McAfee VirusScan TC
Administrator’s Guide
Version 6.0
COPYRIGHT
Copyright © 2000 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication
may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language
in any form or by any means without the written permission of Networks Associates Technology, Inc., or
its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network
Associates legal department at: 3965 Freedom Circle, Santa Clara, California 95054, or call (972) 308-9960.
LICENSE AGREEMENT
NOTICETOALLUSERS:FORTHESPECIFICTERMSOFYOURLICENSETOUSETHESOFTWARE
THAT THIS DOCUMENTATION DESCRIBES, CONSULT THE README.1ST, LICENSE.TXT, OR
OTHER LICENSE DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT FILE
ORASPART OF THESOFTWAREPACKAGING. IFYOU DO NOTAGREETO ALL OFTHE TERMS SET
FORTH THEREIN, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE
PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.
NETWORK ASSOCIATES TRADEMARK ATTRIBUTIONS
* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX, Compass 7,
CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr Solomon’s, Enterprise
Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk, Hunter, ISDN Tel/Scope, LM 1,
LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy, MagicTree, Magic University, MagicWin,
MagicWord, McAfee, McAfee Associates, MoneyMagic, More Power To You, Multimedia Cloaking, NetCrypto,
NetOctopus, NetRoom, NetScan, Net Shield, NetShield, NetStalker, Net Tools, Network Associates, Network
General, Network Uptime!, NetXRay, Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy),
PocketScope, Pop-Up, PowerTelnet, Pretty Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International,
ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager,
ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR),
SupportMagic,Switch PM,TeleSniffer,TIS, TMach,TMeg,TotalNetworkSecurity,TotalNetworkVisibility,Total
Service Desk, Total Virus Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus
Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker WebWall, andZAC 2000 are
registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All
other registered and unregistered trademarks in this document are the sole property of their r espective
owners.
Issued September, 2000/McAfee VirusScan TC v6.0.0
Contents
Chapter1. Introduction ........................................5
Features .........................................................5
The deployment and installa tion scenarios . . .........................6
CompleteInstallation—Overview ...............................7
OptimizedInstallation—Overview ..............................8
ConfiguringelementsofVirusScanTCsoftware ......................10
Chapter 2. Deploying and Installing VirusScan TC . . ..............11
Overview .......................................................11
CompleteInstallation .............................................11
OptimizedInstallation.............................................14
Overview...............................................14
InstallePolicyOrchestratorsoftware .......................15
InstalltheePolicyOrchestratoragent .......................15
Copyprogramconfigurationfilestothesoftwarerepository....15
CopyInstallerandprogramfilestothenetwork ..............17
ConfiguretheVirusScanTCInstaller .......................18
Selectrebootoptions ....................................25
Set policy for the on-access scanner .......................25
Deployingtheinstallationpolicy ...........................25
UninstallingtheVirusScanTCprogram ..............................27
Chapter3. SettingPolicyforOn-AccessScanning ................29
Overview .......................................................29
Configuring on-access scan ning options ............................30
DetectionOptions ...........................................32
Actionoptions ..............................................36
Status of infected files after scanning .......................38
Reportoptions ..............................................39
Exclusionoptions ...........................................43
Deploying scanning policy to the ag ents .............................46
Administrator’s Guide iii
Contents
Chapter4. UpdatingandMirroringTasks .......................49
Whyupdate? ....................................................49
Overviewoftheupdatingandmirroringtasks ........................49
Configuring the AutoUpdate and Mirroring tasks ..................51
Setting schedule for tasks .....................................60
Settingbasicschedule ...................................60
Settingadvancedscheduleoptions ........................63
SelectingScheduleSettings...............................64
Editinganddeletingatask ....................................65
Dealingwithvirusoutbreaks.......................................65
Deployingroutine.DATfileupdates ............................66
DeployinganEXTRA.DATfile..................................66
Independentlyoftheweekly.DATupdate....................66
Withtheweekly.DATupdate ..............................67
AppendixA. Terminology .....................................71
Appendix B. Contact and
supportinformation ...................................73
Customerservice ................................................73
Technicalsupport................................................73
Internationalcontactinformation ...................................77
PrimeSupportoptions ............................................80
NetworkAssociatesconsultingandtraining..........................85
iv McAfee VirusScan TC
1Introduction
Features
McAfee VirusScan TC (Thin Client) is an anti-virus software application that
includes:
On-Access Scanner Checks fo r viruses each time you open or copy a
Scanning engine The tool that recognizes viruses and malicious
Virus definition files *.DAT files include information that the scanning
AutoUpdate Keeps the virus definition files and the scann ing
1
file from, save a file to, or otherwise use any file
stored on your server or client disk or hard drive.
code.
engine uses to recognize and act upon viruses.
engine up-to-date.
Site replication
(mirroring) fe ature
Installer Installs the VirusScan TC program and the
Automatic uninstaller Removes previously installed anti-virus software,
This chapter provides an overview of the configuration, deployment and
installation of the elements that are required to place the VirusScan TC
softwareon your n etwork’s servers and workstations. These elements are
separate, but intimately interconnected. See Appendix A for a discussion of
the way the following terms are used in this Administrator’s Guide:
configuration , deployment, installation, task, and policy.
Used in conjunction with AutoUpdate, creates a
copy of the updating folder on the Network
Associates FTP site for distribution of virus
definition files on the network.
AutoUpdatefunction on the target computers.
including McAfee VirusScan v4.5, and other
anti-virus software products produced by McAfee
and most other major manufacturers.
Administrator’s Guide 5
Introduction
The deployment and installation scenarios
You can deploy the VirusScan TC software to the computers on your network
using one of two installation scenarios—Complete Installation or Optimize d
Installation. The major characteristics of the two approaches are described
below:
Complete Installation Optimized Installation
Deployment
VirusScan TC is deployed by SMS, Windows NT
login scripts.
The installation files that are deployed to target
systems include all of the program files, including
one versionof theMicrosoft Installer (MSI) foruse
with Windows 95 and Windows 98, and another
version for u se with Windows NT. This assures
the availability of all files required for installation
without regard to whether they are already
present on the system.
VirusScanTC is deployed using the ePolicy Orchestrator Console.
Installation
Only one small installation file is deployed to the
system, which, in turn, pulls only those program
files that are required, but not already present, for
installation and operation of VirusScan TC o n the
target computers.
*
The compressed siz e of the installation files is
approximately 6
The installation includes an executable file for
eachof twoversionsof theMicrosoftInstaller v1.1
(MSI).
The space used on the client system af ter installation is about10
VirusScan TC c a n only be configured using the
ePolicy Orchestrator Console.
• You must be running ePolicy Orchestrator v1.1
on your network.
• The target computers must be running the
ePolicy Orchestrator agent v1.1.
MB.
MB.
Configuration
The compressed size of the installation files
ranges between approximately:
MB on a Windows 2000 system
•3.1
to
MB on a Windows 95 system without MSI
•4.6
previously installed.
The installation includes no more than one executable file for the single version of the Microsoft
Installerv1.1thatyoursystemrequires.IfMSIis
already present on the client, the installation routine does not include either MSI file.
The space used on the client system after
installation is about 10MB.
Same as C omplete Installation.
6 McAfee VirusScan TC
Introduction
Complete Installation Optimized Installation
Limitations
If you are not running ePolicy Orchestrator, or if
the target computers are not running the ePolicy
Cannot be deployed by SMS o r Windows NT
login scripts.
Orchestrator agent:
• You cannotchange the default configurationof
the VirusScan TC software.
• You cannot update the virus definition files.
* In an Optimized Installation, ePolicy Orchestrator “pushes” a single small file, the Installer, to the target computers.
In turn,the Installer“pulls”all the other files requiredfrom locationsthat you designate on theInstallerconfiguration
pages. SeeFigure 2-4 on page 19.
Complete Installation — Overview
The Complete Installation consists of all the program files included in the
VSCAN_TCfolder that is located ontheCD-ROM. The following table lists the
names of the program files with a description of their function and size:
Filename Function Approximate
INSTMSIW.EXE Installs MSI Service in Windows NT
environments.
INSTMSI.EXE Installs MSI Service in Windows 95 and
Windows 98 environments.
SETUP.EXE • Executes either INSTMSIW.EXE or
INSTMSI.EXE, as appropriate.
• Executes LWISETUP.EXE, (see below),
• Executes UNINST.EXE (which removes
most previously installed anti-virus software.)
• Executes VSCANTC.MCS (see below).
LWISETUP.EXE • Installs AutoUpdate component.
• Installs UNINST.EXE Uninstaller.
VSCANTC.MCS • Installs the scanning engine.
• Installs the virus definition (.DAT) files.
• Installsand starts the on-access scanner.
Size
(compressed)
1.45
MB
1.45MB
KB
16
364KB
MB
2.74
When your SM S program or login script invokes SETUP.EXE, the Complete
Installation procedure selects o nly those program files that it r equires to
perform a successful installation.
Administrator’s Guide 7
Introduction
Keep in mind:
• You can set and enforce policy for VirusScan TC centrally from the
ePolicy Orchestrator Console as soon as you install the ePolicy
Orchestrator agent on the target computers.
• You cannot configure the program before deploying it across your
network. The program is sent to the workstations with default settings.
• If you are not running the ePolicy Orchestrator progra m, or if an ePolicy
Orchestrator agentisnot present on the workstation,thereisno interface
through which you can change the program’s default settings. Nor is
there any functionality that allows you to update the program’s virus
definitionfiles.
The C omplete Installation approach is useful where:
• TheIT organization has rulesforbiddingsoftwaredeploymentbymeans
other than approved deployment software, such as SMS or NT login
scripts.
• The administrator prefers using existing SMS or Windows NT login
scripts.
• The administrator does not intend to configure the VirusScan TC
program w hen it is d eployed and installed, but rather intends to
configure the anti-virus program at a later time.
Optimized Installation — Overview
The Optimized Instal lation consists of files that you sele ct from the
VSCAN_TC folder that is located on the CD-ROM. (See the list of files on page
7.) Your selectionsare based on your network’s needs.
æ
IMPORTANT:The Optimized Installation is only possible if you are
running McAfee ePolicy Orchestrator v1.1 on your network,an d if the
ePolicy Orchestrator agent is present on the computers where the
VirusScan TC software will be installed. For information on installing
ePolicy Orchestrator v1.1; on upgrading your ePolicy Orchestrator
software from v1.0; and on installing the ePolicy Orchestrator agent, see
the Administrator’s Guide for the ePolicy Orchestrator software.
If you intend to use ePolicy Orchestrator to deploy and manage the VirusScan
TC software,there are some advantagestousingthe Optimized Installation to
do so, including:
8 McAfee VirusScan TC
Introduction
• Econom y of bandwidth usage because the total size of the installat ion
files is, in most ca ses, substantially less than the total size of the file s that
make up a Complete installation.
• Opportunity to configure the ePolicy Orchestrator agent to reboot the
computeras required by the installationprocess withoutprompting you
for a response.
Keep in mind:
• You can set policy (configure) the VirusScan TC program’s scanning
options before deploying it. After deployment, the policies are ready to
be enforced when the agent receives them from the ePolicy Orchestrator
server. That will happen at the time of the next communication between
the server and the agent.
• You can set a schedule for the AutoUpdate feature before deploying it.
• When the Optim ized Installer program (LWISETUP.EXE) is deployed to
the targetcomputers, it will calltheuninstaller program,which removes
most previous installation of a virus-protection program that is resident
on the target computer. The un installer will remove previous versions of
McAfee or Dr Solomon’s anti-virus software, or the anti-virus software
of other major manufacturers. Then, LWISETUP.EXE pulls the VirusScan
TC program, and the MSI v1.1 installation files to the target computers,
and pr o vides the functionality necessary for the AutoUpdate function
that keeps the program’s v irus definition files up-to-date.
• You must copy three files from the CD-ROM to a location on your
network. The ePolicy Orchestrator agent uses these files to install the
VirusScan TC program. The files are:
–VSCANTC.MCS
–INSTMSI.EXE
– INSTMSIW.EXE
Administrator’s Guide 9
Introduction
Confi guring element s of VirusS ca n TC softwa re
There are three aspects of VirusScan TC software that can be configured:
Installation process This proc ess must be c onfigured if you are
using the ePolicy Orchestrator software to
deploy and install the VirusScan TC
software. You cannot configure it using the
ePolicy Orchestrator Consoleif you are
using SMS or login scripts to de ploy the
software. For additional information, see
Chapter 2, “Deploying and Installing
VirusScan TC.” starting on page 11.
Anti-virus s oftw are This includes the on-access scanner, which
looks for viruses every time a file is written
to disk or read from disk. For additional
information, see Chapter 3 , “Setting Policy
for On-Access Scanning.” starting on page
29.
AutoUpdate function This allows you to schedule regular u pdates
of the virus definition f iles that the scanner
requires to recognize and act o n viruses. This
featurecanalso upgradethescanningengine
when a new version is released. For
additional information, see Chapter 4,
“Updating and Mirroring Tasks.” starting on
page 49.
10 McAfee VirusScan TC
2Deploying and Installing
VirusScan TC
Overview
This section describes the procedures for deploying and installing the
VirusScan TC program. You can do this in one of two ways, depending on
your environment and the rules by which your enterprise operates. The two
methods are:
Using SMS or
Windows NT login scripts
Using ePolicy Orchestrator
software v1.1
Chapter 1 of this manual describes the two installation scenarios available to
you: the Complete Installation and the Optimized Installation. For a detailed
description of each installation, see th e table on page 6.
2
If your enterprise requires this method for
software deployment.See “Complete
Installation” on page 11.
If you use the McAfee management tool to
deploy, install, and manage your anti-virus
software. See “Optimized Installation” on
page14.
Complete Installation
This section describes the procedure for de ploying and installing the
VirusScan TC program using SMS or Windows NT login scripts.
If you are running McAfee ePolicy Orchestrator v1.1 on your network, and if
theePolicyOrchestratoragent is present on the computersthataretargeted for
installation of the anti-virus program, you can use the ePolicy Orchestrator
software to configure the on-access scanner and auto-update functions after
the program has been installed. See Chapter 3, “Setting Policy for
On-Access Scanning,” starting on page 29,andChapter 4, “U pdating an d
Mirroring Tasks,” starting on page 49 for information on configuring those
program components.
If you are not ye t running McAfee ePolicy Orchestrator v1.1 on you r network,
or if th e ePolic y Orchestrator agent is not present on the computers that are
targeted for installation of the anti-virus program, you cannot configurethe
on-access scanner or autoupdate functions.The VirusScan TC program will
run using its unalterable default settings, and you will not be able to update
the v irus definition files that the scanner depends on for identification of
viruses. For a description of the default settings, see page 29 .
Administrator’s Guide 11
Deploying and Installing VirusScan TC
To deploy and install the VirusScan TC program on your computer, follow
these steps:
1. Place the CD-ROM in your server’s drive.
2. On your network, create a shared folder where you will copy the
program files for the target computers to share. The shared folder must
provide “read” access to every computer on which VirusScan TC will be
installed .
æ
IMPORTANT:On Windows 9 5 and Windows 98 systems, the share
mustbeinthesamedomainasthecurrentlylogged-inuser.
3. Copy the following files from the VSCAN_TC folder on the CD-ROM to
the shared folder:
INSTMSIW.EXE LWISETUP.EXE VSCANTC.MCS
INSTMSI.EXE SETUP.EXE
4. Creat e an SMS or Windows NT login script to perform the following
actions:
• Copy the five VirusScan T C filesfrom the shared network folder to
a temporary location on the target computer.
•InvokeSETUP.EXE.
• Reboot the target computer if SETUP.EXE returns 3010.
Rebooting is required if:
– T he Microsoft Installer(MSI) demands it.
– Previously installed anti-virus software was removed during
the installation.
– The product was installed ina Windows NT environment, thus
introducing McAfee file system drivers to the operating
system.
+
WARNING:If a reboot is necessary, the system will not be
protected against virus infection until rebooted.
12 McAfee VirusScan TC
Deploying and Installing VirusScan TC
What next?
If you have installed the ePolicy Orchestrator v1.1 program, you can now
configurethe VirusScan TC software before deploying it to the target
computers. The features t hat you can c ustomize are:
• The On-Access Scanner. See Chapter 3, “Setting Policy for
On-Access Scanning,” starting on page 29.
• AutoUpdate.SeeChapter 4, “Updating and Mirroring Tasks,” starting
on page 49.
After configuring these fea tures, you can run the SMS or Windows NT login
scripts to complete the deployment and installation on the target computers.
æ
IMPORTANT:If you are not yet running McAfee ePolicy Orchestrator
v1.1 on your network, or if the ePolicy Orchestratoragent is not present
on the targeted computers,you cannot conf igure the on-access scanner or
updating functions. The VirusScan TC program will run using its
unalterable default settings, and you will not be able to update its virus
definitionfiles. For a description of the default settings, see page 29.
Administrator’s Guide 13
Deploying and Installing VirusScan TC
Optimi zed Install a tion
This section describes the procedures for placing the program files onto the
server, then deploying and installing the Installer and V irusScan TC programs
via the ePolicy Orchestrator software.
Overview
Optimized installation and deployment consists of these seven basic tasks,
which are described in detail later in this chapter:
1. Install the ePolicy Orchestrator v1.1 server software o n your s erver.
2. Install the ePolicy Orchestrator agent on the target computers.
æ
IMPORTANT:You must install the ePolicy Orchestrator v1.1
server software and the agent before attempting to deploy or install
the VirusScan TC program files. The software and its
documenta tion are include d on the CD-ROM. See the ePolicy
Orchestrator v1.1 Administrator’s Guide for instructions on installing
or upgrading to version 1.1 of the program.
3. Copy the required program configuration files for the VirusScan TC
Installer and the on-access scanner from the CD-ROM to the ePolicy
Orchestrator software repository.
4. Copy the required Microsoft Installer filesand the VirusScan TC
program installation file from the CD-ROM to one or several commonly
accessiblelocations on the network. These locations might be shared
folders or FTP sites.
5. Configur e the VirusScan TC Installer:
• Designate the locat ions where the Ins taller finds the VirusScan TC
program installation file.
• Designate the locations where the Installer finds the files that insta ll
MSI on the target computers.
• Define the way you want the Installer to record its activity in a log
file, and the characteristics of the log file (name, size, and content).
6. Select reboot options for the ePolicy Orchestrator agent to enforce when
rebooting is required during installation.
14 McAfee VirusScan TC
¥
NOTE: You can designate up to eight sites for the VirusScan
TC program installation file, and for the files that install MSI.
This helps assure that the installation procedure will be able to
locate the required files, even if one or more of the locations is
temporarily off-line. Listing the sites in order of proximity
helps assure that the installation procedu re will contact the
most preferred location first.
7. Set policy for (configure) the on-access scanner.
8. Deplo y the installation po licy and install the VirusScan TC program.
For tasks 1, 2, and 6, see the ePolicy Orchestratorv1.1 Administrator’sGuide.For
tasks 3–7, see the following sections in this chapter.
1. Install ePolicy Orchestra torsoftware
Before you can perform the Optimized Installation, you must first install and
configure the ePolicy O rchestrator v1.1 software on your server. For complete
instructions, see the ePolicy Orchestrator v1.1 Administrator’s Guide,whichyou
can find on the CD-ROM.
•Toinstall the program for the first time, follow the instructions for
“First-time Installation.”
Deploying and Installing VirusScan TC
•Toupgrade the program from the previous version, follow the
instructions for “Upgrading Version 1.0 to Version 1.1.”
2. Install the ePolicy Orchestrator agent
You must install the ePo licy Orc he strator agent on all the target computers
before you can pe rform the Optimized Installation. For complete instructions,
see the ePolicy Orchestrat or v1.1 Administrator’s Guide, which you can find on
the CD-ROM.
3. Copy program configuration files to the software repository
In order to configure and deploy the VirusScan TC software, you must place
the.NAP files (Network Associates Package) on the server where you installed
and configured the ePolicy Orchestr ator sof tware. These files are identifiable
by their extension, .NAP.
• LWI100EN.NAP Installer
• VTC600EN.NAP VirusScan TC
æ
IMPORTANT:In order to install LWI100EN.NAP in the software
repository, it must be installed from a location that also includes
LWISETUP.EXE. No user interaction with LWISETUP.EXE is required.
Administrator’s Guide 15
Deploying and Installing VirusScan TC
To place a .NAP file in the software repository, follow these steps:
1. In the ePolicy Orchestrator console tree, right-click on Software,and
select Install (Figure 2-1).
Figure 2-1. Console Tree—Install software in repository
The Select a Software Package dialog box appears (Figure 2-2).
2. Click at the top of the dialog box to select the CD-ROM. Locate each
of th e following .NAP files on the CD-ROM and click Open to place it in
the software repository.
After you have placed the Installer and the VirusScan TC prog ram file s in the
repository, they appear in two places on the ePolicy Orchestrator console (see
Figure 2-3 on p age 17):
• In the upper portion of the details pane.
• In the console tree under Software.
16 McAfee VirusScan TC
Figure 2-2. Select a Software Package dialog box
• LWI100.NAP Installer
• VTC600.NAP VirusScan TC
Deploying and Installing VirusScan TC
Figure 2-3. ePolicy Orchestrator Console
displaying the contents of the Software Repository
4. Copy Installer and program files to the network
In order for the I nstaller to f ind th e files needed for downloading, you must
firstcopy those filesfrom the CD-ROMtoa place on the networkthat alltarget
computers can access. This can be either an FTP site or a shared folder on the
network.
The files include two MSI (Microsoft Installer) files: on e for Windows NT
environments and one for Windows 95 and Windows 98 environments; and
an MCS file, the VirusScan TC program file.
Follow these steps to copy the installation files from the CD-ROM:
1. On the CD-ROM, locate these files:
• INSTMSIW.EXE for Windows NT
• INSTMSI.EXE for Windows 95 an d Windows 98
• VSCANTC.MCS VirusScan program file
Administrator’s Guide 17
Deploying and Installing VirusScan TC
2. Copy the appropriateMSI file or files for your Windows environmentto
either an FTP site or to a shared folder on the network.
• Ifyournetworkincludes bothtypes ofWindowsenvironment,copy
both MSI files.
• If you are operating in an exclusively Windows 2000 environment,
you do not need to copy either of the MSI files.
• If you are copying to a shared folder, you must use Universal
Naming Convention (UNC) to target it.
æ
3. Copy the file named VSCANTC.MCS to either an FTP site or shared
folderon the network.Youcanuse the same folderwhereyou copiedthe
MSI installation files, or you can use a different folder.
If you are copying to a shared folder, you must use Universal Naming
Convention (UNC) to target it.
IMPORTANT:OnWindows95and Windows98systems, the
sharemustbeinthesamedomainasthecurrentlylogged-in
user.
¥
NOTE:Although the *.MSIfilesandthe VSCANTC.MCS file canbe
placed in the same location, some administrators may prefer to
place them in different locations to control network traffic.
4. You can create up to eight FTP sites or shared network folders to hold
these files. This enables large networks to provide fail-over pro tection
and control network traffic.
5. Conf igure the VirusScan TC Install er
For installation to take place, the VirusScan TC Installer must be able to find
the executable files that places the Microsoft Installer into the target
computers, and t he install package that contains the VirusScan TC software.
The files that install the Microsoft Installer are named INS TMSI.EXE and
INSTMSIW.EXE. These have been described und er “4. Copy Installer and
program files to the network”. The package that contains the VirusScan TC
softwareis namedVSCANTC.MCS. You must place these files in one or more
locations on your network, and then configure the VirusScan TC installer to
look for them in the locations y ou have selected.
18 McAfee VirusScan TC
Deploying and Installing VirusScan TC
Setting policy for the installation files
Follow these steps to set policy for the installation files:
1. Verify that the Policies tab is s elected in the upper portion o f the details
pane,on the rightside of the ePolicy Orchestrator console.
2. If you have not already done so, c lick the next to Installer for
VirusScan TC in t he upper portion o f the details pane.
3. Select Configurations to display the Configurations property pages. By
default, the Install Sites property page appears (see Figure 2-4 .) This is
the property page on which you can designate up to eight locations
where you placed VSCANTC.MCS. When you select the MSI tab, you
can designate up to eight locations where you placed INSTMSI.EXE and
INSTMSIW.EXE. The pro cedures for adding sites is identical for both
Install Sites and MSI Sites property pages.
Figure 2-4. Installer Config urations pages—Install Sites and
MSI property pages
4. Deselect Inherit. The buttons on the right are activated.
Administrator’s Guide 19
Deploying and Installing VirusScan TC
¥
NOTE:Disabling the Inheritance feature lets you set new policy for
the installation of the Installer program for the target (group or
computer) that you have selected in the console tree. During future
installation s to computers in other branches of your network , you
might want to leave t his checkbox selected if you w ant the Site
policies you set now to affect computers that are in subordinate
positions in the console tree. See the ePolicy O rchestrator
documentation for a completediscussion of Inheritance.
5. Click Add to designate a new site for the file. The Site Opt ions property
page opens. By default, FTP Site is sele cted, and the dialog assumes that
login credentials are required (see Figure 2-5.)
¥
NOTE: You can designate a maximum of eight sites, each with a
unique name. The order in which the sites are listed on the Install
Sites and MSI Sites pr operty pages is the order in wh ich the
VirusScan TC installer softw are will look for the file.
20 McAfee VirusScan TC
Figure 2-5. Site Options property page
Deploying and Installing VirusScan TC
6. Enter a name for the site that you are defining. This is the name that will
appearin themain Install Sites,o r M SI Sites page, shown in Figure 2-4 on
page 19, and in the installation log. See “Setting po licy for the installation
files” on page 19 for information about the installation log.
7. Verify that Enable Site is selected.
8. Provide the ne cessary infor mation appropriate to the site where the files
are located:
• For an FTP site
a. Enter the name of the FTP server and the directory containing
the file or files. For example, ftp.myserver/install.
b. If, in Step 2 on page 18 you placed one or both MSI file s on a
File Transfer (FTP) site:
– that requires login credentials, enter the User Name and
Passwordinformation required for access to the server.
Regardless of the number of characters in the password,
eight asterisks appear in the password field.
– that accepts anonymous logins, select Use Anonymous
FTP Login. The boxes for login credentials are disabled.
¥
NOTE: You must also perform this step for
VSCANTC.MCS if, in Step 3 on page 18 you placed
that file on an FTP site.
c. Enter the path of the file or files.
d. If your network requires use of a proxy server, selectUse
Proxy Server. Two previously disabled text boxes are now
enabled. Enter the name of the proxy server, and the port it
uses.
æ
IMPORTANT:If you are using proxy software, be certainthat
you have the most current version, includinganyservicepacks
that hav e been released for use w ith the proxy software.
• For a UNC shared folder
a. Select the UNC path option.
b. Using UNC notation,(\\servername\path), enter the path
of the location where youplaced the MSIfiles in Step 2 on page
18. On Windows 95 and W indows 98 systems, the currently
logged-in user must have “read” rights to the shared folder.
Administrator’s Guide 21
Deploying and Installing VirusScan TC
¥
c. Fill in the Use r Name and Password boxes. Regardless of the
• Forapathonthelocalcomputer
a. Select the UNC path option.
b. Enter the path of the local folder in the field labeled En ter a
9. When you have finished setting options, click OK. Your changes are
saved for deployment, and you are returned to Install Sites or MSI Sites
property page.
+
WARNING:If you do not click OK, the options that you selected
will be ignored.
NOTE:You must also perform this step for VSCANTC.MCS if,
in Step 3 on page 18, you placed that file on a UNC shared
folder.
number of charactersin the password, eight asterisks appear in
the password field.
local path.
10. Use the buttons on the right side of the interface to modify previously
configuredsites.
• Click Edit to modify the configuration of a site already listed on the
Install Sites page.
• Click Delete to remove a s elected site.
• Click MoveUporMove Downto change the order in which the sites
are listed. In general, the first site on the list should be the nearest
site. The last site on the list should be the most remote site.
11. When you have finished setting Site Options, click OK to save your site
options selections and close the dialog box. You return to the
Configurations property pages.
12. Click Apply to save your selections for Install Sites or MSI Sites.
+
WARNING: If you do not click OK and Apply, the options thatyou
selected are ignored.
22 McAfee VirusScan TC
Deploying and Installing VirusScan TC
Setting policy for the Installer’s loggingfeature
This feature of the Installer allows you to configure the way in which the
installer logs activity during installation. You can set the name and location of
the log file, its size, and the level of detail that is reported.
æ
IMPORTANT:When deploying and installing the VirusScan TC
program, the only report that an installation has failed is found in the
local log file on the target machines. Such events are not reported by the
Anti-Virus Informant module.
A failed installation is also reflected by the absence of information on the
Properties tab about the o n-access scanner.
To configure the logging activity feature, follow these steps:
1. Select the Log Activity tab (Figure 2-6.)
Figure 2-6. Installer Configurations pages—Log Activity property
page
2. Deselect Inherit. The logging options are activated. See the NOTE on
page 20 for information about Inheritance.
Administrator’s Guide 23
Deploying and Installing VirusScan TC
3. Make sure that Logtofileis selected.
4. Bydefault,thenameofthelogfileisInstall.log.Thedefaultpathof
the log file is:
<drive>:\Program Files\McAfee\VirusScan TC\Install.log
Here,<drive>refersto the clientdiskwhere the VirusScanTC software is
installed .
If you prefer,you can enter a different file name or path.
5. By default, the maximum size for the log file is set to 1,024
can en ter any value between 10
ë
TIP: If the data in the log exceeds the file size you set, the oldest 20
KB and 32,767KB.
KB (1MB).You
percent of the log text is deleted to m a ke room for new information
that is added to the end of the file. If you place no size restriction on
the log file, you run the risk of it consuming all available space on
the drive where it is located.
6. By default, Enable Verboseis selected. If you want the log to report
every step in a procedure, leave it unc hanged. Otherwise, deselect it.
Figure 2-7and Figure 2-8 show samplesof an event recorded in verbose
and non-verbose mode, respectively.
Figure 2-7. Verbose Log
7. When you have finished setting Log Activity options , click Applyto save
your selections for deployment. You ret urn to the Installer
Configurations property pages.
24 McAfee VirusScan TC
Figure 2-8. Non-verbose Log
+
WARNING: Ifyoudo not click Apply, the optionsthat you selected
are ign ored.
6. Sele ct reboot options
Using the ePolicy Orchestrator Agent Options page, you can specify the wa y
you want the installer to respond to r ebooting requirement. The options are:
• Prompt user when software installation requires reboot.
and/or
• Automatic reboot with timeout.
See Chapter 5 (The Agent) in the ePolicy Orchestrator Administrator’ s Guide
for information about selecting these options.
7. Set policy for the on-access scanner
You can set policy for the on-accessscannerat any time. Administrator’s may
find it convenient to configure the scanner as part o f the initia l deployment
and installation activity. However, it ca n be done at any time.
Deploying and Installing VirusScan TC
For a complete discussion of configuring the on-access scanner, see “Setting
Policy for On-Access Scanning” starting on page 29.
8. Dep loying the inst allat ion policy
After you have finished making configuration choices for the Install Sites, MSI
Sites, and Log Activity property pages, youare ready to distribute the policies
and install VirusScanTC on the target computers.
¥
NOTE: In most situations, you will want to configure the on-access
scanner before deploying and installingthe VirusScan TC program. For
detailed information about configuring this component, see Chapter 3,
“Setting Policy for On-Access Scanning,” starting on page 29.
You can configure AutoUpdate before you deploy the VirusScan TC
program. However, AutoUpdate cannot run until you have deployed the
VirusScan TC program and it has been installed on the client machines.
For information about configuring this component, see Chapter 4,
“Updating and Mirroring Tasks,” starting on page 49.
Administrator’s Guide 25
Deploying and Installing VirusScan TC
To deploy the policy and install VirusScan TC, follow these steps:
1. Select a target in the ePolicyO rchestrator consoletree where you will be
installing the Installer and VirusScan TC program s. The target can be a
group or a single computer (See Figure 2-9 on page 26).
2. Deselect Inherit on the Installation Options page, located in the lower
portion of the details pane. See the NOTE on page 20 for information
about Inheritance.
3. Make sure that E nforce Policies fo r Installer for VirusScan TC v6.0.0
for Windows is selected.
4. Select Force Install Installer for VirusScan TC v6.0.0 for Windows.
5. Verify that the Install Package box displays the path of the Installer, or
click Select to locate the package.
26 McAfee VirusScan TC
Figure 2-9. ePolicy Orchestrator—Installation Options property
page
¥
NOTE: By default, when you placed the Installer program in the
ePolicy Orchestrator software r epo sitory, its executable file was
automatically placed on the ePolicy Orchestrator server at the
following locati on:
<drive>:\Program Files\McAfee\EPO\Db\Software
\LWI___1000\1.0.0\English\InstallFiles
Deploying and Installing VirusScan TC
6. Click Apply. The policy is r eady for deployment to the computers that
you selected in the console tree in Step 1 on page 26.TheVirusScanTC
program will be transmitted when the ePolicy Orchestrator agent
requests new policies from the server.
+
WARNING: Ifyoudo not click Apply, the optionsthat you selected
are ign ored.
Uninstalling the VirusScan TC program
This chapter does not include instructions for the use of the Force Uninstall
Installer for VirusScan TC v6.0.0 for Windows option. Thisfeature is useful
onlyaftertheprogramhasalreadybeen installed. Briefly,the Force Uninstall
checkbox allowsyou to remove any previously installed versionorcopy of the
Installer software, including VirusScan TC.
An alternative approach to uninstalling the prog ra m involves issuing the
following command at the command line prompt on each client machine:
LWI /script uninstall.LWS
Administrator’s Guide 27
Deploying and Installing VirusScan TC
28 McAfee VirusScan TC
3Setting Policy for
On-Access Scanning
Overview
TheVirusScanTCprogramusesitsOn-AccessScannertoprovidecontinuous,
real-time virus detection and response. The On-Access Sc anner checks for
infections each time you open or copy a file from, savea file to, or otherwise
use any file stor ed on the hard drive. The scanner starts when the computer
starts up, and stays in memory until the c omputer shuts down. By default, the
scanner:
• Scans files when they are written to disk.
• Scans files when they are read from disk.
• Scans the boot sector of floppydisks when they are inserted,and when
the computer is shut down.
• Scans file types that are susceptible to virus infection.
• Scans archive files with file name extensions: ARC, ARJ, CAB, LZH,
RAR, TAR, ZIP, and their contents, if you are running Windows NT or
Windows 2000.
3
• Scans compressed executa ble files that the current scanning engine and
virus definition (.DAT) files clas sify as susceptible to infection.
• Cleans in fected files immediately upon access or when saved.
• Records its activities in a log file.
• Exclude s the Windows R ecycle Bin from scanning activities.
If you have installed the Vir u sScan TC program, the ePolicy Orchestrator
software will enforce the default scanning policies without any further
interaction with the administrator. However, if you want to modify a policy
setting you can use the VirusScan TC On-Access Sc an Options property pages
to do so.
¥
NOTE: The phrase setting policy for on-access scanning is synonymous
with configuring on-access scanning options.
Administrator’s Guide 29
Setting Policy for On-Access Scanning
Configuring on-access scanning options
If you have the ePolicy Orchestrator softw are running on your network, you
can change o r modify the default policy for the on-access scanner’s detection,
action, reporting, and exclusion features. You cannot change the scanner’s
default settings without the ePolicy Orchestrator software.
To configure the on-access scanner, follow these steps:
1. Make sure thatyouhaveplaced the VirusScan TC softwareint he ePolicy
Orchestratorsoftwarerepository.For instructions, see“3. Copy program
configuration files to the software repository” on page 15.
After you have placed the software in the repository, it appears on the
Policies ta b in the upper portion of t he details pane o f the ePolicy
Orchestrator C onsole (Figure 3-1).
.
2. In the console tree, select a target Directory for which you want to set
policy. The target could be a group or a single computer.
3. In the upper portion of thedetailspane,clickt he next to the VirusScan
TC v6.0.0 for Windows icon. The expanded list, (Figure 3-2)showsthe
on-accessscanner.
.
4. Select On-Access Scan Options.TheOn-Access Scan Options page
appears in the lower details pane (Figure 3-3 on page 31).
30 McAfee VirusScan TC
Figure 3-1. Upper Details pane—Policies tab
Figure 3-2. Upper Details pane—with expanded software branch
Setting Policy for On-Access Scanning
Figure 3-3. On-Acc ess Scan Options—Detection property page
Each tab governs a set of options for the on-access scanning operation:
Detection
Optionsfor the scanner’sbehavior—whenandwhat
to scan.
Action
Actions y ou want the scanner to take when it finds a
virus.
Report
Exclusions
Features that customize the output of the log files.
Any item (file, folder or disk) that you want to
exclude from scanning.
The following sections describe each option tab in detail.
Administrator’s Guide 31
Setting Policy for On-Access Scanning
Detection Opti ons
To setthe Detection options, follow these steps:
1. Deselect Inherit to change the product’s current configuration settings.
¥
NOTE:Disabling the Inheritance feature lets you set new policy for
scanning activities for the target (group or computer) that you have
selected in the console tree. D urin g futureinstallations to computers in
other branches of your network, you can leave this checkbox
selected if you want the policies you set now to a ffect computers
that are in subordinate positions in the Directory tree. See the
ePolicy Orchestrator A dministrator’s Guide for a complete
discussion of Inheritance.
2. Select Enable On -Access Scan to enable the options for on-access
scanning. If you do not check t his box, the options on this page are
grayed out.
3. Under Scan Files, select circumstances under which you want the
program to scan the files.Your options are:
32 McAfee VirusScan TC
When writing to disk
When readingfrom disk
ë
TIP: If you select both options, any file that you can open and
change will be scanned twice each time it is used—once when it is
readfrom the di sk (outbo u nd) and aga in when it is written to the
disk (inbound). This is the most comprehensive approach to
scanning because it ensur e s that no infectionsarewritten to the hard
disk. If an infected file was already on the disk before the anti-virus
software was installed, the scanner will f ind the virus when the user
takes some action on the file such as opening, moving, or deleting it.
If you elect to sc an inbound files only, or outbound file s only, it is
importantthatall computers sharing files be configured identically.
Otherwise , an infected file could be copied from a computer that
scans only i nbound files to a server that scans only outbound files.
Files that are written to aharddrive,
or other data storage device.
Files that are read from aharddrive,
or other data storage device.
Setting Policy for On-Access Scanning
Scanning files only when they are read from disk can be a element of
an effective virus protection program. However, under s ome
circumstances, scanning files only when they are written to disk may
not be equally effective. For additional information, see the footnote
page 39.
4. Under Scan Floppies, select At system shu tdow n to scan any floppy
disk that is left in the dr ive when th e computer shuts down.
5. Under What to Scan,you can chooseto scan allfiles,defaultfiles, or only
program files—those file types you can see by clicking Extension.
• Select one of these three choices:
All files Scans every file, irrespective of the file type.
Defaultfiles
Scans only those file types that the scanning engine
recognizes as susceptible to virus infection. This list
of file types is specific to the current scanning engine
and t he current virus d efinition (.DAT) files in use.
McAfee recommends selecting this opt ion.
Custom files Scans only those file types with a f ile name extension
that appears in the list of extensions.
Click Extension to view or edit the list of Cus tom
Files included in scanning activities. The Program
File E xtensions dialog box appears (Figure 3-4).
Figure 3-4. Program File Extensions dialog box
Administrator’s Guide 33
Setting Policy for On-Access Scanning
¥
NOTE: When the VirusScan TC product is
shipped,thelist of Default filesis identicalwith
the list of Custom files.However, over time, as
you upgrade the scanning engine, the list of
Default files may grow or s hrink dependingon
the most current research on the susceptibility
of certain file types to virus infection.
Upgrading the scanning engine will not affect
the list of Custom files, which is under the
control of the user.
By default, the on-access scanner ex amines files
with t hese extensions:
??_
001
002
386
ACM
ADT
APP
ARC
ARJ
ASP
AX?
BAT
BIN
BO?
CAB
CDR
CHM
CLA
CMD
CNV
COM
CPL
CSC
DEV
DLL
DOC
DOT
DRV
EXE
GMS
GZ?
HLP
HT?
ICE
IM?
INI
JS?
LZH
MB?
MD?
MPP
MPT
MSG
MSO
OBD
OBT
OCX
OLE
OTM
OV?
PCI
POT
PP?
QLB
QPW
RAR
REG
RTF
SCR
SHS
• Select Netwo rk drives to include network resources that are
accessed by your system. This is a convenient way to extend virus
protection to a resource that does not have virus protection.
However, it can have a negativeeffectonoverallperformance of the
system that is running the scan.
• Select Comp ressed files t o include executable files that were
compres sed using the following utilities:
PkLite
LZexe
MS Compressed
Ice
Cryptcom
Com2Exe
Diet
Teledisk
SMM
SYS
TAR
TD0
TGZ
TLB
TSP
VBS
VS?
VXD
VWP
WBK
WIZ
WPC
WPD
WSI
XL?
XML
XSL
XTP
34 McAfee VirusScan TC
– I f you selectedAll files, every compressed file will be scanned.
Setting Policy for On-Access Scanning
–IfyouselectedDefault files,the compressed file types thatthe
current scanning engine and .DAT file s classify as susceptible
to infection will be included in scanning activities.
– I f you selected Custom files, the scanner will examine only
those compressed file typesthatappearinthe listofextensions.
• Select Boot sectors to scan the disk boot sector of a floppy disk or
hard disk when a file is first accessed.
• Select Archive files for W indows N T or Windows 2000 if you want
the scanner to examine these archive file types and their contents:
ARC
ARJ
CAB
LZH
RAR
TAR
ZIP
– To include these file types in scanning activities, you must
select this checkbox whether you selected All files, Default
files or CustomFiles.
– I f you selected Custom files, you must also verify that these
file t ypes appear in the list of extensions.
6. Under Enable Heuristic Scanning Of, select the type o f heuristic
scanning you prefer. Your options are:
Macros Identifies all Microsoft Word, Microsoft Excel, a nd
other Microsoft Office files that contain embedded
macros,then compares the file characteristics
against a list of known virus characteristics. The
scanner identifies code signatures that resemble
existing v iruses, and considers them to be potential
macro virus.
Program Files Locatesnewvirusesinprogramfilesbyexamining
file characteristics and comp aring them against a list
of known virus characteristics. The scanner
identifies files with a sufficient number of these
characteristics as potential viruses.
7. Under General, select Show i con in the taskbar to display the
VirusScan icon in the workstation’s taskbar. If you deselect this item, the
user sees no indication that virus scanning is active on t he workstation.
8. Click Apply to save your d etection policy settings.
+
WARNING: If you do not click Ap ply, you settings are ignored.
Administrator’s Guide 35
Setting Policy for On-Access Scanning
Action options
When VirusScan TC software detects a virus, it can respond either by
automatically taking an action that you determine ahead of time. Use the
Action tab to specify the scanner’s behavior when it finds a vir us.
To set the Action options, follow these steps:
1. Select the Action tab on the On-A ccess Scan Options page (Figure 3-5).
2. Deselect Inherit to change the product’s current configuration settings.
See the NOTE on page 32 for more information about Inheritance.
36 McAfee VirusScan TC
Figure 3-5. On-Access S can Options — Action property page
Setting Policy for On-Access Scanning
3. Under When a Virus is Found, select one of these options:
• Deny access to infected files and continue. Denies any user
access to an infected file. If you select this option, b e sure to enable
the logging option so that you have a record of which files are
infected. See “Report options” on page 39 for details.
ë
TIP: When you select this option, the scanner automatically
stops read and copy operations for any file that it identifies as
infected. As a result, the infection can notbe transmitted once it
is identified. McAfee recommends that you select this option if
you plan to leave your server unattended for long periods.
When you are able to return your attentionto the server, you
can then verify the infection, and decide whether to clean the
infection, delete the file, or restore an earlier version of the file
from backups.
• Move infected files automatically. The scanner moves infected
files to a quarantine folder as soon as it finds them.
By default, the first time that the scanner moves a file, it creates a
folder named Infected, which it uses to store qua rantined files. The
default path of the quarantine file is:
<drive>:\Infected
Here,drive refers to the client disk on which the virus was detected.
If you prefer,you can enter a different name or path.
• Clean infected files immediately. The scanner removes the v irus
code from the infected file as soon as it finds it.
• Delete infected files immediatel y. The scanner deletes every
infected file itfinds. Be sure to enablethe logging feature so that you
have a recordof the files that the application deleted. You will need
to resto re deleted files from backup copies. If the application cannot
delete an infected file, it notes the incident in its log file.
For more information about the status of infected files relativeto the
outcome of the scanning activity, see page 39.
4. If you want the scanner to warn users that the file they opened, copied
from, or saved is infected, select Send message touser,then,inthebox
provided, enter the message you want users to s ee.
Administrator’s Guide 37
Setting Policy for On-Access Scanning
5. Click Apply to save y our action policy settings. The settings are
transmitted to the ePolicy Orchestrator agents for enforcement the next
time that the agents request new policies and tasks from the server. See
the ePolicy Orchestrator Administrator’s Guide for information about
agent-server communication.
+
WARNING: If you do not click Ap ply, you settings are ignored.
Status of infected files after scanning
The status of an infected file after scanning depends upon anumber of factors:
Scanning action • Deny Access
• Delete
•Move
• Clean
Operating system • Windows 95 and Windows 98
• Windows NT and Windows 2000
Trigger • File read from disk
• File written to disk
Outcome • Success *
•Failure**
The table below shows, by factor, the status of infected files after scanning:
38 McAfee VirusScan TC
* Success means that the scanner took the action that the administrator specified and
the desired result was achieved,without incident.
** Failure means that the scanner was not able to take the action that the administrator
specified, but took a different action instead.
Failure can occur for a varietyof reasons, suchas: no driveryet exists forcleaning a
new virus; the virus has characteristics that are uncleanable; timing conflicts exist
between actions taken on a file by two different applications;timing conflictsexist
relating to the way that an application, such as MicrosoftWorddeals with multiple
versionsofafilewhenitisinuse.
Setting Policy for On-Access Scanning
Status of Infected File
Selected
Action
Deny
Access
Delete
Move
Clean
* There are cases where an infected file is written to disk intact even if you have selected When writing to disk on the scanner’s
detection property page. This includes the extremely rare circumstances where the deletion command fails. In those cases the virus
cannot be activated until a user attempts to open, copy, or move the infected file. At that time, the file will be scanned if you have
selectedWhen reading from disk on the scanner’s detection property page.
Outcome
Read from disk Written to disk Read from disk Written to disk
Success
Failure Not applicable. Denial of access to the file is always available.
Success Deleted
Failure
Success Movedtoquarantinefolder
Failure
Success Cleaned
Failure*
• Left intact
• Access denied
• Left intact
•AccessDenied
• Left intact
• Access denied
• File name
acquires.
extension.
• Access denied.
Windows 95 and
Windows 98
Left intact* • Left intact
VIR
Windows NT and
Deleted* • Left intact
•Accessdenied
•Accessdenied
Deleted* • Left intact
•Accessdenied
Deleted* •Filename
acquires.
extension.
• Access denied.
Windows 2000
Deleted*
Left intact*
Left intact*
Deleted*
VIR
Report options
The scanner lists its current settings and summarizes all of the actions it takes
during its scanning operations in a log file, which, by default is called
VSHLOG.TXT. You can accept the defaults, or make selectionsto customize
your log file, which you can open and print for later review.
You can use the log file to track virus activity on your system and to note
which settings the program used to detect and respond to infections. You can
also use the incident reports recorded in the file to determine which files you
need t o examine in quarantine, or delete from your computer.
Administrator’s Guide 39
Setting Policy for On-Access Scanning
¥
NOTE: T he reporting function of the VirusScan TC program does not
replace, supersede, or affect the function of the McAfee Anti-Virus
Informant applica tio n that is included with the ePolicy Orc hestrator
software. See the ePolicy Orchestrator Administrator’s Guide fo r more
information abou t the Anti-Virus Informant module.
Also, this reporting function does not replace or supersede the Alerting
functions that might be present o n your network if you have installed the
Alert Manager component of McAfee NetShield for Windows NT and
Windows 2000 on your servers.
To set the Report options:
1. Select the Report tab on the On-Access Scan Options page (Figure 3-6).
40 McAfee VirusScan TC
Figure 3-6. On-Access Scan Options — Report property page
Setting Policy for On-Access Scanning
2. Deselect Inherit to change the product’s current configuration settings.
See the NOTE on page 32 for more information about this step.
3. Select Logtofileto save the log in a file that you sp ecify.
By default, the scanner writes log information to the file VSHLOG.TXT
in the VirusScan program directory. The program creates the default fil e
in the default path.
4. To minimize the size of the log file, click Limit size of log file to,then
enter a value for the file size, in kilobytes, in the text box. If you do not
select this checkbox, the log file can continue growing without any limit.
Enter a value between 10
the file size to 1024
ë
TIP: If the data in the log exceeds the file size you set, the oldest 25
KB and 32767KB. By default, the scanner limits
KB.
percentofthe log text is deletedto make room for new information.
If you place no size re striction on the log file, you run the risk of it
consuming all available space on the drive where it is located.
5. Select the checkboxes that corresp ond to the information you w ant t o
record in the log file. Deselect any box to om it the information from the
log file. The options are:
Virus detection
Virus cleaning
Records detection of a virus.
Records the scanner’s attempt to clean an
infected file.
Infected files
deleted
Infected files
moved
Session
settings
Session
summary
Records deletion of an in fected file.
Records the relocation of an infected file to the
quarantine folder.
Records the configuration settings that were in
use when the VirusScan TC scanner was started.
Summarizethe actionsthat the scannertook.The
log records all the options you select on this tab.
Dateandtime
Username
Records the date and time when the reported
event occurred.
Records the name of the u ser that acces sed the
file that precipitated the action being reported.
Administrator’s Guide 41
Setting Policy for On-Access Scanning
6. Select Enable Centralized Alerting if you have installed a McAfee
product that includes Alert Manager, such as the NetShield or
GroupShield software, on one o r more servers, and want to continue
using it. This feature allows workstations to transmit alerts to a
centralized folder from whichAlert Manager can retrieveanddistribute
them, using the methods that you configured within Alert Manager.
7. In the box labeled Destination for alerts, enter the path of the shared
folder. This is the share folder where the workstations w ill send their
alerts, in the form of .ALR files. It is also the folder from which the
NetShield program retrieves alerts,converts them into its own format,
and distributes them via the methods yo u have configur ed for Alert
Manager. Typically the shared folder is located on the NetShield server
where Alert Manager is located. However, you can configure Alert
Manager to look for the folder in a different location.
æ
IMPORTANT:Very careful planning is required to assure that
workstations have easy access to the shared folder without
compromising overall network security.Achieving this combination
requires that you a) designate the s hared folder as a NullSessionShare,
and b) take advantage of appropriate Windows securities measure for
NTFS systems to protect the N ullSessionShare.
a. Designate the shared folder that receives the .ALR files as a
NullSessionShare. This allows the workstations to have easy access
to the shared folder without providing login credentials. To do so ,
create a name for the shared folder, and add the name to the value
NullSessionShares located in the follo wing registry key on th e
NetShield server where Alert Manager is located:
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services
LanmanServer
Parameters
See your NetShield documentation for more information about
configuring Alert Manager.
b. Because a NullSessionShare can result in a security vulnerability,
McAfee strongly recommends that you take advantage of all of the
following security features available for Windows NTFS systems
including:
• granting clients only “write” privileges to the shared folder.
• granting the Alert Manager server privileges for searching,
reading, and deleting only.
42 McAfee VirusScan TC
8. Click Apply t o save your report policy settings. Th e settings are
transmitted to the ePolicy Orchestrator agents for enforcement the next
time that the agents request new policies and tasks from the server. See
the ePolicy Orchestrator Administrator’s Guide for information about
agent-server communication.
+
WARNING: If you do not click Ap ply, you settings are ignored.
Exclusi on opti ons
Many of the files stored on your computer are not vulnerable to virus
infection. Having the on-access scanner examine these files can take a long
time and produce few r esults. You can reduce the time the scanner spends
looking at each file you modify by restricting the scanner to examine only
susceptible file types. You can also tell the sc anner to ignore files or entire
folders that you know cannot become infected.
Setting Policy for On-Access Scanning
• establishing a quota for the number of messages that the
shared fold er can accept.
• using the NTFS auditing feature.
The exclusion list identifies which items—disks, folders, or in dividual files—
you want to exclud e from scanning activities. By default , the scanner does not
examine files that are in the Recycle Bin because Windows will not run items
stored there. This item appears in the exclusions list when you first open the
property page.
Each entry in the exclusions list displays the path to the item, notes whether
the module will also e xclude any nested folders, and expla ins whether the
application will exclude the item when it scans files, when it scans your hard
disk boot sector, or both.
To choose Exclusion options, follow these steps:
1. Click the Exclusions tab (Figure 3-7 on page 4 4.)
Administrator’s Guide 43
Setting Policy for On-Access Scanning
2. Deselect Inherit to change the product’s current configuration settings.
See the NOTE on page 32 for more information about Inheritance.
3. Specify the items you wa nt to exclude. Use the Add button to add a file
or folder to the list; or use the Edit and Remove buttons to change o r
remove existing items in this list.
44 McAfee VirusScan TC
Figure 3-7. On-Access Scan Options — Exclusions proper ty page
• Add files, folders or volumes to the exclusion list. Click Add to
open the Add Exclusio n Item dialog box (Figure 3-8 on page 45).
Setting Policy for On-Access Scanning
Figure 3-8. Add E xclusion Item dialog box
Follow these steps to add items to the list:
a. I n the text box, enter the path of a folder or a file or folder that
you want to exclude from scanning activ ities.
¥
NOTE: If you have chosento move infected files to a
quarantinefolder automatically,the moduleexcludes that
folder fro m scan operations.
b. SelectInclude subfolders to tell the scanner to ignore all files
stored in any subfolders within the folder you specifie d in
Step a. Deselecting Include subfolders will exclude from
scanning the files located in the target folder, but will not
exclude its subfolders.
+
WARNING:McAfee recommends that you do not
exclude your system files during a scan session.
c. Repeat Steps a to b until you have listed all of the files and
folders t hat you do not want scanned.
• Change the exclusion list. To change the settings for an exclusion
item, select it in th e Exclusions list, then click Edit to open the Edit
Exclusion Item dialog box. Make the changes you need, then click
OK to closethe dialog box.
• Remove an item from thelist. To deleteanexclusionitem,select it
in the list, then click Remove. This means that the scanner will scan
this file or folder during this scan session.
Administrator’s Guide 45
Setting Policy for On-Access Scanning
4. Click Apply to save y our exclusion policy settings. The settings are
transmitted to the ePolicy Orchestrator agents for enforcement the next
time that the agents request new policies and tasks from the server. See
the ePolicy Orchestrator Administrator’s Guide for information about
agent-server communication.
+
WARNING: If you do not click Ap ply, you settings are ignored.
Deploying scanning policy to the agents
When you finished configuring each of the on-access scanner’s properties,
(detection, actions, reports, and exclusions) you c licked Apply to save your
policy c hoices. That step assured that your policies were ready for t ransmittal
the ePo licy Orchestrator agents for enforcement. You m us t now prepare th e
server to actually transmit the policies to the agents.
To prepare the server to deploy the policiesto the agents,follow these steps:
1. On the ePolicy Orchestrator console,select VirusScan TC v6.0.0 for
Windows on the Policies tab in the upper details pane. The Installation
Options page appears (Figure 3-9 on page 46).
46 McAfee VirusScan TC
Figure 3-9. ePolicy Orchestrator Console
displaying the VirusScan TC Instal lation O ptions page
Setting Policy for On-Access Scanning
2. In the Directory tree, select a target group or computer to which you
want to deploy scanning policy. The target could be a group or a single
computer.
3. DeselectInherit to changethe installationsettings.SeetheNOTE on page
32 for information about Inheritance.
4. Verify that E nfor ce Pol icies fo r VirusScan TC v.6.0.0 f or W in dows is
selected.
5. Click Apply. Your policiesaretransmitted to the agentsthe next time that
the agents request new polici e s a nd tasks from the server. See the ePolicy
Orchestrator Administrator’s Guide for information about agent-server
communication.
¥
NOTE: If you deselect EnforcePolicies..., the agentswill not
enforce your policies.
Administrator’s Guide 47
Setting Policy for On-Access Scanning
48 McAfee VirusScan TC
4 Updating and Mirroring Tasks
Why update?
To protect your network, the VirusScan TC software needs regular updates of
its virus definition files (.DATfiles), improvements to its scanning engine, and
other technical enhance ments. Without updated files, the VirusScan TC
software m ight not detect new virus strains or respond to them effectively.
McAfee r eleases new .DAT files weekly to pr ovide protection against the
approximately 500 new viruses that appear each month. If new, dangerous
virusesappearbetweenregularw eekly r eleases, McAfee issues a special .DAT
file, known as EXTRA.DAT to deal with the outbreak. Periodically, McAfee
releases upgrades to the scanningengine, incorporating improved technology
for dealing with malicious code.
McAfee has introduced a new incremental .DAT technology, called iDAT. It
consists of small file collections that contain only the virus definitions that
have changed between weekly .DAT file releases—not the entire .DAT file set.
This development means that you can download .DAT file updates much
faster, and at a far lower c ost in bandwidth, than ever before. McAfee offers
free .DAT file updates for the life of your product. McAfee also distributes
updated .DAT files in a form known as SuperDAT, which includes periodic
upgrades to the s canning engine.
4
VirusScan TC supports full updates of all .DAT files, incremental changes to
the .DAT files currently in us e, and SuperDAT u p g rades of the scanning
engine. T he update task includes functionality that determines which kind of
update is required to achieve the maximum virus protection.
Overview of the updating and mirroring tasks
Revised virus definition files appear on the Network Associates FTP site as
data file packages identified by the extension .DAT. (The update site is
ftp.nai.com/virusdefs/4.x.) A .DAT package consists of a .ZIP archive file
named DAT-XXXX.ZIP.The XXXX in the file name is a series number that
changes with each .DAT file release. The Automatic DAT Update utility
downloads these files, stops the on-access scanner t emporarily, installs the
revisedfiles,then restarts the on-accessscanner. The scanner will then use the
revised files immediately.
¥
NOTE: McAfee recommends that client have access to a utility for
extracting .ZIP files.
Administrator’s Guide 49
Updating and Mirroring Tasks
In relatively small networks, where every computer has unlimited access to
the int ern et, each computer could p ull the update files directly from the
NetworkAssociatesFTP updatesite.However,suchan approachisimpractical
in situations where some computers do not have access to the internet, and
inefficient in situations where many computers are all downloading files from
a r emote, external source, such as the Network Associates FTP site.
A typical approach to updating on networks that are managed by the ePolicy
Orchestratorsoftwareinvolvesthecreationofone ormoremirror siteson your
network. Each mirror site replicates the directory on the Network Associates
FTP site that contains the .DAT files. The computers on your network then
downloadthe update files from amirrorsite. Thisapproachis practicalbecause
it permits updating of any computer on your network whether o r not it has
internet access, and efficient because your workstations are communicating
with a server that is probablycloser than a Network Associates FTP server,
thus economizing access and download time.
If yo u are planning to use mirrored sites on your networ k, you must:
• Configure the AutoUpdate task and the Mirroring task. The order in
which you configure thesetasks is not important.
• Schedule the AutoUpdate task and the Mirroring task to run at
convenient times. It is essential that the Mirroring task run first,andthatit
be completed before the AutoUpdating task begins.
The relationship between the AutoUpdate task and Mirroring task is
summarized on the following table:
50 McAfee VirusScan TC
AutoUpdate Mirroring
Target
This task applies to a domain, and af fects
all computers in the selected domain that
have McAfee VirusScan TC installed. Any
computer in the domain can AutoUpdate
its .DAT files.
Pullstheupdatefilesfromapre-defined
server to the workstation. The server can
be the Network Associates FTP update
site, or a mirror server on your network
thatreplicatesthe contentsof theNetwork
Associates FTP update site.
Configuration
Creates a list of servers where your client
computers can pull the update files that
the VirusScan TC program uses to detect
viruses.
This task applies toa serverthatyou select
asthesourceforupdatefiles.Any
computer that can “see” the mirror folder
can receive its updates.
Function
Replicates the f iles on the Network
AssociatesFTP update site on one or more
servers, or from one local server to
another.
Defines a location that contains an image
of the contents of the Network Associates
FTP update site.
Updating and MirroringTasks
Results
A location, preferably nearby, is defined
where yourcomputers canpull update
files. The .DAT files and engine files on
theclientcomputerareupdated.
A location, preferably nearby, is defined
as a mirror image of the Network
Associates FTP update site, and is
available to your computers. . DAT files
aremadeavailableforupdatetasks
Configuring the AutoUpdate and Mirroring tasks
Many of the steps for configuring the two tasks are identical, and others are
similar. The order in which you configure the two tasks is irrelevant.
Therefore, the two procedures are described simultaneously. Where the two
procedures differ, they ar e clearly distinguished.
æ
IMPORTANT:Your configuration settings apply to the target (group, or
computer) that is selected in the ePolicy O rchestrator console tree.
Administrator’s Guide 51
Updating and Mirroring Tasks
To configure the AutoUpdateand Mirroring tasks, follow these steps:
1. Select a target in the ePolicy Orchestrator Directory tree for which you
want to configure an updating task. The target could be a group or a
single computer.
2. Right-click and select Schedule Task. The ePolicy Orchestrator
Schedulerdialog box appears (Figure 4-1).
52 McAfee VirusScan TC
Figure 4-1. Scheduler dialog box—Task page
¥
NOTE: There a r e three alternative ways to open the Scheduler.
• Select the Tasks tab at the top of the details pane, on the right
side of the console.
Figure 4-1. Tasks tab sel ected in details pane
Right-click anywhere in th e deta ils pane, and select Schedule
Task. This approach is particularlyusefulwhenyouwanttoe di t
an existing task. Tasks are listed here as soon as you create and
save them.
• Select Schedule Task from the ePolicy Orchestrator Action
menu.
Updating and MirroringTasks
• Select All Tasks from the ePolicy Orchestrator Action menu.
Then selectSchedule Task from the drop-down menu.
3. Select the Task tab to define the activity you ar e configuring.
4. In the Name box, enter a descriptive name for the task that you are
creating. T asks can be saved for repeated u se. The name yo u assign to a
particular updat e task might describe the group of computers you are
targeting for update, and/or the frequency of the update task.
5. In theSoftwarebox,selectthe software thatyou wanttouseforthetask.
When operating the VirusScan TC software, the only available choice is
Installer for Viru sScan TC v6.0.0 for Wi ndows.
6. In the Task Type box, click . From the drop-down menu, select the
type of task that you are setting up. Your choices are: VirusScan TC
AutoUpdate and Mirror AutoUpdate Site.
7. Click Settings. T he property page for the selected type of task appears
(Figure 4-2).
AutoUpdate Mirroring
Figure 4-2. AutoUpdate and Mirroring property pages
8. Click Add
.The Site Options property page opens. By default, FTP site is
selected, and the dialog assumes that login credentials are required (see
Figure 4-3 on page 54.)
Administrator’s Guide 53
Updating and Mirroring Tasks
¥
NOTE: You can designate a maximum of eight sites, each with a
unique name. The order in which the sites are listed on the Install
Sites and MSI Sites pr operty pages is the order in wh ich the
VirusScan TC installer softw are will look for the file.
9. Enter a name for the site that you are defining. This is the name that will
appear in the main Update Sites or So urce Sites page seen in Figure 4-2
on page 53,andintheUpdatelog.
10. Verify that Enable Site is selected.
54 McAfee VirusScan TC
Figure4-3. Site Options property page
Updating and MirroringTasks
11. Provide the necessary information to identify the location of the update
files. This might be the NAI update FTP site or a site on your network
that mirrors the NAI update FTP site.
• For an FTP site
a. Enter the name of the FTP server and the directory containing
the file or files. For example, ftp.myserver/install.
b. If theFTPlocation:
– requires login credentials, enter the User Name and
Passwordinformation required for access to the server.
Regardless of the number of characters in the password,
eight asterisks appear in the password field.
– accepts anonymous logins (like th e NAI FTP site,) select
Use Anonymous FTP Login.Theboxesforlogin
credentials are disabled.
c. Enter the path of the file or files.
d. If your network requires use of a proxy server, selectUse
Proxy Server. Two previously disabled text boxes are now
enabled. Enter the name of the proxy server, and the port it
uses.
æ
IMPORTANT:If you are using proxy software, be certainthat
you have the most current version, includinganyservicepacks
that hav e been released for use w ith the proxy software.
• For a UNC shared folder
a. Select the UNC path option.
b. Using UNC notation,(\\servername\path), enter the path
of the location where t h e update files are located.On Windows
95 and Windows98 systems,thecurrently logged-inusermust
have “read” rights to the shared folder.
c. Fill in the User Name and Password boxes. Regardless of the
number of charactersin the password, eight asterisks appear in
the password field.
Administrator’s Guide 55
Updating and Mirroring Tasks
æ
IMPORTANT:Very careful planning is required to assure that
workstations have easy access to the shared folder, using
SYSTEMACCOUNT,without compromising overall network security.
Achieving this combination requires that you a) designate the shared
folder as a N ullSessionShare, and b) take advantage of appropriate
Windows securities measure for NTFS systems to protect the
NullSessionShare.
a. Designate the shared folder that receives the .ALR files as a
NullSessionShare. This allows the workstations to have easy access
to the shared folder without providing login credentials. To do so,
create a name for the shared folder, and add the name to the value
NullSessionShares located in the follo wing registry key on th e
NetShield server where Alert Manager is located:
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services
LanmanServer
Parameters
See your NetShield documentation for more information about
configuring Alert Manager.
56 McAfee VirusScan TC
b. Because a NullSessionShare can result in a security vulnerability,
McAfee strongly recommends that you take advantage of all of the
following security features available for Windows NTFS systems
including:
• granting clients only “read” and “search” privileges to the
shared folder.
• granting the server that ho uses the shared folder “write”
privileges to the shared folder.
• establishing a quota for the number of messages that the
shared fold er can accept.
• using the NTFS auditing feature.
• Forapathonthelocalcomputer
a. Select the UNC path option.
b. Enter the path of the local folder in the field labeled En ter a
local path. For example, C:\DATS\
Updating and MirroringTasks
12. When you have finished setting Site Option, click OK.Yourchangesare
saved for deployment,and you are returned to the AutoUpdate property
page.
+
WARNING:If you do not click OK, the options that you selected
will be ignored.
13. Select the second tab on the dialog box (Figure 4-4).
AutoUpdate Mirroring
Select the Advanced tab. Select the Destination tab.
Figure 4-4. AutoUpdate Advanced property page and Mirroring
Destination property page
14. Make the selections appropriate for each task:
• Mirror AutoUpdate Site—Enter the path of the location where the
replicated .DAT files will be placed on the server that will run the
mirroringtask. This is the location of the shared folder or FTP site
that is accessible by the workstations that will update their .DAT
files.The path must correspond to the precise location of the folder
as it is displayed in Windows Explorer. Do not use an informal
name by which the shared folder is known.
• VirusScan TC AutoUpdate—Select on of the following options:
– Backup the existing .DAT files . Select this checkbox to
rename existing .DAT files before installing new files. The
original files are copied to a directory called DAT_XXXX.SAV.
– Update Engine if newer Engine exists. Select this checkbox
to have the utility replace the scanning engine you are
currently u sing with a mo re recent one, if one exists.
Administrator’s Guide 57
Updating and Mirroring Tasks
– Force-update .DAT files. Select this checkbo x if:
• You want to downgradethe current .DAT file to an earlier
.DAT file that you h ave preserved. You may want to take
this action as a tem porary step if the newer .DAT files are
not behaving as e xp ected. Another situation inwhich you
may want to select t his option is where you want to
includean EXTRA.DAT file witha routineupdate of your
virus definition files. See Deploying an EXTRA.DAT file
“With the weekly .DAT update” on page 67.
• The current .DAT file installation on a particular
workstation has been corrupted, or rendered in effective
because an essential file, such as CLEAN.DAT, has been
inadvertently deleted.
– Run a Program after a successful update. Select this for the
utility to start another program after it finishes installing new
.DAT files.
¥
NOTE: Theexecutableprogramfilethatyouselectmust
be located in the same folder as the VirusScan TC
executable, a nd should not require a user interface.
17. Select the Log Activity tab (Figure 4-5).
Figure 4-5. Log Activity property page
58 McAfee VirusScan TC
Updating and MirroringTasks
18. Verify that Logtofileis selected.
19. The name of the log files are UPDATE.LOG and MIRROR.LOG.The
default path of the logfiles is:
<drive>:\Program Files\McAfee\VirusScan TC\
Here,drive refers to the client disk where the VirusScan TC software is
installed .
If you prefer,you can enter a different name or path.
20. By default, the maximum size for the log file is set to 1,024
can en ter any value between 10
ë
TIP: If the data in the log exceeds the file size you set, the oldest 20
KB and 32,767KB.
KB (1MB).You
percentofthe log text is deletedto make room for new information.
If you place no size re striction on the log file, you run the risk of it
consuming all available space on the drive where it is located.
21. Verify that Enable Verbose is selected if you want the log to rep ort
every step in a procedure. A sample of an event recorded in verbose
mode is:
Figure 4-6. Verbose log
Figure4-7. Non-verbose log
22. When you have finished setting Log Activity options, click OK.Your
changes are saved for deployment, and you are returned to the ePolicy
Orchestrator Scheduler dialog box (see Figure 4-8 on page 60).
Administrator’s Guide 59
Updating and Mirroring Tasks
23. ClickApply to save your settings and continueconfiguring the task with
schedule settings. If you have finished configuring the task, click OK to
save your settings and close the Scheduler dialog box. Your saved
settings are transmitted to the ePolicy Orchestrator agents for
enforcement the next time that the agents request new policies and tasks
from the server. See the ePolicy Orchestrator Administrator’s Guide for
information about agent-server communication.
Figure 4-8. ePolicy Orchestrator Agent Options property page
Setting schedule for tasks
Setting basic schedule
After you have set configuration policy for the updating and/or mirroring
task, you must set a schedule for the task.
To set a schedule for a task, follow these steps:
1. TheePolicyOrchestratorconsoleshouldbeopen.
To schedule a task, select the target in the console tree; verify that the
Tasks tab is selected; right-click the details pane; and select Schedule
New Task. Whent he ePolicy Orchestrator Scheduler dialog box appears,
click in the Task Type box to select the task that you want to
schedule.
60 McAfee VirusScan TC
Updating and MirroringTasks
For a more complete description of opening the Scheduler and naming a
task, see Step 1 on page 52 through Step 4 on page 53.
2. Select the Schedule tab (Figure 4-9).
Figure 4-9. Scheduler dialog box—Scheduler page
3. In the box labe ledSchedule Task, click to select the frequency for t he
task. Depending on your selection, the display in the lower portion of the
dialog box changes, allowing you to further specify the scheduling
details.
•ForDaily, click to specify the number of days that intervene
between r epetitions of t his activity.
•ForWeekly, specify the number of weeks that intervene between
repetitions of the scanning activity. Then specify the d ays of the
week on which the task is to run.
•ForMonthly, select either Day or The __ day of the month.
–ForDay, use to specify the day of the month on which the
task will run.
–ForThe__dayofthemonth,usethe inbothboxesand
select the monthly pattern that you want to apply to the
scanning activity.
Next, click Select Months, and place a checkmark next to
every month during which you want to apply the specified
pattern.
•ForOnce, use to select a day and date from the drop-down
calendar that appears.
Administrator’s Guide 61
Updating and Mirroring Tasks
•ForAt System Startup, there is nothing more to configure. The task
•ForAt Logon, there is nothing more to configure. The task will run
•IfyouselectWhen Idle, use to specify the number of minutes of
•ForRun Immediately, there is n othing more to configure. The task
4. In the Start Timebox, specify the starting time for the task.
• Select the two-digit figure in front of the colon, representing
will run when the system starts.
¥
NOTE: On Windows 95 and Windows 98 systems, the user
must be logged-onfor this option to work.
when a user logs on.
idleness that will trigger the task. This option is useful for some
kinds of tasks, but is not considered useful for an updatingor
mirroring task.
will run when it is received by the c omputers that you selected in
the ePolicy Orchestrator console tree.
the hour, then use to select a different hour.
• Select the two-digit figure following the colon, representing the
minutes, then use to select a different minute setting on the clock.
• Indicate whether the time setting refers toGMT (Greenwich Mean
Time) or Local T ime by selecting one of those options next to the
Start Time box.
– GMT is useful if you want the task to run simult aneously in
multiple domains that are in different time zones. Th is is u seful
in outbreak situations when you want all of you r ePo licy
Orchestrator agents to run the task at exactly the same time.
– Local time is useful when youwant every ePolicy Orchestrator
agent to run the update task at the time specified for its own
localtimezone.
5. You can set a pattern for randomizing the time at which the scheduled
task is to run. Randomizationmeans that the event may not start at the
time s pecified, but rather at a time, randomly selected by the program,
within a specified time frame. This is especially useful if you want to
control network trafficwhena task, such asAutoUpdate, isscheduledto
affect multiple servers. By randomizing the s cheduled time,not all of the
servers will attempt to connect simultaneouslyto the serverw here the
update files are stored. If you want to employ randomization, follow
these s teps:
62 McAfee VirusScan TC
• Select Enable randomization.
• In the two adj oining boxes, click to enter the time frame,inhours
and minutes, wit hin which you want the updating task to start. For
example, i f you set the randomization range to 1 hour and 30
minutes, updating may occur at any time during the 1.5 hours
preceding or following the time specifie d in the Start at box .
6. Bydefault,Run missed task is se lected. As a result, any scheduled task
that failed to run due to a client computer being of fline at the scheduled
time will run the next time the client machine is online.
Setting advanced schedule options
1. If you selected Daily, Weekly , Monthly,orOnce in Step 3 on page 61,
you can define a range of dates during which the task will run, and set a
repetition pattern for t he scanning task. To do so, click Advanced.The
Advanced Schedule Options dialog box opens (Figure 4-10).
Updating and MirroringTasks
Figure 4-10. Advanced Schedule Options dialog box
2. To specify a range of dates when you w ant the task to run, select End
Date. Next,use the in the ad jacent boxes tospecifya starting date and
an end date.
3. If you want the task repeated on a regular basis, select Repeat Task.
Next, use the two boxes adjoining the word Every to specify the
repetition pattern in hours o r minutes.
Then, select either a specific local time when the task will run, or the
number of hours and minutes that the scanning activity will run.
4. When you have finished setting Advanced options, click OK.Thissaves
your settings for deployment, and returns you to the Schedule page.
Administrator’s Guide 63
Updating and Mirroring Tasks
Selecting Schedule Settings
After you have setaschedule for a task, and haveclicked OK,youarereturned
to the ePolicy Orchestrator Sc hedu ler page to compl ete the Schedule Set tings
portion of that dialog box (Figure 4-11).
Figure 4-11. Scheduler dialog box
There are two settings available:
• Enable (sched ul ed task runs at specified time). Select this to run the
task at the times and under the circumstances that you specified on the
Scheduletab.
• Stop the task if it runs for __hour (s) __minutes. Selec t this to limit the
duration of the scheduledactivity. Use the buttons to specify the
maximum number of hours and minutes that the task can run. Use this
option with care so that the task does not end before the files have been
downloaded.
5. Click Apply to save your settings and continueconfiguring the task with
schedule settings. If you have finished configuring the task, click OK to
save your settings and close the Scheduler dialog box. Your saved
settings are transmitted to the ePolicy Orchestrator agents for
enforcement the next time that the agents request new policies and tasks
from the server. See the ePolicy Orchestrator Administrator’s Guide for
information about agent-server communication.
64 McAfee VirusScan TC
Editing and deleting a task
When y ou have finished defining a task and setting its schedule, the task
appears on the Tasks page of the ePolicy Orchestrator details pane.
Figure 4-12. Task List
Right-click a listed task and select an action from the menu t hat appears:
• Delete. Select this option to remove the task from the list.
• Schedule Task. Select this option t o schedule a n ew task.
• Edit Task. Select this option to change the task’s settings.
Dealing with virus outbreaks
The McAfee AVERT research organization publishes new .DAT files when it
determines that either of these conditions exists:
Updating and MirroringTasks
• A virus present s a “medium on-watch,” “ high ri sk threat of infection”, or
“high risk outbreak“ situation. To learn a bout what constitutes a m edium
on-watchor high risk,or to learn about McAfee AVERT risk assessmentin
general,visit the AV ERT website at:
http://www.mcafeeb2b.com/asp_set/anti_virus/alerts/ara.asp
• A high-prevalence virus threatens an outbreak situation.
The new .DAT files are designed to detect the infection and, if possible, to
clean the file. In the past, the only way to distribute a new ly developed driver
between regular .DAT and SuperDAT release, was to distribute an
EXTRA.D AT file. For information on distributing EXTRA.DAT files, see
“Deploying an EXTRA. DAT file ,” starting on page 66.
Now, a new method is available for distributing new drivers during an
outbreak — by deploying routine .DAT file updates.
Administrator’s Guide 65
Updating and Mirroring Tasks
Deploying routin e .DAT file update s
When an outbreak condition exists, the new drivers are, as u sual, added tothe
routine, weekly .DA T files. H owever, instead of waiting until the next weekly
distribution day to incorporate the new virus definition, a new incremental
.DAT file is created to deal with the new virus, and is included with the .DAT
files availablefrom the McAfee FTP site. Thus, by performing a routineupdate
at any time, you are assured of received the most current .DAT files, including
the m o st current drivers. If variants of the original virus appear, additional
incrementals are created, as needed, and added to the downloadable .DAT
package. A dministrators can now schedule very frequent updates during an
outbreak,even dailyor hourlyupdates,if requiredandfeasible in termsofthe
size and topology of the network and its traffic.
This approach requires th at McAfee change the .DAT file naming convention
thatcurrentusers already know. Inthepast, each weekly .DAT filereleasewas
assigned anumberinseries.Fo r ex ample, if the .DAT set created on June 7 was
designed 4.0.4081,you couldexpect the .DAT release of June 14 to be 4.0.4082,
and the release of June 21 to be 4.0.4083, and so on.
In an outbreak situation,several releases may occur during a single week. For
example, all three .DAT release described above (4.0.4081 through 4.0.4083)
might all be released in a single week. In this case, the routine .DAT file
released on the next weekly release day will be 4.0.4084.
Although McAfee has not yet discontinued issuing EXTRA .DAT files dur ing
outbreaks, for many users, the new approach of simply deploying the
standard .DAT file will replace the cu rrent practice of relying on EXTRA.DAT
to protect their networks.
Deploying an EXTRA.DAT file
Independently of the weekly .DAT update
The McAfee AVERT research organization sometimes provides EXT R A.DAT
files to combat high-risk viruses between regular .DAT and SuperDAT
releases. In ordinary circumst ances, McAfee researchers publish these files
when they determine that these situations warrant one:
• A virus presents a “medium on-watch, “high” risk threat of infe ction, or
“high” risk outbreak situation. To learn about what constitutes a medium
on-watchor high risk,or to learn about McAfee AVERT risk assessmentin
general,visit the AV ERT website at:
http://www.mcafeeb2b.com/asp_set/anti_virus/alerts/ara.asp
• A high-prevalence virus threatens an outbreak situation.
66 McAfee VirusScan TC
Updating and MirroringTasks
When AVERT publishes an EXTRA.DAT file, they announce its availability
and a location where you can download the file. If you subscribe to the
Enterprise SecureCastupdateservice, you can receive all such alert messages.
The procedure for deploying EXTRA.DAT independently of the weekly.DAT
updates is a six step process:
1. Download EXTRA.DAT from the location designated in the AVERT
announcement .
2. Place EXTRA.DAT in the this folder on all client machines:
<drive>:\Program Files\Common F iles\McAfee\VirusScan Engine\4.0.xx\
This is the location that the scanner is programmed to look for EXTRA.DAT
3. Disable the on-access scanner temporarily. To do so:
• Select a target Directory in the ePolicy Orchestrator console tree.
• Deselect Enable On-Access Scan on the scanner’s detection
propertypage (seeFigure3-3onpage 31),andclickApply.Thisnew
policy will allow the scanner to stop operating while EXTRA.DAT
is installing itself.
4. Perform an agent wakeup call so t hat the agent enforces t he new policy,
and the scanner stops. To do so:
• Verify that the target Directory is still selected in the Directory.
• Right-click and sele ct Agent Wakeup Call.
• Configure the agent wakeup call. Se e Agent Wakeup Call in the
ePolicy Orchestrator administrator’s guide for detailed information.
5. Re-enable the on-access scanner. To do so, select Enable On-Access
Scan on the s canner’s detection property page, and c lick Apply.This
re-sets the policy for the scanner.
6. Repeat step4 . This second agent wakeup callenforcesthe new policy and
the scanner restarts.
With the weekly .DAT update
You can also add an EXTRA.DAT file to the .ZIP file that contains the weekly
updates.When you then run AutoUpdate,EXTRA.DAT is deployed with the
other contents of the .ZIP file. Th e following procedure uses the ex ampl e of a
weekly update file named DAT-4085. Substitute the number of the .DATs you
are currently installing.
Administrator’s Guide 67
Updating and Mirroring Tasks
To deploy EXTRA.DAT with a weekly .DAT file, follow these steps:
1. Select the Advanced tab on the VirusScan TC AutoUpdate property
pages. For information on navigating to this tab, see Step 1 through Step
7onpage53,andStep 12 on page 57 through Step 14 on page 57.
2. Select Force-update .DAT files. This will ensure that all .DAT files are
included in the update activity.
3. Add EXTRA.DAT to the weekly .ZIP fil e containing the .DATs. To do so:
a. Place DAT-4085.ZIP and EXTRA.DAT in the same folder.
b. Create a new archive that contains the two files. To do so, type the
4. Edit the UPDATE.INI file so that the file size a n d Check sum e ntries for
the new archive correspond to the actual values that resulted from the
addition of the EXTRA.DAT file to the DAT-4085.ZIP file.
¥
following at the command line:
pkzip dat-4085.zip extra.dat.
NOTE: UPDATE.INI is located in the folder on the FTP site where
you found DAT-4085.ZIP.
To determine the new file size and Checksum, type the following at the
command line:
The outputfrom that command includes the file size and Checksum for
the original DAT file plus EXTRA.DAT. The output is:
5. In the UPDATE.INIfile, changethe FileSize and Checksum fields to
matchtheinformationintheoutputdescribedinStep2,above.Todoso,
use a text editor, open the file UPDATE.INI, and edit it, as follows:
68 McAfee VirusScan TC
validate dat-4085.zip
Validate v3.0.1
(c)1994-1999 Network Associates, Inc. and its Affiliated
Companies.
All Rights Reserved.
Directory of C:\BLD\BUILDS\DATS
DAT-4085 ZIP 1707954 04-26-00 4:07a 9120 9B2F
dat-4085.zip
1 file(s) were validated
Original text Edited text
[ZIP]
EngineVersion=0
DATVersion=4085
FileName=dat-4085.zip
FileSize=1707214
Checksum=42BE,D02E
[ZIP]
EngineVersion=0
DATVersion=4085
FileName=dat-4085.zip
FileSize=1707954
Checksum=9120,9B2F
Updating and MirroringTasks
Administrator’s Guide 69
Updating and Mirroring Tasks
70 McAfee VirusScan TC
ATerm i no logy
This appendix supplements the glossary found in the ePolicy Orchestrator
Administrator’s Guide, elaborating on the usage of selected terms.
• Deploying refers to sending a software program or utility to the target
computers. Deployment does not include installation, although the two
processes sometimes overlap. You can deploy installation software, such
as the McAfee Installer for VirusScan TC, or anti-virus software
packages, suc h as VirusScan TC. Some elements are deployed using
“push” technology, while others are deployed using “pu ll” technology.
• Installing refers to the process of making the software functional on the
target c o mpu ter. It does not include deployment, a lthough the two
processes som etimes overlap. You can install installation s oftware,
anti-virus software packages, or updating software. I nstalling is
sometimes used tomeanonlyplacement of a software packageina target
location.
• Configuring refers to the options that youchoose to create a policy or task
that is customized to meet particular requirements or preferences. You
can configure deployment procedures, installation procedures, or
software functionality. When you configure the Installer, you are setting
installation policy. When you configure the on-access scanner, you are
setting scanning po licy. However, w hen you configure the Au toUpdate
feature, or the site replicat ion feature, you aredefining a scheduled task,not
setting a policy. See the comparison of Policy and Task,below.
A
• Policy and Task both refer to the way that you specify and configure an
activity for the software to carry out. However, the terms refer to
different types of activity. A comparison of the two types appears in the
following table:
Administrator’s Guide 71
Terminology
Policy Task
Enforced configuration settings for routine
software operations that are triggered by users’
actions, such as on-access scanning. This term
can refer to a particular rule,suchassetting a
policy to scan files only when reading from disk,orto
a strategy,suchassetting policy for on-access
scanning, which includes policies for detection of
viruses; scanner action when it detects a virus;
reporting scanner activities; and excluding
selected files from scanning activity.
Policies remain in effect until they are modified
or reversed.
The ePolicy Orchestraor agentenforces the
policy every time it receives new policies and
tasks from the server.
Definition
A software operation that is triggered by clock
or calendar settings, such as the periodic
updatingof virus definition files used by the
anti-virus scanner. Tasks are scheduled to occur
at a particular time, or at specified intervals.
Duration
Tasks scheduled to occur at a particular time are
obsolete after they take place. Tasks scheduled
to occur at speci fied intervals remain in effect
until they are mo dified or discontinued.
Action
Oncethe ePolicyOrchestrator agentreceivesthe
task from the server, it makes the task happen
based on the schedule that you set.
Number
One policy per computer for each installed
software product. Here, policy refers to a
strategy, rather than to the particular rules that
comprise the strategy.
Unlimited number of tasks that the installed
software products are capable of performing on
the basis of a schedule.
Applicability
Applies to Installer and On-Access Scanner. The major tasks in VirusScan TC is the
AutoUpdate feature, with its associated Site
Mirroring action.
Security
If the on-access scanner is deleted from a
workstation, or its configurationmodified, the
scanner will be reinstalled and the pol icy
enforced again the next time the agent requests
new policies.
The task is not visible at the workstation, so it
cannot be deleted.
Disabling
Can be disabled by deselecting Enforce Policies
for..., visi ble when a software package is
selected on the Policies page of ePolicy
Orchestrator details pane (see Figure 2-3 on
page 17.)
Can be disabled by deselectingEnable, visible
when the ePolicy Orchestrator Scheduler is open
to theTask page(see Figure 4-1 on page 52.)
72 McAfee VirusScan TC
BContact and
support information
Customer service
You may direct all ques tions, comments, or requests concerning the software
you purchased, your registration status, or similar issues to the Network
Associates Customer Service department at the following address:
Network AssociatesCustomer Service
4099 McEwen, Suite 500
Dallas, Texas 75244
U.S.A.
The department's hours of operation are 8:00 a.m. to 8:00 p.m. Central time,
Monday through Friday
Other contact information for corporate-licensed customers:
Phone: (972) 308-9960
Fax: (972) 619-7485 (24-hour, Group III fax)
E-Mail: services_corporate_division@nai.com
Web: http://www.nai.com
B
Other contact information for retail-licensed customers:
Phone: (972) 308-9960
Fax: (972) 619-7485 (24-hour, Group III fax)
E-Mail: cust_care@nai.com
Web: http://www.mcafee.com/
Technical support
McAfee and Network Associates are famous for their dedication to customer
satisfaction. The companies have continue d thistradition by making theirsites
on the World Wide Web valuable resources for answersto technical support
issues. McAfee encourages y ou to make this your first stop for a nswers to
frequently asked questions, for updates to McAfee and Network Associates
software,andforaccesstonewsandvirusinformation
WorldWideWeb http://www.nai.com/asp_set/services/technical_support
.
/tech_intro.asp
ManualName 73
Contact and support information
If you do not find what you need or do not have web access, try one of our
automated services.
Internet techsupport@mcafee.com
CompuServe GO NAI
America Online keyword MCAFEE
If the a utomated services do not have the answers you need, contact N etwork
Associates at one of the following numbers Monday through Friday between
8:00
A.M. and 8:00 P.M. Centraltime to find out aboutNetwork Associates
technical support plans.
For corporate-licensed customers:
Phone (972) 308-9960
Fax (972) 619-7845
For retail-licensed customers:
Phone (972) 855-7044
Fax (972) 619-7845
This guide includes a summary of the PrimeSupport plans avail able to
McAfee c ustomers. To learn more about plan features and other details, see
“PrimeSupport options” starting on page 80.
To provide the answers you need quickly and efficiently, the Network
Associates technical support staff needs some information about your
computerand your software. Please include this information in your
correspondence:
• Product name and version number
• Computer brand and m odel
• Any additional har dware or peripherals connected to your computer
• Operating syst em type and version numbers
• Network type and version, if applicable
• Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN
script
• Specific steps to reproduce the problem
74 Product Name
Download support
To get help with navigating or downloadingfilesfrom the Network Associates
or McAfee websites or FTP sites, call:
Corporate customers (801) 492-2650
Retail customers (801) 492-2600
Network Associates training
For information about schedulingon-site trainingforany McAfee or Network
Associates product, call Network Associates CustomerServiceat:
(972) 308-9960.
Comments and feedback
McAfee appr eciates your comments a nd reserves the r ight to use a ny
information you supply in any way it believes ap propriate without incurring
any obligation whatsoever. Please address your comments about McAfee
anti-virus product documentation to: McAfee, 20460 NW Von Neumann,
Beaverton, OR 97006-6942, U.S.A. You can also send faxed comments to
(503) 466-9671 or e-mail to tvd_documentation@nai.com.
Contact and support information
Reporting new items for anti-virus data fil e update s
McAfee anti-virus software offers y ou the best available d etection and
removal capabilities, including advanced heuristic scanning that can detect
new and unnamed viruses as they emerge. Occasionally, however, anentirely
new t ype of virus that is not a variation on an older type can appear on your
system and escape detection.
ManualName 75
Contact and support information
Because Mc Afee researchers are committed to providing you with effective
andup-to-date toolsyou can use toprotectyour system,please tellthem about
any new Java classes, ActiveX controls, dangerous websites, or viruses that
yoursoftwaredoes not now detect. Note that McAfee reservesthe right to use
any information you supply as it deems appropriate, without incurring any
obligations whatsoever. Send your questions or virus samples to:
virus_research@nai.com Use this address to send questions or
vsample@nai.com Usethis address to send questions or
To report items to the McAfee European o r South Africa research office, use
these e-mail addresses:
virus_research_europe@nai.com Use this address to s end questions or
virus_research_sa@nai.com Use this address to send questions or
virus samples to our North America
and South America offices
virus samples gathered with Dr
Solomon’s Anti-Virus Toolkit* software
to our offices in the United Kingdom
virus samples to our offices in Western
Europe
virus samples to our South Africa
offices
76 Product Name
virus_research_de@nai.com Use this address to send questions or
virus samples gathered with Dr
Solomon’s Anti-Virus Toolkit software
to our offices in Germany
To report items to the McAfee Asia-Pacific research office, or the office in
Japan, use one of these e-mail addresses:
virus_research_japan@nai.com Use this address to send questions or
virus samples to our offices in Japan
and East Asia
virus_research_apac@nai.com U se this address to send questions or
virussamples to our offices in Australia
and Southeast Asia
International contact information
To contact Network Associates outside the United States, use the addresses,
phone numbers and fax numbers below.
Contact and support information
Network Associates
Australia
Level 1, 500 Pacific Highway
St. Leonards, NSW
Sydney, Australia 2065
Phone: 61-2-8425-4200
Fax: 61-2-9439-5166
Network Associates
Belgique
BDC Heyzel Esplanade, boîte 43
1020 Bruxelles
Belgique
Phone: 0032-2 478.10.29
Fax: 0032-2 478.66.21
Network Associates
Canada
139 Main Street, Suite 201
Unionville, Ontario
Canada L3R 2G6
Phone: (905) 479-4189
Fax: (905) 479-4540
Network Associates
Austria
Pulvermuehlstrasse 17
Linz, Austria
Postal Code A-4040
Phone: 43-732-757-244
Fax: 43-732-757-244-20
Network Associates
do Brasil
Rua GeraldoFlausino Gomez 78
Cj. - 51 Brooklin Novo - São Paulo
SP - 04575-060 - Brasil
Phone: (55 11) 5505 1009
Fax: (55 11) 5505 1006
Network Associates
People’s Republic of China
Room 913, Tower B
Full Link Plaza
No. 18 Chao Yang Men Wai Avenue
Beijing
People’s Republic of China 100020
Phone: 86-10-6538-3399
Fax: 86-10-6588-5601
Network Associates Denmark
Lautruphoej 1-3
2750 Ballerup
Danmark
Phone: 45 70 277 277
Fax: 45 44 209 910
NA Network Associates Oy
Mikonkatu9,5.krs.
00100 Helsinki
Finland
Phone: 358 9 5270 70
Fax: 358 9 5270 7100
ManualName 77
Contact and support information
Network Associates
France S.A.
50 Rue de Londres
75008 Paris
France
Phone: 33 1 44 908 737
Fax: 33 1 45 227 554
Network Associates Hong Kong
14th Floor, Plaza 2000
2-4 Russell Way
Causeway Bay, Hong Kong
Phone: 852-2892-9500
Fax: 852-2832-9530
Network Associates Japan, Inc.
Shibuya Mark City West 20F
1-12-1 Dougenzaka, Shibuya-ku
Tokyo 150-0043, Japan
Phone: 81 3 5428 1100
Fax: 81 3 5428 1480
Network Associates
Deutschland GmbH
Ohmstraße 1
D-85716 Unterschleißheim
Deutschland
Phone: 49 (0)89/3707-0
Fax: 49 (0)89/3707-1199
Network Associates Srl
Centro Direzionale Summit
Palazzo D/1
Via Brescia, 28
20063 - Cernusco sul Naviglio (MI)
Italy
Phone: 39 02 92 65 01
Fax: 39 02 92 14 16 44
Network Associates Latin America
1200 S. Pine Island Road, Suite 375
Plantation, Florida 33324
United States
Phone: (954) 452-1731
Fax: (954) 236-8031
78 Product Name
Network Associates
de Mexico
Andres Bello No. 10, 4 Piso
4th Floor
Col. Polanco
Mexico City, Mexico D.F. 11560
Phone: (525) 282-9180
Fax: (525) 282-9183
Network Associates
International B.V.
Gatwickstraat 25
1043 GL Amsterdam
The Netherlands
Phone: 31 20 586 6100
Fax: 31 20 586 6101
Contact and support information
Network Associates
Portugal
Av. da Liberdade, 114
1269-046 Lisboa
Portugal
Phone: 351 1 340 4543
Fax: 351 1 340 4575
Network Associates
South East Asia
78 Shenton Way
#29-02
Singapore 079120
Phone: 65-222-7555
Fax: 65-220-7255
Network Associates Sweden
Datavägen 3A
Box 596
S-175 26 Järfälla
Sweden
Phone: 46 (0) 8 580 88 400
Fax: 46 (0) 8 580 88 405
Net Tools Network Associates
South Af rica
Hawthorne House
St. Andrews Business Park
Meadowbrook Lane
Bryanston, Johannesburg
South Africa 2021
Phone: 27 11 700-8200
Fax: 27 11 706-1569
Network Associates
Spain
a
Orense 4, 4
Planta.
Edificio Trieste
28020 Madrid, Spain
Phone: 34 9141 88 500
Fax: 34 9155 61 404
Network Associates AG
Baeulerwisenstrasse 3
8152 Glattbrugg
Switzerland
Phone: 0041 1 808 99 66
Fax: 0041 1 808 99 77
Network Associates
Taiwan
Suite 6, 11F, No. 188, Sec. 5
NanKingE.Rd.
Taipei, Taiwan, Republic of China
Phone: 886-2-27-474-8800
Fax: 886-2-27-635-5864
Network Associates
International Ltd.
227 Bath Road
Slough, Berkshire
SL1 5PP
United Kingdom
Phone: 44 (0)1753 217 500
Fax: 44 (0)1753 217 520
ManualName 79
Contact and support information
PrimeSupport options
Adding value to your McAfee produ ct
Choosing McAfee anti-virus, Sniffer Technologies network mana gement, and
PGP s ecurity software helps to ensure that the critical technology you rely on
functions smoothly and effectively. Taking advantage of a Network
Associates support plan extends the protectionyou get from your softwareby
giving you access to the expertise you need to install, monitor, maintain and
upgrade your system with the latest Network Associates technology. With a
support plan tailored to your needs, you can keep your system or your
network wor king dependably in your computing environment for mo nths or
yearstocome.
Network Associates support plans come under two general headings. If you
areacorporate customer,you canchoosefrom fourlevelsof extendedsupport
under the Network Associates Corporate PrimeSupport* program. If you are
a home user, you can choose a plan gearedtoward your needs from the Home
User PrimeSupport program.
PrimeSuppo rt options for corporate customers
The Corporate PrimeSupport program o ffers these four support plans:
• PrimeSupport KnowledgeCenter plan
• PrimeSupport Connect plan
• PrimeSupport Priority plan
• PrimeSupport Enterprise plan
Each plan has a range of fea tures that provide you with cost-effective and
timely suppo rt geared to m eet your needs. The following sections describe
each plan in detail.
The PrimeSupport KnowledgeCenter plan
The PrimeSupport KnowledgeCenter plan gives you access to an extensive
array of technical support information via a Network Asso cia tes online
knowledgebase, anddownloadaccess toproductupgradesfromthe Network
Associates website.If you purchasedyour Network Associates productwitha
subscription license, you receive the PrimeSupport KnowledgeCenter plan as
part of the package, for the length of your subscription term.
If you purchased a perpetual license for your Network Associates product,
you c an purchase a PrimeSupport KnowledgeCenter plan for an annual fee.
80 Product Name
To receive your KnowledgeCenter password or to register your PrimeSupport
agreement with Network Associates, visit:
http://www.nai.com/asp_set/support/introduction/default.asp
Your c ompl eted form will go to the Network Associates Customer Service
Center.You must submit this form before you connect to the PrimeSupport
KnowledgeCenter site.
With the PrimeSupport KnowledgeCenter plan, you get:
• Unrestricted, 24-hour-per-day online access to technical solutions from a
searchable knowledge base within the Network Associates website
• Electronic incident and query submission
• Technical documents, including user’s guides, FAQ lists, and release n otes
• Online data file updates a nd product upgrades
The PrimeSupport Connect plan
The Pr imeSupport Connect plan gives you telephone access to essential
product assistance from experienced technical support staff members. With
this plan, you get:
Contact and support information
• InN orth America, unlimited toll-free telephone access to technical support
from Monday through Friday, 8: 00 a.m. to 8:00 p.m . Central Time
• In Europe, the Middle East, and Africa, unlimited telephone access to
technicalsupport,atstandard long-distance orinternationalrates,Monday
through Friday, from 9:00 a.m. to 6:00 p.m. local time
• In the Asia-Pacific region, unlimited toll-free, telephone access to technical
support,Monday through Friday, from 8:00 a.m. to 6:00 p.m. AEST
• In Latin America, unlimited telephone access to t echnical support, at
standard long-distance or international rates, Monda y through Friday,
from 9:00 a.m. to 5:00 p.m. Central Time
• Unrestricted, 24-hour-per-day online access to technical solutions from a
searchable knowledge base within the Network Associates website
• Electronic incident and query submission
• Technical documents, including user’s guides, FAQ lists, and release n otes
• Data file updates and product upgrades via the Network Associates
website
ManualName 81
Contact and support information
The PrimeSupport Priority plan
ThePrimeSupportPriorityplangivesyouround-the-clocktelephone access to
essential product assistance from experienced NetworkAssociates technical
support staff members. You can purchase the Pr imeSupport Priority plan on
an annual basis when you purchase a Network Associates product , eitherwith
a subscription license or a one-year license.
The Pr imeSupport Priority plan has these features:
• InN orth America, unlimited toll-free telephone access to technical support
from Monday through Friday, 8: 00 a.m. to 8:00 p.m . Central Time
• In Europe, the Middle East, and Africa, unlimited telephone access to
technicalsupport,atstandard long-distance orinternationalrates,Monday
through Friday, from 9:00 a.m. to 6:00 p.m. local time
• In the Asia-Pacific region, unlimited toll-free, telephone access to technical
support, Monday through Friday,from 8:00 a.m. to 6:00 p.m. AEST
• In Latin America, unlimited telephone access to t echnical support, at
standard long-distance or international rates, Monda y through Friday,
from 9:00 a.m. to 5:00 p.m. Central Time
• Priorityaccess to tech nical support staff m em bers during regular business
hours
• Responses within one hour for urgent iss ues that happen outside regular
business ho urs, including those that happen during w eekend s and local
holidays
• Unrestricted, 24-hour-per-day online access to technical solutions from a
searchable knowledge base within the Network Associates website
• Electronic incident and query submission
• Technical documents, including user’s guides, FAQ lists, and release n otes
• Data file updates and product upgrades via the Network Associates
website
The PrimeSupport Enterprise plan
The Pr im eSupport Enterprise plan gives you round-the-clock, per sonalized,
proactive support from an assigned technical s upport engineer. You’ll enjoy a
relationship with a support professional who is familiar with y our Network
Associates product deployment and support history,and who will call you at
an interval you designate to verify that you have the knowledge you need to
use and maintain Network Associates products.
82 Product Name
Contact and support information
By calling in advance, your PrimeSupport Enterprise representative can help
to prevent problems before they occur. If, however, an emergency arises, the
PrimeSupport Enterprise plan givesyou a committed response time that
assures you that help i s on the way. You may purchase the PrimeSupport
Enterprise plan on an annual basis when you purchase a Network Associates
product, either with a subscription license or a one-year license.
With the PrimeSupport Enterprise plan, you get:
• Unlimited, toll-free telephone access to an assigned technical s upport
engineer on a 24-hour-per-day, seven-day-per-week basis, including
during w eekends and local holidays.
¥
NOTE: The availability of toll-free telephone support varies by
regionandi s not available in somepartsof Europe, the Middle East,
Africa,and Latin America.
• Proactive support contacts from your as signed support engineer via
telephone or e-mail, at intervals you designate
• Committed response times from your support engineer, who will respond
to pages within half an hour, to voice mail within one hour, and to e-mail
within fo ur hours
• Assignable customer contacts,which allow you todesignate five people in
your organization who your s u pport engineer can contact in your abs ence
• Optional beta site status, which gives you access to the absolute latest
Network Associates products and technology
• Unrestricted, 24-hour-per-day online access to technical solutions from a
searchable knowledge base within the Network Associates website
• Electronic incident and query submission
• Technical documents, including user’s guides, FAQ lists, and release n otes
• Online data file updates a nd product upgrades
Ordering a corporate PrimeSuppor t plan
To order any PrimeSupport plan, contact your sales r epresentative, or
• In North America,call Network Associates at (972) 308-9960,Monday
through Friday from 8:00 a.m. to 7:00 p.m. Central Time. Press 3 on your
telephone keypad for sales assistance.
• In Europe, the Middle E ast, and Africa, c ontact your local Network
Associates office. Contact information appears near the front of this guide.
ManualName 83
Contact and support information
Table B-1. Corporate PrimeSupport Plans at a Glance
Plan
Feature
Technical
support via
website
Software
updates
Technical
support via
telephone
Priority call
handling
After-hours
support
Knowledge
Center Connect Priority Enterprise
Yes Yes Yes Yes
Yes Yes Yes Yes
— Monday–Friday
North America:
8 a.m.–8 p.m. CT
Europe, Middle East,
Africa:
9am-6pm local time
Asia-Pacific:
8 a.m .-6 p.m. AEST
Latin America:
9 a.m.-5 p.m. CT
—— Yes Yes
—— Yes Yes
Monday–Friday,after
hours emergency
access
North America:
8 a.m.–8 p.m. CT
Europe, Middle East,
Africa:
9am-6pm local time
Asia-Pacific:
8 a.m.-6 p.m. AEST
Latin America:
9 a.m.-5 p.m. CT
Monday–Friday,af ter
hours emergency
access
North America:
8a.m.–8p.m.CT
Europe, Middle East,
Africa:
9am-6pm local time
Asia-Pacific:
8 am-6 p.m. AEST
Latin America:
9a.m.-5p.m.CT
Assigned
support
engineer
Proactive
support
Designated
contacts
Response
charter
84 Product Name
—— — Yes
—— — Yes
—— — Atleast5
E-mail within
one business
day
Calls answered in 3
minutes, response in
one business day
Within 1 hour for
urgent issues af ter
business hours
After hourspager:30
minutes
Voicemail: 1 hour
E-mail: 4 hours
The Pr imeSupport options described in the r est of this chapter are available
only in North America. To find out more about PrimeSupport, Training and
Consultancy options available outside North America, contact your regio nal
sales office. Contact information appears near the front of this g uide.<
Contact and support information
Network Associates consulting and training
The Network Associates Total Ser vice Solutions program provides you with
expert consulting and comprehensive education t hat can help you maximize
the security and performance of your network investments. The Total Service
Solutions program includes the Network AssociatesProfessional C onsulting
arm and the Total Education Services program.
Professional Services
Network Associates Professional Services i s ready to assist you during all
stages of yo ur network gro wt h, from planning and design, through
implementation, and with ongoing management. Network Associates
consultants provide an expert’s independent per spective that you can use as a
supplemental resource to resolve your problems. You’ll get help integrating
Network Associates products into your environment, along with
troubleshooting assistance or help in establi shing baselines for network
performance. NetworkAssociates consultants also developand deliver
custom solutions to help accomplish your project goals—from lengthy,
large-scale implem entations to b rief problem-solving assignments.
Jumpstar t Services
For focused helpwith specific problem resolution or software implementation
issues, Network Associates offers a Jumpstart Service that gives you the tools
you need to manage your environment. This service can include these
elements:
• Installation and optimization. This service brings a Network Associates
consultant onsite to install, configure, and optimize your new Network
Associates product and give basic operational product knowledgeto your
team.
• Selfstart knowledge. Thisservice brings a NetworkAssociates consultant
onsite to help prepare yo u to perform your new product implementation
on your own and, in some cases,to install the product.
• Proposal D ev elopme nt. This service helps you to evaluate which
processes,pr ocedures, hardware and softwareyouneedbefore you roll out
or upgrade Network Associates products, after which a Netwo rk
Associates consultant prepares a custom proposal for your environment.
ManualName 85
Contact and support information
Network consulting
Network Associates consultants provide expertise in protocol analysis and
offer a vendor-independent perspective to recommend unbiased solutions for
troubleshooting and optimizing your network. Consultants can also bring
their broad understanding o f network management bes t practices and
industry relationships to speed problem escalation and resolution through
vendor support.
You canordera custom consultation to helpyouplan, design,implement,and
manage your network,which can enable you to assess the impactofrolling out
new applications, network operating systems, or internetworking devices.
To learn more about the options available:
• Contact your regional sales representative.
• In North America, call Network Associates at (972) 308-9960,Monday
through Friday from 8:00 a.m. to 7:00 p.m. Central Time.
• Visit the Network Associates website at:
http://www.nai.com/asp_set/services/introduction/default.asp
Total Education Services
Network Associates Total Education Services builds and enhances the skills of
all network professionals through practical, hands-on instruction. The Total
Education Services technology curriculum focuses on network fault and
performance management and teaches problem-solving at alllevels. Network
Associates also offers modular product trainingso that you understand the
features and functionality of your new software.
You can enroll in Total Education Services courses year-round at Network
Associates educational centers, or you can learn from customized courses
conducted at your location. All courses follow educational steps along a
learning path that ta kes you to the highest levels of expertise. Network
Associates is a founding member of the Certified Network Expert (CNX)
consortium. To learn more aboutthese programs:
• Contact your regional sales representative.
• Call Network Associates Total Education Services at (800) 395-3151 Ext.
2670 (for private course scheduling) or (888) 624-8724 (for public course
scheduling).
• Visit the Network Associates website at:
http://www.nai.com/asp_set/services/educational_services/education_intro.asp
86 Product Name
Index
A
access, deny to infected files, 37 to 39
action
setting policy for scanner
status of files after scanning
, 36 to 39
, 38 to 39
See also
clean infected files
delete infected files
deny access to infected files
move in fected files
Action tab
, 36 to 39
advanced options
AutoUpdate
schedule
Advanced tab
Agent Wakeup Call
Alert Manager
alerts, destinationfolder
.ALR file
, 42
archive file types
, 57 to 58
, 63
, 57 to 58
, 67
, 42, 56
, 42
, 35
AutoUpdate
compared to mirroring
configuring
, 51 to 60
advanced options
schedule
update sites
, 60 to 64
, 53 to 57
, 49 to 51
, 57 to 58
C
centralized alerting, 42
clean infected files
Complete Installation
, 37 to 39
, 7, 11 to 12
compared to Optimized
Installation
, 6 to 7
configuring
AutoUpdate
advanced options
logging activity
scheduling
site options
update sites
defined
, 71
, 57 to 58
, 58 to 59
, 60 to 64
, 54 to 57
, 53 to 57
installer
install sites
logging activity
MSI sites
site options
, 19 to 22
, 23 to 25
, 19 to 22
, 21 to 22
mirroring
destination
logging activity
source sites
, 57 to 58
, 58 to 59
, 53 to 57
on-access scanner
action options
detection options
exclusion options
report options
reporting activity
, 36 to 39
, 32 to 35
, 43 to 46
, 39 to 43
, 39 to 43
configuring VirusScan TC software
AutoUpdate and Mirroring
Installer
On-Access Scanner
overview
, 17 to 27
, 29 to 47
, 10
, 49 to 69
Administrator’s Guide 87
contacting
consulting and training services
customer service
international offic es
PrimeSupport
reporting n ew viruses
technical support
customer service
, 73
, 77 to 79
, 83 to 84
, 75 to 76
, 73 to 75
, 73
D
.DAT file
for
, 49
, 66 to 69
, 49
, 51
, 50
, 66
, 49
, 49
, 57
, 49
, 49
, 37 to 39
, 37 to 39
, 71
, 66 to 69
, 25 to 27
, 46 to 47
contents
deploying during an outbreak
deploying EXTRA.DAT
downgrade to earlier version
incremental
located on mirror site
mirrored from FTP site
naming convention
need to update
Network Associates download site
option to backup the existing
option to force update of
reporting n ew items for update
SuperDAT
updated using AutoUpd ate
ZIP file
delete infected files
deny access to infected files
deploying
defined
EXTRA.DAT file
installation policy
scanning policy
, 65
, 58
, 57
, 51
, 85 to 86
, 76
Destination tab
destination, for mirror update site
Detection tab
detection, setting policy for virus
, 57 to 58
, 57 to 58
, 32 to 35
, 32 to 35
E
educational services, description of , 86
engine
, 5, 7, 10, 29, 33, 49, 51
updating
, 57
exclusion options
add files, folder or volumes
configuring
, 43 to 46
include subfolders
setting policy
Exclusion tab
extensions
, 33 to 35
, 43 to 46
, 43 to 46
, 45
, 44 to 45
EXTRA.DAT, deploying during a virus
outbreak
, 66 to 69
F
file
extensions
, 33, 35
size depending on installation
scenario
types
foreign offices, contact information
, 6 to 7, 9
, 33 to 34
, 77 to 79
FTP
Network Associates site for .DAT
updates
, 49
using for source location
for MSI files
for VSCANTC.MCS
, 18, 21
, 18, 21
H
heuristic scanning, 35
88 McAfee VirusScan TC
I
infected files, status of after
scanning
inheritance
Install Sites tab
Installation
Complete
Optimized
installation
deploying policy
INSTMSI.EXE and INSTMSIW.E XE
log, setting policy for
MSI files
non-verbose logging of activities
setting policy for
verbose logging of activities
installing, defined
INSTMSI.EXE and INSTMSIW.E XE
defined
installing
placing where Installer can fin d
use in Complete Installation
use in Optimized Installation
, 38 to 39
, 32
, 19 to 22
, 7, 11 to 12
, 8 to 9, 14 to 27
, 25 to 27
, 23 to 24
, 17
, 17 to 24
, 24
, 71
, 17
, 17
, 12
, 17 to 20
, 17
, 24
, 17 to 20
updating and mirroring
mirroring activities
scanning activities
, 39 to 43
, 58 to 59
, 59
updating and mirroring activities,
non-verbose
, 59
logging, setting policy for scanning
activities
, 39 to 43
LWISETUP.EXE, use in Complete
Installation
, 12
M
macro viruses, 35
.MCS file, VSCANTC.MCS
message, to user when v ir us is found
mirroring
, 49 to 60
compared to AutoUpdate
configuring
destination
source sites
missed task
move infected files
, 51 to 60
, 57 to 58
, 53 to 57
, 63
, 37 to 39
MSI files. See INSTMSI.EXE and
INSTMSIW. EXE
MSI Sites tab
, 19 to 22
, 19
, 49 to 51
, 37
L
Log Activity tab
for A ut oUpdate and Mirroring
for Installer
logging
AutoUpdateactivities
installation activities, verbose
installer activities
limiting size of log file
installation
on-access scanner
, 23 to 24
, 23 to 25
, 24
, 58 to 59
, 41
, 58 to 59
, 24
N
.NAP files, placing in repository, 15 to 17
new viruses, reporting to McAfee
non-verbose logging
installation activitie s
, 24
updating and mirroring activities
notify user when virus is found
null session share
as destination for Centralized
Alerting
, 42
as source of update files
Administrator’s Guide 89
, 75
, 59
, 37
, 56
O
on-accessscanner
configuring
defined
file types scanned
overview
Optimized Installation
compared to Complete Insta llation
, 30 to 46
, 29
, 33 to 34
, 29
, 8 to 9, 14 to 27
, 6
outbreak
dealing with
high-prevalence virus threat
using EXTRA.DAT to control
, 65 to 69
, 66
, 49,
66 to 69
using GreenwichMean Time to
synchronize d efense
, 62
P
packages, deployment and installation, 6 to 7
ping. See Agent Wakeup call
Policies tab
, 30
, 67
policy
compared to task
, 71 to 72
setting for
file that installs VirusScan
TC
, 18 to 22
installation log
scanner actions
scanner exclusions
scanner reporting
virus detection
VSCANTC.MCS
PrimeSupport
, 80 to 84
, 23 to 24
, 36 to 39
, 43 to 46
, 39 to 43
, 32 to 35
, 18 to 22
R
randomization, starting time of scheduled
task
, 62
recycle bin, excluding contents from
scanning
removing the VirusScan TC program
, 43
, 27
replication, See mirroring
report options
configuring
enable centralized alerting
log to file
Report tab
, 40 to 43
, 42
, 41
, 39 to 43
reporting
AutoUpdateactivities
installer activities
mirroring activities
scanning activities
, 58 to 59
, 23 to 25
, 58 to 59
, 39 to 43
setting policy for scanning
activities
viruses not detected to McAfee
, 39 to 43
, 75
repository
placing .NAP file in
software
, 30
, 15 to 17
response to virus detection, setting policy
, 36 to 37
for
Run Immediate l y, scheduled task
, 62
S
scanner action
outcome
setting policy for
schedule
tab on Scheduler dialog box
Schedule tab
SETUP.EXE
use in Complete Installation
SETUP.EXE, use in Co m plete Installation
, 38 to 39
, 36 to 39
, 53, 61 to 63
, 61
, 12
, 12
90 McAfee VirusScan TC
site options
AutoUpdate
installer
, 54 to 57
, 21 to 22
Site Options page
for A ut oUpdate and Mirroring
for Installer
, 20 to 22
, 53 to 57
site replication, See mirroring
software repository
placing .NAP file in
, 30
, 15 to 17
source sites
configuring
, 53 to 57
support
download
PrimeSupport
technical
training and consultation
, 75
, 80 to 84
, 73 to 74
, 85 to 86
T
task
compared to policy
editing and deleting
mirroring
missed
, 49 to 60
, 63
Run Immediately
setting schedulefor
tab o n Scheduler dialog box
updating
Task tab
Tasks tab
, 49 to 60
, 52, 59, 64
, 52
technical support
training for Network Associates products
, 71 to 72
, 65
, 62
, 60 to 64
, 52 to 53
, 73 to 74
for M SI files
for VSCANTC.MCS
, 18, 21
, 18, 21
uninstalling the VirusScan TC program
UniversalNaming Convention. SeeUNC
update Sites
configuring
updating
, 53 to 57
, 49 to 60
updating and mirroring
non-verbose logging of activities
V
verbose logging
virus
VSCANTC.MCS
, 75
VSHLOG.TXT
installation activitie s
updating and mirroring activities
actions when found
detection, setting policy for
outbreak
dealing with
high-prevalen ce viru s threat
using EXTRA.DAT t o control
66 to 69
using Greenwich Mean Time to
synchronize defense
reporting new strain to McA fee
defined
, 17
placing where Installer can find
setting policy for
use in Complete Installation
use in Optimized Installation
, 39
, 24
, 37 to 39
, 66 to 69
, 19 to 22
, 27
, 59
, 59
, 32 to 35
, 66
, 49,
, 62
, 75
, 17 to 20
, 12
, 17 to 20
U
UNC, using for shared folder
for Aut oUpdate
, 55
W
wakeup call, 67
Administrator’s Guide 91
Loading...