for use with epolicy orchestratordownloadcenter.mcafee.com/.../version_4.51sp1/vsc451cg.pdf ·...

CONFIGURATION GUIDE VERSION 4.5.1 VirusScan CONFIGURATION GUIDE VirusScan VERSION 4.5.1 for use with ePolicy Orchestrator


Page 1: for use with ePolicy Orchestratordownloadcenter.mcafee.com/.../version_4.51sp1/vsc451cg.pdf · 2002-05-10 · Phone +1-888-VIRUS NO or +1-888-847-8766 Monday – Friday, 8 a.m. –

CONFIGURATION GUIDE

VirusScan VERSION 4.5.1

for use with ePolicy Orchestrator


COPYRIGHT

© 2001 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 3965 Freedom Circle, Santa Clara, California 95054, or call +1-972-308-9960.

TRADEMARK ATTRIBUTIONS

Active Security, ActiveHelp, ActiveShield, AntiVirus Anyware and design, Bomb Shelter, Building a World of Trust, Certified Network Expert, Clean-Up, CleanUp Wizard, Cloaking, CNX, CNX Certification Certified Network Expert and design, CyberCop, CyberMedia, CyberMedia UnInstaller, Data Security Letter and design, Design (logo), Design (Rabbit with hat), design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, Enterprise SecureCast, EZ SetUp, First Aid, ForceField, Gauntlet, GMT, GroupShield, Guard Dog, HelpDesk, HomeGuard, Hunter, I C Expert, ISDN TEL/SCOPE, LAN Administration Architecture and design, LANGuru, LANGuru (in Katakana), LANWords, Leading Help Desk Technology, LM1, M and design, Magic Solutions, Magic University, MagicSpy, MagicTree, MagicWord, McAfee Associates, McAfee, McAfee (in Katakana), McAfee and design, NetStalker, MoneyMagic, More Power To You, MultiMedia Cloaking, myCIO.com, myCIO.com design (CIO design), myCIO.com Your Chief Internet Officer & design, NAI & design, Net Tools, Net Tools (in Katakana), NetCrypto, NetOctopus, NetRoom, NetScan, NetShield, NetStalker, Network Associates, Network General, Network Uptime!, NetXray, NotesGuard, Nuts & Bolts, Oil Change, PC Medic, PC Medic 97, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, PowerLogin, PowerTelNet, Pretty Good Privacy, PrimeSupport, Recoverkey, Recoverkey – International, Registry Wizard, ReportMagic, RingFence, Router PM, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SniffMaster, SniffMaster (in Hangul), SniffMaster (in Katakana), SniffNet, Stalker, Stalker (stylized), Statistical Information Retrieval (SIR), SupportMagic, TeleSniffer, TIS, TMACH, TMEG, TNV, TVD, TNS, TSD, Total Network Security, Total Network Visibility, Total Service Desk, Total Virus Defense, Trusted MACH, Trusted Mail, UnInstaller, Virex, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker, WebWall, Who’s Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

LICENSE AGREEMENT

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NAI OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Issued January, 2002 / VirusScan software version 4.5.1, Service Pack 1, for ePolicy Orchestrator version 2.5


Contents

Preface

Section 1: On-Access Scanning

Chapter 1. Deploying VirusScan 4.5.1
    What is the software Repository?
    Enabling deployment of VirusScan
    Installing VirusScan on target computers

Chapter 2. System Scan Options
    Configuring the on-access scanner
    The System Scan module
    Detection options
    Action options
    Alert options
    Report options
    Exclusion options
    Status of infected files after scanning

Chapter 3. E-mail Scan Options
    Configuring e-mail scanning
    Detection options
    Action options
    Alert options
    Report options

Chapter 4. Download Scan Options
    Configuring download scanning
    Detection options
    Action options
    Alert options
    Report options


Chapter 5. Internet Filter Options
    Configuring Internet Filter
    Detection options
    Action options
    Alert options
    Report options

Chapter 6. Security Options

Chapter 7. Alert Options

Section 2: Scheduled Tasks

Chapter 8. On-Demand Scanning
    Scheduling immediate or future scanning tasks
    Configuring on-demand scanning tasks
    Choosing detection options
    Action options
    Choosing alert options
    Choosing report options
    Choosing exclusion options
    Setting a schedule for an on-demand scanning task

Chapter 9. Updating Virus Definition Files
    Overview
    Configuring automatic DAT updates
    Defining update sites
    Configuring advanced update options
    Configuring log activity options
    Setting a schedule for AutoUpdate
    Deploying an EXTRA.DAT file
    Independently of the weekly DAT update
    With the weekly DAT update


Chapter 10. Mirroring the NAI Update Site
    Overview
    Configuring the Mirroring task
    Opening the Mirror utility
    Defining mirror sites
    Defining the destination folder
    Logging mirror activity

Chapter 11. Upgrading the Software
    Configuring automatic product upgrade options
    Configuring advanced upgrade options
    Setting a schedule for AutoUpgrade

Chapter 12. Scheduling Tasks
    Scheduling immediate or future scanning tasks
    Setting basic schedule
    Setting advanced schedule options
    Selecting Schedule Settings

Index


Preface

Purpose

This Configuration Guide introduces McAfee VirusScan software version 4.5.1, with Service Pack 1, and provides the following information: descriptions of all product features, detailed instructions for configuring and deploying the software using McAfee ePolicy Orchestrator, and procedures for performing tasks. It also provides a roadmap for getting additional information or help.

What’s in this Guide?

This Configuration Guide describes the procedures for using McAfee VirusScan version 4.5.1 in conjunction with McAfee ePolicy Orchestrator version 2.5 software. ePolicy Orchestrator is a scalable management tool that provides centralized software deployment, policy setting and enforcement, and event reporting for McAfee anti-virus software programs, as well as Norton Anti-Virus products, in an enterprise environment. This Configuration Guide includes the following information:

Audience

This guide is designed for system and network administrators who are responsible for their company’s anti-virus program.

Getting more information

Related Documents

This Configuration Guide is a supplement to the documentation published with VirusScan version 4.5.0 and version 4.5.1, including:

• Administrator’s Guide (4.5.0)

• User’s Guide (4.5.0)

• Release Guide (4.5.1)

• Release Notes (README. files)

• Online Help

If you have a current grant number, you can download the earlier documentation from this web site:

http://www.mcafeeb2b.com/naicommon/download/upgrade/login.asp

If you do not have, or cannot find a current grant number, contact McAfee Customer Service.


Contacting McAfee and Network Associates

Technical Support: http://knowledge.nai.com

McAfee Beta Site: www.mcafeeb2b.com/beta/

AVERT Anti-Virus Research Site: www.mcafeeb2b.com/avert

Download Site: www.mcafeeb2b.com/naicommon/download/

DAT File Updates: www.mcafeeb2b.com/naicommon/download/dats/find.asp

Product Upgrades: www.mcafeeb2b.com/naicommon/download/upgrade/login.asp (Valid grant number required. Contact Network Associates Customer Service.)

On-Site Training: www.mcafeeb2b.com/services/mcafee-training/default.asp

Network Associates Customer Service:

E-mail: [email protected]

Web: www.nai.com, www.mcafeeb2b.com

US, Canada, and Latin America toll-free:

Phone: +1-888-VIRUS NO or +1-888-847-8766

Monday – Friday, 8 a.m. – 8 p.m., Central Time

For additional information on contacting Network Associates and McAfee — including toll-free numbers for other geographic areas — see the Contact file that accompanied this product release.


Chapter 1. Deploying VirusScan 4.5.1

What is the software Repository?

The software repository (Figure 1-1) is the storehouse, located on the ePolicy Orchestrator server, that contains the files required to manage, deploy and update the anti-virus software products. These files are:

• Management Package (NAP) files — Contain the policy management pages that allow you to manage policies, create scheduled tasks, and view client properties.

• Package (PKG) files — Define the setup and binary files for deploying software via the ePolicy Orchestrator console.

• Plug-In Package (NAP) files — Allow you to update an application’s dynamic link library (DLL) files.

Figure 1-1. ePolicy Orchestrator console Repository


The NAP file for VirusScan 4.5.1 is already included in the ePolicy Orchestrator 2.5 Repository. However, in order to take advantage of the improvement included in Service Pack 1, released in November, 2001, you must replace that NAP file with the one included in the Service Pack. To do so, follow these steps:

1. Open the ePolicy Orchestrator console. For information on using ePolicy Orchestrator, see the ePolicy Orchestrator Product Guide for version 2.0.

2. In the console tree under ePolicy Orchestrator, right-click Repository, then select Configure Repository to open the Configure Software Repository window.

3. Select Add new software to be managed.

4. Click Continue to open the Select a Software Package window.

5. Navigate to the location containing the extracted contents of the Service Pack and select the VirusScan 451A.NAP file.

6. Click Open to add the product to the Repository. When the Reinstall window opens asking if you want to overwrite the NAP file that is already in the repository, click Yes.

Enabling deployment of VirusScan

To deploy VirusScan, you must associate the VirusScan NAP file with the appropriate PKG file, and indicate where the VirusScan program (binary) files are located on your system. These are the files that you extracted from the ZIP file that you downloaded from the web.

1. Right-click Repository and select Configure Repository to open Configure Software Repository.

2. Select Enable software deployment and click Continue to open Select a Software Package.

3. Locate INSTALL.PKG for VirusScan 4.5.1.

• If you are using the English, French, German, Japanese, or Spanish language version of VirusScan, you can find this file on the CD that contains ePolicy Orchestrator version 2.0 by browsing to the following location:

Products\2.0.0\Setup\NAP\VIRUSCAN4510\4.5.1\InstallFiles

• If you are using any other language version of VirusScan, you can find the file at the following location on your hard drive after installing ePolicy Orchestrator:

<drive>:\Program Files\McAfee\ePO\2.0\PKGs\VIRUSSCAN4510\4.5.1\InstallFiles

4. When Browse for Folder opens, navigate to the location containing the VirusScan 4.5.1 binaries that you extracted from the ZIP file, and click OK.

Installing VirusScan on target computers

1. Under the ePolicy Orchestrator branch of the Tree, select Directory, then select the hierarchical level that includes the site, group or computer for which you want to set policy.

2. In the upper details pane, select VirusScan v4.51 for Windows. The lower details pane displays the Install Options tab.

Figure 1-2. Install Options tab for VirusScan


3. Deselect Inherit if you intend to modify the policy configuration of VirusScan before installing it on the target computers. The options on this page are then available for selection. (For information on inheritance, see the ePolicy Orchestrator documentation.)

4. Select Enforce Policies for VirusScan v4.51 for Windows when you are ready to install VirusScan on the target computers. Ordinarily, you will have configured the policy settings for VirusScan before installing it on the targets.

5. Select Force Install VirusScan v4.51 for Windows, then click Select to locate the folder containing the VirusScan program (binary) file. This is the folder containing the VirusScan SETUP.EXE file.

6. If you want to install to a different directory, use the Command Line field to add system variables, or switches to the install command. For a list of available system variables, click .

7. Click Apply when you are ready to perform the installation and enforce the policies that you have configured.


Section 1: On-Access Scanning

Chapter 2, “System Scan Options” page 15

Chapter 3, “E-mail Scan Options” page 33

Chapter 4, “Download Scan Options” page 45

Chapter 5, “Internet Filter Options” page 55

Chapter 6, “Security Options” page 63

Chapter 7, “Alert Options” page 67


Chapter 2. System Scan Options

System Scan is an on-access scanner that provides your workstation with continuous, real-time virus detection and response. The scanner checks for infections each time you open or copy a file from, save a file to, or otherwise use any file stored on your workstation. It starts when the workstation starts up, and stays in memory until the workstation is shut down.

Configuring the on-access scanner

1. Open the ePolicy Orchestrator console. For information on using ePolicy Orchestrator, see the ePolicy Orchestrator Product Guide for version 2.0.

2. Under the ePolicy Orchestrator branch of the Tree, select Directory, then select the hierarchical level that includes the site, group or computer for which you want to set policy.

3. In the upper details pane, click the next to the VirusScan v4.51 for Windows icon. The expanded list shows the six configurable modules:

• System Scan Options

• E-mail Scan Options

• Download Scan Options

• Internet Filter Options

• Security Options

• Alert Options

4. Select System Scan Options to display a series of tabs, each of which governs a set of options for on-access scanning. Select each of these in turn to display the corresponding property page, where you can specify how you want the on-access scanner to perform the operation.

The System Scan module

The System Scan module controls the workstation’s on-access scanner. It looks for viruses as you read files from your disk, or write files to your disk. This includes running, creating, changing, copying, moving, deleting, renaming, or otherwise accessing files. System Scan can also scan the boot sector of floppy disks and files on network drives mapped to your system.


1. If you have not already done so, open the ePolicy Orchestrator console and select the computers for which you are setting policy (see Step 1 and Step 2 on page 15).

2. In the upper details pane, click the next to the VirusScan v4.51 for Windows icon. From the expanded list, select System Scan Options.

Figure 2-1. System Scan Options — Detection tab

3. Select the function that you want to configure. Your choices are:

• Detection

• Action

• Alert

• Report

• Exclusion

Detection options

Use the Detection page to define scanning targets and the scope of heuristic scanning.

1. Deselect Inherit to change the product’s current configuration settings.

2. Select Enable System scan.

3. Under Scan files on, select the circumstances under which you want the scanner to examine files. Your options are:


• Inbound — Files that are written to a hard drive or other data storage device.

• Outbound — Files that are read from a hard drive or other data storage device.

NOTE: If you select both options, any file that you can open and change is scanned twice each time it is used — once when it is read from the disk (outbound), and again when it is written to the disk (inbound). This is the most comprehensive approach to scanning. For maximum protection, McAfee recommends that you retain the default setting, scanning both inbound and outbound files.

If you prefer to scan inbound files only, or outbound files only, it is important that all computers sharing files be configured identically. Otherwise, an infected file could be copied from a computer that scans only inbound files to a server that scans only outbound files.

Under most circumstances, scanning only outbound files provides adequate virus protection, while minimizing the total time spent scanning files. However, scanning only inbound files may not be equally effective. This is because there are some circumstances in which an infected file can be written to disk even if you have chosen to scan inbound files. This can occur when the action you want the scanner to take when it detects a virus (deny access, move, delete, or clean) fails. For additional information, see the table under “Status of infected files after scanning” on page 30.

If you prefer to scan files in only one direction, McAfee recommends that you select outbound only for all the computers that share files. Then, even if an infected file is written to disk, or if an infected file was already on the disk before the scanning software was installed, the scanner will find the virus when the user accesses the file by opening, moving, or deleting it.

4. Under Scan floppies on, select the events that will trigger scanning of a floppy disk. Your choices are:

• Access — When you access the disk in your floppy drive.

• Shutdown — When you shut down your computer.

5. Under What to scan, you can specify the scope of the files and file types that are subject to scanning.


• Compressed files — Scans executable files that were compressed using utilities such as PkLite, LZexe, MS Compressed, Ice, Cryptcom, Com2Exe, Diet, and Teledisk.

• Network drives — Scans files on drives that the user maps to the workstation, or accessed using Universal Naming Convention (UNC) notation.

• Default files — Scans file types that McAfee AVERT (Anti-Virus Emergency Response Team) defines as vulnerable to infection from currently circulating viruses. The list of vulnerable file types is included with each release of virus definition (DAT) files. This option is the default selection. If you also select Compressed files, the scanner examines only those compressed file types that are defined in the current DAT files.

• All files — Scans every file, regardless of the type of file. If you also select Compressed files, the scanner examines those portions of compressed files that are actually compressed, as well as the portions of the files that are not compressed.

• User specified files — Scans only file types that have a file name extension that appears on the list of extensions. If you also select Compressed files, the scanner examines only those compressed file types that appear on the list of extensions. To see or designate the file name extensions that the scanner examines, click Extensions.

Figure 2-2. User specified file extensions

By default, the on-access scanner examines files that have no extensions and files with any of the following extensions:

??_ {?? 001 002 386 3GR ACM ADT AP?

ASD ASP AX? BAT BIN BO? CC? CDR CHM

CLA CMD CNV CO? CP? CSC D?B DAT DEV

DIF DL? DO? DRV EE? EX? FMT FO? GMS

GZ? HDI HLP HT? IM? IN? JS? LIB MB?

MD? MHT MOD MPD MPP MPT MRC MS? OB?

OC? OL? OLE OTM OV? PCI PD? PHP PIF

PLG POT PP? PRC QLB QPW QTC REG RTF

SCR SH? SIS SMM SYS TD0 TGZ TLB TSP

VB? VS? VWP VXD WBK WIZ WP? WRI WS?

X32 XL? XML XSL XTP XX? ZL?

The ? character is a wildcard.

– To add an extension to the list, type its three character designation in the text box and click Add.

– To remove an extension from the list, select it and click Delete.

– To restore the list to its original factory settings, click Default.

6. Under General, select one, both, or neither of the available choices:

• System scan can be disabled — Allows the user to disable on-access scanning.

• Show icon in the Taskbar — Displays the VirusScan icon in the workstation’s taskbar.

7. Select Enable heuristics scanning if you want the scanner to recognize new viruses based on their resemblance to similar viruses that the scanner already recognizes.

To do this, the scanner looks for certain “virus-like” characteristics in the files you’ve asked it to scan. The presence of a sufficient number of these characteristics in a file leads the module to identify the file as potentially infected with a new or previously unidentified virus.

Because the scanner looks simultaneously for file characteristics that rule out the possibility of virus infection, it rarely gives a false indication of a virus infection. Therefore, unless you know that the file does not contain a virus, you should treat “potential” infections with the same caution as you would confirmed infections.

The scanner starts out without any active heuristic scan options. To activate heuristics scanning, select the type of heuristic scanning you want to do. Under Heuristics scan settings select one of the following options:


• Enable macro heuristics scanning. — Identifies Microsoft Word, Microsoft Excel, other Microsoft Office files, or scripts that contain embedded macros, then compares the macro code to its virus definitions database. The utility identifies exact matches with the virus name. If it finds code signatures that resemble existing viruses, it will inform you that it has found a potential macro virus.

• Enable program file heuristics scanning. — Identifies new viruses in program files by examining file characteristics and comparing them against a list of known virus characteristics. Files with a sufficient number of these characteristics are considered potentially infected.

• Enable macro and program file heuristics scanning. — Enables both macro heuristics scanning and program file heuristics scanning. McAfee recommends that you use this option.

� NOTE: Heuristic scanning techniques will be applied to the file types that you have included in scanning activities — default files, all files, or only those files that have an extension that appears on the list of extensions.

8. Click Apply to accept your new policy settings.

Action options

When the scanner detects a virus, it can respond either by prompting you to select an action, or by automatically taking an action that you set in advance. Use the Action tab to specify the action that you want the scanner to take when it finds a virus.

1. Select the Action tab.


Figure 2-3. System Scan Options — Action tab

2. Deselect Inherit to change the product’s current configuration settings.

3. Under When a virus is found, select only one type of action for the scanner to perform. Your options are:

• Prompt for user action — Displays an alert message when the scanner finds a virus and offers you the full range of response options.

NOTE: This option requires that a user be present at the workstation to choose an action.

Choosing Prompt for user action enables the list of action options.


– Under Prompt Type (Windows 95/Windows 98 Only), select the type of prompt you want to occur.

Select GUI if you are running the VirusScan software on a Windows 95 or Windows 98 platform and want to see a standard graphical alert message that offers a range of response options. (The range will not include Continue access.) As the prompt awaits your selection, your system will continue with normal operations in the background

or

Select BIOS if you want to see a full-screen text-mode alert message that offers you a range of response options, including the option to continue without any action against the virus. This mode also brings your system to a complete halt until you choose a response option.

– Under Possible actions, select the actions from which the user can choose. Your choices are:

Clean file — Tries to remove the virus code from the infected file. If you have its reporting function enabled, the scanner will record a log event each time it successfully cleans, or fails to clean, an infected file.

Stop access — Prevents users from opening, moving, deleting, or otherwise accessing the infected file.

Delete file — Deletes the infected file immediately.

Exclude file — Skips the file during all scanning activities until a reboot occurs.

Move file — Moves the infected file to a quarantine folder. The GUI version of the alert message will display a Move file to button that allows you to locate a quarantine folder to use.

Continue access — Leaves the file intact and in its original location on your computer and does not prevent you from opening, copying, renaming, or otherwise modifying the file in the future. Use this option only when you know positively that the file is not infected. To preserve files as virus samples, McAfee recommends moving infected files to a quarantine folder.

NOTE: The option is available only on computers that run Windows 95 or Windows 98 and only when you choose the BIOS prompt mode.


• Move infected files automatically — Moves infected files to a quarantine folder as soon as the scanner finds them.

The default name of the quarantine folder is INFECTED, and it is located in the VirusScan program directory. You can enter a different name in the text box. Click for a list of system variables that you can include in the path.

• Clean infected files automatically — Removes the virus code from the infected file as soon as the scanner finds it. If the scanner cannot remove the virus, it will note the incident in its log file.

• Delete infected files automatically — Immediately deletes every infected file the scanner finds. Be sure to enable its reporting feature so that you have a record of the files the application deleted. You will need to restore deleted files from backup copies. If the scanner cannot delete an infected file, it will note the incident in its log file.

• Deny access to infected files and continue — Denies access to the infected file and continues scanning other files. Use this option only if you plan to leave your computer unattended while the scanning activity is in progress.

4. Click Apply to accept your new policy settings.


Alert options

Use the Alert tab if you want immediate notification that the on-demand scanner has found a virus and acted upon it based on your Action options.

1. Select the Alert tab.

Figure 2-4. System Scan Options — Alert tab

2. Deselect Inherit to change the product’s current configuration settings.

3. Under Network Alerts, select Notify Alert Manager to have the scanner send alert messages to Alert Manager for distribution.

Alert Manager is a separate McAfee software component, included with most McAfee anti-virus products for servers, such as NetShield for Windows NT and Windows 2000. Alert Manager collects alert messages and uses a variety of methods to send them to recipients that you specify. To have the VirusScan program send these alert messages successfully, you must also set up the Alert Manager Client Configuration utility (see Chapter 7, “Alert Options,” starting on page 67). To learn how to install and configure the Alert Manager utility, see the Administrator’s Guide for the server product you are using.

You can pass alert messages directly to an Alert Manager server, or you can send alert messages as text (.ALR) files to a Centralized Alerting directory that the Alert Manager server checks periodically.


NOTE: If you clear this checkbox, the scanner will not send an alert message via Alert Manager. However, it will not affect other alert messages that you configure on this property page.

4. If you selected Prompt for user action on the Action Options page, you can create a custom notification message, and choose to be notified by means of an audible alert.

• Display custom message — Adds a custom message to the alert box that the scanner displays when it finds an infected file. Enter your message in the text box located directly beneath this checkbox. You can enter a maximum of 250 characters here.

• Sound audible alert — Produces the standard system warning beep or WAV file that you have your computer set to play when the scanner finds an infected file.

IMPORTANT: These options function only if you have selected Prompt for user action in the Action tab.

5. Click Apply to accept your new policy settings.

Report options

System Scan lists its current settings and summarizes all of the actions it takes during its scanning operations in a log file called VSHLOG.TXT. You can specify a different file name in the Log to File text box. The software will automatically create and use the file you specified. You can open and print the log file for later review. Use the Reports tab to detail the contents of the log file.

1. Select the Report tab.


Figure 2-5. System Scan Options — Report tab

2. Deselect Inherit to change the product’s current configuration settings.

3. Select Log to file to save the log in a file you specify.

By default, the scanner writes log information to the file VSHLOG.TXT in the VirusScan program directory. You can enter a different path and file name in the text box. VirusScan creates the file, but the folder in which it is located must already exist. VirusScan does not create the new folder. Click for a list of system variables that you can include in the path.

4. To minimize the log file size, click Limit size of log file to, then enter a value for the file size, in kilobytes, in the text box. If you do not select this checkbox, the log file will continue to grow until your hard disk is full.

Enter a value between 10KB and 999KB. By default, the scanner limits the file size to 100KB. If the data in the log exceeds the file size you set, the scanner truncates the existing log to accommodate the new information.

5. Select the checkboxes that correspond to the information you want the scanner to record in its log file. Each checkbox you select here causes the scanner to record this information, usually when the scan operation ends, or when you shut your system down:

• Virus detection — Lists the infected files that the scanner found in each scan operation.

• Virus cleaning — Lists the infected files that the scanner cleans—or tries to clean—during each scan operation.


• Infected file deletion — Lists the infected files that the scanner deletes during each scan operation.

• Infected file move — Lists the infected files that the scanner moves to a quarantine folder during each scan operation.

• Session settings — Records the scanner’s configuration settings.

• Session summary — Summarizes the actions that the scanner took. The log will record:

– The number of files examined.

– The number of infected files that were cleaned.

– The number of infected files that were deleted.

– The number of infected files that were moved to a quarantine folder.

– Your scanner settings.

• Date and time — Records the date and time at which the scanner found an infection.

• User name — Records the name of the user logged into the workstation when the scanner found an infection.

6. Click Apply to accept your new policy settings.

Exclusion options

Use this option if you want the scanner to ignore entire disks, folders, or individual files that you know cannot become infected.

Each entry in the exclusion list displays the item, notes whether the module will also exclude any nested folders within the target, and explains whether the application will exclude the item when it scans files, when it scans your hard disk boot sector, or both.

Once you have thoroughly scanned your system, using the on-demand scanner (see “Configuring on-demand scanning tasks” on page 73), you can configure the System Scan module to ignore those files and folders that do not change or that are not normally vulnerable to virus infection.

1. Click the Exclusion tab.


Figure 2-6. System Scan Properties — Exclusion tab

2. Specify the items you want to exclude. You can

• Add files or folders to the exclusion list. Click Add to open the Add Exclusion Item dialog box.

Figure 2-7. Add Exclusion Item


Next, follow these substeps to add items to the list:

a. Select Enter a file name to exclude or Enter a folder name to exclude.

b. Enter the path of the folder or file in the text box that corresponds to your selection. Click for a list of system variables that you can include in the path.

c. Select the Include subfolders checkbox to tell the module to ignore files stored in any subfolders within the folder you specified in Step b.

NOTE: If you select this option, the scanner will not examine the files or the subfolders that are located within the target folder. If you deselect this option, the scanner will examine the subfolders but not the files that are located within the target folder. This feature is useful in situations where a folder contains a number of sensitive files that you do not want to scan. An alternative approach to achieving the same result would involve specifying individually each of the files that you want to exclude. You can specify up to eight exclusions.

• Change the exclusion list. To change the settings for an excluded item, select it in the Exclusions list, then click Edit to open the Add Exclusion Item dialog box. Make the changes you need, then click OK to close the dialog box.

• Remove an item from the list. To delete an excluded item, select it in the list, then click Remove.

3. Click Apply to save your changes.


Status of infected files after scanning

The status of an infected file after scanning depends upon a number of factors:

Scanning action
• Deny Access
• Delete
• Move
• Clean

Operating system
• Windows 95 and Windows 98
• Windows NT and Windows 2000

Trigger
• File read from disk
• File written to disk

Outcome
• Success *
• Failure **

*Success means that the scanner took the action that the administrator specified and the desired result was achieved, without incident.

**Failure means that the scanner was not able to take the action that the administrator specified, but took a different action instead. Failure can occur for a variety of reasons, such as: no driver yet exists for cleaning a new virus; the virus has characteristics that are uncleanable; timing conflicts exist between actions taken on a file by two different applications; timing conflicts exist relating to the way that an application, such as Microsoft Word, deals with multiple versions of a file when it is in use.

The table on page 31 shows, by factor, the status of infected files after scanning:


There are cases where an infected file is written to disk intact even if you have selected When writing to disk on the scanner’s detection property page. This includes the extremely rare circumstances where the deletion command fails. In those cases the virus cannot be activated until a user attempts to open, copy, or move the infected file. At that time, the file will be scanned if you have selected When reading from disk on the scanner’s detection property page.

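Status of Infected File, by Selected Action and Outcome

Selected Action: Deny Access

– Outcome: Success
   • Windows 95 and Windows 98, read from disk: Left intact; access denied
   • Windows 95 and Windows 98, written to disk: Deleted*
   • Windows NT and Windows 2000, read from disk: Left intact; access denied
   • Windows NT and Windows 2000, written to disk: Deleted*

– Outcome: Failure
   • Not applicable. Denial of access to the file is always available.

Selected Action: Delete

– Outcome: Success
   • Deleted

– Outcome: Failure
   • Windows 95 and Windows 98, read from disk: Left intact; access denied
   • Windows 95 and Windows 98, written to disk: Left intact*
   • Windows NT and Windows 2000, read from disk: Left intact; access denied
   • Windows NT and Windows 2000, written to disk: Left intact*

Selected Action: Move

– Outcome: Success
   • Moved to quarantine folder

– Outcome: Failure
   • Windows 95 and Windows 98, read from disk: Left intact; access denied
   • Windows 95 and Windows 98, written to disk: Deleted*
   • Windows NT and Windows 2000, read from disk: Left intact; access denied
   • Windows NT and Windows 2000, written to disk: Left intact*

Selected Action: Clean

– Outcome: Success
   • Cleaned

– Outcome: Failure*
   • Windows 95 and Windows 98, read from disk: File name acquires VIR extension; access denied
   • Windows 95 and Windows 98, written to disk: Deleted*
   • Windows NT and Windows 2000, read from disk: File name acquires VIR extension; access denied
   • Windows NT and Windows 2000, written to disk: Deleted*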


3 E-mail Scan Options

E-mail Scan examines e-mail messages and message attachments that you receive via intra-office e-mail systems, and the Internet. It scans your Microsoft Exchange or Outlook mailbox on your Microsoft Exchange server, and older cc:Mail e-mail systems.

E-mail Scan works in conjunction with the Download Scan to examine Internet mail that arrives via Simple Mail Transfer Protocol (SMTP) or Post Office Protocol (POP-3) sources. See Chapter 4, “Download Scan Options,” starting on page 45.

Configuring e-mail scanning

1. If you have not already done so, open the ePolicy Orchestrator console, and select the computers for which you are setting policy (see Step 1 and Step 2 on page 15).

2. In the upper details pane, click the next to the VirusScan v4.51 for Windows icon. From the expanded list, select E-mail Scan Options.

Figure 3-1. E-mail Scan Options — Detection tab


3. Select the function that you want to configure. Your choices are:

• Detection

• Action

• Alert

• Report

Detection options

1. Deselect Inherit to change the product’s current configuration settings.

2. Select Enable Scanning of e-mail attachments.

Under E-mail system, select the type of e-mail message systems you use. You can select one or both types of systems. Your options are Corporate Mail and Internet Mail:

• Enable Corporate Mail — Scans mail attachments you receive via a mail system that runs within your office network. The scanner supports two types of corporate e-mail systems:

– Microsoft Exchange (MAPI). Select this option if you use an e-mail system that sends and receives mail via Microsoft’s Messaging Application Programming Interface (MAPI), a Windows mail protocol. Examples include Microsoft Exchange and Microsoft Outlook.

– Lotus cc:Mail. IBM, the current owner of cc:Mail, no longer supports that product. Consequently, McAfee can no longer support its use in conjunction with VirusScan. We have not removed this feature from the interface as a courtesy to customers who want to continue using the cc:Mail product currently running on their networks. However, you are solely responsible for the results.

• Internet Mail (Requires Download Scan) — Scans Internet mail attachments that you send and receive via the Post Office Protocol (POP-3) or the Simple Mail Transfer Protocol (SMTP). Choose this option if you work from home or through a dial-up Internet service provider with such software as Qualcomm Eudora Pro, Microsoft Outlook Express, or Netscape Mail.


IMPORTANT: Because you receive Internet mail through the same pipe as any other downloaded file, the scanner uses the options that you set in the Download Scan module to determine how to respond to incoming Internet mail. To scan Internet mail attachments, therefore, you must also enable the Download Scan module and use those property pages to choose the settings you want. See Chapter 4, “Download Scan Options,” starting on page 45 for details.

Under Folders, enter the number of seconds the scanner should wait before it checks your cc:Mail Inbox for new mail. By default, the scanner checks once every minute. Be sure to set an interval shorter than the interval you set to receive your e-mail so that the scanner has an opportunity to detect any viruses before they reach your computer. This setting must be a minimum of 30 seconds.

3. Specify the types of e-mail attachments you want the scanner to examine. Your options are:

• Attachments with default extensions — Scans attachments that have file name extensions that McAfee AVERT (Anti-Virus Emergency Response Team) defines as vulnerable to infection from currently circulating viruses. The list of vulnerable file types is included with the release of updated virus definition (DAT) files. This option is the default selection. If you also select Compressed files, the scanner examines only those compressed file types that are defined in the current DAT files.

• All Attachments — Scans every file attachment regardless of the type of file. If you also select Compressed files, the scanner examines those portions of compressed files that are actually compressed, as well as the portions of the files that are not compressed.

• User specified attachments — Scans those file types that have a file name extension that appears on the list of extensions. If you also select Compressed files, the scanner examines only those compressed file types that appear on the list of extensions.

To see or designate the file name extensions the application examines, click Extensions to open the list of extensions.


Figure 3-2. User specified file extension

By default, the on-access scanner examines files that have no extensions and files with any of the following extensions:

??_ {?? 001 002 386 3GR ACM ADT AP?
ASD ASP AX? BAT BIN BO? CC? CDR CHM
CLA CMD CNV CO? CP? CSC D?B DAT DEV
DIF DL? DO? DRV EE? EX? FMT FO? GMS
GZ? HDI HLP HT? IM? IN? JS? LIB MB?
MD? MHT MOD MPD MPP MPT MRC MS? OB?
OC? OL? OLE OTM OV? PCI PD? PHP PIF
PLG POT PP? PRC QLB QPW QTC REG RTF
SCR SH? SIS SMM SYS TD0 TGZ TLB TSP
VB? VS? VWP VXD WBK WIZ WP? WRI WS?
X32 XL? XML XSL XTP XX? ZL?

The ? character is a wildcard.

– To add an extension to the list, type its three character designation in the text box and click Add.

– To remove an extension from the list, select it and click Delete.

– To restore the list to its original factory settings, click Default.

• Compressed files — Scans executable files that were compressed using utilities such as PkLite, LZexe, MS Compressed, Ice, Cryptcom, Com2Exe, Diet, and Teledisk.

4. Select Enable heuristics scanning if you want the scanner to recognize new viruses based on their resemblance to similar viruses that the scanner already recognizes.


To do this, the module looks for certain “virus-like” characteristics in the files you’ve asked it to scan. The presence of a sufficient number of these characteristics in a file leads the module to identify the file as potentially infected with a new or previously unidentified virus.

Because the scanner looks simultaneously for file characteristics that rule out the possibility of virus infection, it will rarely give you a false indication of a virus infection. Therefore, unless you know that the file does not contain a virus, you should treat “potential” infections with the same caution as you would confirmed infections.

The scanner starts out without any heuristic scan options active. To activate heuristics scanning, select the type of heuristic scanning you want to do. Under Heuristics scan settings, select one of the following options:

• Enable macro heuristics scanning — Identifies Microsoft Word, Microsoft Excel, and other Microsoft Office files that contain embedded macros, then compares the macro code to its virus definitions database. The utility identifies exact matches with the virus name. If it finds code signatures that resemble existing viruses, it will inform you that it has found a potential macro virus.

• Enable program file heuristics scanning — Identifies new viruses in program files by examining file characteristics and comparing them against a list of known virus characteristics. Files with a sufficient number of these characteristics are considered potentially infected.

• Enable macro and program file heuristics scanning — Enables both macro heuristics scanning and program file heuristics scanning. McAfee recommends that you use this option.

NOTE: Heuristic scanning techniques are applied to the file types included in the scope of scanning activities — default files, all files, or only those files that have an extension that appears on the list of extensions.

5. Click Apply to accept your new policy settings.
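The extension scope chosen in step 3 decides which attachments the scanner looks at, so it is worth checking a set of attachment names against the printed list before relying on the default. The following is an added example, not McAfee code: it assumes each ? stands for exactly one character and that files without an extension are scanned, and the function names and sample file names are constructed for illustration.

```python
import ntpath

# Default extension list as printed in the guide ('?' is the guide's wildcard).
DEFAULT_EXTENSIONS = (
    "??_ {?? 001 002 386 3GR ACM ADT AP? "
    "ASD ASP AX? BAT BIN BO? CC? CDR CHM "
    "CLA CMD CNV CO? CP? CSC D?B DAT DEV "
    "DIF DL? DO? DRV EE? EX? FMT FO? GMS "
    "GZ? HDI HLP HT? IM? IN? JS? LIB MB? "
    "MD? MHT MOD MPD MPP MPT MRC MS? OB? "
    "OC? OL? OLE OTM OV? PCI PD? PHP PIF "
    "PLG POT PP? PRC QLB QPW QTC REG RTF "
    "SCR SH? SIS SMM SYS TD0 TGZ TLB TSP "
    "VB? VS? VWP VXD WBK WIZ WP? WRI WS? "
    "X32 XL? XML XSL XTP XX? ZL?"
).split()

# Constructed sample attachment names (not taken from the guide).
SAMPLE_ATTACHMENTS = [
    "Q3-forecast.XLS", "minutes.doc", "setup.exe", "notes.txt",
    "README", "photo.jpg", "page.html", "backup.ex_",
]


def extension_of(filename):
    """Return the upper-cased text after the last dot of the base name, or ''."""
    base = ntpath.basename(filename)  # accepts both \ and / separators
    _, dot, ext = base.rpartition(".")
    return ext.upper() if dot else ""


def matching_pattern(ext, patterns):
    """Return the first list entry that matches ext, or None.

    Assumption: '?' matches exactly one character, so lengths must be equal.
    """
    for pattern in patterns:
        if len(pattern) == len(ext) and all(
            p in ("?", e) for p, e in zip(pattern, ext)
        ):
            return pattern
    return None


def scan_decision(filename, patterns=DEFAULT_EXTENSIONS, scan_extensionless=True):
    """Return (scanned, reason) for one attachment name under the given list."""
    ext = extension_of(filename)
    if not ext:
        # Assumption: extensionless files are in scope, as the guide states
        # for the default list.
        return (scan_extensionless, "no extension")
    hit = matching_pattern(ext, patterns)
    return (hit is not None, hit or "not on list")


def skipped(filenames, patterns=DEFAULT_EXTENSIONS):
    """Names that the extension list would leave unscanned."""
    return [name for name in filenames if not scan_decision(name, patterns)[0]]


def add_extension(patterns, designation):
    """Model the Add button: accept only a three-character designation."""
    designation = designation.lstrip(".").upper()
    if len(designation) != 3:
        raise ValueError("extension designation must be three characters")
    if designation in patterns:
        return list(patterns)
    return list(patterns) + [designation]


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        scanned, reason = scan_decision(name)
        print(f"{name:18} {'scan' if scanned else 'skip':4}  {reason}")
    print("left unscanned:", skipped(SAMPLE_ATTACHMENTS))
```

Names reported as skipped are the ones to weigh when choosing between the default list, a user-specified list, and All Attachments.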

Action options

When the e-mail scanner detects a virus, it can respond either by asking you what to do with the infected file, or by automatically taking an action that you determine in advance. Use the Action tab to specify which response options you want the scanner to give you when it finds a virus, or which actions you want it to take on its own.


1. Select the Action tab.

Figure 3-3. E-mail Scan Options — Action tab

2. Deselect Inherit to change the product’s current configuration settings.

3. Under When a virus is found select only one type of action for the scanner to perform. Your options are:

• Select Prompt for user action to select the following actions that users can take when a virus is found.

NOTE: This option requires that a user be present at the workstation to choose an action.

– Delete file — Deletes the infected file immediately.

– Clean file (MAPI only) — Tries to remove the virus code from the infected file. If you have the reporting function enabled, the scanner will record a log event each time it successfully cleans, or fails to clean, an infected file.

– Move file — Moves the infected file to a quarantine folder. The alert message will display a Move file to button that allows you to send the infected item to a quarantine folder on your Microsoft Exchange server. You can move infected items to any other folder you've created in your Exchange or Outlook mailbox, or to any public folder on the Exchange server to which you have access. The item will remain on the Exchange server until you dispose of it — it will not be downloaded to your computer.


– Continue scan — Proceeds with scanning, but takes no other action. If you have its reporting options enabled, the scanner records the incident in its log file.

• Move infected files automatically — Moves infected files to a quarantine folder in your Microsoft Exchange mailbox. By default, the name of the quarantine folder is Infected, and it is located on your Microsoft Exchange server. You can enter a different location in the text box.

• Clean infected files (MAPI Only) — Tries to remove the virus code from the infected file. If Report is enabled, the scanner records a log event each time it successfully cleans, or fails to clean, an infected file. See “Report options” on page 42.

• Delete infected files automatically — Deletes the infected attachment immediately. Be sure to enable Report so that you have a record of the files the scanner deleted. If the program cannot delete an infected file, it notes the incident in its log file.

• Continue scanning — Leaves the file intact and does not prevent you from opening, copying, renaming, or otherwise modifying the file in the future. If Report is enabled, the scanner records the names of any viruses it finds and the names of infected files so that you can delete them at your next opportunity.

WARNING: E-mail Scan does not try to break encrypted messages to scan them.

If an infected attachment includes a digital signature, the scanner removes the digital signature to clean or delete the infected file.

4. Click Apply to accept your new policy settings.

Alert options

Once you configure it with the response options you want, you can let the e-mail scanner look for and remove viruses from your Exchange mailbox automatically, as it finds them, with almost no further intervention. To have the program inform you immediately when it finds a virus, configure it to send an alert message.

1. Select the Alert tab to display the alert options.


Figure 3-4. E-Mail Scan Options — Alert Options tab

2. Deselect Inherit to change the product’s current configuration settings.

3. Under Network Alerts, click Notify Alert Manager to send alert messages to Alert Manager for distribution.

Alert Manager is a separate McAfee software component, included with most McAfee anti-virus products for servers, such as NetShield for Windows NT and Windows 2000. Alert Manager collects alert messages and uses a variety of methods to send them to recipients that you specify. To have VirusScan send these alert messages successfully, you must also set up the Alert Manager Client Configuration utility (see Chapter 7, “Alert Options,” starting on page 67). To learn how to install and configure the Alert Manager utility, see the Administrator’s Guide for the server anti-virus product you are using.

You can pass alert messages directly to an Alert Manager server, or you can send alert messages as text (ALR) files to a Centralized Alerting directory that the Alert Manager server checks periodically.

NOTE: If you deselect this checkbox, the scanner will not use Alert Manager, but will use any other alert messaging that you configure on this property page.

4. Under E-mail alert box, select the response you want when a virus is detected. Your options are:


• Return reply mail to sender — Notifies the sender that an infected e-mail message was transmitted. When you select this checkbox, these additional fields appear:

CC: Enter the e-mail address where a copy of the alert message should be sent.

Subject: Enter a subject for the alert message. The subject line should say something that is likely to draw the recipient’s attention to the seriousness of the message.

Message: Enter the message to be sent.

• Send alert mail to user. This option allows you to send an e-mail message to warn others—a network administrator, for example—about an infected attachment. When you select this checkbox, these additional fields appear:

To: Enter the e-mail address where you want the alert message sent.

CC: Enter the e-mail address where a copy of the alert message should be sent.

Subject: Enter the subject line of the alert message.

Message: Enter the message to be sent.

As part of your anti-virus warning system, the e-mail scanner can reply directly with an alert message to anybody who sends you an infected message or attachment. You can copy that message to any other recipient in your organization, or any number of other recipients.

If you prefer not to send a reply, you can simply have the program send an e-mail notification, perhaps to a system administrator, whenever it detects a virus.

Sending reply messages can aid your ability to track virus sources and pinpoint where infectious agents enter your network; copies of these messages sent to system administrators can help track how infections spread.

You can also choose to send a message to any recipient without replying to the source of the infected attachment. The program can draw recipients directly from your Microsoft Exchange, Microsoft Outlook, or other MAPI-compliant address book, or from an equivalent Lotus cc:Mail directory. You can also enter recipient addresses directly.


The message you create for a response is a template. The program will send the message automatically to each recipient you designate. McAfee recommends that your message be a simple and clear explanation that all recipients can understand.

You may send one message to reply to the source of the infected message and a different message to other recipients, but you cannot tailor the same message for different recipients.

5. If you selected Prompt for user action on the Action tab, you can create a custom notification message, and choose to be notified by means of an audible alert.

• Display custom message — Adds a custom message to the alert box that the scanner displays when it finds an infected file. Enter your message in the text box located directly beneath this checkbox. You can enter a maximum of 250 characters here.

• Sound audible alert — Produces the standard system warning beep or WAV file that you have your computer set to play when the scanner finds an infected file.

IMPORTANT: These options function only if you have selected Prompt for user action in the Action tab.

6. Click Apply to accept your new policy settings.

Report options

E-mail Scan lists its current settings and summarizes the actions it takes during its scanning operations in a log file called WEBEMAIL.TXT. You can have the module write its log to this default file, or you can specify a different file name in the Log to file text box. The software will automatically create and use the file you specified. You can open and print the log file for later review.

You can use the WEBEMAIL.TXT file to track virus activity on your system and to note which settings the program used to detect infections and respond to them. You can also use the incident reports recorded in the file to determine which files you need to examine in quarantine, or delete from your computer.

1. Select the Report tab.


Figure 3-5. E-mail Scan — Report tab

2. Deselect Inherit to change the product’s current configuration settings.

3. Select Log to file to save the log in a file you specify.

By default, the scanner writes log information to the file WEBEMAIL.TXT in the VirusScan program directory. You can enter a different name in the text box. If the file does not already exist, the program will create the file automatically. Click for a list of system variables that you can include in the path.

NOTE: If you choose a different location for your log file on a Windows NT Workstation v4.0 or Windows 2000 Professional system, verify that you choose a location to which you have user-level access. Because the e-mail scanner runs with the same access rights that your e-mail client program does, it cannot write to this log file correctly if the file exists in a location that requires Administrator access rights, and you have logged in as a user to run your e-mail client program. Instead, the scanner will give you an “Activity Log Access Error” message when it detects a virus.

4. To minimize the log file size, click Limit size of log file to, then enter a value for the file size, in kilobytes, in the text box. If you do not select this checkbox, the log file will continue to grow until your hard disk is full.


Enter a value between 10KB and 999KB. By default, the scanner limits the file size to 100KB. If the data in the log exceeds the file size you set, the scanner truncates the existing log to accommodate the new information.

5. Select the checkboxes that correspond to the information you want the scanner to record in its log file. Each checkbox you select here causes the scanner to record this information, usually when the scan operation ends, or when you shut your system down:

• Virus detection — Records the number of viruses the scanner finds during each scan operation.

• Infected file deletion — Records the number of viruses the scanner deletes during each scan operation.

• Infected file move — Records the number of viruses the scanner moves to a quarantine folder during each scan operation.

• Session settings — Records the scanner’s configuration settings.

• Session summary — Summarizes the actions that the scanner took. The log will record:

– The number of files examined.

– The number of infected files that were cleaned.

– The number of infected files that were deleted.

– The number of infected files that were moved to a quarantine folder.

– Your scanner settings.

• Virus cleaning (MAPI Only) — Records the number of infected files the scanner cleans, or tries to clean.

6. Click Apply to accept your new policy settings.


4 Download Scan Options

Download Scan examines files that you download from the Internet using a browser such as Internet Explorer or Netscape. In addition, if you have selected Internet Mail on the E-mail Scan Options tab (see Step 2 on page 34), Download Scan allows you to set action options for infected e-mail attachments that you receive via POP-3 or SMTP e-mail client programs such as Eudora, Netscape Mail, or Microsoft Outlook Express.

Configuring download scanning

1. If you have not already done so, open the ePolicy Orchestrator console, and select the computers for which you are setting policy (see Step 1 and Step 2 on page 15).

2. In the upper details pane, click the next to VirusScan v4.5 for Windows icon. From the expanded list, select Download Scan Options.

Figure 4-1. Download Scan Options — Detection tab

3. Select the function that you want to configure. Your choices are:

• Detection

• Action

• Alert

• Report


Detection options

1. Deselect Inherit to change the product’s current configuration settings.

2. Select Enable internet download scanning.

• Default files — Scans file types that McAfee AVERT (Anti-Virus Emergency Response Team) defines as vulnerable to infection from currently circulating viruses. The list of vulnerable file types is included with the release of updated virus definition (DAT) files. This option is the default selection. If you also select Compressed files, the scanner examines only those compressed file types that are defined in the current DAT files.

• All files — Scans every file regardless of the type of file. If you also select Compressed files, the scanner examines those portions of compressed files that are actually compressed, as well as the portions of the files that are not compressed.

• User specified files — Scans only those file types that have a file-name extension that appears on the list of extensions. If you also select Compressed files, the scanner examines only those compressed file types that appear on the list of extensions. To see or designate the file name extensions the application examines, click Extensions to open the list of extensions.

Figure 4-2. User specified file extensions

By default, the on-access scanner examines files that have no extensions and files with any of the following extensions: By default, the scanner examines files with the following extensions:

??_ {?? 001 002 386 3GR ACM ADT AP?

ASD ASP AX? BAT BIN BO? CC? CDR CHM

CLA CMD CNV CO? CP? CSC D?B DAT DEV

DIF DL? DO? DRV EE? EX? FMT FO? GMS

GZ? HDI HLP HT? IM? IN? JS? LIB MB?

MD? MHT MOD MPD MPP MPT MRC MS? OB?

OC? OL? OLE OTM OV? PCI PD? PHP PIF

PLG POT PP? PRC QLB QPW QTC REG RTF

SCR SH? SIS SMM SYS TD0 TGZ TLB TSP

VB? VS? VWP VXD WBK WIZ WP? WRI WS?

X32 XL? XML XSL XTP XX? ZL?

The ? character is a wildcard.

– To add an extension to the list, type its three character designation in the text box and click Add.

– To remove an extension from the list, select it and click Delete.

– To restore the list to its original factory settings, click Default.

• Compressed files — Scans executable files that were compressed using utilities such as PkLite, LZexe, MS Compressed, Ice, Cryptcom, Com2Exe, Diet, and Teledisk.

3. Select Enable heuristics scanning if you want the scanner to recognize new viruses based on their resemblance to similar viruses that the scanner already recognizes.

To do this, the module looks for certain “virus-like” characteristics in the files you’ve asked it to scan. The presence of a sufficient number of these characteristics in a file leads the module to identify the file as potentially infected with a new or previously unidentified virus.

Because the scanner looks simultaneously for file characteristics that rule out the possibility of virus infection, it will rarely give you a false indication of a virus infection. Therefore, unless you know that the file does not contain a virus, you should treat “potential” infections with the same caution as you would confirmed infections.

The scanner starts out without any heuristic scan options active. To activate heuristics scanning, select the type of heuristic scanning you want to do. Under Heuristics scan settings, select one of the following options:

• Enable macro heuristics scanning. — Identifies Microsoft Word, Microsoft Excel, and other Microsoft Office files that contain embedded macros, then compares the macro code to its virus definitions database. The utility identifies exact matches with the virus name. If it finds code signatures that resemble existing viruses, it will inform you that it has found a potential macro virus.


• Enable program file heuristics scanning. — Identifies new viruses in program files by examining file characteristics and comparing them against a list of known virus characteristics. Files with a sufficient number of these characteristics are considered potentially infected.

• Enable macro and program file heuristics scanning. — Enables both macro heuristics scanning and program file heuristics scanning. McAfee recommends that you use this option.

NOTE: Heuristic scanning techniques are applied to the file types included in the scope of scanning activities: default files, all files, or only those files that have an extension that appears on the list of extensions.

4. Click Apply to accept your new policy settings.
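The extension list and its ? wildcard, described under Detection options above, can be checked against a set of file names with the following added example (not part of the guide or the product). It assumes that ? stands for exactly one character and that only the final extension is compared, case-insensitively; the function names and the sample file names are constructed.

```python
from pathlib import PureWindowsPath

# Extension list as printed in the guide; "?" is the guide's wildcard.
GUIDE_EXTENSIONS = """
??_ {?? 001 002 386 3GR ACM ADT AP? ASD ASP AX? BAT BIN BO? CC? CDR CHM
CLA CMD CNV CO? CP? CSC D?B DAT DEV DIF DL? DO? DRV EE? EX? FMT FO? GMS
GZ? HDI HLP HT? IM? IN? JS? LIB MB? MD? MHT MOD MPD MPP MPT MRC MS? OB?
OC? OL? OLE OTM OV? PCI PD? PHP PIF PLG POT PP? PRC QLB QPW QTC REG RTF
SCR SH? SIS SMM SYS TD0 TGZ TLB TSP VB? VS? VWP VXD WBK WIZ WP? WRI WS?
X32 XL? XML XSL XTP XX? ZL?
""".split()

# Constructed sample of downloaded file names.
SAMPLE_DOWNLOADS = [
    "report.DOC", "setup.exe", "setup.ex_", "notes.txt",
    "budget.xls", "README", r"C:\Downloads\archive.tgz",
]


def extension_of(filename):
    """Upper-cased final extension without the dot ('' when there is none)."""
    return PureWindowsPath(filename).suffix.lstrip(".").upper()


def matches(extension, pattern):
    """Assumption: '?' matches exactly one character; other characters must be equal."""
    pattern = pattern.upper()
    return len(extension) == len(pattern) and all(
        p in ("?", e) for p, e in zip(pattern, extension)
    )


def matching_pattern(filename, patterns=GUIDE_EXTENSIONS):
    """First list entry that brings the file into scope, or None."""
    ext = extension_of(filename)
    return next((p for p in patterns if matches(ext, p)), None)


def scope_report(filenames, patterns=GUIDE_EXTENSIONS):
    """Group file names by matching list entry; the None key holds files outside the list."""
    report = {}
    for name in filenames:
        report.setdefault(matching_pattern(name, patterns), []).append(name)
    return report


if __name__ == "__main__":
    for pattern, names in scope_report(SAMPLE_DOWNLOADS).items():
        print(pattern or "(not on list)", names)
```

Files grouped under the None key are the ones that the Default files and User specified files choices would leave to the All files option.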

Action options

When the scanner detects a virus, it can respond either by asking you what it should do with the infected file, or by automatically taking an action that you determine ahead of time. Use the Action tab to specify the action that you want the scanner to take when it finds a virus.

1. Select the Action tab.

Figure 4-3. Download Scan Options — Action tab


2. Deselect Inherit to change the product’s current configuration settings.

3. Under When a virus is found, select only one type of action for the scanner to perform. Your options are:

• Select Prompt for user action to select the following actions that users can take when a virus is found.

– Delete file — Deletes the infected file immediately.

– Continue scan — Proceeds with scanning, but takes no other action. If you have its reporting options enabled, the scanner records the incident in its log file.

• Delete infected files automatically — Deletes the infected file immediately. Be sure to enable the reporting feature so that you have a record of which files the scanner deleted. If the program cannot delete an infected file, it notes the incident in its log file.

• Continue scanning — Leaves the file intact and does not prevent you from opening, copying, renaming, or otherwise modifying the file in the future. If you also activate the reporting feature, the scanner records the names of any viruses it finds and the names of infected files so that you can delete them at your next opportunity.

4. Click Apply to accept your new policy settings.

Alert options

Once you configure it with the response options you want, the scanner looks for and removes viruses automatically, as it finds them, with almost no further intervention. However, you can configure the scanner to contact you immediately when it finds a virus, so that you can take appropriate action. It can send an alert message to a server that is running the Alert Manager utility.

1. Select the Alert Options tab.


Figure 4-4. Download Scan Options — Alert tab

2. Deselect Inherit to change the product’s current configuration settings.

3. Under Network Alerts, click Notify Alert Manager to send alert messages to Alert Manager for distribution.

Alert Manager is a separate McAfee software component, included with most McAfee anti-virus products for servers, such as NetShield for Windows NT and Windows 2000. Alert Manager collects alert messages and uses a variety of methods to send them to recipients that you specify. To have the VirusScan program send these alert messages successfully, you must also set up the Alert Manager Client Configuration utility. (See Chapter 7, “Alert Options,” starting on page 67.) To learn how to install and configure the Alert Manager utility, see the Administrator’s Guide for the server product you are using.

You can pass alert messages directly to an Alert Manager server, or you can send alert messages as text (.ALR) files to a Centralized Alerting directory that the Alert Manager server checks periodically.

NOTE: Clearing this checkbox tells the scanner not to send an alert message via Alert Manager, but does not affect other alert messages that you configure in this property page.


4. If you selected Prompt for user action on the Action Options page, you can create a custom notification message, and choose to be notified by means of an audible alert.

• Display custom message — Adds a custom message to the alert box that the scanner displays when it finds an infected file. Enter your message in the text box located directly beneath this checkbox. You can enter a maximum of 250 characters here.

• Sound audible alert — Produces the standard system warning beep or WAV file that you have your computer set to play when the scanner finds an infected file.

IMPORTANT: These options function only if you have selected Prompt for user action in the Action Options page.

5. Click Apply to accept your new policy settings.

Report options

Download Scan lists its current settings and summarizes all of the actions it takes during its scanning operations in a log file called WEBINET.TXT. You can have the module write its log to this default file, or you can specify a different file name in the Log to File text box. The software will automatically create and use the file you specified. You can open and print the log file for later review.

You can use the WEBINET.TXT file to track virus activity on your system and to note which settings the program used to detect and respond to infections it found. You can also use the incident reports recorded in the file to determine which files you need to examine in quarantine, or delete from your computer.

1. Select the Report tab.


Figure 4-5. Download Scan Options — Report tab

2. Deselect Inherit to change the product’s current configuration settings.

3. Select Log to file to save the log in a file you specify.

By default, the scanner writes log information to the file WEBINET.TXT in the VirusScan program directory. You can enter a different name in the text box provided. If the file does not already exist, the program will create the file automatically. Click for a list of system variables that you can include in the path.

4. To minimize the log file size, click Limit size of log file to, then enter a value for the file size, in kilobytes, in the text box. If you do not select this checkbox, the log file will continue to grow until your hard disk is full.

Enter a value between 10KB and 999KB. By default, the scanner limits the file size to 100KB. If the data in the log exceeds the file size you set, the scanner erases the existing log and begins again from the point at which it left off.

5. Select the checkboxes that correspond to the information you want the scanner to record in its log file. Each checkbox you select here causes the scanner to record this information, usually when the scan operation ends, or when you shut your system down:

• Virus detection — Lists the infected files that the scanner found in each scan operation.


• Infected file deletion — Lists the infected files that the scanner deletes during each scan operation.

• Session settings — Records the scanner’s configuration settings.

• Session summary — Summarizes the actions that the scanner took. The log will record:

– The number of files examined.

– The number of infected files that were cleaned.

– The number of infected files that were deleted.

6. Click Apply to accept your new policy settings.


5 Internet Filter Options

Although both Java and ActiveX objects include safeguards designed to prevent harm to your computer system, determined programmers have developed objects that exploit arcane Java or ActiveX features to cause harm to your system.

Dangerous objects can often lurk on websites until you visit and download them to your system, usually without realizing that they exist. Most browser software includes a feature that allows you to block Java applets or ActiveX controls altogether, or to turn on security features that authenticate objects before downloading them to your system. But these approaches can deprive you of the interactive benefits of websites you visit by indiscriminately blocking all objects, dangerous or not.

The Internet Filter module allows a more judicious approach for users of Microsoft Internet Explorer, Netscape and NeoPlanet browsers. It uses a database of objects known to cause harm to screen Java classes and ActiveX controls you encounter as you browse.

Configuring Internet Filter

1. If you have not already done so, open the ePolicy Orchestrator console, and select the computers for which you are setting policy (see Step 1 and Step 2 on page 15).

2. In the upper details pane, click the next to VirusScan v4.5 for Windows icon. From the expanded list, select Internet Filter Options.

3. Select the function that you want to configure. Your choices are:

• Detection

• Action

• Alert

• Report


Figure 5-1. Internet Filter Options — Detection tab

Detection options

By default, the Internet Filter module assumes that you want to block all of the harmful objects and sites it has listed in its database in order to prevent you from accidentally encountering them. This option provides tight security against harmful objects, but allows you to make use of other objects on the Internet sites you visit.

1. Deselect Inherit to change the product’s current configuration settings.

2. Select Enable Java and ActiveX scanning to enable the filter options.

3. Under Applet filters, select the objects you want to scan. Your options are:

• ActiveX Controls — Scans for and blocks harmful ActiveX or OCX controls.

• Java classes — Scans for and blocks harmful Java classes, or applets written in Java.

The scanner module compares the objects you encounter as you visit Internet sites with an internal database that lists the characteristics of objects known to cause harm. When it finds a match, the scanner can alert you and let you decide what to do, or it can automatically keep the object from downloading.

4. Under Site filters, specify the IP addresses or URLs to ban.


• IP Addresses to block — The scanner identifies dangerous Internet sites by using their Internet Protocol (IP) addresses.

The text box in the middle of the window identifies which IP addresses you want the scanner to block whenever you or someone else tries to connect to them. By default, the list includes two sites that download hostile Java or ActiveX objects to your machine as soon as you connect. You can add other sites.

Each address consists of four numeric groups of one to three digits each, formatted in this manner:

123.123.123.123

The Internet Filter module can use this number to identify a specific computer or network of computers on the Internet and prevent your browser from connecting to it. Each group of numbers can range between zero and 255. The first number series is the banned site’s domain address—the number you use to find it on the Internet—and the second is a “subnet mask.”

A subnet mask is a way to “remap” a range of computer addresses within an internal network. The module lists a default subnet mask of 255.255.255.255. In most circumstances, you will not need to change this number, but if you know that a particular network node at the site you visit is the source of danger, you might need to enter a subnet mask to preserve your access to other machines at this site.

5. To change the list, you can:

• Click Add to open the Add IP Address dialog box.

a. Type the IP address you want to add to the Banned IP Addresses list in the text box on the left.

b. Type the subnet mask associated with the IP address you want to add to the Banned IP Addresses list in the text box, if you know the correct subnet mask value for the site you want to avoid.

c. Click Add to place the IP address on the list of banned IP addresses.

• Remove an item from the list by selecting it, then clicking Delete.

6. Select the Internet URLs to block to identify dangerous Internet sites by using their Uniform Resource Locator (URL) designation.


The Banned URLs dialog box identifies which URLs you want the scanner to block whenever you or someone else tries to connect to them. By default, the list includes two domain names that download hostile Java or ActiveX objects to your machine as soon as you connect. You can add other domain names.

To add a site to this list, you must enter the domain name by itself, since the module will assume you mean the Hyper Text Transport Protocol (HTTP). To change the list, you can:

• Enter the address in the Internet URLs to block box, then click Add.

• Select an item, then click Delete to remove the item from the list.

7. Click Apply to accept your new policy settings.
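How an address and subnet mask pair on the Banned IP Addresses list maps to the machines it covers, as an added example (not part of the guide or the product). It assumes conventional mask semantics, where a destination is covered when its masked value equals the masked banned address; the function names and the sample entries, which use documentation address ranges, are constructed.

```python
import ipaddress

DEFAULT_MASK = "255.255.255.255"   # default mask given in the guide: one host

# Constructed sample list (documentation address ranges), not product data.
SAMPLE_BAN_LIST = [
    ("198.51.100.7", DEFAULT_MASK),      # a single machine
    ("192.0.2.77", "255.255.255.0"),     # every machine on 192.0.2.0
    ("192.0.2.10", DEFAULT_MASK),        # already inside the entry above
    ("203.0.113.5", "255.0.0.0"),        # far wider than one site
    ("192.0.2.300", DEFAULT_MASK),       # a group outside 0-255
]


def covered_network(address, mask=DEFAULT_MASK):
    """Return the IPv4 network that an address/mask pair matches.

    Assumption: a destination is covered when
    (destination AND mask) == (address AND mask).
    """
    # IPv4Network rejects groups outside 0-255 and non-contiguous masks.
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def load(ban_list):
    """Split a ban list into usable networks and rejected entries."""
    networks, rejected = [], []
    for address, mask in ban_list:
        try:
            networks.append(covered_network(address, mask))
        except ValueError as exc:
            rejected.append((address, mask, str(exc)))
    return networks, rejected


def is_banned(destination, ban_list):
    """True when the destination falls inside any valid entry."""
    dest = ipaddress.IPv4Address(destination)
    networks, _ = load(ban_list)
    return any(dest in net for net in networks)


def audit(ban_list, max_addresses=256):
    """Flag entries that are invalid, broader than intended, or redundant."""
    findings = []
    networks, rejected = load(ban_list)
    for address, mask, reason in rejected:
        findings.append(("invalid", f"{address} / {mask}", reason))
    seen = []
    for net in networks:
        if net.num_addresses > max_addresses:
            findings.append(("broad", str(net), f"{net.num_addresses} addresses"))
        covering = next((other for other in seen if net.subnet_of(other)), None)
        if covering is not None:
            findings.append(("redundant", str(net), f"inside {covering}"))
        seen.append(net)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_BAN_LIST):
        print(finding)
    print(is_banned("192.0.2.200", SAMPLE_BAN_LIST))
```

With the default mask an entry covers exactly one address, so a wider mask is what turns a single banned host into a banned network.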

Action options

When the scanner encounters a dangerous object or a banned site, it can respond either by asking you if it should block the object or site, or by automatically blocking it. Use the Action tab to specify your choice.

1. Select the Action Options.

Figure 5-2. Internet Filter Options — Action tab

1. Deselect Inherit to change the product’s current configuration settings.

2. Choose a response under When a potentially harmful object is found. Your choices are:


• Prompt for user action — Asks you whether to block a harmful object or site, or to permit access to it.

• Deny access to objects — Blocks objects or sites automatically. The scanner’s action is based on information in its database, plus any site information you added.

3. Click Apply to accept your new policy settings.

Alert options

Once you configure the scanner with the response options you want, it can look for and block harmful objects or dangerous Internet sites from your system. However, you can configure the scanner to send you or others an alert message as soon as it finds a harmful object.

1. Select the Alert Options tab.

Figure 5-3. Internet Filter Options — Alert tab

1. Deselect Inherit to change the product’s current configuration settings.

2. Under Network Alerts, select Notify Alert Manager to send alert messages to Alert Manager for distribution.


Alert Manager is a separate McAfee software component, included with most McAfee anti-virus products for servers, such as NetShield for Windows NT and Windows 2000. Alert Manager collects alert messages and uses a variety of methods to send them to recipients that you specify. To have the VirusScan program send these alert messages successfully, you must also set up the Alert Manager Client Configuration utility. To learn how to install and configure the Alert Manager utility, see the Administrator’s Guide for the server product you are using.

You can pass alert messages directly to an Alert Manager server, or you can send alert messages as text (.ALR) files to a Centralized Alerting directory that the Alert Manager server checks periodically.

NOTE: Clearing this checkbox tells the scanner not to send an alert message via Alert Manager, but does not affect other alert messages that you configure in this property page.

3. If you selected Prompt for user action on the Action Options page, you can create a custom notification message, and choose to be notified by means of an audible alert.

• Display custom message — Adds a custom message to the alert box that the scanner displays when it finds an infected file. Enter your message in the text box located directly beneath this checkbox. You can enter a maximum of 250 characters here.

• Sound audible alert — Produces the standard system warning beep or WAV file that you have your computer set to play when the scanner finds an infected file.

IMPORTANT: These options function only if you have selected Prompt for user action in the Action Options page.

4. Click Apply to accept your new policy settings.

Report options

The scanner records how many Java and ActiveX objects it scanned, and how many it blocked, in a log file called WEBFILTR.TXT. This file also records the number of dangerous sites the program kept your browser from visiting.


You can have the module write its log to this default file, or you can specify a different file name in the Log to file text box. The software will automatically create and use the file that you specified. You can open and print the log file for later review. Use the Report tab to designate the file you want to serve as the Internet Filter log, and to determine that file’s permissible size.

The WEBFILTR.TXT file can serve as an important management tool for you to track malicious activity and to note which settings you used to detect and block the harmful objects or sites that the scanner found.

1. Select the Report Options tab on the Internet Filter Options page to display the report options.

Figure 5-4. Internet Filter Options — Report tab

1. Deselect Inherit to change the product’s current configuration settings.

2. Select Log to file to save the log in a file that you specify.

By default, the scanner writes log information to the file WEBFILTR.TXT in the VirusScan program directory. You can enter a different path and file name in the text box. VirusScan creates the file, but the folder in which it is located must already exist. VirusScan does not create the new folder. Click for a list of system variables that you can include in the path.

3. To minimize the log file size, click Limit size of log file to, then enter a value for the file size, in kilobytes, in the text box. If you do not select this checkbox, the log file will continue to grow until your hard disk is full.


Enter a value between 10KB and 999KB. By default, the scanner limits the file size to 100KB. If the data in the log exceeds the file size you set, the scanner truncates the existing log to accommodate the new information.

4. Click Apply to accept your new policy settings.


6 Security Options

To keep the settings you chose for each scanning module safe from unauthorized changes, you can protect any or all module property pages with a password. System administrators can prevent users from disabling the scanner by deselecting System scan can be disabled on the System Scan Detection page (see Step 6 on page 19) and protecting that setting with a password. This combination of actions enforces a strict anti-virus security policy.

Configuring Security properties

1. If you have not already done so, open the ePolicy Orchestrator console, and select the computers for which you are setting policy (see Step 1 and Step 2 on page 15).

2. In the upper details pane, click the next to VirusScan v4.5 for Windows icon. From the expanded list, select Security Options.

Figure 6-1. Security Properties — Password page

1. Deselect Inherit to change the product’s current configuration settings.

2. Select Enable password protection for all property pages.


3. Decide whether to protect the property pages for all modules, or whether to protect individual pages. Your choices are:

• Password-protect all options on all property pages — Password-protects all options on all property pages in all modules. This is the default condition when you select Enable password protection for all property pages.

• Password-protect selected property pages only — Password-protects property pages that you do not deselect. By default, all property pages for all modules are password protected when you select Enable password protection for all property pages. To apply password protection selectively, you must deselect the property pages that you do not want to protect.

• Lets you choose which property pages you want to lock and in which module. The remaining tabs in the Security Properties dialog box let you designate the individual pages in each module.

4. Under Password, enter and confirm a password of up to 20 characters.

5. If you chose Password-protect selected property pages only, select the tab for each module that has property pages you want to protect. The following figure shows the System Scan tab selected. Each System Scan feature is represented by a checkbox.

Figure 6-2. Security Properties dialog box — System Scan page


6. Remove the checkmark from any property page that you do not want to password protect.

7. Select another tab and perform the same operation with respect to each of the modules.

8. Click Apply to accept your new policy settings.


7 Alert Options

Alert Manager is a separate McAfee software component, included with most McAfee anti-virus products for servers, such as NetShield for Windows NT and Windows 2000. Alert Manager collects alert messages and uses a variety of methods to send them to recipients that you specify. To have the VirusScan program send these alert messages successfully, you must also set up the Alert Manager Client Configuration utility. To learn how to install and configure the Alert Manager utility, see the Administrator’s Guide for the server product you are using.

You can pass alert messages directly to an Alert Manager server, or you can send alert messages as text (.ALR) files to a Centralized Alerting directory that the Alert Manager server checks periodically.

VirusScan software includes a simple client configuration utility that allows you to choose the Alert Manager server that you want to receive alert events, or designate a Centralized Alerting directory to receive alert messages. You can also use DMI (Desktop Management Interface) if a DMI client application, such as Hewlett-Packard OpenView, is installed on your local computer and DMI administrative software is running somewhere on your network.

Configuring Alert properties

1. If you have not already done so, open the ePolicy Orchestrator console, and select the computers for which you are setting policy (see Step 1 and Step 2 on page 15).

2. In the upper details pane, click the next to VirusScan v4.5 for Windows icon. From the list, select Alert Options.


Figure 7-1. Alert Options tab

1. Deselect Inherit to change the product’s current configuration settings.

2. By default, alerting is enabled. If you do not want to use this feature, select Disable Alerting. If you want to use the alerting feature, verify that the Disable Alerting checkbox is empty.

3. Select Allow User Changes if you want to permit users to make modifications to the configuration choices you make on this property page.

4. Select Use DMI if you want to use this service, and have the necessary server and client software running on your network.

5. Select the alerting method you want to use. Your choices are:

• Enable Alert Manager alerting — Sends alert events to an Alert Manager server somewhere on your network.

a. By default, on Windows 2000 and Windows XP systems that have Active Directory Services installed, the client utility will use Active Directory lookup to locate a published Alert Manager server. To prevent the client utility from doing so, select Disable Active Directory Lookup (Windows 2000 Only).


b. In the Destination for alerts box, enter the path of the directory that hosts the Alert Manager server you want to use. You can use Universal Naming Convention (UNC) notation, or you can enter just the computer name. The Alert Manager Client Configuration utility will validate the form of the name you enter here, but will not verify that the Alert Manager server exists on the target computer. This allows laptop and other remote users to designate an Alert Manager server even when they are not connected to your network.

or

• Enable Centralized alerting — Sends alert messages to a Centralized Alerting directory somewhere on your network.

a. The scanner sends alert messages as text files with the extension ALR to the target directory. If the target directory contains the CENTALRT.TXT file, any Alert Manager server can be configured to check this directory periodically for ALR files. If it finds one, it extracts the contents of the alert message from the file, distributes the message via one of its pre-configured notification methods, then deletes the ALR file.

b. In the Destination for alerts box, enter the path to the Centralized Alerting directory you want to use.

6. Click Apply to accept your new policy settings.


Section 2

Scheduled Tasks

Chapter 8, “On-Demand Scanning”

Chapter 9, “Updating Virus Definition Files”

Chapter 10, “Mirroring the NAI Update Site”

Chapter 11, “Upgrading the Software”

Chapter 12, “Scheduling Tasks”


8 On-Demand Scanning

Scheduling immediate or future scanning tasks

Three types of tasks can be scheduled:

• On-demand scanning, discussed in this chapter.

NOTE: For information about setting policy for on-access scanning activities, see Chapter 2, “System Scan Options,” starting on page 15.

• Updating of virus definitions (DAT) files, see Chapter 9, “Updating Virus Definition Files,” starting on page 73.

• Creating a mirror of the Network Associates download site for DAT files and scanning engine, see Chapter 10, “Mirroring the NAI Update Site,” starting on page 101.

• Upgrading of McAfee anti-virus software, see Chapter 11, “Upgrading the Software,” starting on page 109.

Configuring on-demand scanning tasks

The on-demand scanning component provides a method for scanning all or parts of a workstation for viruses, at convenient times or at regular intervals. Use it to supplement the continuous protection that the on-access scanner provides, or to schedule regular scan operations when they won’t interfere with ongoing work.

The program does not come with any pre-scheduled scan tasks because the variety of server setups and network environments within which VirusScan runs makes it impossible to anticipate your needs.

1. Open the ePolicy Orchestrator Console. For information on using ePolicy Orchestrator, see the ePolicy Orchestrator Product Guide for version 2.0.

2. Under the ePolicy Orchestrator branch of the Tree, select Directory, then select the hierarchical level that includes the site, group or computer for which you want to schedule on-demand scanning.

NOTE: Scheduled tasks can be run immediately, or at some future time. Scheduled tasks run based on the client's clock time, not the server's.


3. In the upper details pane, select the Tasks tab.

4. Right-click and select Schedule New Task to select a task type and name it.

Figure 8-1. Schedule New Task

5. Enter a descriptive name for the task. All the tasks you create will appear in a catalog available for subsequent reuse or editing.

6. Select VirusScan v4.51 for Windows On-Demand Scan from the list.

7. Click OK. The task name appears in the catalog.

8. Select your new task, then right-click and select Edit Task to open the scheduler.

Figure 8-2. Scheduler — On-Demand Scanner

TIP: You can also open the Scheduler by selecting Schedule Task from the Action menu.

9. Select the Task tab to define the activity you are configuring.


NOTE: The Task tab that appears on the Scheduler does not have the same function as the Tasks tab in the upper details pane. The Task tab allows you to configure a scanning, updating or upgrading event. The Tasks tab is a catalog of already scheduled events.

10. In the Name box, you can change the name of the task by replacing the name you first gave it with a new name.

11. The Software and Task Type boxes display the information you provided when you created the task.

12. Click Settings. The Task Settings dialog box opens, displaying the on-demand scanning options pages, each of which governs an aspect of the on-demand scanning operation. Click each tab to display the corresponding property page and to specify how you want the scanner to perform the operation.

Figure 8-3. On-Demand Scan properties — Detection tab

Choosing detection options

Use the Detection page to define scanning targets and the scope of heuristic scanning.

1. Deselect Inherit to change the product’s current configuration settings.


2. Click the near the top of the Detection page and select a scan target from the list provided. Your choices are:

• My Computer — Scans all drives physically attached to your computer or logically mapped via Windows Explorer to a drive letter on the computer where the task is run.

• All removable media — Scans only floppy disks, CD-ROMs, Iomega ZIP disks, or similar storage devices physically attached to your computer.

• All fixed disks — Scans hard disks physically connected to your computer.

• All network drives — Scans all drives logically mapped via Windows Explorer to a drive letter on your computer.

• Drive or folder — Scans the specified drive or folder.

3. Click Add to include the selected scanning target in the list box.

4. If you selected Drive or folder, an additional text box appears, in which you can type the path of the target drive or folder and specify whether to include subfolders in the scanning activity.

5. Select the Include subfolders checkbox to have the VirusScan application look for viruses in any folders inside your scan target.

NOTE: To remove a target from the list, select it, then click Delete.

6. Specify additional scanning options under What to scan.

• Scan Memory and Scan boot sectors: Boot-sector viruses load themselves into your computer's memory and conceal themselves in the boot blocks or master boot record on your hard drive. To detect those types of viruses, select the Scan Memory and Scan boot sectors checkboxes.

• Select Compressed files to include executable files that were compressed using the following utilities: PkLite, LZexe, MS Compressed, Ice, Cryptcom, Com2Exe, Diet, and Teledisk. If you select All files on this page, every compressed file will be scanned. If you select Program files on this page, the scanner will examine only those compressed file types that appear on the list of extensions.


• Default files — Scans file types that McAfee AVERT (Anti-Virus Emergency Response Team) defines as vulnerable to infection from currently circulating viruses. The list of vulnerable file types is included with the release of updated virus definition (DAT) files. This option is the default selection. If you also select Compressed files, the scanner examines only those compressed file types that are defined in the current DAT files.

• All files — Scans every file regardless of the type of file. If you also select Compressed files, the scanner examines those portions of compressed files that are actually compressed, as well as the portions of the files that are not compressed.

NOTE: McAfee recommends that you choose this option for your first scan operation, and periodically thereafter, to ensure that your system is virus-free. You can then limit the scope of later scan operations.

• User specified files — Scans only those file types that have a file-name extension that appears on the list of extensions. If you also select Compressed files, the scanner examines only those compressed file types that appear on the list of extensions. To see or designate the file name extensions the application examines, click Extensions to open the list of extensions.

Figure 8-4. User specified file extensions

By default, the on-access scanner examines files that have no extensions and files with any of the following extensions:

??_ {?? 001 002 386 3GR ACM ADT AP?
ASD ASP AX? BAT BIN BO? CC? CDR CHM
CLA CMD CNV CO? CP? CSC D?B DAT DEV
DIF DL? DO? DRV EE? EX? FMT FO? GMS
GZ? HDI HLP HT? IM? IN? JS? LIB MB?
MD? MHT MOD MPD MPP MPT MRC MS? OB?
OC? OL? OLE OTM OV? PCI PD? PHP PIF
PLG POT PP? PRC QLB QPW QTC REG RTF
SCR SH? SIS SMM SYS TD0 TGZ TLB TSP
VB? VS? VWP VXD WBK WIZ WP? WRI WS?
X32 XL? XML XSL XTP XX? ZL?

The ? character is a wildcard.

– To add an extension to the list, type its three character designation in the text box and click Add.

– To remove an extension from the list, select it and click Delete.

– To restore the list to its original factory settings, click Default.

NOTE: The scanner can also examine archive files with the following extensions: ARC, ARJ, CAB, LZH, ZIP, RAR, or TAR, and their contents. If you select Clean file on the Action tab, the scanner can clean an infected ZIP file. As in the case of compressed files, if you selected All files, the scanner examines every archive file. If you selected Default files, the scanner examines the archive file types that are specified by the virus definition (DAT) files currently in use. If you selected User specified files, the scanner examines the file types that appear on the list that is visible by clicking Extensions.

7. Select Enable heuristics scanning if you want the scanner to recognize new viruses based on their resemblance to similar viruses that the scanner already recognizes.

To do this, the scanner looks for certain “virus-like” characteristics in the files you’ve asked it to scan. The presence of a sufficient number of these characteristics in a file leads the module to identify the file as potentially infected with a new or previously unidentified virus.

Because the scanner looks simultaneously for file characteristics that rule out the possibility of virus infection, it will rarely give you a false indication of a virus infection. Therefore, unless you know that the file does not contain a virus, you should treat “potential” infections with the same caution as you would confirmed infections.

8. The scanner starts out without any active heuristic scan options. To activate heuristics scanning, select the type of heuristic scanning you want to do. Under Heuristics scan settings select one of the following options:


• Enable macro heuristics scanning. — Identifies Microsoft Word, Microsoft Excel, and other Microsoft Office files that contain embedded macros, then compares the macro code to its virus definitions database. The utility identifies exact matches with the virus name. If it finds code signatures that resemble existing viruses, it will inform you that it has found a potential macro virus.

• Enable program file heuristics scanning. — Identifies new viruses in program files by examining file characteristics and comparing them against a list of known virus characteristics. Files with a sufficient number of these characteristics are considered potentially infected.

• Enable macro and program file heuristics scanning. — Enables both macro heuristics scanning and program file heuristics scanning. McAfee recommends that you use this option.

NOTE: Heuristic scanning techniques will be applied to the file types that you have included in scanning activities — either all files, or only those files that have an extension that appears on the list of extensions.

9. Click Apply to accept your new policy settings.
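
The default extension list and its ? wildcard, described under What to scan above, can be checked against a file inventory to see which names fall outside the list. The following Python code is an added example, not part of the guide or of VirusScan; it assumes that ? stands for exactly one character and that matching is case-insensitive (the guide says only that ? is a wildcard), and the inventory is constructed.

```python
"""Check which file names fall inside the guide's default extension list."""

# Extension patterns exactly as printed in the guide; "?" is a wildcard.
DEFAULT_EXTENSIONS = """
??_ {?? 001 002 386 3GR ACM ADT AP?
ASD ASP AX? BAT BIN BO? CC? CDR CHM
CLA CMD CNV CO? CP? CSC D?B DAT DEV
DIF DL? DO? DRV EE? EX? FMT FO? GMS
GZ? HDI HLP HT? IM? IN? JS? LIB MB?
MD? MHT MOD MPD MPP MPT MRC MS? OB?
OC? OL? OLE OTM OV? PCI PD? PHP PIF
PLG POT PP? PRC QLB QPW QTC REG RTF
SCR SH? SIS SMM SYS TD0 TGZ TLB TSP
VB? VS? VWP VXD WBK WIZ WP? WRI WS?
X32 XL? XML XSL XTP XX? ZL?
""".split()


def extension_of(path):
    """Return the upper-cased text after the last dot of the file name, or ""."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].upper()


def pattern_matches(pattern, ext):
    """ASSUMPTION: "?" matches exactly one character; the rest match literally."""
    pattern = pattern.upper()
    return len(pattern) == len(ext) and all(
        p == "?" or p == c for p, c in zip(pattern, ext)
    )


def in_scan_list(path, patterns=DEFAULT_EXTENSIONS):
    """True if the file has no extension or its extension matches a pattern."""
    ext = extension_of(path)
    if not ext:
        return True  # per the guide, files that have no extensions are examined
    return any(pattern_matches(p, ext) for p in patterns)


def coverage_report(paths, patterns=DEFAULT_EXTENSIONS):
    """Split an inventory into names inside and outside the extension list."""
    report = {"listed": [], "unlisted": []}
    for path in paths:
        key = "listed" if in_scan_list(path, patterns) else "unlisted"
        report[key].append(path)
    return report


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = [
    r"C:\WINNT\system32\drivers\example.sys",
    r"C:\Temp\SETUP.EX_",
    r"C:\Docs\budget.xls",
    r"C:\Docs\budget.xlsx",
    r"C:\Docs\README",
    r"C:\Web\index.htm",
    r"C:\Web\index.html",
    r"C:\Mail\invoice.pdf.exe",
    r"C:\Pictures\photo.jpg",
]

if __name__ == "__main__":
    result = coverage_report(SAMPLE_INVENTORY)
    for key in ("listed", "unlisted"):
        print(key)
        for path in result[key]:
            print("   ", path)
```

Under the stated wildcard assumption, names in the unlisted group are covered only when All files is selected or after their extensions are added through Extensions.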

Action options

When the scanner detects a virus, it can respond by automatically taking an action that you set in advance. Use the Action tab to specify the action that you want the scanner to take when it finds a virus.

1. Select the Action tab.


Figure 8-5. On-Demand Scan properties — Action tab

2. Deselect Inherit to change the product’s current configuration settings.

3. Choose a response from the When a virus is found list. Your choices are:

• Move infected files automatically — Moves infected files to a quarantine folder as soon as the scanner finds them.

The default name of the quarantine folder is INFECTED, and it is located in the root of the drive being scanned. You can enter a different name in the text box. Click for a list of system variables that you can include in the path.

• Clean infected files automatically — Removes the virus code from the infected file as soon as the scanner finds it. If the scanner cannot remove the virus, it will note the incident in its log file.

• Delete infected files automatically — Immediately deletes every infected file the scanner finds. Be sure to enable its reporting feature so that you have a record of the files the application deleted. You will need to restore deleted files from backup copies. If the scanner cannot delete an infected file, it will note the incident in its log file.


• Continue scanning — Does not interfere with the scanning activity in progress. Use this option if you plan to leave your computer unattended while the scanning activity is in progress. If you activate the reporting feature, the scanner will record the names of any viruses it finds, and the names of infected files so that you can delete them at your next opportunity.

4. Click OK when you have finished configuring the task.

Choosing alert options

If you want immediate notification that the on-demand scanner has found a virus and acted upon it based on your Action options, you must be running Alert Manager on your network.

1. Select the Alert tab.

Figure 8-6. On-Demand Scan properties — Alert tab

2. Deselect Inherit to change the product’s current configuration settings.

3. Select Notify Alert Manager to have the scanner send alert messages to Alert Manager for distribution.


Alert Manager is a separate McAfee software component, included with most McAfee anti-virus products for servers, such as NetShield for Windows NT and Windows 2000. Alert Manager collects alert messages and uses a variety of methods to send them to recipients that you specify. To have the VirusScan program send these alert messages successfully, you must also set up the Alert Manager Client Configuration utility. To learn how to install and configure the Alert Manager utility, see the Administrator’s Guide for the server product you are using.

You can pass alert messages directly to an Alert Manager server, or you can send alert messages as text (.ALR) files to a Centralized Alerting directory that the Alert Manager server checks periodically.

4. Click OK when you have finished configuring the task.

Choosing report options

The on-demand scanner lists its current settings and summarizes all of the actions it takes during its scan operations in a log file called VSCLOG.TXT. You can specify a different file name in the Log to File text box. You can open and print the log file for later review. Use the Reports tab to detail the contents of the log file.

1. Select the Report tab.

Figure 8-7. On-Demand Scan properties — Report tab


2. Deselect Inherit to change the product’s current configuration settings.

3. Select the Log to file checkbox.

By default, the VirusScan application writes log information to the file VSCLOG.TXT in the VirusScan program directory. You can enter a different name in the text box provided. You may use a different file, but the text file must already exist. The application will not create a new file.

4. To minimize the log file size, click Limit size of log file to, then enter a value for the file size, in kilobytes, in the text box. If you do not select this checkbox, the log file will continue to grow until your hard disk is full.

Enter a value between 10KB and 999KB. By default, the scanner limits the file size to 100KB. If the data in the log exceeds the file size you set, the scanner erases the existing log and begins again from the point at which it left off.

5. Select the checkboxes that correspond to the information you want the scanner to record in its log file. Each checkbox you select here causes the scanner to record this information, usually when the scan operation ends, or when you shut your system down:

• Virus detection — Lists the infected files that the scanner found in each scan operation.

• Virus cleaning — Lists the infected files that the scanner cleans—or tries to clean—during each scan operation.

• Infected file deletion — Lists the infected files that the scanner deletes during each scan operation.

• Infected file move. — Lists the infected files that the scanner moves to a quarantine folder during each scan operation.

• Session settings — Records the scanner’s configuration settings.

• Session summary — Summarizes the actions that the scanner took. The log will record:

– The number of files examined.

– The number of infected files that were cleaned.

– The number of infected files that were deleted.

– The number of infected files that were moved to a quarantine folder.

– Your scanner settings.

• Date and time — Records the date and time at which the scanner found an infection.


• User name — Records the name of the user logged into the workstation when the scanner found an infection.

6. Click OK when you have finished configuring the task.

Choosing exclusion options

Use this option if you want the scanner to ignore entire disks, folders, or individual files that you know cannot become infected.

Each entry in the exclusion list displays the item and notes whether the module will also exclude any nested folders within the target.

NOTE: By default, the scanner does not examine the contents of the Restore folder on Windows XP or Windows Millennium systems.

1. Click the Exclusion tab.

Figure 8-8. On-Demand Scan properties — Exclusion tab

2. Deselect Inherit to change the product’s current configuration settings.

3. Specify the items you want to exclude. You can:

• Add files or folders to the exclusion list. Click Add to open the Add Exclusion Item dialog box.


Figure 8-9. Add Exclusion Item

Next, follow these substeps to add items to the list:

a. Select Enter a file name to exclude or Enter a folder name to exclude.

b. Enter the path of the folder or file in the text box that corresponds to your selection. Click for a list of system variables that you can include in the path.

c. Select the Include subfolders checkbox to tell the module to ignore files stored in any subfolders within the folder you specified in Step b.

NOTE: If you select this option, the scanner will not examine the files or the subfolders that are located within the target folder.

If you deselect this option, the scanner will examine the subfolders but not the files that are located within the target folder.

This feature is useful in situations where a folder contains a number of sensitive files that you do not want to scan. An alternative approach to achieving the same result would involve specifying individually each of the files that you want to exclude. You can specify up to eight exclusions.

• Change the exclusion list. To change the settings for an excluded item, select it in the Exclusions list, then click Edit to open the Add Exclusion Item dialog box. Make the changes you need, then click OK to close the dialog box.

• Remove an item from the list. To delete an excluded item, select it in the list, then click Remove. This means that the scanner will examine this file or folder during this scan session.


4. Click OK when you have finished configuring the task.

Setting a schedule for an on-demand scanning task

Set a schedule for the on-demand scanning task that you have configured. See Chapter 12, “Scheduling Tasks,” starting on page 115.


9 Updating Virus Definition Files

Overview

To function efficiently, the VirusScan software needs regular updates of its virus definition data files (DAT files). Without updated files, VirusScan might not detect new virus strains or respond to them effectively. New viruses appear at the rate of more than 100 per week. Updating your virus definition files at least this often can prevent unpleasant surprises.

Virus definition files appear on the Network Associates FTP site at ftp.nai.com/virusdefs/4.x. The site includes three types of DAT files:

• Ordinary DAT files, labeled DAT-XXXX.ZIP where XXXX is a series number that changes with each DAT file release.

• SuperDAT files, labeled SDATXXXX.EXE. SuperDAT is a utility that updates your DAT files to the version represented by XXXX, and also upgrades your scanning engine if the engine on the Network Associates site is newer than the one currently in use on your computer.

• Incremental DAT files, labeled XXXXXXXX.UPD. Incremental DAT files are the files released between the DAT files now in use on your system and the most current DAT files available. Here, the first four X characters represent the DAT version now in use on your computer. The second four X characters represent the most current DAT files available.

The FTP site also contains two INI files. AutoUpdate uses these files to choose the most efficient update pattern based on the scope of updating required and on your AutoUpdate configuration choices. The update patterns include:

• Replacing all the DAT files currently in use, but not upgrading the scanning engine.

• Replacing all the DAT files, and simultaneously upgrading the scanning engine.

• Inserting only the incremental changes required to make your system current.

The INI files are:

• UPDATE.INI, which lists the current DAT files and engine available on the Network Associates FTP site. AutoUpdate reads this file to determine its updating objectives and the files available.

• DELTA.INI, which lists the incremental DAT files available to fill the gap between the files now in use and the most current files.

The Automatic DAT Update utility downloads the necessary files, stops the on-access scanner, installs the revised files, then restarts the on-access scanner. The scanner then uses the revised files immediately.

This release includes an interface for creating a mirror of the Network Associates FTP site. The new mirroring function is described in Chapter 10, “Mirroring the NAI Update Site,” starting on page 101.

If you plan to use a mirror site on your network, you must:

• Configure the AutoUpdate and Mirroring tasks. The order in which you configure these tasks is not important.

• Schedule the AutoUpdate and Mirroring tasks to run at convenient times. To ensure that AutoUpdate selects the current DAT files, it is essential that the Mirroring task run first, and that it be completed before the AutoUpdating task begins. See Chapter 12, “Scheduling Tasks,” starting on page 115.

Configuring automatic DAT updates

1. If you have not already done so, open the ePolicy Orchestrator console, and select the computers for which you are defining a task. (See Step 1 on page 73 through Step 5 on page 74.)

2. Select VirusScan v4.51 for Windows AutoUpdate from the list.

3. Click OK. The task name appears in the catalog.

4. Select your new task, then right-click and select Edit Task to open the scheduler.

Figure 9-1. Scheduler — AutoUpdate

TIP: You can also open the Scheduler by selecting Schedule Task from the Action menu.

5. Select the Task tab to define the activity you are configuring.

NOTE: The Task tab that appears on the Scheduler does not have the same function as the Tasks tab in the upper details pane. The Task tab allows you to configure a scanning, updating or upgrading event. The Tasks tab is a catalog of already scheduled events.

6. In the Name box, you can change the name of the task by replacing the name you first gave it with a new name.

7. The Software and Task Type boxes display the information you provided when you created the task.

8. Click Settings. The Task Settings dialog box opens, displaying the AutoUpdate options pages, each of which governs an aspect of the updating. Click each tab to display the corresponding property page and to specify how you want AutoUpdate to perform the operation.

Figure 9-2. AutoUpdate Options — Update tab

Defining update sites

You can designate a maximum of 16 uniquely named locations from which your workstations can download the DAT files and scanning engine.

1. Deselect Inherit to change the product’s current configuration settings.

2. Click Add to open the Site Options page. By default, FTP Site is selected as the source of the update files. You can choose UNC or Local paths as alternatives to FTP.

Figure 9-3. AutoUpdate Site Options

3. Select a file retrieval method. For detailed information, see:

• “Configuring an FTP site,” starting on page 91.

• “Configuring a UNC path,” starting on page 92.

• “Configuring a local path” on page 93.

The order in which the sites are listed on the AutoUpdate Update tab is the order in which AutoUpdate accesses them.

IMPORTANT: Typically, the update sites that appear in the list are replicas of the Network Associates FTP site. The replication is created using the mirroring function, which allows a server to download files from a source location specified in the Mirror utility. See Chapter 10, “Mirroring the NAI Update Site,” starting on page 101.

Configuring an FTP site

1. Enter a name for the site that you are defining, and select Enable site. Click for a list of system variables that you can include in the site name.

2. Enter the URL of the FTP server and the directory containing the file or files. For example, if the source is the Network Associates FTP site, enter ftp.nai.com/virusdefs/4.x. If the source is a server on your network to which you have copied the DAT files, enter server.com/install. Click for a list of system variables that you can include in the URL.

IMPORTANT: The Automatic DAT Update task expects to find new DAT files in their original ZIP archives and with their original file names. If you save the new files on a central server so that other servers can download them, be sure that you do not extract the files or rename them.

3. Select passive or active FTP.

• The default connection is passive FTP, where the client opens both the command session and the data session. As a result, a firewall is unlikely to interfere with the transmission, as can happen with active FTP.

• To use an active FTP connection, deselect this checkbox.

4. Supply user credentials.

• If the FTP location accepts anonymous logins (like the Network Associates FTP site), select Use Anonymous FTP Login.

• If the FTP location requires login credentials, deselect Use Anonymous FTP Login, then enter the User Name and Password required for access to the server.

5. Supply proxy information.

• If your network requires a proxy server, select Use Proxy Server, then enter the name of the proxy server and the port it uses.

• If you are using proxy software, be certain that you have the most current version, including any service packs.

6. Click OK when you have finished making your selections.

Configuring a UNC path

1. Enter a name for the site that you are defining, and select Enable site. Click for a list of system variables that you can include in the site name.

2. Select UNC Path.

3. Using UNC notation (\\servername\path), enter the path of the site where the update files are located.

NOTE: In order to copy files from a Novell NetWare server, you must first create a login user on the NetWare server with read-only rights to the folder that contains the update files.

4. Supply user credentials.

• In the User Name field, enter the user name for an account that has access to the UNC site.

• If the user has rights to the resources in a particular domain that includes the server that contains the update files, enter the name of the domain in the Domain or Server field.

• If the user has rights only to the particular server that contains the update files, but not to other resources in the server’s domain, enter the name of the server in the Domain or Server field.

• Enter and then re-enter the password required for access to the UNC shared folder.

NOTE: Click for a list of system variables that you can include in the User Name or Domain or Server fields.

5. Click OK when you have finished making your selections.

Configuring a local path

1. Enter a name for the site that you are defining, and select Enable site.

2. Select Local Path.

3. Enter the path of the local folder (for example, C:\DATS\).

4. Click OK when you have finished making your selections.

Configuring advanced update options

1. Click the Advanced tab.

Figure 9-4. AutoUpdate Options — Advanced tab

2. Select one or more of the available choices:

• Backup the existing virus definition (DAT) files — Renames existing DAT files before installing new files. To rename each file, the utility appends the extension SAV to the existing file name and extension. For example, CLEAN.DAT becomes CLEAN.DAT.SAV.

• Update scanning engine if new scanning engine exists — Replaces the scanning engine you are currently using with a more recent one, if one exists.

• Force-Update DAT files and scanning engine. Select this checkbox:

– To downgrade the current DAT files or engine to an earlier version that you have preserved. You might want to take this action as a temporary step if the newer DAT files or engine are not behaving as expected.

– If the current DAT files on a particular workstation have been corrupted or rendered ineffective because an essential file, such as CLEAN.DAT, has been deleted.

TIP: To force an update of the DAT files without updating the engine, select Force-Update the DAT files and scanning engine, and deselect Update scanning engine if newer scanning engine exists.

• Run a Program after a successful Update — Starts another program after running AutoUpdate. You might want to use this option, for example, to start an e-mail client program or a network message utility that notifies a system administrator that the update operation has run.

Next, enter only the file name for the executable that you want to run. Do not enter the entire path of the executable. The executable must be located in the same folder as MCUPDATE.EXE.

• Only run if the update completes successfully — If you want the program to run only after the DAT files have been updated successfully, select this checkbox. If you do not select this checkbox, the program runs after every attempt by AutoUpdate to update the DAT files, whether successful or not.

3. Click OK when you have finished configuring the task.

Configuring reporting options

AutoUpdate summarizes the actions it takes in a log file called UPDATE.TXT.

1. Select the Report tab.

Figure 9-5. AutoUpdate Options — Report tab

2. Select the Log to file checkbox.

By default, AutoUpdate writes log information to the file UPDATE.TXT in the VirusScan program directory. You can enter a different path and file name in the text box. AutoUpdate creates the file, but the folder in which it is located must already exist. AutoUpdate does not create the new folder.

3. To minimize the log file size, click Limit size of log file to, then enter a value for the file size, in kilobytes, in the text box. If you do not select this checkbox, the log file will continue to grow until your hard disk is full.

Enter a value between 10KB and 32767KB. By default, the scanner limits the file size to 1024KB. If the data in the log exceeds the file size you set, the scanner truncates the existing log to accommodate the new information.

4. Select Enable verbose logging if you want the log to report every step in a procedure. If you do not select this option, the log will report only the start and stop or end of a procedure. Verbose logging can greatly expand the size of your log file. However, it is especially useful when troubleshooting.

5. Click OK when you have finished configuring the task.

Setting a schedule for AutoUpdate

Set a schedule for the AutoUpdate task that you have configured. See Chapter 12, “Scheduling Tasks,” starting on page 115.

Deploying an EXTRA.DAT file

The McAfee AVERT research organization sometimes provides EXTRA.DAT files to combat high-risk viruses between regular DAT and SuperDAT releases. In ordinary circumstances, McAfee researchers publish these files when they determine that these situations warrant one:

• A virus presents a “medium on-watch,” “high” risk threat of infection, or “high” risk outbreak situation. To learn about what constitutes a medium on-watch or high risk, or to learn about McAfee AVERT risk assessment in general, visit the AVERT website at:

http://www.mcafeeb2b.com/asp_set/anti_virus/alerts/ara.asp

• A high-prevalence virus threatens an outbreak situation.

When AVERT publishes an EXTRA.DAT file, they announce its availability and a location where you can download the file. If you subscribe to the Enterprise SecureCast update service, you can receive all such alert messages.

Independently of the weekly DAT update

The procedure for deploying EXTRA.DAT independently of the weekly DAT updates is a six-step process:

1. Download EXTRA.DAT from the location designated in the AVERT announcement.

2. Place EXTRA.DAT in the following location on all client machines:

<drive>:\Program Files\Common Files\McAfee\VirusScan Engine\4.0.xx\

This is the location where the scanner is programmed to look for EXTRA.DAT.

3. Disable the on-access scanner temporarily. To do so:

• Select a target Directory in the ePolicy Orchestrator console tree.

• Deselect Enable On-Access Scan on the scanner’s Detection tab (see Figure 2-1 on page 16), and click Apply. This new policy will allow the scanner to stop operating while EXTRA.DAT is installing itself.

4. Perform an agent wakeup call so that the agent enforces the new policy, and the scanner stops. To do so:

• Verify that the target Directory is still selected in the Directory.

• Right-click and select Agent Wakeup Call.

• Configure the agent wakeup call. See Agent Wakeup Call in the ePolicy Orchestrator administrator’s guide for detailed information.

5. Re-enable the on-access scanner. To do so, select Enable On-Access Scan on the System Scan Detection tab, and click Apply. This resets the policy for the scanner.

6. Repeat step 4. This second agent wakeup call enforces the new policy and the scanner restarts.

With the weekly DAT update

You can also add an EXTRA.DAT file to the ZIP file that contains the weekly updates. When you then run AutoUpdate, EXTRA.DAT is deployed with the other contents of the ZIP file. The following procedure uses the example of a weekly update file named DAT-4085. Substitute the number of the DATs you are currently installing.

To deploy EXTRA.DAT with a weekly DAT file, follow these steps:

1. Select the Advanced tab on the AutoUpdate property pages. For information on navigating to this tab, see “Configuring automatic DAT updates” on pages 88 to 95.

2. Select Force-update DAT files. This will ensure that all DAT files are included in the update activity.

3. Deselect Update scanning engine if newer scanning engine exists.

4. Add EXTRA.DAT to the weekly ZIP file containing the DATs. To do so:

a. Place DAT-4085.ZIP and EXTRA.DAT in the same folder.

b. Create a new archive that contains the two files. If you are using the command line version of PKZip, you can use the command line:

pkzip dat-4085.zip extra.dat

If you are using a Windows-enabled version of PKZip such as Winzip or Pkzip32, you can double-click the DAT-4085.ZIP file and then drag-and-drop the EXTRA.DAT file into the package. Close and save the archive to complete this operation.

5. Edit the UPDATE.INI file so that the file size and Checksum entries for the new archive correspond to the actual values that resulted from the addition of the EXTRA.DAT file to the DAT-4085.ZIP file.

NOTE: UPDATE.INI is located in the folder on the FTP site where you found DAT-4085.ZIP.

You must have the McAfee VALIDATE program in order to retrieve this information. If VALIDATE.EXE is in your Windows directory or path, you can determine the new file size and checksum by typing the following at the command line:

validate dat-4085.zip

The output from that command includes the file size and Checksum for the original DAT file plus EXTRA.DAT. The output is:

Validate v3.0.1

(c)1994-1999 Network Associates, Inc. and its Affiliated Companies.

All Rights Reserved.

Directory of C:\BLD\BUILDS\DATS

DAT-4085 ZIP 1707954 04-26-00 4:07a 9120 9B2F dat-4085.zip

1 file(s) were validated

6. In the UPDATE.INI file, change the FileSize and Checksum fields to match the information in the output described in Step 2, above. To do so, use a text editor, open the file UPDATE.INI, and edit it, as follows:

Original text:

[ZIP]
EngineVersion=0
DATVersion=4085
FileName=dat-4085.zip
FileSize=1707214
Checksum=42BE,D02E

Edited text:

[ZIP]
EngineVersion=0
DATVersion=4085
FileName=dat-4085.zip
FileSize=1707954
Checksum=9120,9B2F
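
Steps 5 and 6 can be scripted so that the values are copied from the VALIDATE output rather than retyped, and so that a stale UPDATE.INI entry is noticed before the file goes back on the update site. The Python below is an added example, not part of this guide or of any McAfee tool; it assumes VALIDATE prints its entry line in the layout shown above, and the function names and the [CONSTRUCTED] section are hypothetical.

```python
import re

# One entry line of VALIDATE output, in the layout printed in this guide:
# name, extension, size in bytes, date, time, two 4-digit hex values, file name.
VALIDATE_LINE = re.compile(
    r"^\S+\s+\S+\s+(?P<size>\d+)\s+\d{2}-\d{2}-\d{2}\s+\d{1,2}:\d{2}[ap]\s+"
    r"(?P<c1>[0-9A-Fa-f]{4})\s+(?P<c2>[0-9A-Fa-f]{4})\s+(?P<name>\S+)$"
)

# VALIDATE output as reproduced in the guide.
SAMPLE_VALIDATE = r"""Validate v3.0.1
(c)1994-1999 Network Associates, Inc. and its Affiliated Companies.
All Rights Reserved.
Directory of C:\BLD\BUILDS\DATS
DAT-4085 ZIP 1707954 04-26-00 4:07a 9120 9B2F dat-4085.zip
1 file(s) were validated
"""

# [ZIP] is the guide's "original text"; [CONSTRUCTED] is made up for this
# example to show that other sections are left alone.
ORIGINAL_INI = """[ZIP]
EngineVersion=0
DATVersion=4085
FileName=dat-4085.zip
FileSize=1707214
Checksum=42BE,D02E

[CONSTRUCTED]
FileName=placeholder.bin
FileSize=42
"""


def parse_validate(output, filename):
    """Return (size, 'XXXX,XXXX') for `filename` from VALIDATE's output."""
    for line in output.splitlines():
        m = VALIDATE_LINE.match(line.strip())
        if m and m.group("name").lower() == filename.lower():
            pair = (m.group("c1") + "," + m.group("c2")).upper()
            return int(m.group("size")), pair
    raise ValueError("no VALIDATE entry for " + filename)


def read_section(lines, section):
    """Map lower-cased key -> (line index, value) for one INI section."""
    entries, inside, found = {}, False, False
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            inside = s[1:-1].lower() == section.lower()
            found = found or inside
            continue
        key, sep, value = s.partition("=")
        if inside and sep:
            entries[key.strip().lower()] = (i, value.strip())
    if not found:
        raise KeyError("section [%s] not found" % section)
    return entries


def mismatches(ini_text, section, filename, size, checksum):
    """List the fields of the section that disagree with the measured values."""
    entries = read_section(ini_text.splitlines(), section)
    expected = {"filename": filename, "filesize": str(size), "checksum": checksum}
    return [key for key, want in expected.items()
            if entries.get(key, (None, ""))[1].lower() != want.lower()]


def update_ini(ini_text, section, filename, size, checksum):
    """Rewrite FileSize and Checksum in `section`; every other line is kept."""
    lines = ini_text.splitlines()
    entries = read_section(lines, section)
    if entries.get("filename", (None, ""))[1].lower() != filename.lower():
        raise ValueError("section [%s] does not describe %s" % (section, filename))
    for key, value in (("FileSize", str(size)), ("Checksum", checksum)):
        if key.lower() not in entries:
            raise KeyError(key + " missing from [" + section + "]")
        lines[entries[key.lower()][0]] = key + "=" + value
    # Lines are rejoined with "\n"; write the result with the line endings
    # the original file used.
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    size, checksum = parse_validate(SAMPLE_VALIDATE, "dat-4085.zip")
    print("stale fields:", mismatches(ORIGINAL_INI, "ZIP", "dat-4085.zip", size, checksum))
    print(update_ini(ORIGINAL_INI, "ZIP", "dat-4085.zip", size, checksum))
```

Running `mismatches` against the UPDATE.INI on each mirror after repackaging confirms that the published FileSize and Checksum still describe the archive that is actually there.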

10 Mirroring the NAI Update Site

Overview

This chapter describes a new interface for creating a mirror image of the Network Associates FTP update site on your network. Ordinarily, setting up a mirror site is the responsibility of the network administrator. End-users may be responsible for configuring AutoUpdate, but are not usually in a position to configure the mirroring task.

In relatively small networks where every computer has unlimited access to the Internet, each computer can retrieve the update files directly from the Network Associates FTP site. However, such an approach is impractical in situations where some computers do not have access to the Internet, and inefficient in situations where many computers are downloading files from a remote, external source, such as the Network Associates FTP site.

This release of VirusScan allows an alternative approach for larger networks, including those managed by ePolicy Orchestrator software. This approach involves creating one or more mirror sites on your network. Each mirror site replicates the Network Associates FTP site that contains the DAT files. Computers on your network then download the files from a mirror site. This approach is practical because you can update any computer on your network, whether or not it has Internet access, and efficient because your workstations are communicating with a server that is probably closer than a Network Associates FTP server, thus economizing access and download time.

The Mirror utility incorporates the functionality previously available in the AutoUpdate option, Retrieve update but save for later usage.

If you plan to use mirror sites on your network, you must:

• Configure the AutoUpdate and Mirroring tasks. The order in which you configure these tasks is not important.

• Schedule the AutoUpdate and Mirroring tasks to run at convenient times. To ensure that AutoUpdate selects the current DAT files, it is essential that the Mirroring task run first, and that it be completed before the AutoUpdating task begins.

Configuring the Mirroring task

There are four parts to configuring the Mirroring task:

• “Opening the Mirror utility.” See below for information.

• “Defining mirror source sites.” For information, see page 103.

• “Defining the destination folder.” For information, see page 107.

• “Configuring reporting options.” For information, see page 108.

Opening the Mirror utility

1. If you have not already done so, open the ePolicy Orchestrator console, and select the computers for which you are defining a task. (See Step 1 on page 73 through Step 5 on page 74.)

2. Select VirusScan v4.51 for Windows Mirror AutoUpdate Site from the list.

3. Click OK. The task name appears in the catalog.

4. Select your new task, then right-click and select Edit Task to open the scheduler.

Figure 10-1. Scheduler — Mirror

TIP: You can also open the Scheduler by selecting Schedule Task from the Action menu.

5. Select the Task tab to define the activity you are configuring.

NOTE: The Task tab that appears on the Scheduler does not have the same function as the Tasks tab in the upper details pane. The Task tab allows you to configure a scanning, updating or upgrading event. The Tasks tab is a catalog of already scheduled events.

6. In the Name box, you can change the name of the task by replacing the name you first gave it with a new name.

7. The Software and Task Type boxes display the information you provided when you created the task.

8. Click Settings. The Task Settings dialog box opens, displaying the AutoUpdate options pages, each of which governs an aspect of the updating. Click each tab to display the corresponding property page and to specify how you want AutoUpdate to perform the operation.

Figure 10-2. Mirror Options — Source Sites tab

Defining mirror source sites

You can define a maximum of 16 uniquely named locations from which your designated mirror server can download the DAT files and scanning engine.

1. Deselect Inherit to change the product’s current configuration settings.

2. Click Add. The Site Options tab opens.

Figure 10-3. Mirror Options — Site Options tab

3. Select a file retrieval method. For detailed information, see:

• “Configuring an FTP site,” starting on page 104.

• “Configuring a UNC path,” starting on page 105.

• “Configuring a local path” on page 106.

The order in which the sites are listed on the Mirror Source Sites tab is the order in which the Mirroring utility accesses them.

Configuring an FTP site

1. Enter a name for the site that you are defining, and select Enable site. Click for a list of system variables that you can include in the site name.

2. Enter the URL of the FTP server and the directory containing the file or files. For example, if the source is the Network Associates FTP site, enter ftp.nai.com/virusdefs/4.x. If the source is a server on your network to which you have copied the DAT files, enter ftp.myserver.com/install. Click for a list of system variables that you can include in the URL.

IMPORTANT: The Automatic DAT Update task expects to find new DAT files in their original ZIP archives and with their original file names. If you save the new files on a central server so that other servers can download them, be sure that you do not extract the files or rename them.

3. Select passive or active FTP.

• The default connection is passive FTP, where the client opens both the command session and the data session. As a result, a firewall is unlikely to interfere with the transmission, as can happen with active FTP.

• To use an active FTP connection, deselect this checkbox.

4. Supply user credentials.

• If the FTP location accepts anonymous logins (like the Network Associates FTP site), select Use Anonymous FTP Login.

• If the FTP location requires login credentials, deselect Use Anonymous FTP Login, then enter the User Name and Password required for access to the server.

5. Supply proxy information.

• If your network requires a proxy server, select Use Proxy Server, then enter the name of the proxy server and the port it uses.

• If you are using proxy software, be certain that you have the most current version, including any service packs.

6. Click OK when you have finished making your selections.

Configuring a UNC path

1. Enter a name for the site that you are defining, and select Enable site. Click for a list of system variables that you can include in the site name.

2. Select UNC Path.

3. Using UNC notation (\\servername\path), enter the path of the site where the update files are located.

NOTE: In order to copy files from a Novell NetWare server, you must first create a login user on the NetWare server with read-only rights to the folder that contains the update files.

4. Supply user credentials.

• In the User Name field, enter the user name for an account that has access to the UNC site.

• If the user has rights to the resources in a particular domain that includes the server that contains the update files, enter the name of the domain in the Domain or Server field.

• If the user has rights only to the particular server that contains the update files, but not to other resources in the server’s domain, enter the name of the server in the Domain or Server field.

• Enter and then re-enter the password required for access to the UNC shared folder.

NOTE: Click for a list of system variables that you can include in the User Name or Domain or Server fields.

5. Click OK when you have finished making your selections.

Configuring a local path

1. Enter a name for the site that you are defining, and select Enable site.

2. Select Local Path.

3. Enter the path of the local folder (for example, C:\DATS\).

4. Click OK when you have finished making your selections.

Defining the destination folder

Specify the local path of the folder that will contain the update files:

1. Select the Destination tab.

Figure 10-4. Mirror Options — Destination tab

The Destination tab lets you designate the path of a local folder where the Mirror utility deposits the DAT files that it retrieves from a designated site (listed on the Source Sites page). Files are retrieved only if they are either:

• New files that do not yet exist in the destination folder.

• Newer than files with the same name already present in the destination folder.

2. Repeat the configuration procedure for each mirror server that you want to define.

IMPORTANT: If the destination is not on the local computer, it should be on a mapped network drive. Because mapped network drives are available only when a user is logged on to the system, the Mirror task cannot run successfully unless a user is logged on at the time the task is scheduled to run. Alternatively, the destination might be a NullSessionShare folder. However, this approach can compromise network security. See the IMPORTANT note on page 112.

3. Click OK when you have finished configuring the task.

Configuring reporting options

You can set up a logging file to record the mirroring events:

1. Select the Log Activity tab to enable and configure the logging function.

2. Verify that Log to file is selected to enable the logging function.

• The name of the log file is Mirror.TXT. Its default path is:

<drive>:\Program Files\Network Associates\VirusScan\

• If you prefer, you can enter a different name or path.

3. Specify the size of the log file.

• The maximum size for the log file is set to 1,024KB (1MB). Enter any value between 10KB and 32,767KB.

• If the data in the log exceeds the file size you set, the oldest 20% of the log text is deleted to make room for new information. If you place no size restriction on the log file, you run the risk of it consuming all available space on the drive where it is located.

4. Specify the scope of the logging.

• Select Enable verbose logging to log every step in a procedure.

• Deselect this checkbox if you want to log only the starting and stopping of the task.

5. Click OK when you have finished configuring the task.

108 VirusScan software version 4.5.1

Page 109: for use with ePolicy Orchestratordownloadcenter.mcafee.com/.../version_4.51sp1/vsc451cg.pdf · 2002-05-10 · Phone +1-888-VIRUS NO or +1-888-847-8766 Monday – Friday, 8 a.m. –

11 Upgrading the Software

Configuring automatic product upgrade options

Network Associates revises the VirusScan software frequently to add new detection and repair capabilities, new features for manageability and flexibility, and other enhancements that make it a better anti-virus security tool. In addition, McAfee introduces enhancements to the scan engine, separate from the more general upgrades of the program.

NOTE: Users who are running version 1.2 of SuperDAT are able to use the Automatic Upgrade feature to download and distribute upgrades to the scan engine.

The Automatic Product Upgrade utility is designed specifically to look for and download these new versions as they become available. It connects automatically to a central server on your network or to a designated FTP site, downloads the new files, extracts and verifies them, backs up the existing files, then begins installing the new files. After the utility finishes, it restarts all the required services and resumes its scan operations. By default, the utility does not come configured with the site information necessary to download new versions of the program. Registered users can obtain this information from their sales representatives or from other McAfee sources.

1. If you have not already done so, open the ePolicy Orchestrator console, and select the computers for which you are defining a task (see Step 1 on page 73 through Step 5 on page 74).

2. Select VirusScan v4.51 for Windows AutoUpgrade from the list.

3. Click OK. The task name appears in the catalog.

4. Select your new task, then right-click and select Edit Task to open the scheduler.

Figure 11-1. Scheduler — AutoUpgrade

TIP: You can also open the Scheduler by selecting Schedule Task from the Action menu.

5. Select the Task tab to define the activity you are configuring.

NOTE: The Task tab that appears on the Scheduler does not have the same function as the Tasks tab in the upper details pane. The Task tab allows you to configure a scanning, updating or upgrading event. The Tasks tab is a catalog of already scheduled events.

6. In the Name box, you can change the name of the task by replacing the name you first gave it with a new name.

7. The Software and Task Type boxes display the information you provided when you created the task.

8. Click Settings. The Task Settings dialog box opens, displaying the AutoUpgrade options pages, each of which governs an aspect of the upgrading. Click each tab to display the corresponding property page and to specify how you want AutoUpgrade to perform the operation.

Figure 11-2. AutoUpgrade Options — Site Options tab

9. Deselect Inherit to change the product’s current configuration settings.

10. Choose the method you want to use to connect to the download server. Your choices are:

• Copy from a local network computer — Transfers the upgrade files from a computer somewhere on your network via whichever common network protocol you have active. The settings for this protocol will govern how AutoUpgrade attempts the connection and the length of the time-out period that must pass before it stops the connection attempt.

– Using Universal Naming Convention (UNC) notation in the text box, enter the path of the location of the update files.

– If you want the Upgrade feature to use the account under which it is running at the time that the update takes place, select the Use Logged In Account checkbox.

– If you want to specify a different account for the Upgrade feature to use, deselect the Use Logged In Account checkbox. Three fields become available where you can enter the domain or server, followed by the user name. Then provide the password information required by the domain or server to which you want to connect.

IMPORTANT: Very careful planning is required to assure that workstations have easy access to the shared folder, using SYSTEMACCOUNT, without compromising overall network security. Achieving this combination requires that you a) designate the shared folder as a NullSessionShare, and b) take advantage of appropriate Windows security measures for NTFS systems to protect the NullSessionShare.

a. Designate the shared folder as a NullSessionShare. This allows the workstations to have easy access to the shared folder without providing login credentials. To do so, create a name for the shared folder, and add the name to the value NullSessionShares located in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

b. Because a NullSessionShare can result in a security vulnerability, McAfee strongly recommends that you take advantage of all of the following security features available for Windows NTFS systems:

• Granting clients only “read” and “search” privileges to the shared folder.

• Granting the server that houses the shared folder “write” privileges to the shared folder.

• Using the NTFS auditing feature.

NOTE: AutoUpgrade expects to find an unzipped disk image of the new upgrade files on your server. This allows you to customize your installation before deploying new files.

If you store upgrade files on a server that uses case-sensitive file names, you must rename the file PKGDESC.INI, which comes with program upgrades, so that it uses only lower-case letters. Otherwise, the upgrade utility will not find the file on the server and therefore will not install the new software version on client computers.

• FTP from a remote network computer (default) — Transfers the update files via File Transfer Protocol (FTP) from an internal FTP server. The URL that you see in the default configuration is an example of the string that you will have to enter in this field representing your internal FTP server.

– Enter the path of the location of the upgrade files on the local FTP server to which you want to connect.

– If the target server accepts anonymous FTP logins, select the Use anonymous FTP login checkbox. If you use a specific FTP account that requires a user name and password, clear this checkbox. Three fields become available where you can enter the domain or server, followed by the user name. Then provide the password information required by the domain or server to which you want to connect.

– If you route FTP requests from your network through a proxy server, select the Use proxy server checkbox. The Upgrade Options page expands to display two additional fields in which you can enter the proxy server’s name and port.

– Select passive or active FTP. The default connection is passive FTP, where the client opens both the command session and the data session. As a result, a firewall is unlikely to interfere with the transmission, which can occur with active FTP. To use an active FTP connection, deselect this checkbox.
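
The NullSessionShare recommendations in the IMPORTANT note above (clients limited to read and search rights, NTFS auditing in use) can be checked on the server that hosts the share. The following PowerShell is an added example, not part of the original guide or of any McAfee tooling; it assumes a current Windows system with the SmbShare module and an elevated session, and the function names are hypothetical.

```powershell
# Added example, not from the guide: audit each share named in the
# NullSessionShares registry value against the guide's NTFS recommendations.
# Assumptions: PowerShell 5.1 or later, the SmbShare module, an elevated
# session (reading audit rules requires it). Function names are hypothetical.

$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Principals expected to hold write access: SYSTEM and local Administrators,
# identified by well-known SID so the check also works on localized systems.
$TrustedWriters = @('S-1-5-18', 'S-1-5-32-544')

# Rights that change content or permissions. Read, list ("search") and
# traverse rights are deliberately left out of the mask.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# ACEs can also carry raw generic bits: GENERIC_WRITE and GENERIC_ALL.
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function New-Finding($Share, $Path, $Principal, $Detail) {
    [pscustomobject]@{ Share = $Share; Path = $Path; Principal = $Principal; Finding = $Detail }
}

function Get-NullSessionShareFinding {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $value = Get-ItemProperty -Path $ParamKey -Name NullSessionShares -ErrorAction SilentlyContinue
    # The value is REG_MULTI_SZ; drop empty strings.
    $names = @($value.NullSessionShares | Where-Object { $_ })

    foreach ($name in $names) {
        $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
        if (-not $share -or -not $share.Path) {
            New-Finding $name $null $null 'Listed in NullSessionShares but no share with a folder path exists'
            continue
        }
        $acl = Get-Acl -LiteralPath $share.Path -Audit

        # Recommendation 1: clients hold only read and search rights.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow' -or $TrustedWriters -contains $sid) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
                # Show a readable account name when the SID resolves.
                $who = $sid
                try { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
                New-Finding $name $share.Path $who "Write-capable ACE: $($ace.FileSystemRights)"
            }
        }

        # Recommendation 2: NTFS auditing is configured on the folder.
        if ($acl.GetAuditRules($true, $true, $sidType).Count -eq 0) {
            New-Finding $name $share.Path $null 'No NTFS audit (SACL) entries on the shared folder'
        }
    }
}

Get-NullSessionShareFinding | Format-Table -AutoSize -Wrap
```

An empty result means every listed share resolved to a folder, no principal other than SYSTEM or Administrators holds a write-capable right, and at least one audit entry exists.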

Configuring advanced upgrade options

To do additional pre- or post-processing on the files, or to take other actions, click Advanced to open the Advanced Upgrade Options dialog box.

Figure 11-3. AutoUpgrade Options — Advanced tab

To complete the advanced settings, follow these steps:

1. Select Run a program.

2. Enter only the file name for the executable that you want to run. Do not enter the entire path of the executable. The executable must be located in the same folder as MCUPDATE.EXE. The program will run only if the upgrade completed successfully.

3. Click OK when you have finished configuring the task.

Setting a schedule for AutoUpgrade

Set a schedule for the AutoUpgrade task that you have configured. See Chapter 12, “Scheduling Tasks,” starting on page 115.

12 Scheduling Tasks

Scheduling immediate or future scanning tasks

Four types of tasks can be scheduled:

• On-demand scanning (see Chapter 8, “On-Demand Scanning,” starting on page 73).

• Updating of virus definition files (see Chapter 9, “Updating Virus Definition Files,” starting on page 87).

• Creating a mirror of the NAI update site (see Chapter 10, “Mirroring the NAI Update Site,” starting on page 101).

• Upgrading of McAfee anti-virus software (see Chapter 11, “Upgrading the Software,” starting on page 109).

Scheduled tasks can be run immediately, or at some future time. Scheduled tasks run based on the client's clock time, not the server's.

NOTE: For information about setting policy for on-access scanning activities, see Chapter 2, “System Scan Options,” starting on page 15.

Setting basic schedule

After you have configured one of the tasks listed above, you must set a schedule for that task.

To set a schedule for a task, follow these steps:

1. From the list that appears on the ePolicy Orchestrator console’s Tasks tab, select the task for which you want to set a schedule.

2. Right-click and select Edit Task. The ePolicy Orchestrator Scheduler appears.

3. Select the Schedule tab.

Figure 12-1. Scheduler — Schedule tab

TIP: You can also open the Scheduler by selecting Schedule Task from the Action menu.

4. In the box labeled Schedule Task, click to select the frequency for the task. Depending on your selection, the display in the lower portion of the dialog box changes, allowing you to further specify the scheduling details.

• If you select Daily, specify the number of days that intervene between repetitions of this activity.

• If you select Weekly, specify the number of weeks that intervene between repetitions of the scanning activity. Then specify the days of the week on which the task is to run.

• If you select Monthly, select either the Day option or the The __ __ of the month option.

– If you select Day, specify the day of the month on which the task will run.

– If you select The __ __ of the month, use both boxes to select the monthly pattern that you want to apply to the scanning activity.

Next, click Select Months, and place a checkmark next to every month during which you want to apply the specified pattern.

• If you select Once, select a day and date from the calendar that appears.

• If you select At System Startup, you can also select Only run this task once a day, regardless of how many times the system may start during the day. In order to avoid potential conflicts among various routines that run at startup, use the Delay task by field to set a number of minutes that you want VirusScan to wait before running the task.

• If you select At Logon, you can also select Only run this task once a day, regardless of how many times the user may log on during the day. In order to avoid potential conflicts among various routines that run at logon, use the Delay task by field to set a number of minutes that you want VirusScan to wait before running the task.

• If you select When Idle, use the When computer has been idle for field to specify the number of minutes of idleness that will trigger the task.

• If you select Run Immediately, there is nothing more to configure. The task will run when you click Apply or OK.

• If you select Run On Dialup, you can also select Only run this task once a day, regardless of how many times the client may dial in during the day.

5. In the Start Time box, specify the starting time for the task.

• Select the two-digit figure in front of the colon, representing the hour, then select a different hour.

• Select the two-digit figure following the colon, representing the minutes, then select a different minute setting on the clock.

• Select either GMT (Greenwich Mean Time) or Local Time.

6. If you selected Daily, Weekly, Monthly, Once, Run Immediately, or Run on Dialup, in Step 4 on page 116, you can randomize the time that the task runs. Randomization means that the event may not start at the time specified, but rather at a time, randomly selected by the program, within a specified time frame. This is especially useful if, for example, you want to update multiple servers, but do not want all of the servers to attempt to connect simultaneously to the server where the update files are stored. If you want to employ randomization, follow these steps:

• Select Enable Randomization.

• In the adjoining boxes, enter the time frame within which you want the task to run. If you enter “1” in the hours field, and “0” in the minutes field, the task may run an hour preceding or following the time specified in the Start Time field.

7. If you selected Daily, Weekly, Monthly, Once, Run Immediately, or Run on Dialup, in Step 4 on page 116, you can assure that the task runs even if the target computer is off-line at the scheduled time. To do so, select Run missed task. The task will run the next time the target computer is on line. In order to avoid potential conflicts among various routines that run when the target computer comes on line, use the Delay missed task by field to set a number of minutes that you want VirusScan to wait before running the missed task.

Setting advanced schedule options

1. If you selected Daily, Weekly, Monthly, or Once in Step 4 on page 116, you can define a range of dates during which the task will run, and set a repetition pattern for the scanning task. To do so, click Advanced.

2. If you want to specify a range of calendar time during which you want the task to run, select the End Date checkbox. Next, use the adjacent boxes to specify a starting date and an end date.

3. If you want the task to be repeated on a regular basis:

– Select the Repeat Task checkbox.

– Use the two boxes adjoining the word Every to specify the repetition pattern in hours or minutes.

– Select either a specific local time on which the task will run, or the number of hours and minutes that the scanning activity will run.

4. When you have finished setting Advanced options, click OK.

Selecting Schedule Settings

After you have set a schedule for a task, return to the ePolicy Orchestrator Scheduler page to complete the Schedule Settings portion of that dialog box.

Figure 12-2. Scheduler dialog box

There are three settings available:

• Enable (scheduled task runs at specified time) — Runs the task at the times and under the circumstances that you specified on the Schedule tab.

• Delete the scheduled task when finished — Deletes the task definition after the task has run.

• Stop the task if it runs for __hour(s) __minutes — Limits the duration of the scheduled activity. Use the buttons to specify the maximum number of hours and minutes that the task can run.

Index

A

action options

in Download Scan module, 48 to 49

in E-Mail Scan module, 37 to 39

in Internet Filter module, 58 to 59

in On-Demand scanning tasks, 79 to 81

in System Scan module, 20 to 23

active FTP

AutoUpdate, 92

AutoUpgrade, 113

Mirror, 105

ActiveX controls, detecting with Internet Filter, 55 to 56

Agent Wakeup Call, 98

Alert Manager

Centralized Alerting, 69

configuring, 67 to 69

alert options

in Download Scan module, 49 to 51

in E-Mail Scan module, 39 to 42

in Internet Filter module, 59 to 60

in On-Demand scanning tasks, 81

in System Scan module, 24 to 25

All Files, scanning of

Download Scan, 46

E-Mail (attachments) Scan, 35

On-Demand Scanning, 77

System (on-access) Scan, 18

ALR files, 67

anonymous FTP login

AutoUpdate, 92

AutoUpgrade, 113

Mirror, 105

AutoUpdate, configuring, 87 to 99

Advanced tab, 94 to 95

Report tab, 95 to 96

Update tab, 90 to 93

AutoUpgrade, configuring, 109 to 114

Advanced tab, 113 to 114

Site Options tab, 111 to 113

B

batch files, running after update, 95

blocking access to Internet sites, 57 to 58

boot sector, scanning, 76

C

cc:Mail, 33, 41

CD

locating INSTALL.PKG on, 10

scanning, 76

CENTALRT.TXT, 69

Centralized Alerting, 67, 69

enabling for use with Alert Manager, 69

need for CENTALRT.TXT file, 69

clean infected file

E-Mail Scan

automatically, 39

in response to prompt, 38

On-Demand Scanning, 80

System Scan

automatically, 23

in response to prompt, 22

command line, 12

compressed files, scanning

Download Scan, 47

E-Mail Scan, 36

On-Demand Scanning, 76

System Scan, 18

configuring

policy

Alerting, 67 to 69

Download Scan, 45 to 53

E-Mail Scan, 33 to 44

Internet Filter, 55 to 62

Security, 63 to 65

System Scan, 15 to 29

tasks

AutoUpdate, 87 to 97

AutoUpgrade, 109 to 114

Mirror, 101 to 108

On-Demand Scanning, 73 to 86

D

DAT files

mirrored from FTP site, 101

contents, 87

deploying EXTRA.DAT, 97 to 99

downgrade to earlier version, 94

incremental, 87

mirrored from FTP site, 101

Network Associates download site for, 87

SuperDAT, 87

updating, 87 to 99

ZIP file, 87

default files

restoring factory list of user-specified types

Download Scan, 47

E-Mail Scan, 36

On-Demand Scanning, 78

System Scan, 19

scanning types defined by weekly DAT files

Download Scan, 46

E-Mail (attachments) Scan, 35

On-Demand Scanning, 77

System Scan, 18

delete infected file

Download Scan

automatically, 49

in response to prompt, 49

E-Mail Scan

automatically, 39

in response to prompt, 38

On-Demand Scanning, 80

System Scan

automatically, 23

in response to prompt, 22

DELTA.INI file, 88

deploying

EXTRA.DAT file, 97 to 99

VirusScan 4.5.1, 9 to 12

Desktop Management Interface See DMI

destination folder, 107

Destination tab, 102

detection options

in Download Scan module, 46 to 53

in E-Mail Scan module, 34 to 48

in Internet Filter module, 56 to 58

in On-Demand scanning tasks, 75, 79

in System Scan module, 16 to 20

DMI, 67 to 68

Download Scan, 45 to 53

action options, 48 to 49

alert options, 49 to 51

detection options, 46

report options, 51 to 53

E

E-Mail

protocols and systems

cc:Mail, 33, 41

MAPI, 34, 38 to 39, 41, 44

POP-3, 33 to 34

SMTP, 34

Scan module, 33 to 44

action options, 37 to 39

alert options, 39 to 42

detection options, 34 to 48

report options, 42 to 44

enabling

Alert Manager module, 68

Download Scan module, 46

Internet Filter module, 56

password protection, 63

Security module, 63

software deployment, 10

System Scan module, 16

enforce policies, 12

exclude infected file, System Scan, in response to prompt, 22

exclusion options

in On-Demand scanning tasks, 84

in System Scan module, 27 to 29

extensions, file name. See default files

EXTRA.DAT, deploying during a virus outbreak, 97 to 99

F

file types. See default files

floppy disks, scanning

On-Demand Scanning, 17, 76

force install, 12

FTP

active

AutoUpdate, 92

AutoUpgrade, 113

Mirror, 105

anonymous

AutoUpdate, 92

Mirror, 105

configuring retrieval of files via, 91

creating a mirror of the Network Associates download site, 101

credentials required

AutoUpdate, 92, 105

default to Network Associates site

AutoUpdate, 91

distributing from internal site

upgrade files, 113

downloading from Network Associates site

upgrade files, 109, 113

logging on to download site, 92, 105

Network Associates site for DAT updates, 87, 101

passive, 92, 105, 113

H

heuristic scanning

in Download Scan module, 47 to 48

in E-Mail Scan module, 36 to 37

in On-Demand tasks, 78 to 79

in System Scan module, 19 to 20

I

inbound files, scanning, compared with scanning outbound files, 17

incremental DAT files, 87

infected files, status of after scanning, 30 to 31

INSTALL.PKG, 10

Internet Filter, 55 to 62

action options, 58 to 59

alert options, 59 to 60

detection options, 56 to 58

report options, 60 to 62

Iomega ZIP drive, scanning, 76

J

Java classes, detecting with Internet Filter, 55 to 56

L

launching a program after update, 95

local path, retrieving files for

AutoUpdate, 93

Mirror, 106

log file size

AutoUpdate, 96

Download Scan, 52

E-Mail Scan, 43

Internet Filter, 61

Mirror, 108

On-Demand Scanner, 83

System Scan, 26

log files

AutoUpdate, UPDATE.TXT, 96

Download Scan, WEBINET.TXT, 51

E-mail Scan, WEBMAIL.TXT, 42

Internet Filter, WEBFILTR.TXT, 60

Mirror, MIRROR.TXT, 108

On-Demand Scanning, VSCLOG.TXT, 82

System Scan, VSHLOG.TXT, 25

Lotus cc:Mail, 33, 41

M

macro viruses, setting heuristic scanning options

Download Scan, 47

E-Mail Scan, 37

On-Demand Scanning, 79

System Scan, 20

MAPI, 34

McAfee, contacting, 8

media, removable, scanning, 76

memory, scanning, 76

Messaging Application Programming Interface. See MAPI

Mirror, configuring, 102 to 108

Destination tab, 107 to 108

Report tab, 108

Source Sites tab, 103 to 106

MIRROR.TXT, Mirror log, 108

move infected file

E-Mail Scan

automatically, 39

in response to prompt, 38

On-Demand Scanning, 80

System Scan

automatically, 23

in response to prompt, 22

N

NAP file, defined, 9

Network Associates, contacting, 8

network drives, scanning

On-Demand Scanning, 76

System Scan, 18

null session share, as source of product upgrade files, 112

O

on-access scanning

Download Scan module

action options, 48 to 49

alert options, 49 to 51

detection options, 46

report options, 51 to 53

E-Mail Scan module

action options, 37 to 39

alert options, 39 to 42

detection options, 34 to 48

report options, 42 to 44

Internet Filter module

action options, 58 to 59

alert options, 59 to 60

detection options, 56 to 58

report options, 60 to 62

System Scan module

action options, 20 to 23

alert options, 24 to 25

detection options, 16 to 20

exclusion options, 27 to 29

report options, 25 to 27

on-demand scanning

action options, 79

alert options, 81

detection options, 75

exclusion options, 84

report options, 82

outbound files, scanning, compared with scanning inbound files, 17

outbreak

dealing with, 97 to 99

high-prevalence virus threat, 97

using EXTRA.DAT to control, 97 to 99

P

passive FTP

AutoUpdate, 92

AutoUpgrade, 113

Mirror, 105

password protection, 63 to 65

ping. See Agent Wakeup call, 98

PKG file, defined, 9

POP-3 e-mail clients, choosing options in E-Mail Scan dialog box, 34

Post Office Protocol. See POP-3

program file viruses, setting heuristic scanning options

Download Scan, 48

E-Mail Scan, 37

On-Demand Scanning, 79

System Scan, 20

program, launching after update, 95

proxy server, used in downloading

AutoUpdate, 92

AutoUpgrade, 113

Mirror, 105

Q

quarantine. See move infected file

R

RAM, scanning, 76

report files

AutoUpdate, UPDATE.TXT, 96

Download Scan, WEBINET.TXT, 51

E-mail Scan, WEBMAIL.TXT, 42

Internet Filter, WEBFILTR.TXT, 60

Mirror, MIRROR.TXT, 108

On-Demand Scanning, VSCLOG.TXT, 82

System Scan, VSHLOG.TXT, 25

report options

in AutoUpdate, 95

in Download Scan module, 51

in E-Mail Scan module, 42 to 44

in Internet Filter module, 60 to 62

in On-Demand scanning tasks, 82

in System Scan module, 25 to 27

Mirror, 108

Mirror task, 108

repository, 9

S

Save the Update file for later usage, option incorporated into new Mirror utility. See Mirror, configuring

Security module, configuring, 63

Simple Mail Transfer Protocol. See SMTP

Site Options page

AutoUpdate, 90

Mirror, 103

SMTP, choosing options, 34

software repository, 9

stop access to infected file

System Scan

automatically, 23

in response to prompt, 22

SuperDAT files, 87

System Scan, 15 to 29

action options, 20 to 23

alert options, 24 to 25

detection options, 16 to 20

exclusion options, 27 to 29, 84

report options, 25 to 27

T

task

AutoUpdate, 87 to 97

AutoUpgrade, 109 to 114

Mirror, 101 to 108

On-Demand Scanning, 73 to 86

scheduling, 115 to 119

Task tab, distinguished from Tasks tab, See NOTE on, 75, 89, 103, 110

U

UNC (Universal Naming Convention), retrieving files from shared folder

AutoUpdate, 92

AutoUpgrade, 111

Mirror, 105

update. See AutoUpdate

UPDATE.INI file, 87

UPDATE.TXT, AutoUpdate log, 96

upgrade. See AutoUpgrade

user credentials

FTP

AutoUpdate, 92

AutoUpgrade, 113

Mirror, 105

UNC

AutoUpdate, 93

AutoUpgrade, 111

Mirror, 105

User specified files, scanning of

Download Scan, 46

E-Mail (attachments) Scan, 35

On-Demand Scanning, 77

System (on-access) Scan, 18

V

verbose logging

AutoUpdate, 96

Mirror, 108

VSCLOG.TXT, On-Demand scanner log, 82

VSHLOG.TXT, System Scan log, 25

W

wakeup call, 98

WEBFILTR.TXT, Internet Filter log, 60

WEBINET.TXT, Download Scan log, 51

WEBMAIL.TXT, E-mail Scan log, 42

Z

ZIP drive, scanning, 76
