McAfee VIRUSSCAN ENTERPRISE Betriebsanweisung

McAfee VirusScan Enterprise 8.8 softwareProduct Guide

• The AntiSpyware Enterprise Module has been fully integrated into the VirusScan Enterprise8.8 software.• Support for Outlook 2010 email scanning.• Su

Preventing MFEVTP from loading then rebootFollow these steps to prevent McAfee Validation Trust Protection Service (MFEVTP) from loadingand reboot the

• No — Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.comand search for a solution, or contact McAfee Technical Support.S

Installation• Question: I just installed the software using the silent installation method, and there is noVirusScan Enterprise icon in the Windows sy

• Start the service manually from the Services Control Panel.• Select Start | Run, then type Net Start McShield.• Set the service to start automatical

Access Protection tabConfigure access protection rules and prevent McAfee processes from being stopped.Option definitionsDefinitionOptionSelect Workst

DefinitionOption• Block — Blocks the process that is specified in the Rule Details. Select Blockto enable the rule or deselect it to disable the rule.

Additional Alerting Options tabConfigure filter and local alerting options.Option definitionsDefinitionOptionSelect Workstation or Server from the dro

Alerts tabSelect the components that you want to generate alerts and configure Alert Manager if it isinstalled.See theAlert Manager 4.7.1 Product Guid

Reports tabEnable logging to track activity on your network and record which settings you used to detectand respond to any potential threat that the s

Blocking tabBlock connections from remote computers that have files with potential threats or unwantedprograms in a shared folder.Option definitionsDe

McAfee HeadquartersMcAfee Headquarters, home to McAfee Labs and McAfee Technical Support, provides thefollowing VirusScan Enterprise services:• DAT up

Reports tabEnable logging to track detections on the local system of any code execution from heap or stackoverruns for certain processes.Option defini

Buffer Overflow Protection tabPrevent buffer overflow exploits from executing arbitrary code on your computer.Option definitionsDefinitionOptionSelect

Display Options tabConfigure which system tray options users can access and the preferred language.Option definitionsDefinitionOptionSelect Workstatio

Actions tabConfigure which actions to take when a threat or potentially unwanted program is detected.Option definitionsDefinitionOptionSelect Workstat

DefinitionOptionNo secondary action is allowed for this option.• Continue scanning — Continue scanning when an attachment with a threat isdetected.No

Alerts tabConfigure the alert settings for the on-delivery email scanner.Option definitionsDefinitionOptionSelect Workstation or Server from the drop-

Reports tabEnable logging to track activity on your network and record which settings you used to detectand respond to any potential threat that the s

Scan Items tabConfigure detection options for the email scanner.Option definitionsDefinitionOptionSelect Workstation or Server from the drop-down list

DefinitionOptionScan email message body — Scan the body of Microsoft Outlook email messages.Email message body (forMicrosoft Outlook only)Configure th

Scan Items tabConfigure detection options for the on-demand email scanner.Option definitionsDefinitionOptionMessages to scan • All highlighted items —

Detection — finding threatsDevelop an effective strategy to detect intrusions when they occur. Configure these featuresto detect threats:• Update Task

General tabConfigure general on-access scanning options.Option definitionsDefinitionOptionSelect Workstation or Server from the drop-down list.NOTE: T

DefinitionOptionSpecify one of the six sensitivity levels for Artemis between disabled and veryhigh.Default = very low.Artemis (Heuristic network chec

Messages tabConfigure message options for local users and users without administrative rights.Option definitionsDefinitionOptionSelect Workstation or

Notes Scanner Settings tabConfigure the Lotus Notes settings for the on-delivery email scanner.Lotus Notes password configurationWhen accessing a loca

Actions tabConfigure which actions to take when a threat or potentially unwanted program is detected. Ifyou are configuring different scanning policie

DefinitionOption• Deny access to files — Prevent users from accessing detected files andprograms.• Delete files automatically — Remove detected files

Exclusions tabSpecify what items to exclude from scanning. If you are configuring different scanning policiesfor default, low-risk, and high-risk proc

Reports tabEnable logging to track activity on your network and record which settings you used to detectand respond to any potential threat that the s

Scan Items tabConfigure detection options. If you are configuring different scanning policies for default, low-risk,and high-risk processes, the optio

DefinitionOptionCompressed files • Scan inside archives — Examine archive (compressed) files and theircontents.• Decode MIME encoded files — Detect, d

high and low risk profile scanning, and when to disable scan on write can all improveperformance.CAUTION: Failure to enable When reading from disk sca

Actions tabConfigure which actions to take when a threat or potentially unwanted program is detected.Option definitionsDefinitionOptionPerform this ac

Exclusions tabSpecify what items to exclude from scanning.Option definitionsDefinitionOptionSelect the type of exclusion from the drop down list, then

Reports tabEnable logging to track activity on your network and record which settings you used to detectand respond to any potential threat that the s

Scan Items tabConfigure detection options.Option definitionsDefinitionOptionFile types to scan • All files — Scan all files regardless of extension.•

Task tabSpecify the platforms where this on-demand task runs.Option definitionsDefinitionOptionPlatforms where thistask will run• Run this task on ser

Password Options tabSet password security for the entire system or selected items. SeeHow setting a passwordaffects usersfor more information.Option d

Processes tabChoose whether to configure one scanning policy for all processes or different scanning policiesfor default, low-risk and high-risk proce

Processes tabSpecify the processes that you define as low-risk. This is a two-step process.Option definitions for step 1DefinitionOptionSelect Worksta

Processes tabSpecify the processes that you define as high-risk. This is a two step process.Option definitions for step 1DefinitionOptionSelect Workst

Scan Items tabSelect categories of potentially unwanted programs to detect and create exclusions for programsthat you do not want to detect.Option def

• Delete the selected task.• Configure alerting properties.• Launch the event viewer.• Access the Information Library on the McAfee Labs website.• Con

Quarantine Policy tabConfigure the quarantine location and the length of time to keep the quarantined items.Option definitionsDefinitionOptionSelect W

Policy tabConfigure the quarantine location and the length of time to keep the quarantined items.Option definitionsDefinitionOptionSelect Workstation

Manager tabSelect an item in the list , then right-click to access advanced options. You can rescan, checkfor false positive, restore, delete, or view

Task tabSpecify account information for the user who has access to the restore location. If no accountis entered here, the restore task runs under the

Scan Locations tabConfigure the item types and locations to scan.Option definitionsDefinitionOptionSelect the locations to scan.Default = Memory for r

DefinitionOptionWhen the On-Demand Scan Progress dialog appears, the locations to scan appearas a comma-separated string following Scanning in. As the

Performance tabSpecify scan deferral and system utilization options to improve performance.Option definitionsDefinitionOptionSelect the scan deferral

DefinitionOptionsystems. Detections found with this level are presumed to be malicious, but theyhaven’t been fully tested to confirm that they are not

ScriptScan tabPrevent unwanted scripts from executing.SeeScript scanning and how it worksfor more information.Option definitionsDefinitionOptionSelect

User-Defined Detection tabSpecify individual files or programs to treat as unwanted programs.Option definitionsDefinitionOptionSelect Workstation or S

• Status — This icon does not change to indicate access protection trigger alerts or if on-accessscanning is disabled on ePolicy Orchestrator managed

Repositories tabConfigure the repositories where you get updates.NOTE:This feature is not available from the ePolicy Orchestrator Console. Access this

Adding and editing repositoriesAdd new repositories or edit existing repositories.Option definitionsDefinitionOptionSpecify the name of the repository

DefinitionOptionon the repository, you ensure that the account has read permissions to the folderscontaining the update files.• Download credentials a

Proxy settings tabProxy servers are used as part of internet security to hide internet users’ computers from theinternet and improve access speed by c

Mirror taskConfigure the mirror taskVirusScan Enterprise 8.8 Console — Option definitionsDefinitionOptionEnable activity logging.Log FileSelect the fo

AutoUpdate taskConfigure the AutoUpdate taskOption definitionsDefinitionOptionEnable activity logging.Log FileSelect the format of the log file.Defaul

Schedule tabSpecify the schedule frequency and other settings for this task.Option definitionsDefinitionOptionRun task Select the frequency for this t

DefinitionOptionThe number of minutes.NOTE:The number of minutes available for selection depends on which options you have selected.For example:Minute

DefinitionOptionThis option is only available when scheduling the task At Startup or At Logon.Specify the number of minutes that the computer is idle

Task tabEnable the schedule for this task and specify user account settings.Option definitionsDefinitionOptionSchedule the task to run at a specified

•"V" in a shield with circle and line — Indicates on-access scanning is disabled.•"V" in a shield with red outline — Indicates on-

Advanced schedule optionsConfigure the schedule parameters.Option definitionsDefinitionOptionSpecify the date to start this task.Start DateSpecify the

Global Scan Settings tabSet scan cache options to save scan data during a system reboot and allow on-demand scansto use that clean cache data to impro

IndexAaccess protectiondisabling during troubleshooting 98access violations 25anti-virus and common rules 26common rules 23detections and actions 73ex

common rulesaccess protection, configuring 26preconfigured access protection 23standard and maximum protection 23comon protection rulesconfiguring acc

Llog files, VirusScan Enterpriseaccess violations 25email scanning and 69on-demand scanning and 66See activity logs, VirusScan Enterprise 84low-risk p

processesinclude and exclude 32Processes tab, VirusScan Enterpriseon-access scanning 58, 60processes, VirusScan Enterprisedefault, configuring 54in me

TtaskAutoUpdate 45mirror 45scheduling 50update 44Task list, VirusScan Console 13task scheduleconfiguring 50recommended on-demand interval 50Task tab,

• McAfee Agent Status Monitor — Displays the McAfee Security Status Monitor dialogbox.• About — Opens the About dialog box.What to do firstWhen the so

• Quarantine Manager Policy. Configure the location of the quarantine folder and thenumber of days to keep quarantined items before automatically dele

Part I - Prevention: Avoiding ThreatsPrevention is the first step in a protection strategy, to keep threats from gaining access to yoursystem.Contents

COPYRIGHTCopyright © 2010 McAfee, Inc. All Rights Reserved.No part of this publication may be reproduced, transmitted, transcribed, stored in a retrie

• Internet Relay Chat (IRC) messages — Files sent along with these messages can easilycontain malware as part of the message. For example, automatic s

DescriptionLog entryDate2/10/2010Time11:00AMAction takenBlocked by Access Protection ruleCredentialsTestDomain\TestUserProcess name that breeched the

Configure the General Options Policies user interface properties with these user interfaceconsoles.ePolicy Orchestrator 4.5 or 4.6Configure the Genera

a Click New Policy to open New Policy dialog box.b From the Create a new policy based on this existing policy list, select one of thesettings.c Type a

Rule type descriptionsDescriptionRule typeThese preconfigured rules protect your computer from common behaviors of malwarethreats. You can enable, dis

DescriptionProtection levelAnti-virus rules that block destructive code from accessing the computer until a DATfile is released. These rules are preco

Configuring access protection settingsUse Access Protection Policies to protect your system’s access points and prevent terminationof McAfee processes

ePolicy Orchestrator 4.5 or 4.6From the Access Protection Policies, configure the predefined access-protection rules.TaskFor option definitions, click

b From the Create a new policy based on this existing policy list, select one of thesettings.c Type a new policy name.d Click OK. The new policy appea

Edit an existing policya From the Category list, select the policy category.b From the Actions column, click Edit Setting to open the policy configura

ContentsPreface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

a Click New Policy to open New Policy dialog box.b From the Create a new policy based on this existing policy list, select one of thesettings.c Type a

5 Click OK.The new user-defined rule appears in the right-hand pane in the Rules column. To modifythe new rule, select it and click Edit.Port blocking

DefinitionOptionBlock files from being deleted from the specified folder.Files being deletedRegistry blocking rule optionsRegistry blocking rules prev

DescriptionOptionAllow access to these processes. Use the exact process name. For example, specify theseexclusions: avtask.exe, cfgwiz,exe, fssm32.exe

TaskFor option definitions, click ? or Help in the interface.1 Click Systems | Policy Catalog, then from the Product list select VirusScan Enterprise8

VirusScan Enterprise uses a Buffer Overflow and Access Protection DAT file to protectapproximately 30 applications, for example, Internet Explorer, Mi

ePolicy Orchestrator 4.5 or 4.6Configure the Buffer Overflow Protection Policies with this user interface consoles.TaskFor option definitions, click ?

2 Edit an existing policy or create a new policy:Edit an existing policya From the Category list, select the policy category.b From the Actions column

Restricting potentially unwanted programsVirusScan Enterprise protects your computer from potentially unwanted programs that are anuisance or present

1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScanEnterprise 8.8.0. The Category list displays the policy categories

Update tasks and how they work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Mirror tasks

3 From the Settings for list, select Workstation or Server.4 From the Unwanted Programs Policy page, click the Scan Items tab to configure:a Categorie

TaskFor option definitions, click ? in the interface.1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScanEnterprise 8.8

c Type a new policy name.d Click OK. The new policy appears in the list of existing policies.3 From the Settings for list, select Workstation or Serve

DAT files and how they workWhen the scanning engine searches through files looking for threats, it compares the contentsof the scanned files toknown t

Requirements for an efficient update strategyAn efficient updating strategy generally requires at least one client or server in your organizationto re

an update. By default, detection for the new potentially unwanted program in the EXTRA.DATis ignored once the new detection definition is added to the

The VirusScan Enterprise software relies on a directory structure to update itself. When mirroringa site, it is important to replicate the entire dire

Tab definitionsDefinitionsTabMirror • Specify the log file location and format.• Specify which executable to run after the mirror task has completed a

Tab definitionsDefinitionsTabRepositories • Specify the repositories where you get updates.• Configure the order to access the repositories.Specify wh

Specifying exclusionsSpecify files, folders, and drives to exclude from scanning operations. You can also remove anyexclusions you specified previousl

Unwanted program detections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73On-access

ContentsScheduling tasksConfiguring the task scheduleScheduling tasksYou have the option to schedule on-demand, AutoUpdate, and mirror tasks to run at

Part II - Detection: Finding ThreatsFinding threats is the second step in a protection strategy to detect malware attempting to gainaccess to your sys

2 If the file meets the scanning criteria, it is scanned by comparing the information in thefile to the known malware signatures in the currently load

When scanning Default + additional file types, the scanner examines a list of specific filesbased on the file types you select.• Default file types: T

Determine the number of scanning policiesFollow this process to determine whether to configure more than one on-access scanning policy.How general and

Configure the on-access general settings using the following user interface consoles.ePolicy Orchestrator 4.5 or 4.6Configure the general settings tha

6 On the Blocking tab, configure blocking connections from remote computers that writefiles with potential threats or unwanted programs.NOTE: By defau

5 On the ScriptScan tab, enable ScriptScan and configure any processes or URLs to excludefrom scanning.NOTE: With previous versions of VirusScan Enter

4 On the Blocking tab, configure blocking connections from remote computers that writefiles with potential threats or unwanted programs.NOTE: By defau

g From the Actions column of the new policy, click Edit Setting to open the policyconfiguration page.3 From the Settings for list, select Workstation

PrefaceTo use this document effectively you should understand who this document is written for, theconventions used, what's in it, and how to fin

4 From the On-Access Default, Low-Risk, or High-Risk Processes Policies page, configure theoptions on each tab. Refer toProcess setting tab options.Pr

ePolicy Orchestrator 4.5 or 4.6Enable on-network drives from the On-Access Default Processes Policies with this user interfaceconsole.TaskFor option d

c Type a new policy name.d Click OK. The new policy appears in the list of existing policies.3 From the Settings for list, select Workstation or Serve

• The file has not been cached.• The file has not been excluded.• The file has not been previously scanned.NOTE: The on-demand scanner uses heuristics

storage to local storage. When you need to access a file on a volume managed by remotestorage, open the file as usual. If the data for the file is no

TaskFor option definitions, click ? in the interface.1 Click Menu | System | System Tree and select Client Task.2 From the Client Task page that appea

TaskFor option definitions, click Help in the interface.1 Open the On-Demand Scan Properties page for an existing or new task:• Select and right-click

DefinitionsTab• Secondary action to take on an unwanted program detection if the first actionfails.For allowed actions in the prompt dialog box, selec

Create a new policya Click New Policy to open New Policy dialog box.b From the Create a new policy based on this existing policy list, select one of t

VirusScan ConsoleConfigure the scan cache feature with this user interface console.TaskFor option definitions, click Help in the interface.1 Click Too

How this guide is organizedThis document is meant as a reference to use along with the VirusScan Console and ePolicyOrchestrator user interfaces. It a

1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScanEnterprise 8.8.0. The Category list displays the policy categories

VirusScan ConsoleConfigure the On-Delivery Email Scan Policies using this user interface console.TaskFor option definitions, click ? in the interface.

Part III - Response: Handling ThreatsResponding to threats is the third step in a protection strategy to detect and clean malwarethat attempts to gain

System access point violationsWhen a system access point is violated, the action taken depends on how the rule wasconfigured.If the rule was configure

Review the information in the log file, then decide whether to take any of these additionalactions:• Fine-tune scanning items — This makes your scans

On-demand scan detectionsWhen an on-demand detection occurs, the scanner takes action according to how you configuredthe On-Demand Scan Properties, Ac

TasksePolicy Orchestrator 4.5 or 4.6ePolicy Orchestrator 4.0VirusScan ConsoleePolicy Orchestrator 4.5 or 4.6Configure the Quarantine Manager Policies

a From the Category list, select the policy category.b From the Actions column, click Edit to open the policy configuration page.Create a new policya

• View detection properties.3 A dialog box appears and describes the affect of your attempt.Configuring alerts and notificationsBeing notified when a

c From the Create a new policy based on this existing policy list, select one of thesettings.d Type a new policy name.e Type any notes, if required.f

Finding product documentationMcAfee provides the information you need during each phase of product implementation, frominstalling to using and trouble

2 Configure the alert policy tabs. Refer toAlert policy tab configuration.Alert policy tab configurationConfigurationTaskAlerts Policies 1 From the Ac

VSE: Top 10 Threats per Threat CategoryVSE: Spyware Detected in the Last 24 HoursVSE: Top 10 Users with the Most DetectionsVSE: Spyware Detected in th

EXTRA.DAT file, packaged in a SuperDAT (SDAT) executable file, is made available by McAfeeLabs until the normal VirusScan Enterprise DAT update is rel

TaskFor option definitions, click ? in the interface.1 To install the SuperDAT file on an ePolicy Orchestrator server, use one of the following:Steps.

Part IV - Monitoring, Analyzing, andFine-Tuning Your ProtectionAfter the initial configuration of your protection strategy, you should monitor, analyz

• For Microsoft Windows XP, Microsoft Vista, Microsoft 2000 Server, Microsoft 2003 Server,and Microsoft 2008 Server — C:\Documents and Settings\All Us

• A table with similar information and a total of the threats.NOTE: You can click on the bar chart or table information to open the ePolicy Orchestrat

ePolicy Orchestrator 4.5 or 4.6This example analysis is used as a framework for analyzing most VirusScan Enterprise protectionscenarios with ePolicy O

Threat Source IP Address and target are shown to help you determine what actionsto take.•• Threat Name and Threat Type describe what malware was used

AppendixThere are more configuration and troubleshooting features you can use to improve the protectionprovided by VirusScan Enterprise. These feature

Getting StartedUnderstanding the components of McAfee®VirusScan®Enterprise 8.8 software, and the orderyou should use to configure the software helps y

Before you beginYou must have Administrator privileges to update the ePolicy Orchestrator configuration.TaskFor option definitions, click ? in the int

Using the command line with VirusScan EnterpriseYou can use the Command Prompt to run some basic VirusScan Enterprise processes. You caninstall, confi

Definition with optionsCommand-linevalueCleans the detected target file when a potentially unwanted program is found.CLEANCleans the detected file whe

Definition with optionsCommand-linevaluePrompts the user for action when an unwanted program is detected and the primary actionhas failed.PROMPTA2Sets

Connecting to remote systemsYou can connect to remote systems with VirusScan Enterprise installed to perform operationssuch as modifying, scheduling s

WebImmune1 From the VirusScan Console, select Help | Submit a Sample to access the website. Thewebsite is located at: https://www.webimmune.net/defaul

DefinitionOptionReinstalls the VirusScan Enterprise program files.CAUTION: Hotfixes, Patches, and Service Packs might be overwritten.Reinstall all pro

2 From the On-Access Scanner Properties dialog box, click the Reports tab and click ViewLog. The OnAccessScanLog.txt file appears in a Notepad window.

• Download and install the tool from: http://mer.mcafee.com.NOTE: An ePolicy Orchestrator deployable version is also available. This version uses thee

3 Is the original system problem fixed by disabling Access Protection:• Yes — Go to the McAfee Technical Support ServicePortal at http://mysupport.mca