUTION: Failure to enable When reading from disk scanning leaves your system
unprotected from numerous malware attacks.

VirusScan Console and ways to access it

The VirusScan Console is the interface for the standalone version of the program's activities. You use it to configure, monitor, and update the product.
NOTE: This information applies only to the standalone version of the product, not the managed
ePolicy Orchestrator version.

VirusScan Console and how it works

After you understand what VirusScan Enterprise does and its components, you need to understand how to access its features. Use one of these methods to open the VirusScan Enterprise 8.8 Console:
• From the Start menu, select Programs | McAfee | VirusScan Console.
• Right-click the VirusScan Enterprise shield icon in the system tray, then select VirusScan
Console.
Menu bar
Use the menu items to create tasks, configure properties, and access additional information.
Task — Create and configure tasks such as scanning for threats or updating the DAT files.
Edit — Copy, paste, delete, or rename the selected task.
View — Display the Toolbar and Status bar and refresh the display.
Tools — Configure interface options for users, lock or unlock user interface security, configure alerts, access the event viewer, open a remote console if you have administrator rights, import or edit the repository list, and roll back the DAT files.
Help — Access online Help topics, the Threat Library on the McAfee Labs website, the Submit a Sample website, and the Technical Support website. You can also repair the product installation and view the About dialog box for copyright information and which versions of the product, license, definition files, scanning engine, extra driver, and patch are installed.
NOTE: Each item on the menu has an associated shortcut key. On some operating systems,
these shortcut keys might not be available unless you use F10 or ALT to access the menus.
Toolbar
Use the icons to access these commonly used commands:
• Display properties of the selected task.
• Start the selected task.
• Stop the selected task.
• Copy the selected task.
• Paste the selected task.
13McAfee VirusScan Enterprise 8.8 Product Guide
Getting Started VirusScan Console and ways to access it
• Delete the selected task.
• Configure alerting properties.
• Launch the event viewer.
• Access the Information Library on the McAfee Labs website.
• Connect to a remote computer if you have administrator rights.
• Create a new on-demand scan.
Task list
Displays the default tasks and any new tasks that you create, as well as the status and last result for each task.
Status bar
Displays the status of the current activity.

Using right-click features

Use right-click features for quick access to commonly used actions such as creating new tasks, viewing task statistics and logs, opening task property pages, scanning a specific file or folder, or performing an immediate update task.
Feature descriptions
ExamplesDescriptionLocation
The Console In the console, right-click a task to
Windows Explorer
Right-click the VirusScan Console to display right-click features. These features vary depending on whether you selected a task in the task list and which task you select.
Right-click a selected file or folder to perform an immediate Scan for threats. You can select an action for the scan:
Continue -— Report the detection and continue scanning.
See

System tray icons and how they work

for VirusScan Enterprise icon right-click descriptions.The system tray
access its properties. Depending on which task you select, you might also be able to start, stop, enable or disable it, and view statistics and the activity log. In some cases, you can also rename or delete a task.
Right-click a blank area in the console to create a new scan or update task.
Perform an immediate scan on a file or folder that you suspect is threatened.
When you start the scan, the on-demand scanner is invoked directly with all scan Clean — Report and clean the detected item. settings enabled. Select the action option. You cannot customize any other scan settings.
System tray icons and how they work
Once VirusScan Enterprise is installed, one of the following icons appears in the Windows system tray, if you configured this feature during the installation process.
"M" in a shield icon
Appears on ePolicy Orchestrator managed systems using McAfee Agent version 4.5 or later. It displays:
McAfee VirusScan Enterprise 8.8 Product Guide14
Getting Started VirusScan Console and ways to access it
Status — This icon does not change to indicate access protection trigger alerts or if on-access scanning is disabled on ePolicy Orchestrator managed clients with McTray version 2.x or later (with McAfee Agent 4.5 or later). The status changes are shown as tool tips.
Tool tips — The icon tool tips include:
• McAfee Status: OK — Normal. Options indicate:
View Security Status — Displays a check mark.
Quick Settings | On access Virus Scanning - On — Displays a check mark.
• McAfee Status: Issue Detected — On-access scan disabled. Options indicate:
View Security Status — Displays an exclamation point.
NOTE: Click View Security Status to display the McAfee Security Status dialog box
with Issue — "On-Access Scan disabled" in the Status column.
Quick Settings | On access Virus Scanning - Off — No check mark is displayed.
• McAfee Status: Issue Detected — Access protection event triggered. Options indicate:
View Security Status — Displays an exclamation point.
NOTE: Click View Security Status to display the McAfee Security Status dialog box
with Issue — "Please see Access Protection Log" in the Status column.
Quick Settings | On access Virus Scanning - On — Displays a check mark.
Menu options — The right-click menu options include:
Update Security — Updates the DAT files and any other changes.
Quick settings — Displays:
On-Access Scan Properties — Opens the on-access scanner properties.
On-Access Scanning on or off — Toggles the on-access scanner.
On-Access Scan Properties — Opens the on-access scanner properties.
On-Access Scan Messages — Opens the on-access scan statistics or messages.
Open On-Access Protection Log File — Opens the log file.
Manage Features | VirusScan Enterprise — Opens the VirusScan Console.
Scan Computer for | Threats — Starts an immediate scan.
View Security Status — Displays the McAfee Security Status dialog box.
McAfee Agent Status Monitor — Displays the McAfee Security Status Monitor dialog
box.
About — Opens the About dialog box.
"M" in a box
Appears on standalone systems using McTray 1.0 and on ePolicy Orchestrator managed systems using McAfee Agent version 4.0 that use McTray 1.0. It displays:
Status — Displays include:
"M" in a box — Normal status.
"M" in a box with an exclamation point — Access protection violation event is triggered
or on-access scanning is disabled. Right-click menu options indicate:
15McAfee VirusScan Enterprise 8.8 Product Guide
Getting Started VirusScan Console and ways to access it
• "V" in a shield with circle and line — Indicates on-access scanning is disabled.
"V" in a shield with red outline — Indicates on-access scanning is enabled, but
see the Access Protection log file.
Tool tip — Displays "McAfee".
Menu options — The right-click menu options include:
VirusScan Console — Opens the VirusScan Console.
Disable or Enable On-Access Scanner — Toggles the on-access scanner.
On-Access Scan Properties — Opens the on-access scanner properties.
On-Access Scan Statistics — Opens the on-access scan statistics.
On-Access Scan Messages — Opens the on-access scan statistics or messages.
On-Demand Scan — Creates a one-time configurable on-demand scan.
Update Now — Performs an immediate update task.
About VirusScan Enterprise — Opens the About dialog box.
"V" in a shield icon
Appears on standalone systems that do not have McTray 1.0. It displays:
Status — Displays include:
• "V" in a shield — Normal.
"V" in a shield with circle and line — Indicates on-access scanning is disabled.
A "V" in a shield with red outline — Indicates on-access scanning is enabled, but see
Access Protection log file.
Tool tips — The tool tips include:
• "V" in a shield — McAfee OAS: enabled, normal.
"V" in a shield with circle and line — McAfee OAS: disabled.
"V" in a shield with red outline — McAfee OAS: enabled, see the Access Protection
Log.
Menu options — The right-click menu options include:
Update Security — Updates DAT files and any other changes.
Quick settings — Displays:
On-Access Scan Properties — Opens the on-access scanner properties.
On-Access Scanning on or off — Toggles the on-access scanner.
On-Access Scan Messages — Opens the on-access scan statistics or messages.
Open On-Access Protection Log File — Opens the log file.
Manage Features | VirusScan Enterprise — Opens the VirusScan Console.
Scan Computer for | Threats — Starts an immediate scan.
View Security Status — Displays the McAfee Security Status dialog box.
McAfee VirusScan Enterprise 8.8 Product Guide16
Getting Started What to do first
McAfee Agent Status Monitor — Displays the McAfee Security Status Monitor dialog
box.
About — Opens the About dialog box.

What to do first

When the software is installed, it uses the DAT files packaged with the product, which provide general security for your environment. McAfee recommends you get the latest DAT files and customize the configuration to meet your requirements before you deploy the product to client systems.
Take these actions immediately after installing the product.
1 Set user interface security. Configure the display and password options to prevent users
from accessing specific components or the entire VirusScan Enterprise user interface. See
Controlling Access to the User Interface
2 Update DAT files. Perform an Update Now task to ensure that you have the most current
DAT files. See
3 Prevent intrusions. Configure these features to prevent potential threats from accessing
your systems:
Access Protection. Configure access protection rules to prevent unwanted changes to your computer and enable the option to prevent McAfee processes from being terminated. See
Buffer Overflow Protection. Enable buffer overflow detection and specify exclusions. See
Blocking buffer overflow exploits
Unwanted Programs Policy. Configure the policy that the on-access, on-demand, and email scanners use to detect potentially unwanted programs. Select unwanted program categories to detect from a predefined list, then define additional programs to detect or exclude. See
Updating detection definitions
for more information.
for more information.
Protecting your system access points
for more information.
Restricting potentially unwanted programs
for more information.
for more information.
4 Detect intrusions. Configure these features to detect potential threats on your systems,
then notify you and take action when detections occur:
AutoUpdate. Configure update tasks to get the most current DAT files, scanning engine, and product upgrades. See
On-Access Scanner. Configure the scanner to detect and take action on potential threats as the threats are accessed in your environment. Enable scanning of unwanted programs and scan for cookies in the cookies folder. See more information.
On-Demand Scanner. Configure scan tasks to detect and take action on potential threats in your environment. Enable scanning of unwanted programs and scan for cookies in the cookies folder and potentially unwanted spyware-related registry entries that were not previously cleaned. See
Email Scanners. Configure the on-delivery and on-demand scanning of Microsoft Outlook and Lotus Notes email clients. Enable scanning of unwanted programs. See
Scanning email on-delivery and on-demand
5 Send alerts and quarantine threats. Configure these features to alert you when
detections occur and manage quarantined items:
Alerts and Notifications. Configure how and when you receive detection notifications and alerts. See
Configuring alerts and notifications
Updating detection definitions
Scanning items on-demand
for more information.
for more information.
for more information.
Scanning items on-access
for more information.
for
17McAfee VirusScan Enterprise 8.8 Product Guide
Getting Started What to do first
Quarantine Manager Policy. Configure the location of the quarantine folder and the number of days to keep quarantined items before automatically deleting them. See
Quarantined items
for more information.
McAfee VirusScan Enterprise 8.8 Product Guide18

Part I - Prevention: Avoiding Threats

Prevention is the first step in a protection strategy, to keep threats from gaining access to your system.
Contents

Access protection

Protecting your system access points
Blocking buffer overflow exploits
Restricting potentially unwanted programs
Updating detection definitions
Excluding scan items
Using scheduled tasks
Access protection
Preventing threat access to your client system is your first line of defense against malware. The Access Protection feature of VirusScan Enterprise compares an action being requested against a list of configured rules. Each rule can be configured to block or report, or block access violations when they occur.
Access protection prevents unwanted changes to your computer by restricting access to specified ports, files, shares, registry keys, and registry values. It also protects McAfee processes by preventing users from stopping them. This protection is critical before and during outbreaks.
This feature uses predefined rules and user-defined rules to specify which items can and cannot be accessed. Each rule can be configured to block or report, or block and report access violations when they occur. Predefined rules and categories can be updated from the McAfee update sites.
and
report
NOTE: The on-access scanner, which detects access violations, must be enabled to detect
attempts to access ports, files, shares, and registry keys and registry values.
How threats gain access
The most common ways threats gain access to your system include:
Macros — As part of word processing documents and spreadsheet applications.
Executable files — Seemingly benign programs can include viruses along with the expected program. For example, some common file extensions are .EXE, .COM, .VBS, .BAT, .HLP and .DLL.
Email — Jokes, games, and images as part of email messages with attachments.
Scripts — Associated with web pages and emails, scripts such as ActiveX and JavaScript, if allowed to run, can include viruses.
19McAfee VirusScan Enterprise 8.8 Product Guide
Part I - Prevention: Avoiding Threats Access protection
Internet Relay Chat (IRC) messages — Files sent along with these messages can easily contain malware as part of the message. For example, automatic startup processes can contain worms and Trojan threats.
Browser and application Help files — Downloading these Help files exposes the system to embedded viruses and executables.
Combinations of all these — Sophisticated malware creators combine all of these delivery methods and even embed one piece of malware within another to try and access your computer.
Contents

How access threats are stopped

Control access to the user interface
How access threats are stopped
By enabling or changing the configuration of the Access Protection feature you can configure anti-spyware protection, anti-virus protection, common protection, virtual machine protection, and define your own rules of protection. Following is the basic process VirusScan Enterprise uses to provide access protection.
Steps taken when a threat occurs
1 A user or process tries to take an action.
2 That action is examined by Access Protection according to the defined rules.
3 When a rule is broken, the action requested by the user or process is managed using the
information in the rules configured. For example, the action causes nothing to happen, it is blocked, or it is blocked and a report is sent.
4 The Access Protection log file is updated, and an event is generated for the ePolicy
Orchestrator Global Administrator.
Example of an access threat
1 A user downloads a program, MyProgram.exe, from the Internet.
NOTE: For this example, MyProgram.exe is not malware.
2 The user launches the program and it seems to launch as expected.
3 MyProgram.exe then launches a child process called AnnoyMe.exe and it attempts to modify
the operating system to ensure it always loads on startup.
4 Access Protection processes the request and matches it against an existing rule that is
configured to block and report.
5 AnnoyMe.exe is denied access when it attempts to modify the operating system, Access
Protection logs the details of the attempt, and it generates an alert to the ePolicy Orchestrator Global Administrator.
Log report and alerts generated
This is an example of an Access Protection log entry.
2/10/2010 11:00AM Blocked by Access Protection rule TestDomain\TestUser C:\Users\TestUser\Desktop\AnnoyMe.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Window\CurrentVersion\Run\ Prevent programs registering to autorun
This table describes the data in the previous Access Protection log entry:
McAfee VirusScan Enterprise 8.8 Product Guide20
Part I - Prevention: Avoiding Threats Access protection
DescriptionLog entry
Date2/10/2010
Time11:00AM
Action takenBlocked by Access Protection rule
CredentialsTestDomain\TestUser
Process name that breeched the ruleC:\Users\TestUser\Desktop\AnnoyMe.exe
Location the process tried to access\REGISTRY\MACHINE\SOFTWARE\Microsoft...
Access Protection rule that was triggeredPrevent programs registering to autorun
Similar information is available using ePolicy Orchestrator queries. For details, refer to
queries and dashboards
.

Control access to the user interface

Setting security for the interface on client computers is an important part of protecting your environment.
As an administrator, you can:
• Control the access users have to the VirusScan Enterprise interface.
• Set a password to prevent users from accessing or changing selected features.
• Lock and unlock the user interface as necessary.
Contents
How setting a password affects users
Configuring user interface security settings
How setting a password affects users
Set a user interface password to deter users with malicious intent.
When you password-protect the user interface on client computers, the following users are affected:
Non-administrators — VirusScan Enterprise applications in read-only mode. They can view some configuration parameters, run saved scans, and run immediate scans and updates. They cannot change any configuration parameters, create, delete, or modify saved scan or update tasks.
Administrators — to access the protected tabs and controls in read/write mode. If a password is not provided for a protected item, they view it in read-only mode.
Users without administrator rights
Users with administrator rights
Access
. Non-administrators run all
. Administrators must type the password
Configuring user interface security settings
Use the General Options Policies user interface properties to configure the display and password options available to the users.
CAUTION: Consider carefully the security ramifications before you make changes to these
properties. These options let you restrict or allow users to make changes to their security configuration and could leave systems unprotected from numerous malware attacks.
21McAfee VirusScan Enterprise 8.8 Product Guide
Part I - Prevention: Avoiding Threats Access protection
Configure the General Options Policies user interface properties with these user interface consoles.
ePolicy Orchestrator 4.5 or 4.6
Configure the General Options Policies user interface properties.
Task
For option definitions, click ? on each tab.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan
Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise
8.8.0.
2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit Setting to open the policy configuration page. Create a new policy
a Click Actions | New Policy to open New Policy dialog box.
b From the Category list, select an existing policy.
c From the Create a new policy based on this existing policy list, select one of the
settings.
d Type a new policy name.
e Type any notes, if required.
f Click OK. The new policy appears in the list of existing policies.
g From the Actions column of the new policy, click Edit Setting to open the policy
configuration page.
3 From the Settings for list, select Workstation or Server.
4 On the Display Options tab, configure which VirusScan Enterprise system tray icons the
users see, if they can connect to remote systems, and the user's language option settings.
5 On the Password Options tab, configure which VirusScan Enterprise tasks and user
interface options the users can change with the correct password.
ePolicy Orchestrator 4.0
Configure the General Options Policies user interface properties.
Task
For option definitions, click ? on each tab.
1 Click Systems | Policy Catalog, then from the Product list select VirusScan Enterprise
8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit to open the policy configuration page. Create a new policy
McAfee VirusScan Enterprise 8.8 Product Guide22
Part I - Prevention: Avoiding Threats Protecting your system access points
a Click New Policy to open New Policy dialog box.
b From the Create a new policy based on this existing policy list, select one of the
settings.
c Type a new policy name.
d Click OK. The new policy appears in the list of existing policies.
3 From the Settings for list, select Workstation or Server.
4 On the Display Options tab, configure which VirusScan Enterprise system tray icons the
users see, if they can connect to remote systems, and the user's language option settings.
5 On the Password Options tab, configure which VirusScan Enterprise tasks and user
interface options the users can change with the correct password.
VirusScan Console
Configure the General Options user interface properties.
Task
For option definitions, click Help on each tab.
1 Click Tools | General Options to open the General Options configuration dialog box.
2 On the Display Options tab, configure which VirusScan Enterprise system tray icons the
users see, if they can connect to remote systems, and the user's language option settings.
3 On the Password Options tab, configure which VirusScan Enterprise tasks and user
interface options the users can change with the correct password.

Protecting your system access points

Access protection prevents unwanted changes to your computer by restricting access to specified ports, files, shares, registry keys, and registry values. It also protects McAfee processes by preventing users from stopping them. This protection is critical before and during outbreaks.
This feature uses predefined rules and categories and user-defined rules to specify which items can and cannot be accessed. Each rule can be configured to block and report access point violations when they occur. Predefined rules and categories are subject to content updates via the McAfee update sites.
Contents

How access protection rules are defined

Access point violations and how VirusScan Enterprise responds
Types of user-defined rules
Configuring access protection settings
How access protection rules are defined
Rules are separated into these types and provide these levels of protection.
23McAfee VirusScan Enterprise 8.8 Product Guide
Part I - Prevention: Avoiding Threats Protecting your system access points
Rule type descriptions
DescriptionRule type
Anti-virus
Common
These preconfigured rules protect your computer from common behaviors of malware threats. You can enable, disable, and change the configuration, but you cannot delete these rules.
Two rule examples are:
Prevent disabling or changing of critical processes, remote creation or modification of executable files, hijacking of executable files, Windows Process spoofing, and mass mailing worms from sending mail.
Protect phone book files from password and email stealers.
These protection levels apply to anti-virus rules:
Standard Protection
Maximum Protection
Outbreak Control
These preconfigured rules prevent modification of commonly used files and settings. You can enable, disable, and change the configuration, but you cannot delete these rules.
Three rule examples are:
Prevent modification of McAfee files and settings.
Protect Mozilla and Firefox files and settings, Internet Explorer settings, and network settings.
Prevent installation of Browser Helper Objects and automatically running programs from the Temp folder.
These protection levels apply to the common rules:
Standard Protection
Maximum Protection
Virtual Machine Protection
User-defined
These preconfigured rules prevent termination of VMWare processes and modification of VMWare files. You can enable, disable, and change the configuration, but you cannot delete these rules.
Rule examples are:
Prevent termination of VMWare Processes.
Prevent modification of VMWare workstation, server, or virtual machine files.
These custom rules supplement the protection provided by the Anti-virus and Common rules.
Rule examples are:Anti-spyware
Prevent Internet Explorer favorites and settings.
Prevent programs from running and execution of scripts from the Temp folder.
Protection level descriptions
DescriptionProtection level
Standard
Maximum
Anti-virus and common rules that protect some critical settings and files from being modified, but generally allow you to install and execute legitimate software.
Anti-virus and common rules that protect most critical settings and files from being modified. This level provides more protection than Standard, but might prevent you from installing legitimate software. If you cannot install software, we recommend that you disable the Access Protection feature first, then enable it again after installation.
McAfee VirusScan Enterprise 8.8 Product Guide24
Part I - Prevention: Avoiding Threats Protecting your system access points
DescriptionProtection level
Outbreak control
Anti-virus rules that block destructive code from accessing the computer until a DAT file is released. These rules are preconfigured to block access to shares during an outbreak.

Access point violations and how VirusScan Enterprise responds

An access violation occurs when a restricted user or process tries to start, stop, or access restricted components of your computer.
When an access point violation occurs:
• Information is recorded in the log file, if you selected the Report option for the rule that detected the violation.
• The event is recorded in the local event log and to SNMP, if you configured Alert Properties to do so.
• The event is reported to Alert Manager and ePolicy Orchestrator, if those products are configured to do so.
• A Block and Report action for a rule determine what happens when a rule detects a violation.
• On the standalone client system, a red frame surrounds the system tray icon and remains visible for 30 minutes, unless you reset it.
NOTE: To reset the icon, open the Access Protection Log File from the system tray icon.
Opening the log file by any other method does not reset the icon to its normal state.

Types of user-defined rules

When you configure a new access protection user-defined rule you are allowed to create port blocking, file and folder blocking, and registry blocking rules.
The following table describes these rules.
Rule descriptions
DescriptionRule
Port Blocking Rule
File/Folder Blocking Rule
Blocks incoming or outgoing network traffic on specific ports or ranges of ports.
NOTE: When you block a port, Transmission Control Protocol (TCP) and User Datagram
Protocol (UDP) accesses are blocked.
NOTE: When you block a port any protocol using that port or range of ports is blocked.
For example, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) accesses are blocked.
Blocks write access to files and folders, file execution, plus new file creation and file deletion.
NOTE: Once you restrict access to a file or folder, the restriction remains in place until
the administrator removes it. This helps prevent intrusions and stops them from spreading during an outbreak.
Protects registry keys or values by blocking these actions: write to, create, or delete.Registry Blocking Rule
25McAfee VirusScan Enterprise 8.8 Product Guide
Part I - Prevention: Avoiding Threats Protecting your system access points

Configuring access protection settings

Use Access Protection Policies to protect your system’s access points and prevent termination of McAfee processes.
CAUTION: Failure to enable access protection to prevent McAfee services from being stopped
leaves your system unprotected from numerous malware attacks.
There are two types of access-protection rules you can configure.
Predefined rules — Allow you to:
• Open the access-protection rule category in one of the user interface consoles.
• Select the block and report action to take if the rule is broken.
User-defined rules — Allow you to:
• Create the user-defined rule category with one of the user interface consoles.
• Choose which type of blocking the rule enforces: port blocking, file and folder blocking,
or registry blocking.
• Configure the rule details.
• Save the rule and modify it in the future, if needed.
Tasks
Configuring predefined rules
Configuring user-defined rules
Port blocking rule options
File and folder blocking rule options
Registry blocking rule options
Include or exclude specific process options
Removing user-defined rules
Configuring predefined rules
Use predefined rules to protect your computer from unwanted changes. These rules can be enabled and edited, but they cannot be deleted.
The predefined access protection rules include:
• Anti-spyware Standard Protection
• Anti-spyware Maximum Protection
• Anti-virus Standard Protection
• Anti-virus Maximum Protection
• Anti-virus Outbreak Control
• Common Standard Protection
• Common Maximum Protection
• Virtual Machine Protection
Refer to protection rules.
Configure the predefined access protection rules using one of these user interface consoles.
How access protection rules are defined
for details about these predefined access
McAfee VirusScan Enterprise 8.8 Product Guide26
Part I - Prevention: Avoiding Threats Protecting your system access points
ePolicy Orchestrator 4.5 or 4.6
From the Access Protection Policies, configure the predefined access-protection rules.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan
Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise
8.8.0.
2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit Setting to open the policy configuration page. Create a new policy
a Click Actions | New Policy to open New Policy dialog box.
b From the Category list, select an existing policy.
c From the Create a new policy based on this existing policy list, select one of the
settings.
d Type a new policy name.
e Type any notes, if required.
f Click OK. The new policy appears in the list of existing policies.
g From the Actions column of the new policy, click Edit Setting to open the policy
configuration page.
3 From the Settings for list, select Workstation or Server.
4 From the Access Protection Policy page, click the Access Protection tab to display the
Access Protection Rules.
5 Select the one of the predefined rule categories in the left pane, then select the specific
rule in the right pane.
6 Configure the Block or Report options, or both Block and Report.
7 Click Edit to configure Rule Details.
ePolicy Orchestrator 4.0
From the Access Protection Policies, configure the predefined access-protection rules.
Task
For option definitions, click ? in the interface.
1 Click Systems | Policy Catalog, then from the Product list select VirusScan Enterprise
8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit to open the policy configuration page. Create a new policy
a Click New Policy to open New Policy dialog box.
27McAfee VirusScan Enterprise 8.8 Product Guide
Part I - Prevention: Avoiding Threats Protecting your system access points
b From the Create a new policy based on this existing policy list, select one of the
settings.
c Type a new policy name.
d Click OK. The new policy appears in the list of existing policies.
3 From the Settings for list, select Workstation or Server.
4 From the Access Protection Policy page, click the Access Protection tab to display the
Access Protection Rules.
5 Select the one of the predefined rule categories in the left pane, then select the specific
rule in the right pane.
6 Configure the Block or Report options, or both Block and Report.
7 Click Edit to configure Rule Details.
VirusScan Console
From the Access Protection properties, configure the predefined access-protection rules.
Task
For option definitions, click Help in the interface.
1 From the Task list, right-click Access Protection, then click Properties to open the
dialog box.
2 From the Access Protection Policy dialog box, click the Access Protection tab to display
the Access Protection Rules.
3 Select the one of the predefined rule categories in the left pane, then select the specific
rule in the right pane.
4 Configure the Block or Report options, or both Block and Report.
5 Click Edit to configure Rule Details.
Configuring user-defined rules
Create and edit user-defined rules to supplement the protection provided by the predefined rules.
Refer to protection rules.
Create and edit the user-defined rules access protection rules using one of these user interface consoles.
ePolicy Orchestrator 4.5 or 4.6
From the Access Protection Policies, configure the user-defined access-protection rules.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan
2 Edit an existing policy or create a new policy:
How access protection rules are defined
Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise
8.8.0.
for details about the predefined access
McAfee VirusScan Enterprise 8.8 Product Guide28
Part I - Prevention: Avoiding Threats Protecting your system access points
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit Setting to open the policy configuration page. Create a new policy
a Click Actions | New Policy to open New Policy dialog box.
b From the Category list, select an existing policy.
c From the Create a new policy based on this existing policy list, select one of the
settings.
d Type a new policy name.
e Type any notes, if required.
f Click OK. The new policy appears in the list of existing policies.
g From the Actions column of the new policy, click Edit Setting to open the policy
configuration page.
3 From the Settings for list, select Workstation or Server.
4 Select the User-defined Rules category in the left pane, then click New to open the
Select the new rule type dialog box.
5 Select the rule type and click OK. Refer to
Types of user-defined rules
for details.
The access rule dialog box that appears depends on the rule type selected.
6 Configure these access rule details.
Network Port Access Protection Rule — Refer to the options table in
rule options
.
File/Folder Access Protection Rule — Refer to the options table in
blocking rule options
.
Registry Access Protection Rule — Refer to the options table in
rule options
.
Port blocking
File and folder
Registry blocking
NOTE: To configure which processes to include and exclude, refer to
specific process options
7 Click OK.
The new user-defined rule appears in the right-hand pane under Block/Report/Rules. To modify the new rule, select it and click Edit.
ePolicy Orchestrator 4.0
From the Access Protection Policies, configure the user-defined access-protection rules.
Task
For option definitions, click ? in the interface.
1 Click Systems | Policy Catalog, then from the Product list select VirusScan Enterprise
8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.
2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit to open the policy configuration page. Create a new policy
Include or exclude
.
29McAfee VirusScan Enterprise 8.8 Product Guide
Part I - Prevention: Avoiding Threats Protecting your system access points
a Click New Policy to open New Policy dialog box.
b From the Create a new policy based on this existing policy list, select one of the
settings.
c Type a new policy name.
d Click OK. The new policy appears in the list of existing policies.
3 From the Settings for list, select Workstation or Server.
4 Select the User-defined Rules category in the left pane, then click New to open the
Select the new rule type dialog box.
5 Select the rule type and click OK. Refer to
The access rule dialog box that appears depends on the rule type selected.
6 Configure these access rule details.
Network Port Access Protection Rule — Refer to the options table in
rule options
File/Folder Access Protection Rule — Refer to the options table in
blocking rule options
Registry Access Protection Rule — Refer to the options table in
rule options
.
.
.
Types of user-defined rules
for details.
Port blocking
File and folder
Registry blocking
NOTE: To configure which processes to include and exclude, refer to
specific process options
7 Click OK.
The new user-defined rule appears in the right-hand pane under Block/Report/Rules. To modify the new rule, select it and click Edit.
VirusScan Console
From the Access Protection properties, configure the user-defined access-protection rules.
Task
For option definitions, click ? in the interface.
1 From the Task list, right-click Access Protection, then click Properties to open the
dialog box.
2 Select the User-defined Rules category in the left pane, then click New to open the
Select New Type Rule dialog box.
3 Select the rule type and click OK. Refer to
The access rule dialog box that appears depends on the rule type selected.
4 Configure these access rule details.
Network Port Access Protection Rule — Refer to the options table in
rule options
File/Folder Access Protection Rule — Refer to the options table in
blocking rule options
Registry Access Protection Rule — Refer to the options table in
rule options
Include or exclude
.
Types of user-defined rules
for details.
Port blocking
.
File and folder
.
Registry blocking
.
NOTE: To configure which processes to include and exclude, refer to
specific process options
McAfee VirusScan Enterprise 8.8 Product Guide30
.
Include or exclude
Loading...
+ 136 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use