
Student Workbook

revision 1.3

VirusScan Enterprise

with McAfee Anti-spyware Enterprise Module


Version 8.5i

McAfee
System Protection
Industry-leading intrusion prevention solutions

COPYRIGHT
Copyright 2006 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without
the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN
(STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA),
INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN,
MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE,
PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN
KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the
US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are
the sole property of their respective owners.

Attributions
This product includes or may include:
Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Cryptographic software written by Eric A. Young and software
written by Tim J. Hudson. Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free
Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code.
The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available
to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide
rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and
restrictions herein. Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. Software originally written by Robert Nordier,
Copyright 1996-7 Robert Nordier. Software written by Douglas W. Sauder. Software developed by the Apache Software Foundation (http://www.apache.org/). A
copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. International Components for Unicode ("ICU") Copyright
1995-2002 International Business Machines Corporation and others. Software developed by CrystalClear Software, Inc., Copyright 2000 CrystalClear Software,
Inc. FEAD Optimizer technology, Copyright Netopsystems AG, Berlin, Germany. Outside In Viewer Technology 1992-2001 Stellent Chicago, Inc. and/or
Outside In HTML Export, 2001 Stellent Chicago, Inc. Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, 1998, 1999, 2000.
Software copyrighted by Expat maintainers. Software copyrighted by The Regents of the University of California, 1996, 1989, 1998-2000. Software copyrighted
by Gunnar Ritter. Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., 2003. Software copyrighted by
Gisle Aas. 1995-2003. Software copyrighted by Michael A. Chase, 1999-2000. Software copyrighted by Neil Winton, 1995-1996. Software copyrighted by
RSA Data Security, Inc., 1990-1992. Software copyrighted by Sean M. Burke, 1999, 2000. Software copyrighted by Martijn Koster, 1995. Software
copyrighted by Brad Appleton, 1996-1999. Software copyrighted by Michael G. Schwern, 2001. Software copyrighted by Graham Barr, 1998. Software
copyrighted by Larry Wall and Clark Cooper, 1998-2000. Software copyrighted by Frodo Looijaard, 1997. Software copyrighted by the Python Software
Foundation, Copyright 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. Software copyrighted by Beman Dawes,
1994-1999, 2002. Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek 1997-2000 University of Notre Dame. Software copyrighted by
Simone Bordet & Marco Cravero, 2002. Software copyrighted by Stephen Purcell, 2001. Software developed by the Indiana University Extreme! Lab
(http://www.extreme.indiana.edu/). Software copyrighted by International Business Machines Corporation and others, 1995-2003. Software developed by the
University of California, Berkeley and its contributors. Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://
www.modssl.org/). Software copyrighted by Kevlin Henney, 2000-2002. Software copyrighted by Peter Dimov and Multi Media Ltd. 2001, 2002. Software
copyrighted by David Abrahams, 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. Software copyrighted by Steve Cleary, Beman
Dawes, Howard Hinnant & John Maddock, 2000. Software copyrighted by Boost.org, 1999-2002. Software copyrighted by Nicolai M. Josuttis, 1999.
Software copyrighted by Jeremy Siek, 1999-2001. Software copyrighted by Daryle Walker, 2001. Software copyrighted by Chuck Allison and Jeremy Siek,
2001, 2002. Software copyrighted by Samuel Krempp, 2001. See http://www.boost.org for updates, documentation, and revision history. Software copyrighted
by Doug Gregor (gregod@cs.rpi.edu), 2001, 2002. Software copyrighted by Cadenza New Zealand Ltd., 2000. Software copyrighted by Jens Maurer, 2000,
2001. Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), 1999, 2000. Software copyrighted by Ronald Garcia, 2002. Software copyrighted by
David Abrahams, Jeremy Siek, and Daryle Walker, 1999-2001. Software copyrighted by Stephen Cleary (shammah@voyager.net), 2000. Software copyrighted
by Housemarque Oy <http://www.housemarque.com>, 2001. Software copyrighted by Paul Moore, 1999. Software copyrighted by Dr. John Maddock,
1998-2002. Software copyrighted by Greg Colvin and Beman Dawes, 1998, 1999. Software copyrighted by Peter Dimov, 2001, 2002. Software copyrighted
by Jeremy Siek and John R. Bandela, 2001. Software copyrighted by Joerg Walter and Mathias Koch, 2000-2002. Software copyrighted by Carnegie Mellon
University 1989, 1991, 1992. Software copyrighted by Cambridge Broadband Ltd., 2001-2003. Software copyrighted by Sparta, Inc., 2003-2004. Software
copyrighted by Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, 2004. Software copyrighted by Simon
Josefsson, 2003. Software copyrighted by Thomas Jacob, 2003-2004. Software copyrighted by Advanced Software Engineering Limited, 2004. Software
copyrighted by Todd C. Miller, 1998. Software copyrighted by The Regents of the University of California, 1990, 1993, with code derived from software
contributed to Berkeley by Chris Torek.

Issued September 2006 / VirusScan Enterprise 8.5i

Table of Contents

1  Overview
     Product Overview
     Feature Overview
2  Installation
     Objectives
     Minimum System Requirements
     Supported Platforms
     64-bit Installation of VirusScan Enterprise 8.5i - Differences
     McAfee Anti-spyware Enterprise Module - Additions to VirusScan Enterprise
     McAfee VirusScan Installation Options
     McAfee Anti-spyware Enterprise Module Installation
     Product Upgrade - Preserving Settings
         Rule Preservation Logic
     Uninstallation Notes
3  Student Lab - Installing VirusScan Enterprise 8.5i & Comparing Protection Levels
     Objectives
     Lab Setup / Background Information
     Installation Steps - Standard Protection Installation
     Installing the McAfee Anti-Spyware Module
     Viewing Access Protection Properties for Standard Protection Installs
     Installation Steps - Maximum Protection Installation
     Installing the McAfee Anti-Spyware Enterprise Module
     Viewing Access Protection Properties for Maximum Protection Installs
     Review
4  Access Protection
     Objectives
     Overview
     Standard and Maximum Protection Installations
     Access Protection Rules Configuration Options
     User-defined Rules
     AP Rule Processing
     VirusScan Self-protection
     Reports
5  Student Lab - Access Protection Configuration and Detection
     Objectives
     Lab Setup / Background Information
     Access Protection - Configuration
     Self-Protection
         Demonstrate Self-Protection
     Review
6  Buffer Overflow Protection
     What is Buffer Overflow?
     Buffer Overflow Protection Overview
     Configuration
     Reports
7  Student Lab - Buffer Overflow Protection Configuration and Detection
     Objectives
     Lab Setup / Background Information
     Buffer Overflow Protection - Configuration
     Review
8  On-Delivery E-mail Scanner
     On-Delivery E-mail Scanner Overview
     Configuration
     Detection
9  Unwanted Programs Policy
     Objectives
     Unwanted Programs Policy Overview
     Configuration
10 Student Lab - Unwanted Programs Policy Configuration and Detection
     Objectives
     Lab Setup / Background Information
     Unwanted Programs Policy Lab
         Copy Test DATs
         Detecting Unwanted Programs by Category
         Unwanted Program Extensions
         Exclusions
         Detection of Multiple Unwanted Programs
         User-Defined Detection
     Review
11 On-Access Scanner
     On-Access Scanner Overview
     Configuration
         General Settings
         Processes (All Processes, Low-Risk, and High-Risk Processes)
12 Student Lab - On-Access Scanner Configuration and Detection
     Objectives
     Lab Setup / Background Information
     On-Access Scanner Configuration and Detection
         Scanning for Unknown Threats (Heuristics)
         ScriptScan
     Review
13 On-Demand Scanner
     On-Demand Scanner Overview
     A Brief Discussion of Rootkits
     Configuring On-Demand Scan Tasks
         New On-Demand Scan Tasks
         Configuration Options
14 Student Lab - On-Demand Scanning Configuration and Detection
     Objectives
     Lab Setup / Background Information
     Uninstall VirusScan Enterprise 8.5i
     Installation Steps - Maximum Protection Installation
     On-Demand Scanning Configuration and Detection
         Install McAfee Anti-spyware Enterprise Module
     Comparing ODS - Before and After ASE-M Install
         Scan Location Options Added
         Targeted Scan
         Reset to Default
     On-Demand Scanning for Unwanted Programs
     Review
15 Quarantine Manager
     Objectives
     Quarantine Manager Overview
     Configuration
16 Student Lab - Quarantine Manager Policy
     Objectives
     Lab Setup / Background Information
     Quarantine Manager Policy
         Policy Tab
         Manager Tab
     Review
17 AutoUpdate
     Objectives
     AutoUpdate Overview
     Configuration
     Repositories
         Default Repositories
         Adding a Repository
         Proxy Settings
     Mirror Tasks
         Creating a New Mirror Task
18 Student Lab - AutoUpdate
     Objectives
     Lab Setup / Background Information
     AutoUpdate
     Mirror Task
     Review
19 Troubleshooting
     Objectives
     Configuring Scanners to Record Session Settings
         Enable Session Settings - Report Tab
         Session Settings - Log File Output
     Log Files
         Default Log File Directory
         Finding Log Files
     Minimum Escalation Requirements (MER) Tool
20 Optional Student Lab - On-Delivery E-mail Scanner Configuration & Detection
     Objectives
     Lab Setup / Background Information
         Lab Setup Instructions
     On-Delivery E-mail Scanner Configuration & Detection
     Review
21 Appendix - Architectural Component Breakdown
     VirusScan Enterprise 8.5i Access Protection
         Component Breakdown (by File)
     VirusScan Enterprise 8.5i Alerting
         Component Breakdown (by File)
     Anti-spyware Enterprise Module On-Access Scanner
     Anti-spyware Enterprise Module On-Demand Tasks
     Anti-spyware Enterprise Module On-Delivery E-mail Scan
     Anti-spyware Enterprise Module On-Demand Scan
     VirusScan Console
         Component Breakdown (by File)
     Installer
         Component Breakdown (by File)
     Lotus Scan
         Component Breakdown (by File)
     McAfee Installation Designer
         Component Breakdown (by File)
     NAP/PLUGIN
         Component Breakdown (by File)
     VirusScan Enterprise 8.5i On-Demand Scan
         Component Breakdown (by File)
     VirusScan Enterprise 8.5i On-Access Scan
         Component Breakdown (by File)
     Outlook Scan
         Component Breakdown (by File)
     ScriptScan
         Component Breakdown (by File)
     Self Protection
         Component Breakdown (by File)
     Exclusions
     Updater
         Component Breakdown (by File)
22 Appendix - Lab Requirements: Instructor Provided Files
     Files and Folders Required for VirusScan Enterprise 8.5i Lab Exercises

Overview
McAfee VirusScan Enterprise 8.5i & McAfee Anti-spyware Enterprise Module

Product Overview
McAfee VirusScan Enterprise 8.5i is the latest update to McAfee's flagship virus-protection product. Building on the blended-threat approach introduced in McAfee VirusScan Enterprise 8.0i, 8.5i extends that concept with expanded threat protection and tighter integration of the protection technologies into a single product.

McAfee VirusScan Enterprise 8.5i protects enterprise desktop and server computers against a wide variety of threats. Adding the McAfee Anti-spyware Enterprise Module to a VirusScan Enterprise 8.5i installation broadens that protection to cover all unwanted program types, including spyware, adware and key loggers. VirusScan Enterprise 8.5i also implements self-protection technology that prevents its own components from being modified, and McAfee services from being stopped, by unauthorized sources.

The product can be deployed and managed with ePolicy Orchestrator 3.5 or later and Protection Pilot 1.5 or later, as with previous versions of McAfee VirusScan. Custom installation packages for VirusScan Enterprise 8.5i can also be created with McAfee Installation Designer.

Feature Overview
This release of McAfee VirusScan Enterprise includes both updates to existing features and completely new features. The major features and protection modes available in VirusScan Enterprise 8.5i and the McAfee Anti-spyware Enterprise Module are:

- Option to install with Standard or Maximum Access Protection rules
- Access Protection
- Buffer Overflow Protection
- On-Delivery E-mail Scanner
- Unwanted Programs Policy
- On-Access Scanner
- On-Demand Scanner, with the new Targeted Scan feature
- Quarantine Manager Policy
- AutoUpdate
- Mirror task
- General GUI updates and options
- 5000-series scan engine

The available options and configurations for each of these areas are covered in depth in the following chapters, most of which include lab exercises to help you become familiar with the product. The next section covers VirusScan Enterprise 8.5i installation.

Installation
McAfee VirusScan Enterprise 8.5i & McAfee Anti-spyware Enterprise Module

Objectives
At the end of this section, the student will be able to:

- Identify the minimum system requirements for installing and running McAfee VirusScan Enterprise 8.5i with the McAfee Anti-spyware Enterprise Module
- Identify the supported operating platforms for VirusScan Enterprise 8.5i
- Describe the major differences between 32-bit and 64-bit installations of VirusScan Enterprise 8.5i
- Explain the options available when installing VirusScan Enterprise 8.5i and the McAfee Anti-spyware Enterprise Module

Minimum System Requirements
The following minimum system requirements must be met in order to install and run McAfee VirusScan Enterprise 8.5i with the McAfee Anti-spyware Enterprise Module:

- Intel-compatible processor, Pentium or Celeron class, 166 MHz minimum
- Microsoft Internet Explorer 5.0 or later
- Microsoft Windows Installer (MSI) version 3.1, except on Windows NT platforms, which are limited to MSI version 2.0

Note: MSI 3.1 adds the ability to remove an installed patch. Because Windows NT platforms are limited to MSI 2.0, patches cannot be removed on Windows NT once applied.

Supported Platforms
McAfee VirusScan Enterprise 8.5i with the McAfee Anti-spyware Enterprise Module can be
installed and run with the following operating systems, on computers that meet the minimum
system requirements: (Note - Service Packs listed are the minimum level required)

Windows NT 4.0 SP6a

Windows XP Home Edition, SP 1 & SP2

VirusScan Enterprise 8.5i Student Guide

Installation
Supported Platforms

Windows XP Professional, SP1 & SP2

Windows XP Tablet, SP1 & SP2

Windows XP 64-bit, SP1 & SP2

Windows 2000 Professional SP3 & SP4

Windows 2000 Server SP3 & SP4

Windows 2000 Server SP4 with Terminal Services

Windows 2000 Advanced SP3 & SP4

Windows 2000 Advanced SP4 with Cluster Services

Windows 2000 Advanced SP4 with Terminal Services

Windows 2000 Small Business Server SP4

Windows 2003 Server

Windows 2003 Server with Citrix MetaFrame 3.0/4.0

Windows 2003 Server with Citrix MetaFrame XP

Windows 2003 Server with Terminal Services

Windows 2003 Enterprise Server

Windows 2003 Enterprise Server with Citrix MetaFrame 3.0/4.0

Windows 2003 Enterprise Server with Citrix MetaFrame XP

Windows 2003 Enterprise Server with Terminal Services

Windows 2003 Enterprise Server with Cluster Services

Windows 2003 Web Server

Windows 2003 Data Center

Windows 2003 Small Business Server

Windows Storage Server 2003

Windows 2003 64-bit

Windows Vista 32-bit

Windows Vista 64-bit

64-bit Installation of VirusScan Enterprise 8.5i - Differences


When installing on 64-bit operating systems, some differences in the default installation folders
exist. Additionally, McAfee VirusScan Enterprise 8.5i will install 64-bit versions of certain
system components in order to operate on the 64-bit platform. Lastly, Buffer Overflow
Protection is not installed on 64-bit systems. See the examples that follow.

VirusScan Enterprise 8.5i Console on 64-bit O/S showing no Buffer Overflow Protection.

VirusScan Enterprise 8.5i installation folder on 64-bit. Note the Program Files (x86) folder.

VirusScan Enterprise 8.5i installation on 64-bit showing the x64 subfolder where VirusScan
Enterprise 8.5i 64-bit components will be installed.

McAfee Anti-spyware Enterprise Module - Additions to VirusScan Enterprise
The following additional features and functionality are enabled with the installation of the
McAfee Anti-spyware Enterprise module (ASE-M):

New Targeted Scan task added to VirusScan Console - this On-Demand scan is
pre-configured to scan common targets for unwanted programs, including:

Memory for rootkits

Registered Files

Registry

Cookies folder

Windows folder

Program Files Folder

Temp Folder

User Profile folder

The VirusScan Console before ASE-M installation is pictured above.


The VirusScan Console after ASE-M installation is pictured above. Note the new On-Demand
Scan task, Targeted Scan.

The Full Scan on-demand scan task is updated with new items to scan, adding common
targets for unwanted programs.

The Full Scan on-demand task properties before installing ASE-M is pictured above.


The Full Scan on-demand scan properties after installing ASE-M is pictured above. Note the
additional entries on the Items list.


The On-Access Scanner properties will have cookie scanning available and enabled after
installing ASE-M.


The On-Access Scan properties before installing ASE-M is pictured above.

The On-Access Scanner properties after ASE-M installation is pictured above. Note the addition
of the Scan cookie files option.


All Unwanted Program categories will be enabled after installing ASE-M.

Anti-spyware Access Protection rules are added to the Access Protection properties after
installing ASE-M. Anti-spyware Standard protection rules will be enabled by default.

Expanded detection of unwanted programs: Installing the McAfee Anti-spyware Enterprise
Module enhances the unwanted program scanning capability of VirusScan Enterprise from
detecting common threats to detecting all threats.

Note

Unless otherwise noted, all screen shots and options descriptions in this course assume that the
McAfee Anti-spyware Enterprise module has been installed.


McAfee VirusScan Installation Options


When installing VirusScan Enterprise 8.5i, the installer will provide common installation
options such as Typical or Custom installation, with the ability to select which program features
to install or not to install.


McAfee VirusScan Enterprise 8.5i also provides an option to install with Standard Protection,
or Maximum Protection. This selection determines which of the default Access Protection rules
will be enabled after installation.

After the installation of VirusScan Enterprise 8.5i is completed, the installer will allow you to
select to perform an immediate update (Update Now) of the program components and DAT files,
and also to perform an On-Demand scan of the system.


McAfee Anti-spyware Enterprise Module Installation


In order to enable the full functionality of VirusScan Enterprise 8.5i unwanted program
protection, end-users should install the McAfee Anti-spyware Enterprise module following the
successful installation of VirusScan.
Note that all of the unwanted program protection features are actually installed with
VirusScan Enterprise 8.5i, but the anti-spyware module must be installed in order to unlock
all of them.
When you install the McAfee Anti-spyware Enterprise module, the product is updated to use a
new product code when communicating with the Engine, enabling the expanded unwanted
program detections available in the DATs.

Product Upgrade - Preserving Settings


You can upgrade an existing VirusScan Enterprise 7.1 or 8.0i installation to 8.5i, with the
option to preserve the settings from the previous installation.
When upgrading VirusScan Enterprise 7.1/8.0i to VirusScan Enterprise 8.5i with the Preserve
Settings option selected, the following items are preserved:

Configuration settings for saved tasks

User-specified extensions

Exclusion settings

DAT files, if the existing DAT versions are later than the DATs in the installation package.

Scanning engine version, if the existing engine version is later than the engine in the
installation package.

Log file names and locations are preserved, but log format is updated from ANSI to UTF8.*


* Build 652.2 - Log file names/locations not preserved, new log files created, old files deleted. See
Troubleshooting for more information.

Note

VirusScan versions prior to 7.1 cannot preserve settings during an upgrade to 8.5i. McAfee
recommends that versions prior to 7.1 be removed before installing VirusScan Enterprise 8.5i.

Rule Preservation Logic


Access Protection Rules are preserved using the following logic:
1 Read the current VirusScan Enterprise 8.0i rules from the registry.
2 Compare each of the local rules against all of the default VirusScan Enterprise 8.0i rules.
3 For each local rule, if no exact match is found in the default rules, then the rule is added to
the list of rules to preserve.
4 For port blocking rules, if the local rule differs from the default rule only in its white list, then
the rule is placed in a separate list of rules to be merged with their VirusScan Enterprise 8.5i
equivalents.
5 The white list for each of the port blocking rules from step 4 is merged with the white list of
the VirusScan Enterprise 8.5i equivalent rules, and the newly formed VirusScan Enterprise
8.5i port blocking rules are written to the registry.
6 The modified default rules (if any) from step 3 are converted to the new VirusScan Enterprise
8.5i rule format and written to the extra.rul file to be installed to the VirusScan Enterprise
8.5i program directory. They will appear as user-defined rules in VirusScan Enterprise 8.5i.

The decision to combine the white lists of port blocking rules that have only had their white list
modified is based on the assumption that the user has specific software that they do not want
blocked by the default port blocking rule. Adding the modified port blocking rule to the extra.rul
file would not have prevented the software from being blocked, because the default port blocking
rule would still be triggered.
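The six steps above, modelled as an added example that is not part of this guide and is not McAfee's code: the rule records, rule names, port ranges, white lists and function names are constructed assumptions, and the real registry layout and extra.rul syntax are not reproduced. The example shows why a white-list-only change is merged rather than carried to extra.rul, and why any other change to a default rule ends up as a user-defined rule.

```python
# Added example, not McAfee code: a model of the six-step Access Protection rule
# preservation logic, run on constructed 8.0i/8.5i rule sets.
# Rule records, names, ports and white lists below are all assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class PortRule:
    name: str
    ports: Tuple[int, int]            # inclusive port range
    direction: str                    # "in", "out" or "both"
    whitelist: Tuple[str, ...] = ()   # processes excluded from the rule


@dataclass(frozen=True)
class FileRule:
    name: str
    path: str
    actions: Tuple[str, ...]


Rule = Union[PortRule, FileRule]


def preserve_rules(local: List[Rule], defaults: List[Rule],
                   new_defaults: Dict[str, PortRule]) -> Tuple[List[Rule], Dict[str, PortRule]]:
    """Return (rules destined for extra.rul, merged 8.5i port rules for the registry).

    local        -- 8.0i rules read from the registry (step 1)
    defaults     -- the default 8.0i rule set (step 2)
    new_defaults -- the 8.5i equivalents of the default port blocking rules (step 5)
    """
    default_set = set(defaults)                     # frozen dataclasses hash by value
    defaults_by_name = {r.name: r for r in defaults}
    extra_rul: List[Rule] = []
    merged: Dict[str, PortRule] = {}
    for rule in local:
        if rule in default_set:                     # steps 2/3: exact match, nothing to preserve
            continue
        base = defaults_by_name.get(rule.name)
        only_whitelist_changed = (
            isinstance(rule, PortRule) and isinstance(base, PortRule)
            and rule.ports == base.ports and rule.direction == base.direction
            and rule.name in new_defaults)
        if only_whitelist_changed:                  # step 4: merge instead of duplicating
            new = new_defaults[rule.name]
            # Step 5: union of the two white lists, 8.5i entries first, order preserved.
            # Writing this rule to extra.rul instead would leave the default rule
            # still firing on the white-listed software.
            merged_wl = tuple(dict.fromkeys(new.whitelist + rule.whitelist))
            merged[rule.name] = PortRule(new.name, new.ports, new.direction, merged_wl)
        else:                                       # steps 3/6: user-defined or otherwise modified
            extra_rul.append(rule)
    return extra_rul, merged


# Constructed sample data (assumptions, not real VirusScan rule content).
DEFAULT_80: List[Rule] = [
    PortRule("Block chat ports", (6666, 6669), "out", ("chatclient.exe",)),
    PortRule("Block file transfer ports", (20, 21), "both"),
    FileRule("Protect app ini files", r"C:\App\*.ini", ("write",)),
]
LOCAL_80: List[Rule] = [
    PortRule("Block chat ports", (6666, 6669), "out", ("chatclient.exe", "mychat.exe")),  # white list only
    FileRule("Protect app ini files", r"C:\App\*.ini", ("write",)),                        # untouched default
    FileRule("Protect app config", r"C:\App\Conf\*", ("write", "delete")),                 # user-defined
    PortRule("Block file transfer ports", (20, 22), "both"),                              # port range modified
]
NEW_85: Dict[str, PortRule] = {
    "Block chat ports": PortRule("Block chat ports", (6666, 6669), "out",
                                 ("chatclient.exe", "newclient.exe")),
}

if __name__ == "__main__":
    extra, merged_rules = preserve_rules(LOCAL_80, DEFAULT_80, NEW_85)
    print("extra.rul:", [r.name for r in extra])
    print("merged port rules:", merged_rules)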


Uninstallation Notes
Note that McAfee VirusScan Enterprise 8.5i and the McAfee Anti-spyware Enterprise module
appear as separate programs in the Control Panel > Add or Remove Programs list.

If the end-user wishes to remove VirusScan Enterprise completely from the computer,
uninstalling VirusScan Enterprise will also remove the McAfee Anti-spyware Enterprise
Module. Sometimes the ASE-M program will still appear on the Add or Remove Programs list
after VSE 8.5 has been uninstalled. This is a refresh issue: close the Add or Remove Programs
window and open it again, and ASE-M will no longer appear.
If the end-user wishes to re-install VirusScan Enterprise 8.5i, the McAfee Anti-spyware
Enterprise module will need to be re-installed as well.

Note

When re-installing McAfee VirusScan Enterprise 8.5i, it is recommended that the McAfee
Anti-spyware Enterprise module be uninstalled first using Control Panel > Add or Remove
Programs, and then uninstall VirusScan. Re-install VirusScan followed by the anti-spyware
module.

Please proceed to the next section - Student Lab - Installing VirusScan Enterprise 8.5i &
Comparing Protection Levels.

Student Lab - Installing VirusScan Enterprise 8.5i & Comparing Protection Levels

Objectives
Upon completion of this lab, the student will be able to:

Perform Standard and Custom Installations of VSE 8.5i

Describe the difference in protection levels (standard & maximum) selected during
installation

Install the McAfee Anti-Spyware module for VSE 8.5i.

Lab Setup / Background Information


This lab can be conducted with each computer acting as a stand-alone workstation.
This lab is intended to install VirusScan Enterprise 8.5i and the McAfee Anti-Spyware module
for VirusScan Enterprise 8.5i, onto a computer running Windows XP Professional, SP1 or later.
The installation files for this lab should be located on your Desktop. If you do not have the setup
files, please notify your instructor.

Installation Steps - Standard Protection Installation


1 Navigate to the VirusScan Enterprise 8.5i installation files on your Desktop. Double-click the
.zip file to view its contents.
2 Double-click Setup.exe.
3 If you receive a Security Warning, click Run.
4 You may receive a McAfee VirusScan Enterprise Setup dialog box indicating that you can
enable a crash dump file by clicking Yes. Click No at this prompt.

McAfee VirusScan Enterprise 8.5i Lab


5 Once the Setup Wizard launches, click Next.


6 If you receive a Beta/Field Test screen, click OK.
7 Click I accept the terms in the license agreement and click OK.
8 When the Select Setup Type screen appears, select Custom and click Next.
9 When the Select Access Protection Level screen appears, select Standard Protection and
click Next.
10 The Feature Selection screen will appear. Note the various VirusScan Enterprise 8.5i features
that are available for installation. Click Next.

11 When the Install McAfee Products screen appears, select Next (Do not install Alert Manager
or Desktop Firewall).
12 When the Product Configuration screen appears, remove the check from Import AutoUpdate
repository list and click Next.
13 When the Security Configuration screen appears, DO NOT enter a password for accessing
the user interface. Note the Start menu and System tray icon and menu options at the bottom
of this dialog. Click Next.
14 When the Ready to Install screen appears, click Install.


15 The Installing McAfee VirusScan Enterprise screen appears with a status bar displaying the
installation progress.

16 When the McAfee VirusScan Enterprise setup has completed successfully screen appears,
REMOVE the check from Update Now and Run On-Demand Scan, and then click Finish.
17 Note the appearance of the VirusScan Enterprise 8.5i VShield icon in System Tray. You have
successfully installed VirusScan Enterprise 8.5i with Standard Protection. Close the
installation files .zip window.

Installing the McAfee Anti-Spyware Module


18 Navigate to the McAfee Anti-Spyware Module installation files on your Desktop.
19 Double-click the .zip file package to view the installation files.
20 Double-click the VSE85MAS.EXE setup file.
21 Select the Extract All option to extract the setup files. (Some install files must be
decompressed before use).
22 On the Extraction Wizard dialog, Click Next. Click the Browse button.
23 Use the Make New Folder button to create a Desktop folder called ASE-M.
24 Select the ASE-M folder, and select OK to extract the install files to this folder. Click Next.
25 Click Finish.
26 Once the ASE-M folder opens, double-click VSE85MAS.Exe to launch setup.
27 If a Security Warning appears, click Run.


28 The Installer welcome screen appears, click Next.


29 If a Beta/Field test screen appears, click OK.
30 Accept the license agreement and click OK.
31 The install progress screen appears briefly.
32 Click Finish. You have successfully installed the McAfee Anti-Spyware Module.
33 Close the ASE-M folder and the .zip file window containing the anti-spyware installation
files.

Viewing Access Protection Properties for Standard Protection Installs
34 Right-click the System Tray VShield icon and select VirusScan Console.
35 If a McAfee VirusScan Beta dialog appears, click OK.
36 Right-click Access Protection in the console window and select Properties.

37 The Access Protection Properties screen will appear. Examine the following:

Note the checkbox which can be used to disable Access Protection

Click on each of the Categories. Note the rules selected for each category listed on the
right. For Standard Protection installations notice that maximum protection rules have
not been enabled.

Note on the lower-left portion of the screen is a checkbox to Prevent McAfee services
from being stopped. This option is not enabled by default for Standard Protection
installations.

38 Click on the Anti-virus Standard Protection category.


39 In the Rules window, highlight the top rule, Prevent registry editor and Task Manager from
being disabled.
40 Click the Edit button.


41 The Rules Details dialog will appear. Note the wildcard asterisk (*) in the Processes to
include field, indicating that this rule will apply to all processes. Individual process
executables may be listed here with comma separators.
42 Note that the Processes to exclude field lists several processes to be excluded from this rule.
43 Click Cancel.
44 Click OK.
45 Close the VirusScan Console.
46 Select Start > Control Panel > Add or Remove Programs.
47 Select McAfee VirusScan Enterprise and click Remove.
48 When prompted if you really want to uninstall, click Yes.
49 McAfee VirusScan Enterprise 8.5i will uninstall.
50 Close the Add or Remove Programs window.
51 Close Control Panel.

Installation Steps - Maximum Protection Installation


52 Navigate to the VirusScan Enterprise 8.5i installation files on your Desktop. Double-click the
.zip file to view its contents.
53 Double-click Setup.exe.
54 If you receive a Security Warning, click Run.
55 You may receive a McAfee VirusScan Enterprise Setup dialog box indicating that you can
enable a crash dump file by clicking Yes. Click No at this prompt.
56 Once the Setup Wizard launches, click Next.
57 If you receive a Beta/Field Test screen, click OK.
58 Click I accept the terms in the license agreement and click OK.
59 When the Select Setup Type screen appears, select Typical and click Next.
60 When the Select Access Protection Level screen appears, select Maximum Protection and
click Next.
61 When the Ready to Install screen appears, click Install.
62 The Installing McAfee VirusScan Enterprise screen appears with a status bar displaying the
installation progress.
63 When the McAfee VirusScan Enterprise setup has completed successfully screen appears,
REMOVE the check from Update Now and Run On-Demand Scan, and then click Finish.
64 Note the appearance of the VirusScan Enterprise 8.5i VShield icon in System Tray. You have
successfully installed VirusScan Enterprise 8.5i with Maximum Protection.
65 Close the .zip window containing the VirusScan Enterprise installation files.


Installing the McAfee Anti-Spyware Enterprise Module


66 Navigate to the ASE-M folder created previously. Double-click VSE85MAS.Exe to launch
setup.
67 If you receive a Security Warning, click Run.
68 The Installer welcome screen appears, click Next.
69 If a Beta/Field test screen appears, click OK.
70 Accept the license agreement and click OK.
71 The install progress screen appears briefly.
72 Click Finish. You have successfully installed the McAfee Anti-Spyware Enterprise Module.
73 Close the ASE-M folder window.

Viewing Access Protection Properties for Maximum Protection Installs
74 Right-click the System Tray VShield icon and select VirusScan Console.
75 If a McAfee VirusScan Beta dialog appears, click OK.
76 Right-click Access Protection in the console window and select Properties.
77 The Access Protection Properties screen will appear. Examine the following:

Click on each of the Categories. Note the rules selected for each category listed on the
right. Notice that the Maximum Protection rules have now been enabled with the
exception of the Anti-spyware Maximum Protection category.

Note that the selection for Prevent McAfee services from being stopped is not enabled by
default for Maximum Protection installations.

Note

When installing VirusScan Enterprise 8.5i with Maximum Protection, the Anti-spyware
Maximum Protection rules and the McAfee Services protection will NOT be enabled
automatically. The user will have to select these maximum protection options in order to
enable them.

78 Click on the Reports Tab. Note the logging options for recording violations of access
protection rules, including enable/disable logging, log file location, and maximum log file
size settings.
79 Click the Browse button to display the Select Log File dialog. Activate the Look In: pulldown menu. Note the path to the log file from the directory tree displayed. Click Cancel.
80 Click Cancel.
81 Close the VirusScan Console.


Review
1. When installing VirusScan Enterprise 8.5i, users have the option to install with
_____________ or ______________ protection levels.
2. When installing with Standard Protection, the Maximum Protection rules are disabled /
enabled by default. (circle one)
3. Processes to include or exclude for Access Protection rules can be modified by selecting
the rule and clicking the ________ button on the Access Protection Properties page.
4. Access Protection logging options are configured on the __________ tab of the Access
Protection Properties page.


Access Protection
McAfee VirusScan Enterprise 8.5i & McAfee Anti-spyware
Enterprise Module

Objectives
At the end of this section, the student will be able to:

Identify the default Access Protection rules for Standard and Maximum Protection
installations of McAfee VirusScan Enterprise 8.5i

Explain how to turn individual Access Protection blocking and reporting on and off.

Explain what self-protection is

List the types of User-defined rules that can be created

Configure Access Protection report log options

Overview
VirusScan Enterprise 8.5i offers enhanced Access Protection features that can prevent intrusion
by restricting access to ports, files, folders, and shares. You can block access to ports and port
ranges, lock down shares, files, and directories to read-only, block execution of a specific file,
and generate log entries and/or Alert Manager and ePolicy Orchestrator events when attempts
are made to access blocked items.
The Access Protection features will also allow you to prevent McAfee processes from being
stopped by unauthorized sources.
During virus outbreaks, Access Protection rules can be enabled to block destructive code from
accessing the computer until a DAT update is available.


Access Protection rules can be configured to Block access, or Report access attempts, or both.

Standard and Maximum Protection Installations


During installation, selecting Standard Protection will enable only the Anti-virus Standard
Protection, and Common Standard Protection rules for blocking.
Maximum Protection installations will enable the standard protection rules listed above, as well
as the Common Maximum Protection Rules.

Caution

When installing VirusScan Enterprise 8.5i with Maximum Protection rules enabled, the
Anti-spyware Maximum Protection rules will not be enabled after installing the McAfee
Anti-spyware Enterprise module. These rules must be enabled by the end-user or administrator.

The following table shows each of the Access Protection rules and their default status for
Standard and Maximum Protection installations.
| Category | Rule | Standard Protection Default Status | Maximum Protection Default Status |
|---|---|---|---|
| Anti-spyware Standard Protection and Anti-spyware Maximum Protection (available only with ASE-M installed) | Protect Internet Explorer favorites and settings | Block + Report | Block + Report |
| | Prevent installation of CLSIDs, APPIDs and TYPELIBs (HKEY_CLASSES_ROOT registry key) | NONE | NONE |
| | Prevent all programs from running files from the Temp folder | NONE | NONE |
| | Prevent execution of scripts from the Temp folder | NONE | NONE |
| Anti-virus Standard Protection | Prevent registry editor and Task Manager from being disabled | Block + Report | Block + Report |
| | Prevent user rights policies from being altered | Block + Report | Block + Report |
| | Prevent remote creation/modification of executable and configuration files | Block + Report | Block + Report |
| | Prevent remote creation of autorun files | Block + Report | Block + Report |
| | Prevent hijacking of .EXE and other executable extensions | Block + Report | Block + Report |
| | Prevent svchost executing non-Windows executables | Block + Report | Block + Report |
| | Prevent Windows Process spoofing | Block + Report | Block + Report |
| | Protect phonebook files from password and email address stealers | Block + Report | Block + Report |
| | Prevent mass mailing worms from sending mail | Block + Report | Block + Report |
| | Prevent IRC communication | Block + Report | Block + Report |
| | Prevent use of tftp.exe | Block + Report | Block + Report |
| Anti-virus Maximum Protection | Prevent alteration of all file extension registrations | NONE | Block + Report |
| | Protect cached files from password and email address stealers | NONE | Block + Report |
| Anti-virus Outbreak Control | Make all shares read-only | NONE | NONE |
| | Block read and write access to all shares | NONE | NONE |
| Common Standard Protection | Prevent modification of McAfee files and settings | Block + Report | Block + Report |
| | Prevent modification of McAfee Common Management Agent files and settings | Block + Report | Block + Report |
| | Prevent modification of McAfee Scan Engine files and settings | Block + Report | Block + Report |
| | Protect Mozilla and FireFox files and settings | Block + Report | Block + Report |
| | Protect Internet Explorer settings | Block + Report | Block + Report |
| | Prevent installation of Browser Helper Objects and Shell Extensions | Block + Report | Block + Report |
| | Protect network settings | Block + Report | Block + Report |
| | Prevent common programs from running files from the Temp folder | Block + Report | Block + Report |
| Common Maximum Protection | Prevent programs registering to autorun | NONE | Block + Report |
| | Prevent programs registering as a service | NONE | Block + Report |
| | Prevent creation of new executable files in the Windows folder | NONE | Block + Report |
| | Prevent creation of new executable files in the Program Files folder | NONE | Block + Report |
| | Prevent launching of files from the Downloaded Program Files folder | NONE | Block + Report |
| | Prevent FTP communication | NONE | Block + Report |
| | Prevent HTTP communication | NONE | Block + Report |
| User-Defined Rules | NONE | NONE | NONE |

Warning

Maximum Protection rules should be used with caution as they can block common activities such
as installation or execution of certain applications or processes. It is recommended that maximum
protection rules be initially enabled for Report only in order to determine if exclusions will be
required for that rule.

Access Protection Rules Configuration Options


Any Access Protection rule can be enabled or disabled for blocking or reporting, simply by
clicking in the Block or Report box and toggling the checkmark for that rule.

Each pre-defined Access Protection rule, as well as User-defined rules can be configured to
include and exclude specific processes for the AP rule. Select a rule and click the Edit button to
access the Rule Details dialog box.


Wildcard characters are allowed in both the Processes to include, and Processes to exclude
fields, as shown below.

In the example, the rule Prevent registry editor and Task Manager from being disabled contains
an asterisk (*) wildcard in the Processes to include field, indicating that it applies to all
processes.
In the Processes to exclude field, we see specific process names that have been excluded from
this rule, as well as a process name with the asterisk (*) wildcard character to exclude variants
on the process name, gianantispywar.
Additional exclusions may be added by typing the process name, or a partial name with wildcard
characters, into the Processes to exclude field. Process names are separated with a comma (,).

Warning

End-user changes to the exclusion list of any pre-defined Access Protection rule will not be
overwritten by McAfee updates to the Access Protection rules definitions. Once the end-user
modifies the exclusions for any Access Protection rule, they become responsible for maintaining
the exclusions list from that point forward.

User-defined Rules
Users can define custom Access Protection rules to meet their specific needs.
Users can create three types of rules:

Port Blocking Rule: These rules can block programs from accessing the network, or they can
prevent other computers from accessing this computer.

File/Folder Blocking Rule: These rules prevent unauthorized programs from altering,
opening, or deleting files that they shouldn't.

Registry Blocking Rule: These rules prevent unauthorized programs from altering, opening,
or deleting registry keys and values that they shouldn't.

Options for each of the rule types are:

Port Blocking Rules:


Rule Name - any name can be used


Processes to include - you can use a specific process name or wildcard variants to specify the
processes to include in the rule. Examples: process.exe, pro*.exe, pro*, pro????.exe. Use a
single asterisk (*) in this field to include all processes.
Processes to exclude - you can use a specific process name or wildcard variants to specify the
processes to exclude from the rule. Use a single asterisk (*) in this field to exclude all processes.
Ports to Block - specify a single port to be blocked or a range of ports to be blocked. Enter
the starting and ending port range to block an inclusive range of ports.
Direction - Select whether this rule will apply to Inbound connections, Outbound
connections, or both, by clicking the appropriate box(es).

File/Folder Blocking Rule:


Rule name - any name can be used
Process to include - processes to include in this rule. Wildcards are allowed.
Processes to exclude - processes to exclude from this rule. Wildcards are allowed.
File or folder name to block. Wildcards are allowed - Complete path to the folder, or file this
rule will affect. Partial folder/file names with wildcards can protect multiple, similar
folders/files with a single rule. Examples: C:\Folder, C:\Fol*, C:\Folder\*.exe


File actions to prevent - specify which action or actions you wish to block for the selected
folder/file, with this rule; Read access, Write access, File execution, File creation, File
deletion or any combination of these options.


Registry Blocking Rule:


Rule name - any name can be used.
Processes to include - processes to include in this rule. Wildcards are allowed.
Processes to exclude - processes to exclude from this rule. Wildcards are allowed.
Registry key or value to protect - drop-down menu provides registry key roots. Type the rest
of the registry key path and value in the field provided. Wildcards are allowed.
Rule type - registry key, or registry value.
Registry actions to block - select the actions you want the rule to block; Read key/value,
Write key/value, Create key/value, Delete key/value, or any combination of actions.

AP Rule Processing
Access Protection rules can come from five different locations (vscan.bof, the registry, test.rul,
extra.rul and mcafee.rul), and the sources are processed in the following order:
If test.rul is present in the product folder:
- test.rul is read and all remaining rule sources are skipped.
Otherwise:
- vscan.bof is read from the product folder.
- extra.rul (if present) is read from the product folder and appended.
- User rules are read from the registry and appended.
- mcafee.rul (if present) is read from %windir% and appended.
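The process-matching semantics for user-defined rules described on the preceding pages (Processes to include and exclude, comma separators, * and ? wildcards, folder and file path patterns, port ranges and direction) and the rule-source order just listed, modelled as one added example that is not code from this guide or from McAfee. The record types, function names and sample rules are assumptions; the example also generalises the text by applying the same include/exclude test to both file/folder and port rules, and it treats a pattern naming a folder as covering everything beneath it.

```python
# Added example, not McAfee code: models (1) whether a user-defined Access
# Protection rule applies to an event, using the include/exclude process
# lists with * and ? wildcards and path patterns described in the text, and
# (2) the order in which the five rule sources are read. Record types,
# function names and the sample rules are assumptions.
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple


def _matches_any(name: str, patterns: str) -> bool:
    """Case-insensitive match of name against a comma-separated pattern list."""
    return any(fnmatch.fnmatchcase(name.lower(), p.strip().lower())
               for p in patterns.split(",") if p.strip())


def process_in_scope(process: str, include: str, exclude: str) -> bool:
    """A rule covers a process when it is in Processes to include and not in
    Processes to exclude; a lone * includes (or excludes) every process."""
    return _matches_any(process, include) and not _matches_any(process, exclude)


@dataclass(frozen=True)
class FileRule:
    name: str
    include: str
    exclude: str
    path: str                   # e.g. C:\Folder, C:\Fol*, C:\Folder\*.exe
    actions: Tuple[str, ...]    # any of read, write, execute, create, delete


@dataclass(frozen=True)
class PortRule:
    name: str
    include: str
    exclude: str
    ports: Tuple[int, int]      # inclusive range; (p, p) for a single port
    inbound: bool
    outbound: bool


def _path_matches(path: str, pattern: str) -> bool:
    """A pattern naming a folder also covers everything beneath it (assumption)."""
    path, pattern = path.lower(), pattern.lower()
    return (fnmatch.fnmatchcase(path, pattern)
            or fnmatch.fnmatchcase(path, pattern.rstrip("\\") + "\\*"))


def file_rule_blocks(rule: FileRule, process: str, path: str, action: str) -> bool:
    """True when the file/folder rule would block this process/path/action."""
    return (process_in_scope(process, rule.include, rule.exclude)
            and action in rule.actions
            and _path_matches(path, rule.path))


def port_rule_blocks(rule: PortRule, process: str, port: int, direction: str) -> bool:
    """True when the port rule would block this process/port in this direction."""
    lo, hi = rule.ports
    direction_ok = ((direction == "inbound" and rule.inbound)
                    or (direction == "outbound" and rule.outbound))
    return (process_in_scope(process, rule.include, rule.exclude)
            and lo <= port <= hi and direction_ok)


def rule_load_order(product_folder: List[str], windir: List[str],
                    registry_has_user_rules: bool) -> List[str]:
    """Order in which rule sources are read. test.rul, when present in the
    product folder, is read alone and every other source is skipped."""
    if "test.rul" in product_folder:
        return ["test.rul"]
    order = ["vscan.bof"]
    if "extra.rul" in product_folder:
        order.append("extra.rul")
    if registry_has_user_rules:
        order.append("registry")
    if "mcafee.rul" in windir:
        order.append("mcafee.rul")
    return order


# Constructed sample rules (assumptions, not shipped VirusScan rules).
CONFIG_RULE = FileRule("Protect app config", "*", "trusted.exe, svc????.exe",
                       r"C:\App\Config\*.ini", ("write", "delete"))
FOLDER_RULE = FileRule("Lock data folder", "*", "", r"C:\Data", ("create",))
FTP_RULE = PortRule("Block FTP ports", "*", "ftpclient.exe", (20, 21), False, True)

if __name__ == "__main__":
    print(file_rule_blocks(CONFIG_RULE, "notepad.exe", r"C:\App\Config\site.ini", "write"))
    print(port_rule_blocks(FTP_RULE, "unknown.exe", 21, "outbound"))
    print(rule_load_order(["vscan.bof", "extra.rul"], ["mcafee.rul"], True))
```

The exclude list wins over the include list, which is the behaviour to keep in mind when widening an exclusion with a wildcard: a pattern such as svc????.exe exempts any four-character suffix, not just the one process you had in mind, so exclusions should be as specific as the process name allows.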


VirusScan Self-protection
In addition to the Access Protection rules that prevent the modification of McAfee files and
settings by unauthorized sources, an additional option, Prevent McAfee services from being
stopped, is also available on the Access Protection screen.
When the Prevent McAfee services from being stopped option is selected under Access
Protection, VirusScan Enterprise applies an Access Control List to McAfee processes that
prevents anyone except the SYSTEM account from terminating the process or service. This
protects VirusScan from being disabled by malicious programs that seek to circumvent virus
protection by killing its services.

Warning

When the Prevent McAfee services from being stopped option is selected under Access
Protection, VirusScan Enterprise will implement an Access Control List against McAfee
processes that only allows the SYSTEM account to NET STOP McAfee Services. An
Administrator (or anybody with debug privileges) can still use Task Manager to terminate
processes and services.

Prevent McAfee services from being stopped is not enabled by default for Standard or Maximum
Protection installations. This option must be enabled by the end-user or Administrator.

Reports
The Access Protection Properties page has a Reports tab that allows configuration of access
protection event logging options. The available options are:

Log to file (default: enabled) - allows you to enable/disable logging of attempts to violate
access protection.

Log file location (path) - by default the log will be created in
%DEFLOGDIR%\AccessProtectionLog.txt. A custom path and name for the log file can be
entered here.

Limit size of log file (default: enabled) - This option allows VirusScan to limit the log file
size to a user-configured maximum size in order to prevent excessive disk usage.

Maximum log file size (MB): By default this is set to 1MB with a maximum setting available
of 100MB.

Format - determines the text encoding method used when creating the log. By default,
Unicode (UTF8) is selected. Other options are ANSI and Unicode (UTF16).

View Log - This button will open the log in Notepad, or the application that is associated with
.txt files on the computer.

Please proceed to the next section: Student Lab - Access Protection Configuration and
Detection.

Student Lab - Access Protection


Configuration and Detection

Objectives
Upon completion of this lab, the student will be able to:

Configure and demonstrate Access Protection Rules

Create a custom Access Protection Rule

Demonstrate Self-Protection features

Lab Setup / Background Information


This lab can be conducted with each computer acting as a stand-alone workstation.
This lab is intended to demonstrate the Access Protection features of VirusScan Enterprise 8.5i.
This lab requires the McAfee Anti-spyware Module folder (ASE-M) and files created in Lab 1
- Installing VirusScan Enterprise 8.5i and Comparing Protection Levels.
This lab is intended to use the existing installation and configuration created in Lab 1 - Installing
VirusScan Enterprise 8.5i and Comparing Protection Levels. If you are performing this lab out
of order, install VirusScan Enterprise 8.5i with maximum protection, and then install the
McAfee Anti-spyware module before proceeding with this lab.

38

McAfee VirusScan Enterprise 8.5i Lab

Student Lab - Access Protection Configuration and Detection


Access Protection - Configuration


1 Right-click the VirusScan Enterprise VShield icon in the System Tray, and select VirusScan
Console.
2 Right-click on Access Protection and select Properties.

3 The Access Protection Properties page is displayed.

4 Examine the Categories in the left column. Note that for each category, a rule or rules is
displayed in the right column.
5 Each rule may be enabled to Block, Report, or both by clicking in the appropriate selection
column. Removing the checkmark disables that function for the current rule.
6 In the category column, select Anti-Spyware Maximum Protection.

7 Notice that the three rules for this category are not enabled for blocking or reporting.

Caution

When installing VirusScan Enterprise 8.5i with Maximum Protection, the Anti-spyware
Maximum Protection rules under Access Protection will NOT be enabled automatically.
The user will have to select these maximum protection rules in order to enable them.

8 Click in the Block and Report fields for each rule. A checkmark should appear indicating that
these rules have been enabled.
9 In the right column, select the rule, Prevent all programs from running files from the Temp
folder.
10 Click the Edit button.
11 Notice the processes to exclude listed for this rule. These exclusions will allow the Windows
MSI Installer (msiexec.exe) to run files from the Temp folder, and will also allow the
McAfee Framework installer (frminst.exe) to run files from the Temp folder. Other processes
may also be specified here to allow Temp folder file execution.
12 Click Cancel.
13 In the Categories column, select User-defined Rules.
14 Click the New button.
15 The Select New Rule Type dialog appears.

16 Select File/Folder Blocking Rule.


17 Click OK.

18 The File/Folder Access Protection Rule dialog appears.

19 In the Rule Name field, type File Blocking Rule (no quotes).
20 In the Processes to include field, type * (an asterisk) (no quotes).
21 Leave the Processes to exclude field blank.
22 In the File or Folder name to block field, use the Browse file button to navigate to the ASE-M
installation folder on your desktop. Select the readme.txt file in that folder and click Open.

23 In the File Actions to prevent section, select Read access to files and Write access to files.

24 Click OK.
25 Click OK on the Access Protection Properties dialog.
26 Navigate to the ASE-M folder on your desktop.
27 Double-click the readme.txt to open it.
28 Note the Access is Denied error message. Access Protection has prevented read-access to this
file. Click OK. Close Notepad.
29 Navigate back to the VirusScan Console and right-click Access Protection. Select Properties.
30 Select User-defined rules in the Categories column.
31 Select the File Blocking Rule you created, and click the Edit button.

32 Remove the checkmark from Read access to files, under File actions to prevent.

33 Click OK.
34 Click OK on the Access Protection Properties dialog.
35 Navigate to the ASE-M folder on your desktop.
36 Double-click the readme.txt to open it. Note that you now have read-access to this file.
37 Select File > Save. Note the error indicating that you cannot create this file in the folder
specified. Access Protection has blocked the write-access to this file. Click OK.
38 The File > Save As dialog will automatically appear. Navigate to your Desktop and save this
file as readme.txt.
39 Note that you are able to successfully create a new copy of this file in a new location. Access
Protection is only blocking write-access to the original file specified in the rule (located in
the ASE-M folder).
40 Close the readme.txt file.
41 Navigate to VirusScan Console. Right-click Access Protection and choose Properties.
42 Select User-defined rules in the Categories column.
43 Select the File Blocking Rule you created.
44 Click the Edit button.
45 In the Processes to exclude field, type notepad.exe (no quotes).

46 Select OK.
47 Select OK on the Access Protection Properties dialog.
48 Navigate to the ASE-M folder on your desktop.
49 Double-click the readme.txt to open it.
50 Select File > Save.
51 Note that although write-access is still disabled for this file, Notepad is now excluded from
this blocking rule and can save changes to the file.
52 Close Notepad.
53 Right-click on readme.txt and select Open With.
54 Select WordPad (if WordPad is not listed, select Choose Program and select WordPad from
the list).
55 Once the readme.txt file has opened in WordPad, select File >Save.
56 Note the error indicating that access is denied. WordPad is not excluded from this rule and
therefore does not have write-access to this file. Click OK.
57 Close WordPad.
58 Navigate to VirusScan Console and right-click Access Protection, select View Log.
59 Examine the log entries. Note the Blocked by Access Protection entries created during our
readme.txt experiments, including read and create blocking.
60 Once you have examined the log entries, close the log file by exiting Notepad.
61 Close the ASE-M folder.

Self-Protection
VirusScan Enterprise 8.5i Access Protection includes features and rules intended to protect itself
from being modified or stopped without proper authority.
Some of the Self-protection features include:

Prevent McAfee files and folders from being changed

Prevent McAfee product components from being renamed, moved, or deleted

Prevent McAfee registry keys from being modified

Prevent McAfee services from being stopped

Demonstrate Self-Protection
Adding or Removing files from the McAfee Folder
1 Navigate to VirusScan Console.
2 Double-click the Access Protection Policy task to open its Properties page.

3 Place a checkmark in the option, Prevent McAfee services from being stopped.
4 Click OK.
5 Ensure that the On-Access Scanner and the Access Protection Policy are both enabled.
6 Navigate to the C:\Program Files\Common Files\McAfee\Engine folder.
7 Right-click on any of the files in this folder and select Delete.
8 Note the error message indicating that you are denied access to this function. Click OK.
9 Right-click in an empty space of the McAfee\Engine folder and select New > Text
Document.
10 Note the error message indicating that you are denied access to this function. Click OK.

Changing Files in the McAfee Folder


1 In the McAfee\Engine folder, right-click on license.dat and choose Open With.
2 Click the Open With button.
3 Choose, Select the program from a list.
4 Select Notepad and click OK.
5 Place the insertion point anywhere in the file and type random characters.
6 Select File > Save.
7 Note the error message indicating that you are denied access to this function.
8 The Save As dialog automatically appears. Click Cancel.
9 Close Notepad. Answer No to the save prompt.
10 Close the McAfee\Engine folder window.

Stopping McAfee Services


1 From the Windows Task Bar, select Start > Control Panel > Administrative Tools > Services.

2 In the Services window, scroll down to the McAfee services.

3 Right-click on McAfee Framework Service and click Stop.


4 Note the error indicating that you are denied access to this function. Click OK.

5 Attempt to stop the other McAfee Services - note the error message.
6 Close the Services window. Close the Administrative Tools window.

Review
In order to enable, disable, configure, or create an access protection rule, you must go to the
Access Protection _______________ dialog page, in VirusScan Console.
T / F - You cannot set access protection rules for Anti-Spyware using Access Protection
rules. (select true or false)
Enabling and disabling both blocking and reporting for a particular rule is easily performed
by clicking the _______ or _________ field for the rule. A checkmark will appear when
blocking and/or reporting has been enabled for the rule.
T / F - You can include processes to include (block) for a given rule by using wildcards,
including asterisk (*) for all processes, or the question mark (?) for variable characters in a
process name (for example, ???setup.exe). (select true or false)

You can exclude processes (do not block) for a particular rule by listing the process name, or
wildcard variant, in the _____________ ______ ____________ field of the Rule Details
screen.

Buffer Overflow Protection


McAfee VirusScan Enterprise 8.5i

Objectives
At the end of this section, the student will be able to:

Explain what a buffer overflow condition is and why it is a concern

Describe the configuration options for Buffer Overflow Protection

Configure Buffer Overflow Protection report logging

What is Buffer Overflow?


A buffer overflow, also known as a buffer overrun, is a programming error that can be turned
into a breach of system security.
A buffer overflow is a condition where a process attempts to write data beyond the end of a
fixed-length memory buffer. The extra data overwrites adjacent memory locations, which can
hold other memory buffers, variables, and application data being processed. Attackers can
exploit known buffer overflow flaws in an application to execute code they have written into
an adjacent memory location, bypassing normal system security precautions.

Buffer Overflow Protection Overview


Buffer Overflow Protection in VirusScan Enterprise 8.5i is essentially unchanged from the
previous 8.0i version. Protection against buffer overflow attacks is provided for a specific list of
processes, defined in the Buffer Overflow Protection definition file, vscan.bof.

Configuration
VirusScan Enterprise 8.5i offers these options for configuring Buffer Overflow Protection:

Enable buffer overflow protection (default: enabled) - Allows Buffer Overflow Protection to
be turned on and off and set for Warning or Protection mode.

Show the messages dialog box when a buffer overflow is detected (default: enabled) - Allows
you to suppress the VirusScan Alert message dialog when a buffer overflow detection occurs.

Buffer overflow exclusions - Clicking the Add button allows you to exclude specific
processes from buffer overflow scanning. Wildcards are not allowed in the process name
field and the process name must be exact.

Note

When adding exclusions that are due to unwanted buffer overflow detections, check
the VirusScan Alert messages dialog, the Buffer Overflow log file, or ePO event report
to determine the exact process name for exclusion.

Reports
The Buffer Overflow Protection Properties page has a Reports tab that allows configuration of
buffer overflow event logging options. The available options are:

Log to file (default: enabled) - allows you to enable/disable logging of buffer overflow
detections.

Log file location (path) - by default the log will be created in
%DEFLOGDIR%\Mcafee\DesktopProtection\BufferOverflowProtectionLog.txt. A custom
path and name for the log file can be entered here.

Limit size of log file (default: enabled) - This option allows VirusScan to limit the log file
size to a user-configured maximum size in order to prevent excessive disk usage.

Maximum log file size (MB): By default this is set to 1MB with a maximum setting available
of 999MB.

Format - determines the text encoding method used when creating the log. By default,
Unicode (UTF8) is selected. Other options are ANSI and Unicode (UTF16).

View Log - This button will open the log in Notepad, or the application that is associated with
.txt files on the computer.

Note

Users who have associated .txt files with WordPad may receive an error indicating that the log file
is in use and cannot be opened, when using the View Log button or context menu selection. To
resolve the issue, re-associate Notepad with the .txt file extension on the computer.

Please proceed to the next section: Student Lab - Buffer Overflow Protection Configuration
and Detection.

Student Lab - Buffer Overflow Protection


Configuration and Detection

Objectives
Upon completion of this lab, the student will be able to:

Configure and demonstrate Buffer Overflow Protection

Lab Setup / Background Information


This lab can be conducted with each computer acting as a stand-alone workstation.
This lab is intended to demonstrate the Buffer Overflow Protection features of VirusScan
Enterprise 8.5i.
This lab requires the Buffer Overflow Testing tool (Botest2new.zip) which should be located on
your desktop. If you do not have this tool, please notify your instructor.
This lab is intended to use the existing installation and configuration created in Lab 1 - Installing
VirusScan Enterprise 8.5i and Comparing Protection Levels. If you are performing this lab out
of order, install VirusScan Enterprise 8.5i with standard or maximum protection, and then install
the McAfee Anti-spyware module before proceeding with this lab.
Using the Buffer Overflow Test Tool on Microsoft Windows 2003 Operating System:
Note

Windows 2003 includes the Data Execution Prevention feature for preventing buffer overflow
conditions. As a result, the Buffer Overflow Test Tool used in this lab will not generate buffer
overflow conditions running under this O/S. To allow the Buffer Overflow Test Tool to function
with Windows 2003, disable Data Execution Prevention under System Properties > Advanced >
Performance Settings.

Buffer Overflow Protection - Configuration


1 Right-click the VirusScan Enterprise VShield icon in the System Tray, and select VirusScan
Console. If you receive a Beta dialog box, click OK.

2 Right-click on Buffer Overflow Protection and select Properties.

3 The Buffer Overflow Protection Properties dialog page will appear.

4 Note that there are only four main configuration options for Buffer Overflow:

Enable or disable Buffer Overflow Protection

Warning mode (notify) or Protection mode (block)

Enable or disable messages dialog on detection

Processes to exclude from Buffer Overflow scanning

5 Click OK.

6 Navigate to the Buffer Overflow Test Tool on your Desktop (Botest2new.zip).


7 Right-click the Botest2new.zip file and select Extract All.
8 Click Next on the Extraction Wizard dialog.
9 When prompted to select a folder to extract files to, click Browse and select the root of drive
C: (Local Disk (C:)).
10 Click Next. Click Finish.
11 The Extraction Wizard will automatically open the folder containing the extracted files.
12 Double-click on botest.bat.
13 VirusScan Enterprise will display the On-Access Scan Messages dialog, reporting the Buffer
Overflow detection.

14 Clear the alert messages from the On Access Scan Messages dialog.
15 Close the On-Access Scan Messages dialog.
16 Open the Buffer Overflow Protection Properties dialog page.
17 Under Buffer overflow exclusions, click the Add button.
18 The Buffer Overflow Exclusion dialog will appear.

19 In the Process name field, type Botest2.exe.


20 Click OK.
21 Click OK on the Buffer Overflow Protection Properties dialog.
22 Navigate to the drive C:\ window.
23 Double-click on botest.bat.
24 Note that VirusScan did not report a Buffer Overflow detection. The process, Botest2.exe,
has been excluded from Buffer Overflow scanning.
25 Close the drive C:\ window.
26 Navigate to VirusScan Console.
27 Right-click on Buffer Overflow Protection and choose View Log.
28 Examine the buffer overflow detections logged for this lab.
29 When finished, close Notepad to exit the log.

Review
The four configuration options for Buffer Overflow Protection are:

Enable/Disable ____________ ___________ ____________

_____________ mode or _______________ mode

Enable/Disable _______________ dialog box on detection

Buffer Overflow ___________________

A customer that reports false or unwanted Buffer Overflow Detections from a known, trusted
application should list the application process name in the Buffer Overflow ______________
section of the Buffer Overflow Properties, in order to prevent future detections of this
application.

On-Delivery E-Mail Scanner


McAfee VirusScan Enterprise 8.5i

Objectives
At the end of this section, the student will be able to:

Configure On-Delivery e-mail attachment scanning

Describe the advanced e-mail scanning configuration options

Configure actions for e-mail threat detection

Describe how to configure a detection alert e-mail

Specify Unwanted Program detection option for e-mail scanning

Explain the Notes Scanner Settings options

Configure On-Delivery E-mail Scan report logging options

On-Delivery E-mail Scanner Overview


The VirusScan Enterprise 8.5i On-Delivery E-mail Scanner provides protection from viruses
and unwanted programs delivered in e-mail messages, for users with Microsoft Outlook on
Exchange servers, and in database attachments for users with Lotus Notes clients on Lotus
Domino servers.
Additionally, the On-Delivery Email Scanner can scan for and detect unwanted scripts contained
within the body of e-mail messages (Outlook only), perform heuristic scanning for unknown
viruses and trojans, detect unknown macro viruses, and scan inside of archive files (example:
.ZIP files).
POP3 e-mail used with Microsoft Outlook or the Lotus Notes client is not supported with this
release of VirusScan Enterprise, although the detection of infected attachments in POP3
environments is possible.

Configuration
The On-Delivery E-mail Scanner has 7 tabs on its properties page. The tabs and their options are:

Detection Tab - Specify on-delivery scanning of e-mail and attachments

Attachments to scan

All file types (default) - Specifies scanning of all files regardless of type or extension.

Default + additional file types (#) - Specifies that scanning will occur only for the default
file types/extension list, and those types specifically added by the end-user. To view the
default types/extension list, click Additions and examine the Scanned by default list on
the Additional File Types dialog. This dialog is also used to add file types by extension
by selecting or typing the extension in the Add File Type field and clicking the Add
button.

Clicking the Select button will provide a comprehensive list of file type extensions that
you can choose to add to the scanning list.

Check the Also scan for macros in all attachments to allow the e-mail scanner to look for
macro viruses inside of file attachments.

Specified File Types - Only user-specified file types (by extension) will be scanned with
this option. Clicking the Specified button allows the end-user to add file types to the scan
list. A Select button listing known file types is also available for this option.

Advanced Tab - Specify advanced e-mail scanning options


Heuristics

Find unknown program viruses and trojans (default: enabled) - Allows the e-mail scanner
to perform heuristic scanning for viruses and trojans in e-mail attachments.

Find unknown macro viruses (default: enabled) - Allows the e-mail scanner to perform
heuristic scanning for macro viruses in e-mail attachments.

Find attachments with multiple extensions (default: disabled) - When enabled, will cause
detections on attachments that have multiple file extensions, for example file.com.txt.

Compressed files

Scan inside archives (e.g. .ZIP) (default: enabled) - Specifies whether the e-mail scanner
will attempt to scan the files within compressed archives such as those created by WinZip
and WinRAR. Password-protected and encrypted archives cannot be scanned.

Decode MIME encoded files (default: enabled) - Allows the e-mail scanner to scan
attachments encoded by e-mail systems that use MIME encoding for mail and
attachments.

E-mail message body (Setting for Outlook Scanner only)

Scan e-mail message body (Outlook Scanner only) (default: enabled) - Indicates whether
the e-mail scanner will scan Outlook message bodies for unwanted scripts. As the name
of this option suggests, it is supported for the Outlook client only.

Actions Tab - Specify how to respond when a threat is detected


When a threat is found

Primary Action - When a threat is found (default: Clean attachments) - Specifies the first
action that the e-mail scanner should attempt to take when a threat is detected. Primary
Action options are:

a Prompt for action
b Move attachments to a folder
c Delete attachments
d Continue scanning (no action)
e Clean attachments (default)
f Delete mail (Outlook only)

Secondary Action if the first action fails - Specifies what action the e-mail scanner should
take if the Primary Action fails (example: uncleanable virus infection). Secondary Action
options are:

a Prompt for action
b Move attachments to a folder (default)
c Delete attachments
d Continue scanning (no action)
e Delete mail (Outlook only)

Move to Folder

Move to Folder - specifies the mailbox folder that infected e-mail will be moved to, if the
action to Move attachments to a folder is selected as the Primary Action or Secondary
Action and other actions fail. The default folder is Quarantine.

Allowed actions in Prompt dialog box


When the Primary or Secondary Action is set to Prompt for action, this section defines which
actions will be available to the end-user on the prompt dialog when a detection occurs.

Clean attachment (default: enabled)

Delete attachment (default: enabled)

Move attachment (default: enabled)

Delete mail (for Outlook Scan only) (default: enabled)

Alerts Tab - Configure alert e-mails and messages


Email Alert

Send alert mail to user (default: disabled) - allows you to specify an email alert message
to be sent to a user or users when a detection occurs. Selecting this option and clicking
the Configure button will allow you to set recipients, subject, and body text for the alert
mail message.

If Prompt for Action is selected

Display custom message (default: disabled) - Selecting this option allows the end-user to
provide custom text that will appear on the prompt dialog, if Prompt for Action is selected
as one of the actions to take on detection. The default message is; McAfee VirusScan
Enterprise E-mail Scanner: Alert!.

Unwanted Programs Tab - Specify detection options for unwanted programs

Detection

Detect unwanted programs (default: enabled) - Selecting this option will apply the
Unwanted Programs Policy configured in VirusScan Console, to e-mail scanning. (See
Unwanted Programs Policy section for information on configuring scanning for
unwanted programs)

When an unwanted attachment is found

Primary Action - When an unwanted program is found (default: Clean attachments) - Specifies
the action to take when unwanted programs are detected by the e-mail scanner.
Available options are identical to the corresponding options on the Actions tab.

Secondary Action - If the first action fails (default: Move attachments to a folder) - Specifies
the action to take when the Primary Action fails. Available options are identical to the
corresponding options on the Actions tab.

Reports Tab - Configure the E-mail Scan activity log


Log file

Log to file (default: enabled) - allows you to enable/disable logging of e-mail scanner
detections.

Log file location (path) - by default the log will be created in [install
path]\Mcafee\DesktopProtection\EmailOnDeliveryLog.txt. A custom path and name for
the log file can be entered here.

Limit size of log file (default: enabled) - This option allows VirusScan to limit the log file
size to a user-configured maximum size in order to prevent excessive disk usage.

Maximum log file size (MB): By default this is set to 1MB with a maximum setting
available of 100MB.

Format - determines the text encoding method used when creating the log. By default,
Unicode (UTF8) is selected. Other options are ANSI and Unicode (UTF16).

View Log - This button will open the log in Notepad, or the application that is associated
with .txt files on the computer.

Session settings (default: disabled) - Selecting this option will cause VirusScan
Enterprise 8.5i to include a dump of its option settings in the log whenever an entry is
made. This can be a valuable troubleshooting tool when attempting to diagnose issues
with the On-Delivery E-mail Scanner. The On-Access Scanner and the On-Demand
Scanner may also be configured to record session settings on their respective Reports tabs.

Note

Users who have associated .txt files with WordPad may receive an error indicating that the log file
is in use and cannot be opened, when using the View Log button or context menu selection. To
resolve the issue, re-associate Notepad with the .txt file extension on the computer.

Session summary (default: enabled) - Specifies that summary information will be written
to the log when detection events are recorded, including: Engine version, AV DAT
version, number of signatures in extra.dat, and names of signatures in extra.dat.

Failure to scan encrypted files (default: enabled) - specifies that an entry will be made in
the log file when the e-mail scanner is unable to scan a file because it is encrypted.

Notes Scanner Settings


Server Scanning Settings

Scan all server databases (default: disabled) - allows the scanner to scan all attachments
being read or written to any Notes database located on the Domino server. It should be
noted that Notes email files are nothing more than special Notes databases.

Scan server mailboxes (default: enabled - !!mail\) - By default the Mailbox Root Folder
is set to !!mail\, which means to scan any files on the Domino server whose name includes
!!mail\ (the default mail folder on the server). Setting this value to is the same as
saying Scan all server databases. Setting this to a value like !!mail\username.nsf would
scan only that particular database (.nsf) file on the server.

Advanced Options

Databases to ignore (default: names.nsf, log.nsf, headline.nsf, bookmark.nsf) - Indicates
which databases will not be scanned for attachment reads or writes. Currently this field is
non-editable.

Notes Applications to Exclude (default: none) - Specifies Notes/Domino applications and
processes that can read and write from databases without triggering a scan. Example:
UPDALL (database indexing service).

Detection
When the On-Delivery E-mail Scanner detects a threat in an email message, the original email
will be placed in the Quarantine folder and the recipient will receive a McAfee E-mail Scan Alert
message in their inbox.

The alert email will include:

Sender name/address

Intended recipient name/address

MCAFEE E-MAIL SCAN ALERT! subject line

Name of the infected attachment file

The threat detected by the scanner

The action that was taken. If the Primary Action failed, the reason is also listed.

Items detected by the e-mail scanner will appear in the Quarantine folder (or user-defined folder)
in the Outlook or Notes mail client.

Please proceed to the next section: Unwanted Programs Policy.

Note

This Student Guide contains an optional lab for configuring and detecting threats using the
On-Delivery E-mail Scanner, utilizing a POP3 server tool. Note that although detections
of infected attachments will occur in this environment, it is not supported by VirusScan
Enterprise 8.5i, and customers should be discouraged from using the On-Delivery E-mail Scanner
in this manner. See Student Lab - On-Delivery E-mail Scanner Configuration and Detection.

Unwanted Programs Policy
McAfee VirusScan Enterprise 8.5i & McAfee Anti-spyware Enterprise Module

Objectives
At the end of this section, the student will be able to:

Configure Unwanted Programs Policy categories for scanning

Explain how to create Unwanted Program Policy scanning exclusions

Describe the process for creating User-Defined Detections of Unwanted Programs

Unwanted Programs Policy Overview

Note

The Unwanted Programs Policy descriptions and screenshots used in this section are for an
installation of VirusScan Enterprise 8.5i with the McAfee Anti-spyware Enterprise module.

VirusScan Enterprise 8.5i with the McAfee Anti-spyware Enterprise module provides
comprehensive protection from unwanted programs, including:

Spyware

Adware

Remote Administration Tools

Dialers

Password Crackers

Joke programs

Key loggers

Other Potentially Unwanted Programs

The Unwanted Programs Policy can be individually enabled or disabled for each scanner
(On-Delivery E-mail Scanner, On-Access Scanner, and On-Demand Scanner) on that
scanner's properties page.


Additionally, after installation of the McAfee Anti-spyware Enterprise module, the VirusScan
Enterprise 8.5i On-Access and On-Demand scanners are capable of scanning cookie files for
potentially unwanted content. (See the Installation section for detailed information on features
unlocked/enabled by the McAfee Anti-spyware Enterprise module installation in VirusScan
Enterprise 8.5i.)

Configuration
The Unwanted Programs Policy provides the following configuration options:

Detections Tab - Configure unwanted programs to be detected

Detections from DATs
Provides selection checkboxes for categories of unwanted programs. With the McAfee
Anti-spyware Enterprise module installed, the default is for all categories to be enabled.
Category selections are:

Spyware

Adware

Remote Administration Tools

Dialers

Password Crackers

Joke programs

Key loggers

Other Potentially Unwanted Programs


Unwanted Program Exclusions

This section contains the Exclusions button, which activates the Set Unwanted Program
Exclusions dialog. By clicking the Add button, end-users can type the exact detection name to
exclude, or browse to the detection name and select it.


Note

Wildcard characters are not valid for Unwanted Programs Policy exclusions. At the time of this
writing, the Unwanted Program Exclusion dialog allows the entry of wildcard characters as part
of an excluded program name (e.g. *.com); however, such an entry is invalid and will not
exclude anything from unwanted program scanning. Exact detection names are required for
exclusion from unwanted program scanning.

User-Defined Detections Tab - Configure user-defined unwanted programs

User-Defined Detection
User-Defined Detection allows end-users to name specific programs to be detected by the
Unwanted Programs Policy.
Clicking the Add button activates the User-Defined Unwanted Program dialog, where
end-users type the exact file name of the program they wish to detect, along with
Description text to be displayed in the Detected As field of the VirusScan Alert Message
dialog box. Wildcard characters are not allowed and cannot be entered in the Filename field.
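The lab that follows walks through these behaviours by hand. The Python below is an added, constructed model of the same decisions and is not McAfee code: DAT categories gate detection, an exclusion matches only an exact detection name (so a wildcard entry such as *.com excludes nothing), a user-defined detection matches only an exact file name, and DAT detection keys on file content, so renaming AVT_ADWARE.COM to .txt still triggers it. The signature bytes, detection names and file contents are made-up stand-ins for the AVT_* lab samples.

```python
"""Model of the Unwanted Programs Policy decisions: DAT categories,
exclusions by exact detection name, and user-defined detections by exact
file name.  Constructed example, not McAfee code.  The signature bytes,
detection names and file contents are made-up stand-ins for the AVT_*
samples used in the lab."""
from dataclasses import dataclass, field

# Constructed stand-in for the anti-spyware DAT: detection name -> (category, byte signature)
DAT_SIGNATURES = {
    "Spyware-AVT_SPYWARE": ("Spyware", b"AVT-SPYWARE-SAMPLE"),
    "Adware-AVT_ADWARE": ("Adware", b"AVT-ADWARE-SAMPLE"),
    "PWCracker-AVT_PWCRACK": ("Password Crackers", b"AVT-PWCRACK-SAMPLE"),
}

ALL_CATEGORIES = frozenset({
    "Spyware", "Adware", "Remote Administration Tools", "Dialers",
    "Password Crackers", "Joke programs", "Key loggers",
    "Other Potentially Unwanted Programs",
})


@dataclass
class UnwantedProgramsPolicy:
    enabled_categories: set = field(default_factory=lambda: set(ALL_CATEGORIES))
    exclusions: set = field(default_factory=set)      # exact detection names only
    user_defined: dict = field(default_factory=dict)  # exact file name -> description

    def scan(self, path, content):
        """Return the detection name/description for this file, or None if it is allowed."""
        filename = path.replace("/", "\\").rsplit("\\", 1)[-1]

        # 1. DAT detections look at the file's bytes, so renaming
        #    AVT_ADWARE.COM to AVT_ADWARE.txt changes nothing.
        for name, (category, signature) in DAT_SIGNATURES.items():
            if signature not in content:
                continue
            if category not in self.enabled_categories:
                return None          # category unchecked on the Detections tab
            if name in self.exclusions:
                return None          # excluded by its exact detection name
            return name

        # 2. User-defined detections match the exact file name (Windows names are
        #    case-insensitive, so compare case-folded), never the content.
        return self.user_defined.get(filename.upper())


def run_lab():
    """Replays the lab's scenarios and returns {scenario: detection-or-None}."""
    spyware = b"MZ..." + b"AVT-SPYWARE-SAMPLE"      # constructed sample bodies
    adware = b"MZ..." + b"AVT-ADWARE-SAMPLE"
    pwcrack = b"MZ..." + b"AVT-PWCRACK-SAMPLE"
    random_text = b"kjhsdf987sdf"

    policy = UnwantedProgramsPolicy()
    results = {}
    policy.enabled_categories.discard("Spyware")
    results["spyware, category unchecked"] = policy.scan(r"C:\Desktop\AVT_SPYWARE.COM", spyware)
    policy.enabled_categories.add("Spyware")
    results["spyware, category checked"] = policy.scan(r"C:\Desktop\AVT_SPYWARE.COM", spyware)
    results["adware renamed to .txt"] = policy.scan(r"C:\Desktop\AVT_ADWARE.txt", adware)

    policy.exclusions.add("PWCracker-AVT_PWCRACK")
    results["pwcracker, excluded by name"] = policy.scan(r"C:\Desktop\AVT_PWCRACKER.COM", pwcrack)
    policy.exclusions = {"*.com"}    # wildcard entry: accepted by the dialog, excludes nothing
    results["pwcracker, wildcard exclusion"] = policy.scan(r"C:\Desktop\AVT_PWCRACKER.COM", pwcrack)

    policy.user_defined["UDDTEST.COM"] = "MY USER DEFINED PROGRAM"
    results["user-defined, exact name"] = policy.scan(r"C:\Desktop\UDDTEST.com", random_text)
    results["user-defined, other name"] = policy.scan(r"C:\Desktop\UDDTEST.txt", random_text)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_lab().items():
        print(f"{scenario:32} -> {outcome or 'no detection'}")
```

The point to take from the two kinds of match is that a user-defined detection is only as strong as the file name, while a DAT detection survives renaming; exclusions, conversely, are only ever keyed on the detection name the DAT assigns, not on anything about the file.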


Please proceed to the next section: Student Lab - Unwanted Programs Policy Configuration
and Detection.


Student Lab - Unwanted Programs Policy Configuration and Detection

Objectives
Upon completion of this lab, the student will be able to:

Configure the Unwanted Programs Policy

Create User Defined Detection Policy

Demonstrate Unwanted Programs Detection

Lab Setup / Background Information

This lab can be conducted with each computer acting as a stand-alone workstation.
This lab is intended to demonstrate the Unwanted Programs Policy features of VirusScan
Enterprise 8.5i.
This lab requires the definition files and Unwanted Programs samples located in the ASDAT
folder on your desktop. If you do not have these files, please notify your instructor.
This lab is intended to use the existing installation and configuration created in Lab 1 - Installing
VirusScan Enterprise 8.5i and Comparing Protection Levels. If you are performing this lab out
of order, install VirusScan Enterprise 8.5i with standard or maximum protection, and then install
the McAfee Anti-spyware module before proceeding with this lab.

Unwanted Programs Policy Lab

Copy Test DATs
1 Right-click on the VirusScan Shield in the System Tray and choose Disable On-Access Scan.
2 Navigate to the ASDAT folder on your desktop. Double-click to open the folder.
3 Select the following files and copy them: avvclean.dat, avvnames.dat, avvscan.dat,
mcscan.vlt.
4 Navigate to your desktop and double-click on the My Computer icon.
5 Navigate to the following path: C:\Program Files\Common Files\McAfee\Engine


6 Paste the files in the Engine folder. When prompted with an overwrite warning, click Yes to
All. The definition files needed to detect our test samples are now in place.
7 Close all folder windows and return to your desktop.

Detecting Unwanted Programs by Category

8 Navigate to VirusScan Console.
9 Right-click on Unwanted Programs Policy and select Properties.
10 Under Detections from DATs, note the categories of unwanted programs that are included in
the DAT files.
11 Remove the checkmark from the Spyware category. Click OK.

12 Enable the On-Access Scanner.


13 In VirusScan Console, right-click on On-Access Scanner and choose Properties.
14 In the left pane, select All Processes.
15 Select the Unwanted Programs tab.
16 Under Detection, ensure that there is a checkmark in Detect unwanted programs. Click OK.
17 Navigate to your desktop and open the ASDAT folder.


18 Right-click on the file AVT_SPYWARE.COM and choose copy.


19 Place your cursor on your desktop. Right-click and select Paste. Note that you did not receive
a detection alert for this spyware.
20 Delete the AVT_SPYWARE.COM file from your desktop.
21 In VirusScan Console, open the Unwanted Programs Policy Properties.
22 Place a checkmark in the Spyware category. Click OK.
23 Navigate to the ASDAT folder.
24 Right-click on the file AVT_SPYWARE.COM and choose copy.
25 Place your cursor on your desktop. Right-click and select Paste.
26 You will receive a VirusScan On-Access Scan Message Alert indicating detection of the
spyware sample AVT_SPYWARE.COM. Note that this sample was uncleanable and
therefore was deleted.

27 When you're finished examining the alert dialog, click Remove Message until all alert
messages have been deleted. Close the On-Access Scan Messages window.
28 Click OK on the Error Copying File or Folder dialog.

Unwanted Program Extensions

29 Right-click on the VShield icon in the System Tray and choose Disable On-Access Scan.
30 Navigate to the ASDAT folder on your desktop.
31 Right-click on AVT_ADWARE.COM and choose Rename.
32 Rename this file to AVT_ADWARE.txt. If you receive a rename warning, click Yes.
33 Enable the On-Access Scanner.
34 Right-click on the AVT_ADWARE.txt file and select Copy.


35 Right-click on your desktop and select Paste.


36 You will receive a VirusScan On-Access Scan Message Alert indicating detection of the
adware sample AVT_ADWARE.txt. Note that the unwanted program was detected
regardless of the change in the filename extension.
37 When you're finished examining the alert dialog, remove the message and close the
On-Access Scan Messages window.
38 Click OK on the Error Copying File or Folder dialog.

Exclusions
39 Disable the On-Access Scanner.
40 Open the Unwanted Programs Policy Properties.
41 At the bottom of the Detection tab, click the Exclusions button.
42 In the Set Unwanted Program Exclusions dialog, click the Add button.

43 On the Unwanted Program Exclusion dialog, click Browse.


44 This will activate the Detection Exclusion dialog. Here, you can select a detection from
the list of possible detections contained within the DATs, or you can search for a detection by
substring and display only those detections whose names contain the text you supply.

45 From the DAT detection list, select PWCracker-AVT_PWCRACK. Click OK.


46 Click OK on the Unwanted Program Exclusion dialog.
47 Click OK on the Set Unwanted Programs Exclusions dialog.
48 Click OK on the Unwanted Programs Policy dialog.
49 Enable the On-Access Scanner.
50 Navigate to the ASDAT folder. Right-click on the AVT_PWCRACKER.COM file and
select Copy.
51 Right-click on your desktop and select Paste. Note that because the unwanted program has
been excluded from Unwanted Programs Policy scanning, no detection occurs.
52 Delete AVT_PWCRACKER.COM from your Desktop.

Detection of Multiple Unwanted Programs


53 Close all open windows.


54 Disable the On-Access Scanner.


55 Navigate to the ASDAT folder on your Desktop and right-click on AS-SAMPLE.zip. Select
Extract All.
56 Use the Extraction Wizard to extract all files to the ASDAT folder. Click the Password
button; the password to extract is spycar. If you receive an overwrite warning, click Yes to
All.
57 Once the files have extracted, close the ASDAT folder window.
58 Enable the On-Access Scanner.
59 Right-click on the ASDAT folder on your Desktop and choose copy.
60 Right-click on your Desktop and choose paste.
61 You will receive a VirusScan On-Access Scan Message Alert indicating detection of
multiple unwanted program samples that were located in the ASDAT folder.
62 Remove the detection messages and close the On-Access Scan Message Alert window. Click
OK on the Error Copying File or Folder dialog.
63 Close the ASDAT folder window.
64 Locate and open the Copy of ASDAT folder on your Desktop. Note that only the
password-protected archive AS-SAMPLE.zip remains because the On-Access Scanner
cannot scan inside password-protected archives, and AVT_PWCRACKER.COM because
we have excluded it from detection.

Note

The DAT files that were located in the ASDAT folder were not copied because the copy process
was terminated by the On-Access Scanner prior to completing the operation.

65 Delete the Copy of ASDAT folder from your Desktop.

User-Defined Detection
66 Disable the On-Access Scanner.
67 Open the ASDAT folder on your Desktop.
68 Right-click in the window, click New, click Text Document.
69 Name the document UDDTEST.txt.
70 Open the UDDTEST.txt file and enter random characters. Save the document.
71 Rename UDDTEST.txt to UDDTEST.COM. Click OK on the extension warning.
72 Navigate to the VirusScan Console.
73 Open Unwanted Programs Policy Properties.
74 Click the User-Defined Detection tab.
75 Click the Add button.
76 On the User-Defined Unwanted Program dialog, in the Filename field, type
UDDTEST.COM.


77 In the Description field, type MY USER DEFINED PROGRAM. Click OK.

78 Click OK on the Unwanted Programs Policy dialog.


79 Enable the On-Access Scanner.
80 Navigate to the ASDAT folder on your Desktop.
81 Right-click UDDTEST.COM and select Copy.
82 Navigate to your Desktop and Paste.
83 The On-Access Scan Messages alert dialog will appear indicating a User-Defined Detection
has occurred. Note that because the file was uncleanable, it was deleted.

84 Remove the detection messages from the alert window and click Close Window.
85 Close all open windows.

Review
Spyware, Adware, Dialers and Password Crackers are examples of _____________
_______________ categories.
T / F When excluding files from Unwanted Programs Policy scanning, you may use wildcard
characters in the filename to exclude. (Circle True or False)
T / F Unwanted programs such as Spyware or Adware can be made immune to scanning simply
by changing the file extension to a non-executable file type. (Circle True or False)
Unwanted programs contained within ______________-protected archives cannot be detected
by the On-Access Scanner.


On-Access Scanner
McAfee VirusScan Enterprise 8.5i

Objectives
At the end of this section, the student will be able to:

Configure On-Access General and All Processes settings

Explain how to define Low-Risk and High-Risk processes

Configure On-Access settings for Low-Risk and High-Risk processes

On-Access Scanner Overview


The On-Access Scanner component of VirusScan Enterprise 8.5i provides real-time protection
against a variety of threats. The On-Access Scanner not only scans for viruses, trojans and
worms, but also provides the scanner for Access Protection rules, Buffer Overflow Protection,
as well as script and cookie scanning.
The introduction of the 5000-series scanning engine into VirusScan Enterprise 8.5i expands the
product's capabilities by providing registry deep-scanning, native cookie scanning, and
improved heuristics.
By defining low and high risk processes, end-users can customize the configuration of the
On-Access Scanner to use different options for low-risk, and high-risk threats, providing greater
flexibility in securing computer systems.


Configuration
Configuration options for the On-Access Scanner are separated into two categories: General
Settings, which apply to all on-access scanning, and Processes, which apply either to all
processes or to low-risk and high-risk processes, depending on your option configuration.

General Settings
The General Settings section of the On-Access Scanner properties page has the following
options available:

General Tab - Configure general On-Access Scan settings

Scan

Boot sectors (default: enabled) - instructs the on-access scanner to scan the boot sector of
hard and floppy disks for boot sector viruses.

Floppy during shutdown (default: enabled) - specifies that the on-access scanner will scan
disks in the floppy disk drive when Windows shuts down.

General

Enable on-access scanning at system startup (default: enabled) - specifies that the
on-access scanner will be activated when Windows starts.


Scan Time

Maximum archive scan time (seconds) (default: 15) - specifies the number of seconds the
On-Access Scanner may attempt to scan an archive file before timing out.

Enforce a maximum scanning time for all files (default: enabled) - selecting this option
applies the Maximum scan time (seconds) setting to the On-Access Scanner.

Maximum scan time (seconds) (default: 45) - specifies the number of seconds the On-Access
Scanner may attempt to scan any file before timing out.

Note

There are two types of timeouts: graceful and fatal. In a graceful timeout, once the maximum
scan time has been exceeded, the On-Access Scanner abandons the scan and records the timeout
in the On-Access Scan Log. In a fatal timeout, the first timeout value is reached but the scan
fails to abandon, so McShield terminates itself to avoid locking up the system. This is
recorded in the System event log as McShield terminating unexpectedly.

Cookies

Scan cookie files (default: enabled) - Indicates that the On-Access Scanner should scan for
unwanted cookie files.
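The graceful and fatal timeouts described under Scan Time above are a cooperative deadline with a watchdog behind it. The Python below is an added illustration of that pattern and not McAfee code: the scan runs on a worker thread, is asked to abandon when the maximum scan time passes, and if it ignores the request for a further grace period the watchdog records what the product does in a fatal timeout. The three scanner functions and the log entries are constructed for the example.

```python
"""Scan timeouts as a cooperative deadline plus a watchdog, modelling the
graceful vs fatal timeout behaviour described for the On-Access Scanner's
Scan Time settings.  Constructed example, not McAfee code; the scanner
functions and the log lines are made up."""
import threading
import time


class ScanAbandoned(Exception):
    """Raised by a well-behaved scanner when it is asked to stop."""


def scan_with_timeout(scan_fn, max_scan_time, fatal_grace, log):
    """Run scan_fn(cancel_event) on a worker thread and enforce a deadline.

    Outcomes:
      ("ok", result)              scan finished inside max_scan_time
      ("graceful-timeout", None)  deadline hit and the scanner abandoned the scan
                                  when asked; entry goes to the on-access scan log
      ("fatal-timeout", None)     deadline hit and the scanner ignored the cancel
                                  request for fatal_grace more seconds; the watchdog
                                  logs the service termination instead
    """
    cancel = threading.Event()
    outcome = {}

    def worker():
        try:
            outcome["result"] = scan_fn(cancel)
        except ScanAbandoned:
            outcome["abandoned"] = True

    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(max_scan_time)
    if not t.is_alive():
        return "ok", outcome.get("result")

    cancel.set()                      # first timeout: ask the scanner to abandon
    t.join(fatal_grace)
    if not t.is_alive():
        log.append(("OnAccessScanLog.txt", f"scan abandoned after {max_scan_time}s (timeout)"))
        return "graceful-timeout", None

    # The scan failed to abandon: in the product McShield terminates itself
    # rather than leave the file operation blocked indefinitely.
    log.append(("System event log", "McShield terminated unexpectedly (fatal scan timeout)"))
    return "fatal-timeout", None


# Three constructed scanners, one per outcome.
def quick_scan(cancel):
    return "clean"


def cooperative_slow_scan(cancel):
    """Checks the cancel flag between chunks, like a scanner walking an archive."""
    for _ in range(100):
        if cancel.is_set():
            raise ScanAbandoned()
        time.sleep(0.02)
    return "clean"


def stuck_scan(cancel):
    """Never looks at the cancel flag (e.g. blocked inside a decompressor)."""
    time.sleep(5)
    return "clean"


def run_demo():
    """Returns ({scanner: outcome}, log entries) using short deadlines for the demo."""
    log = []
    results = {
        "quick": scan_with_timeout(quick_scan, 0.2, 0.2, log)[0],
        "cooperative": scan_with_timeout(cooperative_slow_scan, 0.2, 0.2, log)[0],
        "stuck": scan_with_timeout(stuck_scan, 0.2, 0.2, log)[0],
    }
    return results, log


if __name__ == "__main__":
    results, log = run_demo()
    for name, status in results.items():
        print(f"{name:12} -> {status}")
    for target, entry in log:
        print(f"[{target}] {entry}")
```

The practical consequence for an operator is where to look: a graceful timeout shows up in the on-access scan log as a file that was never fully scanned, while a fatal timeout shows up only in the System event log as a service crash, with no scan-log entry for the file that caused it.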

ScriptScan Tab - Configure settings for On-Access script scanning

ScriptScan detects unwanted JavaScript and VBScript scripts that are executed by the Windows
Scripting Host.

ScriptScan

Enable ScriptScan (default: enabled) - enables/disables the script scanning function of the
On-Access Scanner


ScriptScan exclusions (default: none) - allows the end-user to add process names to exclude
from script scanning. Clicking the Add button will activate the ScriptScan Exclusion dialog
where you can type the full process name. Wildcards are not allowed in this field.


Why can't VirusScan Enterprise 8.5i ScriptScan exclude scripts by site? Because it is not
technically possible: ScriptScan intercepts a function that is analogous to "run this script".
If the function were "run this script from this source", exclusions based on source could be
implemented.

Note

With the VSE 8.5i release we expect to see about a 60% ScriptScan performance improvement,
primarily due to improvements in the 5100 engine, but we can still only exclude by process, not
by URL. However, disabling ScriptScan does not leave the customer completely unprotected.
Scripts can run in memory before they touch the hard drive; once they are written to disk, the
On-Access Scanner detects them and also triggers a memory scan to terminate the running process.
The small window between a script running in memory and being written to disk is the gap
ScriptScan was created to close. If the customer is having performance problems they should
consider disabling ScriptScan, because in their case the cost of the protection may outweigh
the risk it mitigates.

Blocking Tab - Configure scanner actions when a remote computer writes a threat to the system

Message

Send a message (default: disabled) - Select this option to have the On-Access Scanner
generate an alert message when a remote system writes a threat to the current system. Type
the desired alert text in the field provided.

Block

Block the connection (default: enabled) - Instructs the On-Access Scanner to block the
incoming connection from computers that write threats to the system.

Unblock connections after (minutes) (default: 10) - specifies how long the remote computer
connection will be blocked after detection of a threat written from the remote computer.


Block if an unwanted program is detected (default: disabled) - Instructs the On-Access
Scanner to also block the incoming connection from computers that write unwanted programs to
the system. The Unblock connections after (minutes) value applies to this setting if enabled.

Messages tab - Configure alert messages and available user actions


This tab is used to configure whether the messages dialog box displays when a detection occurs
and what actions users can take on the items in the list.

Messages for local users

Show the messages dialog when a detection occurs (default: enabled) - Specifies whether the
Alert Message dialog will appear when an On-Access detection occurs.

Alert when a cookie detection occurs (default: disabled) - Specifies that the Alert Message
dialog will appear when an unwanted cookie detection occurs.

Text to display in message (default: VirusScan Alert!) - Allows for a custom message to
appear in the Alert Message dialog when a detection occurs. Type the desired text into the
field provided.

Specify what actions users without administrative rights can perform on messages in the list
(default: Remove messages, Clean files) - Defines the actions that end-users are allowed to
take on the Alert Messages dialog. Available options are:

Remove messages from the list (delete the alert message from the alert dialog)

Clean files

Delete files


Reports tab - Configure scan activity logging


Log file

Log to file (default: enabled) - Specifies whether the On-Access Scanner will record
scanning activity to the log file. You can specify a custom path for log files in the field
provided. By default, the On-Access Scan log will be written to
%DEFLOGDIR%\Mcafee\DesktopProtection\OnAccessScanLog.txt.

Limit size of log file (default: enabled) - Instructs the On-Access Scanner to limit the
maximum log file to the size specified.

Maximum log file size (MB) (default: 1 MB) - specifies the size limit for the On-Access log.
Maximum entry: 999 MB.

Format (default: Unicode (UTF8)) - Indicates the encoding format for the text file containing
the On-Access log entries. Options are: ANSI, Unicode (UTF8) and Unicode (UTF16).

What to log in addition to scanning activity

Session settings (default: disabled) - When enabled, instructs the On-Access Scanner to
provide a dump of all VirusScan Enterprise configuration settings to the log, whenever an
event is logged. This option is primarily used as a troubleshooting tool. Leaving this option
enabled will cause the log to reach maximum size more quickly.


Session summary (default: enabled) - Instructs the On-Access Scanner to provide a summary
of VirusScan core components such as scan engine version, DAT version, signatures in
extra.dat, etc.

Failure to scan encrypted files (default: enabled) - Specifies that a log entry will be made
whenever the On-Access Scanner is unable to scan a file because it is encrypted.


Processes (All Processes, Low-Risk, and High-Risk Processes)

Processes Tab - Configure all processes, or processes by risk
By default, VirusScan Enterprise 8.5i will be configured to use the processes settings for All
Processes. However, you can choose to set different process configuration options for processes
that you define as either low-risk, or high-risk, providing for greater flexibility in your
environment.

The screenshot above shows the On-Access Scan Properties page with its default setting; Use
the settings on these tabs for all processes. In this configuration, the options configured for All
Processes will apply to all process scanning performed by the On-Access Scanner.


The screenshot above shows the Low-Risk and High-Risk Processes section selections when
choosing Use different settings for high-risk and low-risk processes. Note that All Processes has
now become Default Processes.
When selecting the option Use different settings for high-risk and low-risk processes, three
separate configurations are enabled: configuration for low-risk processes, configuration for
high-risk processes, and configuration for default (undefined risk) processes.

Note

Processes not listed as either high-risk, or low-risk, will be handled according to the Default
Processes settings.


Although the default values for some options are different for low-risk and high-risk processes,
the configuration options for each risk level are identical, with the exception of the list used to
define high-risk and low-risk processes.

The Low-Risk processes tab is shown above, with the default low-risk process list.


The High-Risk processes tab is shown above with the partial default high-risk process list.
You may add processes to the Low-Risk or High-Risk list by clicking the Add button on the
Process tab (either Low-Risk or High-Risk). This will activate the Select Application dialog
where you can select an application from the list or browse to the application you wish to define
as high-risk or low-risk.


You may also remove processes from the low-risk and high-risk lists by selecting the process in
the list and clicking the Remove button. Once removed, the process will be scanned according
to the Default Processes settings, unless it is assigned a risk level by adding it to the appropriate
process risk list.

Detection tab - Specify when and what will be scanned

Scan Files

When writing to disk (default: enabled, all risk) - Instructs the On-Access Scanner to scan all
write operations on all local disk drives.

When reading from disk (default: enabled, all risk) - Instructs the On-Access Scanner to scan
all read operation on all local disk drives.

On network drives (default: disabled, all risk) - Instructs the On-Access Scanner to scan files
located on network drives, based upon the scan on write and scan on read options configured
above.

What to scan

All files (default) - Instructs the On-Access Scanner to scan all files types that fit within the
scan parameters.

Default + additional file types (count) - When selected, instructs the On-Access Scanner to
scan only file types with the extensions listed on the default scan type list, plus any end-user
additions to that list. The count value will display the number of user-defined types on the
list.

Specified file types (count) - When selected, instructs the On-Access Scanner to scan only
file types with the extensions defined by the end-user. The count value will display the
number of user-defined types on the list.

What not to scan

Exclude disks, files, and folders (count) - specifies a list of disk drives, folders, and/or files
that will be excluded from On-Access Scanning.
Defaults:

Default Processes / All Processes: Exclude files protected by Windows File Protection
(exclude on read)

Low-Risk Processes: Exclude files protected by Windows File Protection (exclude on read)

High-Risk Processes: No default exclusions


Windows File Protection (WFP) prevents programs from replacing critical Windows system
files. Programs must not overwrite these files because they are used by the operating system and
by other programs. Protecting these files prevents problems with programs and the operating
system.

Note

WFP protects critical system files that are installed as part of Windows (for example, files with
a .dll, .exe, .ocx, and .sys extension and some True Type fonts). WFP uses the file signatures and
catalog files that are generated by code signing to verify if protected system files are the correct
Microsoft versions.
Source: http://support.microsoft.com/default.aspx?scid=kb;EN-US;222193
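To make the interaction between process risk class and the Detection tab concrete, the following Python is an added model of the decision and is not McAfee code: which profile a process gets, and whether a given read or write is scanned under that profile's read/write, network-drive, file-type and exclusion settings. The risk lists, the default extension list and the set of WFP-protected files are assumed stand-ins; the real lists are the ones shown in the product.

```python
"""Model of the On-Access Scanner's per-process Detection tab: which file
operations get scanned depends on the risk class of the process and on that
class's scan-on-read/write, network-drive, file-type and exclusion settings.
Constructed example, not McAfee code; the risk lists, the "default" extension
list and the WFP-protected file set are assumed stand-ins for the product's
real lists."""
from dataclasses import dataclass, field

# Assumed subset of the product's default scan-type extension list
DEFAULT_EXTENSIONS = frozenset({"exe", "com", "dll", "sys", "ocx", "scr", "vbs", "js", "doc", "xls"})

# Assumed stand-in for files under Windows File Protection
WFP_PROTECTED = frozenset({r"c:\windows\system32\kernel32.dll", r"c:\windows\system32\ntoskrnl.exe"})

# Assumed risk lists; the product ships its own defaults for each
LOW_RISK_PROCESSES = frozenset({"ntbackup.exe", "mcshield.exe"})
HIGH_RISK_PROCESSES = frozenset({"iexplore.exe", "outlook.exe", "wscript.exe"})


@dataclass
class DetectionSettings:
    scan_on_write: bool = True
    scan_on_read: bool = True
    scan_network_drives: bool = False
    what_to_scan: str = "all"                 # "all" | "default_plus" | "specified"
    additional_types: set = field(default_factory=set)
    specified_types: set = field(default_factory=set)
    exclude_wfp_on_read: bool = True          # "Exclude files protected by WFP (exclude on read)"
    excluded_paths: set = field(default_factory=set)   # disks/folders/files, prefix match


# Defaults per risk class as documented on the Detection tab: High-Risk has no
# default exclusions; Default and Low-Risk exclude WFP-protected files on read.
PROFILES = {
    "default": DetectionSettings(),
    "low-risk": DetectionSettings(),
    "high-risk": DetectionSettings(exclude_wfp_on_read=False),
}


def risk_class(process, split_by_risk=True):
    """'default' for everything when 'Use the settings on these tabs for all
    processes' is selected; otherwise the list the process appears on, or
    'default' (Default Processes) when it is on neither list."""
    if not split_by_risk:
        return "default"
    name = process.lower()
    if name in HIGH_RISK_PROCESSES:
        return "high-risk"
    if name in LOW_RISK_PROCESSES:
        return "low-risk"
    return "default"


def should_scan(settings, path, op):
    """op is 'read' or 'write'.  True when the On-Access Scanner would scan the file."""
    p = path.lower()
    if op == "read" and not settings.scan_on_read:
        return False
    if op == "write" and not settings.scan_on_write:
        return False
    # A UNC path stands in for 'network drive' (a mapped drive letter would need a lookup)
    if p.startswith("\\\\") and not settings.scan_network_drives:
        return False
    if any(p.startswith(x.lower()) for x in settings.excluded_paths):
        return False
    # The WFP default exclusion applies to reads only: a write to a protected
    # file (an attempt to replace it) is still scanned.
    if op == "read" and settings.exclude_wfp_on_read and p in WFP_PROTECTED:
        return False
    name = p.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if settings.what_to_scan == "default_plus":
        return ext in DEFAULT_EXTENSIONS or ext in settings.additional_types
    if settings.what_to_scan == "specified":
        return ext in settings.specified_types
    return True   # "All files"


def on_access(process, path, op, split_by_risk=True):
    """Full decision: pick the profile for the process, then apply its settings."""
    return should_scan(PROFILES[risk_class(process, split_by_risk)], path, op)


if __name__ == "__main__":
    k32 = r"c:\windows\system32\kernel32.dll"
    for proc, path, op in [("notepad.exe", k32, "read"), ("notepad.exe", k32, "write"),
                           ("iexplore.exe", k32, "read"), ("notepad.exe", r"\\srv\share\x.exe", "read")]:
        print(f"{proc:12} {op:5} {path:40} -> {'scan' if on_access(proc, path, op) else 'skip'}")
```

Two consequences worth checking in a real policy follow directly from the model: a process that is on neither list silently inherits Default Processes, so a browser or mail client that is renamed or updated to a new executable name drops out of the high-risk profile; and the WFP exclusion is read-only, so it never exempts a write that tries to replace a protected binary.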

Advanced Tab - Specify advanced scanning options

Heuristics

Find unknown program viruses and trojans - Allows the On-Access Scanner to perform
heuristic scanning for viruses and trojans.
Defaults:

Default Processes and High-Risk Processes: enabled

Low-Risk Processes: disabled

Find unknown macro viruses - Allows the On-Access Scanner to perform heuristic scanning
for macro viruses.


Defaults:

Default Processes and High-Risk Processes: enabled

Low-Risk Processes: disabled

Compressed files

Scan inside archives (e.g. .ZIP) (default: disabled, all risk) - Specifies whether the On-Access
Scanner will attempt to scan the files within compressed archives such as those created by
WinZip and WinRAR. Password-protected and encrypted archives cannot be scanned.

Decode MIME encoded files (default: disabled, all risk) - Allows the On-Access Scanner to
scan files encoded by e-mail systems that use MIME encoding for mail and file attachments.

Miscellaneous
Scan files opened for Backup (default: enabled, all risk) - This setting instructs the
On-Access scanner to scan the read/write operations used by backup programs when
performing system backups. Backup programs use a special Windows API for these
operations which is distinctive from standard file read/write operations.

Note

Customers who report that system backups are taking too long to complete may want to disable
this feature to improve system performance. Trusted backup programs should present a low-risk
of delivering threats to the systems on which they operate.


Actions Tab - Specify how to respond when a threat is detected

When a threat is found

Primary Action - When a threat is found (default: Clean files automatically, all risk)
Options:

Deny access to files

Delete files automatically

Clean files automatically (default for all risk levels)

Secondary Action - if the first action fails (default: Delete files automatically, all risk)
Options:

Deny access to files

Delete files automatically (default for all risk levels)


Unwanted Programs tab - Specify options for unwanted programs

Detection

Detect unwanted programs (default: enabled, all risk) - Instructs the On-Access Scanner to
apply the Unwanted Programs Policy to On-Access scanning.

When an unwanted program is found

Primary Action (default: Clean files automatically, all risk)
Options:

Deny access to files

Allow access to files

Delete files automatically

Clean files automatically (default for all risk levels)

Secondary Action - if the first action fails (default: Delete files automatically, all risk)
Options:

Deny access to files

Allow access to files

Delete files automatically (default for all risk levels)


Please proceed to the next section: Student Lab - On-Access Scanner Configuration and
Detection


Student Lab - On-Access Scanner Configuration and Detection

Objectives
Upon completion of this lab, the student will be able to:

Set configuration options for the On-Access Scanner

Demonstrate On-Access detection of threats

Lab Setup / Background Information

This lab can be conducted with each computer acting as a stand-alone workstation.
This lab is intended to demonstrate the On-Access Scanner (OAS) for VirusScan Enterprise 8.5i.
Because EICAR detection by OAS is common, this lab will focus on the OAS heuristic, and
script scanning functionality.
This lab is intended to use the existing installation and configuration created in Lab 1 - Installing
VirusScan Enterprise 8.5i and Comparing Protection Levels. If you are performing this lab out
of order, install VirusScan Enterprise 8.5i with standard or maximum protection, and then install
the McAfee Anti-spyware module before proceeding with this lab. You will then also need to
copy the DAT files from the ASDAT folder to the
C:\Program Files\Common Files\McAfee\Engine folder before proceeding.
This lab requires the test DAT and samples contained within the OASDAT folder located on
your Desktop. If these files are unavailable, please notify your instructor.

On-Access Scanner Configuration and Detection


Scanning for Unknown Threats (Heuristics)
1 Right-click on the VirusScan VShield icon in System Tray and select Disable On-Access
Scanner.
2 Navigate to the OASDAT folder located on your Desktop.
3 Right-click on CleansetSubset.zip and select Extract All.
4 The Extraction Wizard dialog will display. Click Next.

99

McAfee VirusScan Enterprise 8.5i Lab

Student Lab - On-Access Scanner Configuration and Detection



5 Select a destination of the OASDAT folder located on your Desktop.

6 Click the Password button. The password to extract this file is cleanset. Enter the password
and click Next.
7 You have successfully extracted the cleanset test package for this lab. Click Cancel.
8 Navigate to VirusScan Console.
9 Double-click On-Access Scanner in order to open its Properties page.
10 In the left pane, click All Processes.
11 Click the Advanced tab.

12 Remove the checkmarks from Find unknown unwanted programs and trojans and Find
unknown macro viruses.

13 Click OK.
14 Enable the VirusScan On-Access Scanner.
15 Navigate to the OASDAT folder on your Desktop.
16 Select and copy the files MANALYSE.COM and PANALYSE.COM.
17 Paste them to your Desktop.
18 Notice that you did not receive a detection from the On-Access Scanner when copying these
files.
19 Delete the files MANALYSE.COM and PANALYSE.COM from your Desktop.
20 Navigate to VirusScan Console.
21 Open the On-Access Scanner Properties page.
22 Click on All Processes.
23 Click the Advanced tab.
24 Place a checkmark in front of Find unknown unwanted programs and trojans.
25 Click OK.
26 Navigate to the OASDAT folder from your Desktop.

27 Select and copy the files MANALYSE.COM and PANALYSE.COM.


28 Paste them to your Desktop.
29 Notice that only PANALYSE.COM was detected. PANALYSE.COM is a test heuristic
virus and was detected by the Heuristic scanner (Find unknown unwanted programs and
trojans).

30 Notice that MANALYSE, which is a test heuristic macro virus, was not detected and was
copied to your Desktop.
31 Click Remove Message. Close the On-Access Scan Message window.
32 Click OK on the Error Copying File or Folder dialog.
33 Delete MANALYSE.COM from your Desktop.
34 Navigate to VirusScan Console.
35 Open the On-Access Scanner Properties page.
36 Click on All Processes.
37 Click on the Advanced tab.
38 Place a checkmark in front of Find unknown macro viruses.
39 Click OK.
40 Navigate to the OASDAT folder on your Desktop.
41 Copy and paste MANALYSE.COM to your Desktop.
42 Note that this file is now detected because we have enabled scanning for heuristic macro
viruses.
43 Click the Remove Message button on the On-Access Scan Messages alert dialog and then
close the alert dialog window.
44 Click OK on the Error Copying File or Folder dialog.

ScriptScan
1 Disable the VirusScan On-Access Scanner.
2 Navigate to VirusScan Console and open the On-Access Scanner Properties page.
3 Click on All Processes and go to the Detection tab.
4 Click the Exclusions button.
5 This will open the Set Exclusions dialog. Click Add.
6 This will open the Add Exclusion Item dialog.
7 Use the Browse button to navigate to your Desktop.
8 Select the OASDAT folder and click OK.
9 On the Add Exclusion Item dialog, under What to exclude, place a checkmark in Also
exclude subfolders.
10 Note that When to exclude is set to exclude on read and write actions.
11 Click OK.
12 Click OK on the Set Exclusions dialog.
13 Click OK on the On-Access Scanner Properties dialog.
14 Navigate to the OASDAT folder on your Desktop.
15 Right-click on ScriptSet.zip and select Extract All.
16 Using the Extraction Wizard, select a destination of the OASDAT folder located on your
Desktop.
17 Enter the extraction password: scriptscan.
18 Once the files are extracted, click Cancel on the Extraction Wizard dialog.
19 In the OASDAT folder, open the subfolder ScriptSet.
20 Copy the EXTRA.DAT file and paste it to C:\Program Files\Common Files\McAfee\Engine.
Close the McAfee\Engine folder window.

21 Right-click on the VirusScan VShield icon in System Tray, and select About VirusScan
Enterprise.

22 Note that VirusScan now reports Number of signatures in extra.dat (5).


23 Click OK to close the About VirusScan Enterprise dialog box.
24 In VirusScan Console, double-click On-Access Scanner to open its Properties page.
25 Click on the ScriptScan tab.
26 Remove the checkbox from Enable ScriptScan.
27 Click OK.
28 Enable the VirusScan On-Access Scanner.
29 Navigate to the ScriptSet folder located in the OASDAT folder.
30 Double-click scriptscan_noid.vbs to execute the script.
31 If a Security Warning dialog appears, click Run.
32 The script will execute and present a dialog box with the EICAR Test String characters
indicating that the script successfully executed. Note that the On-Access Scanner did not
detect this script execution.

33 Click OK.
34 In VirusScan Console, open the Properties page for On-Access Scanner.

35 Click the ScriptScan tab.


36 Place a checkmark in front of Enable ScriptScan.
37 Click OK. Note that the OAS folder and subfolder are still excluded from On-Access
Scanning.
38 In the ScriptSet folder, double-click on scriptscan_noid.vbs.
39 You will receive a detection warning indicating that this script has been blocked.
Additionally, you may receive a Windows Script Host error dialog indicating that the script
cannot be found. Click OK on this warning dialog to close it.

40 Note that even though the On-Access Scanner was excluded from scanning the folder
containing the test script, ScriptScan detected the script process execution and blocked the
threat.
41 Click the Remove Message button to remove the detection message from the On-Access
Scan Messages dialog. Click Close Window.
42 In VirusScan Console, right-click On-Access Scanner and select View Log.
43 Look at the detection information for scriptscan_noid.vbs. Note that the process executed
was WScript.exe, the Windows Scripting Host.

44 In VirusScan Console, open the On-Access Scanner Properties page. Click the ScriptScan
tab.
45 Under ScriptScan exclusions, click the Add button.

46 In the Process name field, type WScript.exe. Note that wildcard characters are not allowed.

47 Click OK.
48 Click OK on the On-Access Scanner Properties dialog.
49 In the ScriptScan folder, double-click scriptscan_qhit.vbs to execute.
50 Note that the script was not detected because the WScript.exe process has been excluded
from script scanning.

Note

By excluding the process WScript.exe from ScriptScan, we have excluded detection for most
scripts executed on this computer. However, the On-Access Scanner will continue to detect most
scripts that are executed, as long as the folders they are executed from are not excluded from
On-Access Scanning.

51 Open the On-Access Scanner Properties page.


52 On the ScriptScan tab, remove the exclusion for WScript.exe by highlighting it and clicking
the Remove button.
53 Click OK.
54 In the ScriptScan folder, double-click scriptscan_qhit.vbs to execute the script.
55 Note that ScriptScan detected and blocked this script file execution.
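The two exclusion mechanisms this lab exercises have different scopes, and the following model encodes the behaviour the steps above demonstrate: an On-Access Scanner exclusion is path based, with the Also exclude subfolders and When to exclude (read/write) settings, while a ScriptScan exclusion is an exact process name with no wildcards. This is an added illustration written for this workbook, not McAfee code and not a description of VirusScan internals; the folder path, user name and the class and function names are constructed for the example.

```python
"""Model of the On-Access Scanner folder exclusions and the ScriptScan process
exclusions shown in the ScriptScan lab (added illustration, not McAfee code)."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class OasFolderExclusion:
    """One entry from the On-Access Scanner Set Exclusions dialog."""
    folder: str                 # What to exclude (a folder)
    subfolders: bool = True     # Also exclude subfolders
    on_read: bool = True        # When to exclude: on read
    on_write: bool = True       # When to exclude: on write

    def covers(self, file_path: str, operation: str) -> bool:
        """True if this entry exempts the given file access from file scanning."""
        if operation == "read" and not self.on_read:
            return False
        if operation == "write" and not self.on_write:
            return False
        parent = PureWindowsPath(file_path).parent   # Windows paths compare case-insensitively
        root = PureWindowsPath(self.folder)
        if parent == root:
            return True
        return self.subfolders and root in parent.parents


def is_valid_scriptscan_exclusion(process_name: str) -> bool:
    """The ScriptScan exclusion dialog takes a plain process name; wildcards are not allowed."""
    return bool(process_name) and not any(c in process_name for c in "*?")


@dataclass
class ExclusionPolicy:
    oas: list = field(default_factory=list)                 # OasFolderExclusion entries
    scriptscan_processes: set = field(default_factory=set)  # lower-cased process names

    def add_scriptscan_exclusion(self, process_name: str) -> None:
        if not is_valid_scriptscan_exclusion(process_name):
            raise ValueError("wildcard characters are not allowed in ScriptScan exclusions")
        self.scriptscan_processes.add(process_name.lower())

    def oas_scans_file(self, file_path: str, operation: str) -> bool:
        """File scanning applies unless some folder exclusion covers this access."""
        return not any(entry.covers(file_path, operation) for entry in self.oas)

    def scriptscan_scans(self, host_process: str) -> bool:
        """ScriptScan looks at the host process, not the folder the script lives in."""
        return host_process.lower() not in self.scriptscan_processes


def script_execution_outcome(policy: ExclusionPolicy, script_path: str,
                             host_process: str, scriptscan_enabled: bool = True) -> dict:
    """Which protections apply when a script host (for example WScript.exe) runs a script.

    The host opens the script for reading, so the On-Access file scan is a read check;
    ScriptScan is decided independently from the process name and the Enable ScriptScan box.
    """
    return {
        "oas_file_scan": policy.oas_scans_file(script_path, "read"),
        "scriptscan": scriptscan_enabled and policy.scriptscan_scans(host_process),
    }


if __name__ == "__main__":
    # Constructed sample values mirroring the lab layout on the Desktop.
    oasdat = r"C:\Users\student\Desktop\OASDAT"
    script = oasdat + r"\ScriptSet\scriptscan_noid.vbs"
    policy = ExclusionPolicy(oas=[OasFolderExclusion(oasdat, subfolders=True)])

    print("ScriptScan disabled:", script_execution_outcome(policy, script, "WScript.exe", False))
    print("ScriptScan enabled: ", script_execution_outcome(policy, script, "WScript.exe"))
    policy.add_scriptscan_exclusion("WScript.exe")
    print("WScript.exe excluded:", script_execution_outcome(policy, script, "WScript.exe"))
```

The first two outcomes reproduce steps 32 and 40: the folder exclusion silences the file scan in both cases, and only the ScriptScan setting decides whether the execution is caught. The third reproduces step 50, where one process-name exclusion removes ScriptScan coverage for every script that WScript.exe runs, whatever folder it is in; that is why the exclusion is removed again before the lab ends.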

Review
Heuristic scanning is another way of saying that VirusScan On-Access Scanner can scan for
_____________ unwanted programs and trojans.
T / F Scanning for unknown macro viruses is a separate heuristic scanning function. (Circle
True or False)
Script scanning is enabled and disabled on the ____________ tab of the On-Access Scanner
Properties page.
T / F When setting ScriptScan Exclusions, you may use a wildcard character to specify
multiple scripts for exclusion. (Circle True or False)

On-Demand Scanner
McAfee VirusScan Enterprise 8.5i

Objectives
At the end of this section, the student will be able to:

Explain what a rootkit is and what scanning memory for rootkit does

Configure On-Demand scan tasks

Describe the basic scheduling options for On-Demand Scans

On-Demand Scanner Overview


The integration of the 5000-series scan engine into VirusScan Enterprise 8.5i provides more
comprehensive scanning capabilities than its predecessor. Native cookie scanning and deep
registry scanning are examples of the added capabilities in this release of VirusScan.
VirusScan Enterprise 8.5i with McAfee Anti-spyware Enterprise module adds the Targeted Scan
concept to allow for a more frequent scan focused on those areas of the system most likely to
contain malware, especially spyware and other unwanted programs.
A further addition to the On-Demand Scanner is the option to Scan memory for rootkits, a
method for detecting malware that can hide itself, or self-installing malware that is difficult to
permanently remove.

A Brief Discussion of Rootkits


Excerpted from Rootkits, Part 1 of 3, The Growing Threat, written by McAfee AVERT Labs.
http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1.pdf

Originally, a rootkit was simply a collection of tools that enabled administrator-level access
(also known as root access in the Unix world) to a computer or network. The term referred
to a set of recompiled Unix tools, including ps, netstat, ls, and passwd. Because these same
tools could be used by an attacker to hide any trace of intrusion, the term rootkit became
associated with stealth. When these same strategies were applied to the Windows
environment, the rootkit name transferred with them. Today, rootkit is a term commonly used
to describe malware - such as Trojans, worms, and viruses - that actively conceals its
existence and actions from users and other system processes.

As the computing environment has evolved, so have stealth technologies. Deceptive naming
conventions, network manipulation, and other techniques have been developed to hide
malware in plain sight. Renaming an infected file so that it appears to be a legitimate system
or user file is one of the simplest, yet most effective of these approaches.
In short, rootkits are malware that evade detection and/or removal by using a variety of
techniques, including stealth and misdirection. Some malware will automatically reinstall itself,
or re-write registry keys that have been removed by a malware scanner. Increasingly, unwanted
programs such as spyware and adware are taking advantage of these types of technologies in
order to remain active on computer systems for as long as possible.
McAfee VirusScan Enterprise 8.5i detects rootkit-type malware by scanning the memory of the
computer for unwanted processes associated with rootkit-type malware. Once identified, the
process is blocked each time it attempts to load into memory, negating the effect of the malware
infection. In some instances, VirusScan Enterprise 8.5i can trace the process threads back to
hidden files and remove them from the system entirely. Used in conjunction with Access
Protection rules, memory scanning for rootkits can provide near-total protection from
rootkit-type infections.

Configuring On-Demand Scan Tasks


New On-Demand Scan Tasks
To create a new On-Demand Scan Task, you would select Task > New On-Demand Scan Task
from the VirusScan Console menu bar.

You can also create a new On-Demand Scan Task by right-clicking any empty space in
VirusScan Console, and selecting New On-Demand Scan Task from the context menu, or by
clicking the Create a new On-Demand Scan task toolbar button.

Configuration Options
Where tab - Specify where scanning will take place
The Where tab lists the locations that the On-Demand Scan will look for infections. Each
location is listed as an item on the list, with the location Type listed to the right.

By default, a new On-Demand Scan Task will have the following location items listed:
Memory for rootkits - scan processes in memory for known rootkits
Running processes - scan processes in memory for known malicious processes
All local drives - scan all disk drives attached to this computer
Registry - scan the registry for malware entries
Cookies - scan the cookies folder for unwanted cookie objects
You can remove any of these location items by highlighting the item and clicking the Remove
button.

To add a location, click the Add button to activate the Add Scan Item dialog. Select a location
item from the pull-down menu to add it to the scan list.

Location items available for On-Demand Scanning are:

Memory for rootkits

Running processes

Registered files

My computer

All local drives

All fixed drives

All removable drives

All mapped network drives

Home folder

User profile folder

Windows folder

Program Files folder

Temp folder

Recycle bin

Drive or folder (specify)

File (specify)

Cookies

Registry

Scan Options

Include subfolders (default: enabled) - Instructs the On-Demand Scanner to scan in any
subfolders of location items that may exist.

Scan boot sectors (default: enabled) - Instructs the On-Demand Scanner to scan in the boot
sector of all disks listed as a location item, if it exists.

Detection tab - Specify which items are scanned


What to scan
These are the standard configuration options for file types:

All files (default setting)

Default + additional file types

Specified file types

What not to scan (exclusions)


Add files, folders and/or drives to be excluded from the On-Demand scan. There are no default
exclusions for a new On-Demand scan.

Compressed files
Allows you to select Scan inside archives (for example, ZIP) and Decode MIME encoded files.
Both options are disabled by default for new On-Demand scans.

Advanced tab - Specify advanced scan options


Heuristics
Here, the options to scan for unknown unwanted programs and trojans, and unknown macro
viruses can be configured. Both options are enabled by default for new On-Demand scans.

Miscellaneous

Scan files that have been migrated to storage (default: disabled) - When files are transferred
to network storage devices (network filers), a stub is left on the local drive to represent the
stored file. When this option is enabled, VirusScan will attempt to restore the files to the local
drive location and then perform a scan against them. Note that this option can have a
detrimental effect on the performance of On-Demand scans.

System utilization
This section provides a slider-bar where end-users can specify the maximum system utilization,
from 10% to 100%, when performing On-Demand scans. The default setting is 100%. The
following points should be considered regarding System utilization:
1 The System utilization setting only affects Files/Folders that are specified as targets, not
Cookie Scan or Registry Scan, etc.
2 The On-Demand Scanner uses whatever CPU time is available to processes running at normal
priority, meaning CPU time is shared when other processes of equal priority need it. If nothing
else is running, the scan gets all of the CPU. On real-time systems, where any CPU impact
can be detrimental, the engineers for those systems should run their critical processes at a
higher priority level; those processes then get the CPU cycles and the scan gets what is left
over.
3 Registry scan performance in VirusScan Enterprise 8.5i is markedly slower than the 8.0i
version, because 8.0i only scanned a small portion of the registry, specific problematic areas,
whereas 8.5 takes advantage of the 5000+ engine to scan more, and to scan it more
thoroughly. Adjusting System utilization will have no effect on this performance.

Actions tab - Specify how to respond when a threat is found


When a threat is found
These are the standard Primary and Secondary action settings seen in previous sections.
Defaults:

Primary action - Clean

Secondary action - Delete

Available action options - Primary Action:

Prompt for action

Continue scanning (do nothing)

Clean (default)

Delete

Available action options - Secondary Action:

Prompt for action

Continue scanning (do nothing)

Delete (default)

Allowed actions in Prompt dialog box


If the Primary or Secondary action is set to Prompt for action, these options determine which
actions are available to the end-user when the prompt dialog appears.

Clean file (default: enabled)

Delete file (default: enabled)

Unwanted Programs tab - Specify options for unwanted programs


Detection
Detect unwanted programs is enabled by default. This option instructs the On-Demand Scanner
to use the Unwanted Programs Policy configured in VirusScan Console, when performing this
scan.

When an unwanted program is found


Primary action default is Clean. The Secondary action default is Delete. These options are
identical to the Action options configured earlier for the On-Demand Scan task.

Reports tab - Configure logging of scan activity


Log file

Log to file (default: enabled) - Specifies whether the On-Demand Scanner will record
scanning activity to the log file. You can specify a custom path for log files in the field
provided. By default, the On-Demand Scan log will be written to
%DEFLOGDIR%\Mcafee\DesktopProtection\OnDemandScanLog.txt.

Limit size of log file (default: enabled) - Instructs the On-Demand Scanner to limit the
maximum log file to the size specified.

Maximum log file size (MB) (default: 1 MB) - Specifies the size limit for the On-Demand log.
Maximum entry: 999 MB

Format (default: Unicode (UTF8)) - Indicates the encoding format for the text file containing
the On-Demand log entries. Options are: ANSI, Unicode (UTF8) and Unicode (UTF16).

What to log in addition to scanning activity

Session settings (default: disabled) - When enabled, instructs the On-Demand Scanner to
provide a dump of all VirusScan Enterprise configuration settings to the log, whenever an
event is logged. This option is primarily used as a troubleshooting tool. Leaving this option
enabled will cause the log to reach maximum size more quickly.

Session summary (default: enabled) - Instructs the On-Demand Scanner to provide a
summary of VirusScan core components such as scan engine version, DAT version,
signatures in extra.dat, etc.

Failure to scan encrypted files (default: enabled) - Specifies that a log entry will be made
whenever the On-Demand Scanner is unable to scan a file because it is encrypted.

Schedule Settings
To schedule an On-Demand Scan to run periodically, click the Schedule button on the
On-Demand Scan Properties page.

This will activate the Schedule Settings dialog.

Task tab - Enable schedules and user account settings


Schedule Settings

Enable (schedule task runs at specified time) - By default, this option is disabled for new
On-Demand Scan tasks. You must enable the Schedule Settings in order to configure any of
the available scheduling options for this task.

User Account Settings (default: none) - Allows the end-user to supply a set of credentials to
be used by the scheduled task in the event that there is no logged-on user when the scan event
is scheduled to occur. Supply a username, domain name, and user password in the fields
provided.

Schedule tab - Configure scheduling options

Run task (interval) (default: daily) - Provides a pull-down menu with preset intervals for
scheduled tasks. Options are:

Daily

Weekly

Monthly

Once

At Startup

At Logon

When Idle

Immediately

On Dialup

Start Time (default: current system time) - This field is available for most of the Run task
intervals, but becomes unavailable when it is not an appropriate parameter (for example, At
Startup). It can be set in either local time, or Coordinated Universal Time (UTC), also known
as Greenwich Mean Time (GMT) or Zulu Time (Z).

Enable randomization (default: disabled) - For tasks scheduled on a time interval, enabling
randomization ensures that multiple machines with the same schedule settings will not
activate at the exact same moment. Randomization allows the scheduler to offset the
schedule time by a random value within the Hours and Minutes settings provided, to help
prevent simultaneously invoking this task on multiple computers.

Run if missed (default: disabled) - If the task was unable to run on schedule (for example, the
computer was shut down at the scheduled scan time), enabling this option will allow you to
run the missed task after a delay interval that you configure.

Schedule Task [Interval] (default varies by interval) - Depending upon the Run task interval
you have selected, this section, at the bottom of the screen, provides different options for
each interval selection.

Daily, Weekly, and Monthly options for the Schedule Task [Interval] feature, are shown above.
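To make the effect of Enable randomization and Run if missed concrete, here is a small scheduler model. It is an added illustration for this workbook, not the VirusScan scheduler's own code: the function names, the seed parameter and the missed-task delay argument are assumptions, and the fleet size and schedule times are constructed sample values.

```python
"""Model of the Schedule tab's randomization window and Run if missed rule
(added illustration for this workbook, not McAfee code)."""
import random
from datetime import datetime, timedelta

# Constructed sample values: a 02:00 daily scan and a host first switched on at 08:30.
SAMPLE_SCHEDULE = datetime(2006, 10, 2, 2, 0)
SAMPLE_POWER_ON = datetime(2006, 10, 2, 8, 30)
ONE_HOUR = timedelta(hours=1)
FIVE_MINUTES = timedelta(minutes=5)


def randomized_start(scheduled: datetime, hours: int, minutes: int,
                     rng: random.Random) -> datetime:
    """Offset the scheduled time by a random amount within the Hours/Minutes window.

    With randomization disabled (0 h 0 min) the task keeps its exact start time.
    """
    window = timedelta(hours=hours, minutes=minutes)
    if window <= timedelta(0):
        return scheduled
    offset = rng.randint(0, int(window.total_seconds()))
    return scheduled + timedelta(seconds=offset)


def fleet_start_times(scheduled: datetime, hours: int, minutes: int,
                      host_count: int, seed: int = 1) -> list:
    """Start times for a fleet of hosts sharing one schedule (seeded so runs repeat)."""
    rng = random.Random(seed)
    return [randomized_start(scheduled, hours, minutes, rng) for _ in range(host_count)]


def peak_concurrency(starts: list, bucket: timedelta = timedelta(minutes=1)) -> int:
    """Largest number of hosts whose scan starts within the same bucket of time."""
    counts = {}
    for start in starts:
        key = int(start.timestamp() // bucket.total_seconds())
        counts[key] = counts.get(key, 0) + 1
    return max(counts.values())


def run_time_if_missed(scheduled: datetime, available_from: datetime,
                       run_if_missed: bool, delay: timedelta):
    """Apply the Run if missed rule when the host was unavailable at the scheduled time.

    Returns the time the task runs, or None if the missed run is skipped.
    """
    if available_from <= scheduled:
        return scheduled           # not missed: runs on schedule
    if not run_if_missed:
        return None                # missed and the option is disabled: skipped
    return available_from + delay  # missed: runs after the configured delay


if __name__ == "__main__":
    for hours, minutes in ((0, 0), (1, 0)):
        starts = fleet_start_times(SAMPLE_SCHEDULE, hours, minutes, host_count=500)
        print(f"randomization window {hours}h{minutes:02d}m: "
              f"peak hosts starting in the same minute = {peak_concurrency(starts)}")
    print("missed run, option disabled:",
          run_time_if_missed(SAMPLE_SCHEDULE, SAMPLE_POWER_ON, False, FIVE_MINUTES))
    print("missed run, option enabled: ",
          run_time_if_missed(SAMPLE_SCHEDULE, SAMPLE_POWER_ON, True, FIVE_MINUTES))
```

With a zero window every host in the fleet starts its scan in the same minute, which is the simultaneous-invocation load the text warns about on shared storage and the network; a one-hour window spreads the same fleet across the hour. The Run if missed branch shows why the option matters for laptops and desktops that are switched off overnight: without it the 02:00 scan is simply skipped for that day.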
Please proceed to the next section: Student Lab - On-Demand Scanning: Full Scan and
Targeted Scan Configuration and Detection.


Student Lab - On-Demand Scanning Configuration and Detection

Objectives
Upon completion of this lab, the student will be able to:

Configure Full, Targeted, and Custom Scan Tasks

Demonstrate On-Demand Scan Detection

Lab Setup / Background Information


This lab can be conducted with each computer acting as a stand-alone workstation.
This lab is intended to demonstrate the On-Demand scanning features of VirusScan Enterprise
8.5i.
In order to demonstrate the added ODS scan functionality provided by the McAfee Anti-spyware
Module, this lab requires the student to perform a reinstallation of VirusScan Enterprise 8.5i and
the McAfee Anti-Spyware module for VirusScan Enterprise 8.5i onto a computer running
Windows XP Pro, SP2 or later. NOTE: Please install only as instructed in the lab below.
The installation files for this lab should be located on your desktop. If you do not have the setup
files, please notify your instructor.
This lab requires the unwanted programs samples contained within the ASDAT folder on your
Desktop. If these files are not available, please notify your instructor.

Uninstall VirusScan Enterprise 8.5i


1 Launch Control Panel and open Add or Remove Programs.
2 Once the installed programs list has been populated, click on McAfee VirusScan Enterprise
8.5i and select Remove.
3 Once the uninstall is complete, close the Add or Remove Programs window. Close Control
Panel.

Installation Steps - Maximum Protection Installation


4 Navigate to the VirusScan Enterprise 8.5i installation files on your desktop. Double-click the
.zip file to view its contents.
5 Double-click Setup.exe.
6 If you receive a Security Warning dialog, click Run.
7 If you receive a McAfee VirusScan Enterprise Setup dialog indicating that selecting Yes will
create a dump file if a crash occurs, click No.
8 Once the Setup Wizard launches, click Next.
9 If you receive a Beta/Field Test screen, click OK.
10 Click I accept the terms in the license agreement and click OK.
11 When the Select Setup Type screen appears, select Typical and click Next.
12 When the Select Access Protection Level screen appears, select Maximum Protection and
click Next.
13 When the Ready to Install screen appears, click Install.
14 The Installing McAfee VirusScan Enterprise screen appears with a status bar displaying the
installation progress.
15 When the McAfee VirusScan Enterprise setup has completed successfully screen appears,
REMOVE the checkmark from Update Now and Run On-Demand Scan, and then click
Finish.
16 Note the appearance of the VirusScan Enterprise 8.5i VShield icon in System Tray. You have
successfully installed VirusScan Enterprise 8.5i with Maximum Protection.
17 Close the VirusScan installation .zip file window.
18 DO NOT INSTALL THE MCAFEE ANTI-SPYWARE MODULE AT THIS TIME.

On-Demand Scanning Configuration and Detection


1 Right-click the VirusScan VShield icon in the System Tray and select VirusScan Console.

2 Note the On-Demand scan task available; Full Scan.


3 Double-click the Full Scan task to open its Properties page.

4 On the Where tab, note the default scan locations provided.


5 Click the Add button.


6 In the Item to Scan field, activate the pull-down menu and view the scan locations available
for selection.

7 On the Add Scan Item dialog, click Cancel.


8 Close the Full Scan Properties page.
9 Close the VirusScan Console window.

Install McAfee Anti-spyware Enterprise Module


10 Install the McAfee Anti-spyware module using the following instructions.
11 Navigate to the McAfee Anti-Spyware Module installation files in the ASE-M folder on your
desktop.
12 Once the ASE-M folder opens, double-click VSE85MAS.Exe to launch setup.
13 If you receive a Security Warning, click Run.
14 The Installer welcome screen appears, click Next.
15 If a Beta/Field test screen appears, click OK.
16 Accept the license agreement and click OK.
17 The install progress screen appears briefly.
18 Click Finish. You have successfully installed the McAfee Anti-Spyware Module.
19 Close the ASE-M folder window.

Comparing ODS - Before and After ASE-M Install


20 Open VirusScan Console.
21 From the menu bar, select View > Refresh.
22 Note the addition of another On-Demand Scan task; Targeted Scan.

23 Double-click the Full Scan task to open its Properties page. Note the additional, default scan
locations listed on the Where tab.
24 Double-click the Targeted Scan task to open its Properties page.
25 Arrange the Properties windows so that you can view them side-by-side.
26 Note the differences, and similarities in the scanning location defaults for both scan tasks.

27 Close the Targeted Scan Properties page.

Scan Location Options Added


28 On the Full Scan Properties page Where tab, click the Add button.
29 In the Item to Scan field, activate the pull-down menu and view the scan locations available
for selection. Note the additional scan locations that are now available (Cookies and
Registry).
30 Click Cancel.
31 Click Cancel on the Full Scan Properties page.

Targeted Scan
32 Disable the On Access Scanner.
33 Right-click on the eicar.zip file on your Desktop and select Extract All. The password to
extract this file is eicar. Extract to your Desktop.
34 Double-click the Targeted Scan task to open its Properties page.
35 On the Where tab, select each scan location item and click the Remove button. Answer Yes
to the Notification dialog. Repeat until all location items have been removed.

36 Click the Add button.


37 From the Item to scan pull-down menu, select Drive or Folder.
38 Click the Browse button.

39 Select the Desktop folder. Click OK.


40 Click OK.
41 On the Targeted Scan Properties page, select the Actions tab.
42 Under Primary Action, select Prompt for action from the pull-down menu.
43 Click OK.
44 In VirusScan Console, right-click on Targeted Scan and select Start.
45 The On-Demand Scan Progress - Targeted Scan dialog will appear displaying the progress
of the scan.

46 The Targeted Scan will find and detect the EICAR test file (eicar.txt) located on your
Desktop. Because we have configured the primary scan action as Prompt, the ODS Alert
dialog will appear indicating the detection and recommending action to take.

47 Click the Stop button.


48 Once the scan stops, click the Close button.
49 Right-click the Targeted Scan task in VirusScan Console and select View Log.
50 Examine the log entries for the Targeted Scan lab just completed. When you are finished
viewing the entries, close Notepad to close the log file.

Reset to Default
51 Double-click the Targeted Scan task to open its Properties Page.
52 Click the Reset to Default button on the right side of the dialog.
53 Note that the scanning locations have been reset to the default locations that are available for
VirusScan Enterprise 8.5i with the Anti-spyware Module installed.
54 Click on the Actions Tab. Note that the Primary Action has been reset to the default value of
Clean.
55 Click OK.

Note

All On-Demand Scan tasks (Full Scan, Targeted Scan, or Custom On-Demand Scan) can be
configured as in the above lab. All ODS configuration options are available for all ODS scan
tasks.

On-Demand Scanning for Unwanted Programs


56 Disable the On-Access Scanner.
57 Navigate to the ASDAT folder on your Desktop.
58 Right-click on AS-SAMPLES.ZIP and select Extract All.
59 Using the Extraction Wizard, extract the files to the ASDAT folder on your Desktop. Click
the password button. The password to extract is spycar. If you receive file overwrite
warnings, click Yes to All. Click Finish.
60 Select the files, avvclean.dat, avvnames.dat, avvscan.dat, and mcscan.vlt, right-click and
Copy.
61 From your Desktop, double-click My Computer.
62 Navigate to the folder C:\Program Files\Common Files\McAfee\Engine.
63 Paste the files into the Engine folder.
64 Answer Yes to All on the overwrite warning dialog.
65 Close all windows.
66 Navigate to VirusScan Console.

67 Create a new On-Demand Scan Task either by right-clicking inside VirusScan Console and
selecting New On-Demand Scan Task, or by selecting Task > New On-Demand Scan Task from the
VirusScan Console menu bar.

68 A new scan task will appear named New Scan. Rename this task to My Scan Task.

69 Double-click My Scan Task to open its Properties page.


70 On the Where tab, remove all of the current locations from the Item name list, by using the
Remove button.
71 Click the Add button.
72 Under Items to Scan, select Drive or folder.
73 Click the Browse button and select the ASDAT folder located on your Desktop. Click OK.
74 Click OK on the Add Scan Item dialog.
75 Click on the Unwanted Programs tab.


76 Verify that there is a checkmark in Detect unwanted programs.

77 Click OK.
78 Right-click on My Scan Task and select Start. (You may also start tasks by selecting the task
and clicking the green arrow icon on the VirusScan toolbar.)
79 If you receive an Old DAT files warning dialog, click OK.


80 The On-Demand Scan Progress dialog will appear. Notice that because the scan action is
configured to clean, no additional alert dialog was presented for the unwanted program
detections found in the ASDAT folder. All uncleanable files will be deleted and listed at the
bottom of the progress screen.

81 Click the Close button.


82 Right-click on My Scan Task in VirusScan Console and select View Log.
83 Examine the log entries for the unwanted program detections generated during the
On-Demand Scan.
84 Once you have finished viewing the entries, close Notepad to close the log file.
85 Navigate to the ASDAT folder on your Desktop and examine the files it contains. Notice that
all of the extracted unwanted program samples have been deleted by the On-Demand Scan.

Note

The AS-SAMPLES.ZIP file was not deleted by the On-Demand Scan because it is a
password-protected archive and cannot be scanned. Its contents are only visible to the
scanner once they have been extracted, as they were in the earlier steps.

86 Close the ASDAT folder window.


87 Close the VirusScan Console window.

Review
If the McAfee Anti-spyware module has not been installed with VirusScan Enterprise 8.5i,
how many default scan locations are listed on the Full Scan Properties, Where tab?
What On-Demand Scan task is added to VirusScan Console after installing the McAfee
Anti-spyware module?


T / F Installing the McAfee Anti-spyware module with VirusScan Enterprise 8.5i adds
additional default on-demand scan locations on the Where tab, and adds additional location
options for selection when adding a scan location. (Circle True or False)
In order for an on-demand scan to detect unwanted programs, you must select (checkmark)
the Detect unwanted programs entry on the ______________ _____________ tab of the
On-Demand Scan properties dialog.
T / F The Targeted Scan configuration options are unique to the Targeted Scan task, and are
not available for other on-demand scan tasks. (Circle True or False)


15

Quarantine Manager
McAfee VirusScan Enterprise 8.5i

Objectives
At the end of this section, the student will be able to:

Describe the functions available in Quarantine Manager

Configure a custom Quarantine folder

Configure Quarantine Manager to automatically delete quarantined data after a
pre-determined interval

Quarantine Manager Overview


Before the On-Access Scanner or On-Demand Scanner cleans or deletes a file, it creates a backup copy
of the original file in the quarantine folder. These backed-up items can be rescanned, checked
for false positives, restored to their original locations, and automatically deleted after a specified
number of days.

Configuration
Policy tab - Configure quarantine folder and auto-delete interval

Quarantine Folder (default: [install drive]\QUARANTINE) - This option allows the end-user
to specify a folder location for quarantined items to be stored.

Automatically delete quarantined data (default: enabled) - This selection instructs
Quarantine Manager to delete backed-up files in the quarantine at the interval you specify.

132

VirusScan Enterprise 8.5i Student Guide


Number of days to keep backed-up data in the quarantine manager (default: 28) - Specifies
the length of time to keep quarantined files before automatically deleting them. Maximum
setting is 999 days.

Manager tab - View infection data, perform actions on backed-up files


The Manager tab consists of a table listing the contents of the Quarantine folder. Each listing
provides information regarding the detected item, such as:

Date/Time quarantined

Detection type

Detected as

Number of objects

DAT Version


Engine Version

You can take actions on the items in the quarantine folder by right-clicking on an item and
selecting an action from the context menu. You can act on multiple items by first shift-selecting
the items to be acted upon, and then choosing an option from the context menu.

Action items on the context menu are:

Rescan - rescan the selected item(s) and report the results

Check for false positive - If the DATs have been updated, rescan this item and if it is not
infected, automatically restore it.


Restore - Restore the file to its original location.

Delete - Permanently delete the item(s).

Properties - Show the Quarantine Item Details dialog for the (single) selected item.

Please proceed to the next section; Student Lab - Quarantine Manager Policy.


16

Student Lab - Quarantine Manager Policy

Objectives
Upon completion of this lab, the student will be able to:

Configure Quarantine Manager Policy

Manage quarantined items

Lab Setup / Background Information


This lab can be conducted with each computer acting as a stand-alone workstation.
This lab is intended to demonstrate the Quarantine Manager features of VirusScan Enterprise
8.5i.
This lab is intended to use the existing installation and configuration created in Lab 6
On-Demand Scan Configuration and Detection, and the quarantined detections from Lab 5
On-Access Scanner Configuration and Detection. As a result, this lab cannot be easily performed
out of order. Please perform the On-Access Scanner and On-Demand Scanner labs before
proceeding with this exercise.


Quarantine Manager Policy


Policy Tab
1 Open VirusScan Console.
2 Double-click on Quarantine Manager Policy in order to open its Properties page.

3 On the Policy tab, notice that here you can define the folder used as the Quarantine Folder.
4 This tab also provides an option to Automatically delete quarantined data, and configure the
Number of days to keep backed up data in the quarantine folder.


5 Navigate through My Computer to drive C:, double-click the Quarantine folder to open and
view its contents as shown in the example below.

6 Note that the Quarantine folder contains a list of files with the .bup (backup) extension. These
files contain the aggregate components of single detection events combined into a single file
with a .bup extension. For example, if an unwanted program detection removed registry keys
and files from your computer, both the registry keys and files for that detection will be
backed-up into a single .bup file in the Quarantine folder.
7 Close the C:\Quarantine folder window.

Manager Tab
8 Click on the Manager tab. Here you will see the programs detected in earlier labs and placed
in quarantine.


9 Right-click on any of the detections listed on the Manager tab. Select Rescan.

10 The Rescan Quarantined Items dialog will appear reporting the result of rescanning the item.
In this instance, Rescan will report that the item is still detected as an unwanted program.

Note

If you selected AVT_PWCRACKER.COM to rescan, you will not receive a detection message
because we have excluded this sample from unwanted program detection.

11 Click OK on the Rescan Quarantined Items dialog.


12 Disable the On-Access Scanner.
13 On the Quarantine Manager Policy, Manager tab, right-click any entry and click Restore.
14 You will receive a Restore Quarantined Items Confirmation dialog. Click Yes.

15 Quarantine Manager will notify you that the selected items were restored. Click OK.
16 Open the ASDAT folder on your Desktop. Note that the unwanted program that you selected
has been restored to its original location.

Note

Disabling the On-Access Scanner was required before restoring the unwanted program file to
prevent OAS from detecting and deleting the file during the restore operation.


17 Close the ASDAT folder.


18 Navigate back to the Quarantine Manager Policy, Manager tab.
19 Right-click on any item in the quarantine list and click Properties.

20 Examine the details for the item that you selected. When finished, click Close.
21 Close the Quarantine Manager Policy window.

Review
T / F The Quarantine Folder must be [drive]:\QUARANTINE and cannot be changed. (Circle
True or False)
T / F You can configure Quarantine Manager Policy to automatically delete quarantined data
after a predetermined interval. (Circle True or False)
To rescan an item in quarantine, you can select the _____________ command by
right-clicking on any item in the quarantine list.
In order to restore an item from the quarantine list, it may be necessary to disable the
____-___________ ____________ before selecting Restore, to prevent re-detection.


To see details for any item in the quarantine list, right-click the item and select
_______________.


17

AutoUpdate
McAfee VirusScan Enterprise 8.5i

Objectives
At the end of this section, the student will be able to:

Configure AutoUpdate options

Add repositories to the AutoUpdate Repository List

Create a Mirror Task

AutoUpdate Overview
The AutoUpdate task is used to automatically update DATs and scan engines for VirusScan
Enterprise 8.5i. Additionally, AutoUpdate can be used to automatically get other updates such
as service packs and product upgrades.
AutoUpdate can be configured to search for updates from different locations called repositories,
located locally, on the network, and on the Internet.

Configuration
Log File

Log file location (default: [install path]\McAfee\DesktopProtection\UpdateLog.txt) indicates the location of the AutoUpdate log file.

Format (default: UTF8) - log file encoding method

Update Options

Get newer detection definition files if available (default: enabled) - Instructs AutoUpdate to
look for new DAT packages at update.

Get newer detection engine and dats if available (default: enabled) - Instructs AutoUpdate to
look for new engine updates, as well as DAT packages at update.


Get other available updates (service packs, upgrades, etc.) (default: enabled) - Instructs
AutoUpdate to look for other updates, fixes, patches, etc. at update.

Update Options (2)

Enter the executable to be run after the Update is completed (default: none) - Enter the
complete path to any executable that you want to run after AutoUpdate completes.

Only run after successful update (default: disabled) - When selected, instructs AutoUpdate
to run the executable specified in the previous field, only when AutoUpdate was successful.

Schedule Button - This button will activate the scheduling options for AutoUpdate. The
available options are identical to the scheduling options for the On-Demand Scan task. Please
refer to the On-Demand Scan section for details of these options.

Update Now Button - Click this button to initiate an immediate AutoUpdate attempt.

Repositories
When AutoUpdate runs, it checks the AutoUpdate Repository list for a list of locations to check
for updates from. By default, the McAfee Repository is listed as the source for DAT and
component updates.


Default Repositories
To edit the AutoUpdate Repository list, select Tools > Edit AutoUpdate Repository List from
VirusScan Console.

This will activate the Edit AutoUpdate Repository List dialog.

The screenshot above shows the default AutoUpdate Repository List for the beta version of
VirusScan Enterprise 8.5i. The release version will list standard default repositories like NAIhttp
and NAIftp.


If you select the repository item and click the Edit button, the Repository Settings dialog will
appear, displaying information regarding the repository item.

Adding a Repository
There are four types of repository connections supported by AutoUpdate:

HTTP - Hypertext Transfer Protocol site (default for new repositories)

FTP - File Transfer Protocol site

UNC - Universal Naming Convention path (network share)

Local path

Administrators can set up a repository on an HTTP or FTP server, or on a local network share,
to allow updating from an internal source that has mirrored the update files. This is useful
for environments where only selected computers have access to the Internet.
To add a repository to the AutoUpdate Repository list, click the Add button on the Edit
AutoUpdate Repository List dialog. This will activate the Repository Settings dialog for a New
Repository.
In the following example, a new repository named Network Share has been created to update
from a UNC path (network share). The UNC path has been entered under Repository Details in
the Path field.


Note that UNC updates can access the network path using the logged-on account, or you can
supply a set of credentials to authenticate with the network share (the default for new UNC
repositories). In our example, credentials have been supplied for this connection. Because
AutoUpdate only reads from the share, the account you supply needs no more than read access
to the repository folder.

Once the Repository Settings are complete, clicking OK will cause the new repository to appear
on the Repository list.


You can change the order in which AutoUpdate will check repositories by using the Move up
and Move down buttons on the Edit AutoUpdate Repository List dialog. You can also disable a
repository from being checked for updates by removing the checkmark in front of the repository
name or by deleting it from the list altogether using the Delete button.

The example above shows the new UNC repository moved to the top of the list, and the McAfee
Beta repository disabled (no checkmark before the repository name).


Proxy Settings
If your network uses a proxy server, you can specify which proxy settings to use, the address of
the proxy server, and whether to use authentication. Proxy information is stored in the
AutoUpdate repository list (SITELIST.XML). The proxy settings you configure here apply
to all the repositories in this repository list except for those defined as exceptions. The table
below describes the options for AutoUpdate Proxy settings.

* System variables are supported

Source: VirusScan Enterprise 8.5i Product Guide


The AutoUpdate Proxy settings tab is shown above. Note the default setting; Use Internet
Explorer proxy settings. The Exceptions button is used to list repositories that will not use these
proxy settings.

Mirror Tasks
The Mirror Task allows end-users to create a replica of the update files from the updater site, to
a specified location. This allows an Internet-connected computer, for example, to place update
files on a local share location which can be used as an AutoUpdate repository by other
computers. This is one available AutoUpdate solution for environments where many computers
do not have Internet access.
For systems completely disconnected from a network resource, the Mirror Task can be used to
create a local mirror of the update files on an Internet-connected machine, which can be
transferred to CD or other removable media. The disconnected system can then copy the files to
a local repository for updating, or the removable media itself can be configured as a repository,
as long as the drive and path information remain constant between uses.
Mirror Tasks can be launched manually, or scheduled to occur at intervals, in exactly the same
manner as On-Demand Scan tasks.


Creating a New Mirror Task


To create a new Mirror Task, either select Task > New Mirror Task from the VirusScan Console
menu bar or right-click into an empty space in VirusScan Console and select New Mirror Task
from the context menu.

This will create a New Mirror Task entry in VirusScan Console. You can rename the task at this
time if you wish. NOTE: You may right-click on the entry at any time and select Rename.


To configure the mirror task, either; double-click the New Mirror Task entry or right-click on
the New Mirror Task entry and select Properties or click the Display Task Properties icon from
the VirusScan Console toolbar. This will activate the McAfee AutoUpdate Properties - [Mirror
Task Name] properties dialog.

Log File
These are the standard log file options available in VirusScan Enterprise 8.5i. The default log
file location is [install path]\McAfee\DesktopProtection\MirrorLog.txt. You can modify the log
file path and name, as well as the text file encoding method used, in this section.

Update Options
This section of the Mirror Task properties is not used, and is a result of the re-use of the
AutoUpdate GUI elements for this dialog box. They have no function for mirror tasks.

Update Options (2)


This section allows you to enter the full path and executable name that will run after the Mirror
Task completes (default: none). The option to run this executable only after a successful mirror
task is provided here and is disabled by default.

Buttons

Schedule - allows you to schedule the Mirror Task for pre-defined intervals. Scheduling
options are identical to On-Demand Scan task scheduling.


Mirror Location - provides a field to enter or browse to the location you want to create the
mirror copy files in. Only existing local drives and paths are allowed in this field.

Mirror Now - Launches the current Mirror Task immediately.

Output
The following shows the results of a successful mirror task;

The following table provides a brief overview of the files found in the mirror task repository
folder, after the mirror task is complete.


Please proceed to the next section; Student Lab - AutoUpdate.


18

Student Lab - AutoUpdate

Objectives
Upon completion of this lab, the student will be able to:

Configure AutoUpdate Repository List

Configure AutoUpdate Properties

Configure and run Mirror Task

Schedule AutoUpdate Task

Perform AutoUpdate

Lab Setup / Background Information


This lab can be conducted with each computer acting as a stand-alone workstation.
This lab is intended to demonstrate the updating features of VirusScan Enterprise 8.5i.
This lab is intended to use the existing installation and configuration created in Lab 7
On-Demand Scan Configuration and Detection. If you are performing this lab out of order,
install VirusScan Enterprise 8.5i with maximum protection, and then install the McAfee
Anti-spyware module before proceeding with this lab.
This lab requires the definition files located in the UPDATE folder located on your Desktop. If
the files are not available on your Desktop, notify your instructor.

AutoUpdate
1 Open VirusScan Console.
2 From the menu bar, select Tools > Edit AutoUpdate Repository List ...


3 This will open the Edit AutoUpdate Repository List dialog.

4 Click the Add button.


5 The Repository Settings dialog will appear.
6 In the Repository description field, type Local Repository.
7 In the Retrieve files from section, select Local path.
8 In the Repository details section, click the Browse button.
9 Select the UPDATE folder. Click OK.


10 Place a checkmark in the Use logged-on account option.

11 Click OK.
12 In the Edit AutoUpdate Repository List dialog, remove the checkmark from McAfee
Repository.


13 Click OK.
14 You have now successfully configured AutoUpdate to update from a local repository
(folder).
15 Navigate to VirusScan Console.
16 Right-click on AutoUpdate and click Start.
17 The McAfee AutoUpdate Progress dialog will appear.

18 Note the messages indicating the files being updated. Once the update has completed, click
Close.
19 You have successfully updated VirusScan Enterprise 8.5i from a local repository.

Mirror Task
20 Navigate to the MIRROR folder on your Desktop and note that it contains no files.
21 In VirusScan Console, from the menu bar select Task > New Mirror Task.
22 Press Enter to accept the name New Mirror Task.


23 The AutoUpdate Properties for the New Mirror Task dialog opens.

24 Click the Mirror Location button.


25 The Mirror Location Settings dialog will appear.
26 Click the Browse button and select the MIRROR folder on your Desktop - Click OK.

27 Click OK.
28 On the AutoUpdate Properties for the New Mirror Task dialog click the Mirror Now button.
Wait a few minutes to allow the mirror task to complete. You can view the status of the New
Mirror Task in VirusScan Console.
29 Navigate to the MIRROR folder on your Desktop. You can see the update files being
replicated into the folder. This folder could be shared on a network and act as a repository for
other computers running VirusScan Enterprise 8.5i.
30 In VirusScan Console, right-click on New Mirror Task and click View Log.


31 Examine the log entries for the update tasks.


32 When finished, close Notepad to close the log file.
33 In VirusScan Console, double-click on New Mirror Task to open its Properties page.
34 Click the Schedule button.
35 On the Task tab, verify there is a checkmark in front of Enable (scheduled task runs at
specified time).
36 Click the Schedule tab, under Run task, select Daily from the pull-down menu.
37 In the Start Time field, enter a time that is three minutes ahead of the current time displayed
in Windows.

38 Click OK.
39 Click OK on the AutoUpdate Properties for New Mirror Task dialog.
40 Navigate to VirusScan Console and wait three minutes. You should see the status of the task
you scheduled change to Running ... at the time you scheduled it to run.

Note

Because we are updating from a local repository, the Running ... status message may appear and
disappear too quickly to observe. View the scheduled task's log (right-click the task and select
View Log) to confirm that it ran as scheduled. You can also check the Status and Last Run
columns in VirusScan Console.


Review
In order to edit the AutoUpdate Repository List, select ______________> Edit AutoUpdate
Repository List.
T / F The Edit AutoUpdate Repository List dialog allows you to enable or disable available
repositories as valid update locations for AutoUpdate. (Circle True or False)
When adding a new repository, you can configure AutoUpdate to retrieve files from; HTTP
repository, FTP repository, UNC path, and ___________ ___________.
The ____________ ____________ replicates update files, then stores them in a location you
specify for use by other computers.
If you want to make the AutoUpdate Task always run at a specific time, you must disable the
_______________________ feature under Schedule Settings.


19

Troubleshooting
McAfee VirusScan Enterprise 8.5i & McAfee Anti-spyware
Enterprise Module

Objectives
At the end of this section, the student will be able to:

Configure scanners to record configuration information in log reports

Locate and examine log files

Identify output files from the MER Tool for VirusScan Enterprise 8.5i

Configuring Scanners to Record Session Settings


There are three scanners that can be configured to record the current configuration options for
the scanner when making log entries; On-Delivery E-Mail Scanner, On-Access Scanner, and
On-Demand Scanner.


Enable Session Settings - Report Tab


To configure a session settings dump to the log file when a scanner reports an event, open the
properties page for the scan task that you wish to set up for Session Settings. In this example we
will use the On-Access Scanner.

To enable Session Settings, go to the Reports tab and place a checkmark in front of Session
settings, as shown above. This will instruct the scanner to dump the session configuration data
for the Scanner to the log file the next time it logs an event.


Session Settings - Log File Output


An example of the On-Access Scanner session settings recorded to the OnAccessScanLog.txt
file:

In many cases, the keys and values written by the session settings output are self-explanatory;
for example, bScanFloppyOnShutdown = 1 indicates that the option to scan floppy disks on system
shutdown is enabled, and a value of 0 would indicate that the option is disabled. Some scanner
keys are in plain English, for example the On-Demand Scanner session settings.
Other keys are not as easily understood, and in some cases appear to contradict the setting
they represent. For example, bDontScanBootSectors = 1 would seem to indicate that NOT scanning
boot sectors is enabled, but in fact the key indicates that the option to Scan Boot Sectors is
enabled for the On-Access Scanner. When comparing dumps from two machines, read such keys by
their value (1 = the named option is enabled) rather than by their name.
The following table lists the keys and possible values for the On-Access Scanner Session
Settings shown in the previous log example:


Note

In order to prevent the scanner log from reaching its maximum size too quickly, it is
recommended that Session settings be enabled for a particular scanner only when
troubleshooting an issue, or in another situation where a dump of the scanner settings is
required.
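The following parser is an added example, not McAfee code, for turning a session settings dump into readable form and comparing the dumps from two hosts, which is the usual next step when one machine detects a sample and another with supposedly identical policy does not. The excerpt in SAMPLE_LOG is constructed: only the keys bScanFloppyOnShutdown and bDontScanBootSectors and their meaning come from this section; the surrounding lines, the key bExampleOtherOption and the option labels are assumptions made for the example.

```python
"""Decode a scanner "session settings" dump from a VirusScan Enterprise log.

Added example, not McAfee code. SAMPLE_LOG is constructed: the two key names
bScanFloppyOnShutdown and bDontScanBootSectors and their meaning are taken
from the workbook; the other lines, the key bExampleOtherOption and the
option labels are assumptions used to show how non-setting lines and
undocumented keys are handled.
"""
import re

# Raw key -> option label as shown in the On-Access Scanner properties.
# Only the two keys documented on this page are mapped; labels are assumed.
KEY_LABELS = {
    "bScanFloppyOnShutdown": "Scan floppy during shutdown",
    "bDontScanBootSectors": "Scan boot sectors",
}

# Keys whose name reads as a negative although a value of 1 still means the
# named option is enabled. Flagged in reports so nobody "corrects" them.
MISLEADING_KEYS = {"bDontScanBootSectors"}

# One boolean setting per line: bSomething = 0|1
_SETTING_LINE = re.compile(r"^\s*(b[A-Za-z0-9_]+)\s*=\s*([01])\s*$")

SAMPLE_LOG = """\
Session settings dump (constructed sample):
bScanFloppyOnShutdown = 1
bDontScanBootSectors = 1
bExampleOtherOption = 0
Statistics: 1 detection (constructed sample)
"""


def parse_session_settings(text):
    """Return {key: int} for every 'bKey = 0|1' line; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING_LINE.match(line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def describe(settings):
    """Map each raw key to (label, enabled, name_is_misleading).

    Undocumented keys keep their raw name as the label so they are not lost."""
    return {
        key: (KEY_LABELS.get(key, key), value == 1, key in MISLEADING_KEYS)
        for key, value in settings.items()
    }


def diff_settings(reference, candidate):
    """Keys whose value differs between two dumps, e.g. a host that detects a
    sample versus one that does not. A key missing from one dump shows as None."""
    keys = sorted(set(reference) | set(candidate))
    return {
        k: (reference.get(k), candidate.get(k))
        for k in keys
        if reference.get(k) != candidate.get(k)
    }


def report(text):
    """Human-readable lines for a dump, with misleading key names called out."""
    lines = []
    for key, (label, enabled, misleading) in describe(parse_session_settings(text)).items():
        state = "enabled" if enabled else "disabled"
        note = "  (name reads as a negative; value 1 = option enabled)" if misleading else ""
        lines.append(f"{label}: {state}  [{key}]{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To use it on a real host, paste the session settings block from OnAccessScanLog.txt into the text passed to parse_session_settings(); extend KEY_LABELS from the key table for your version as you confirm each key's meaning.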

Log Files
Default Log File Directory
When troubleshooting customer issues with VirusScan Enterprise 8.5i, collecting the log files
created by the product is a necessary first step in determining the source of a problem.
During installation, VirusScan Enterprise 8.5i defines a system variable, %DEFLOGDIR%, as
the default path in which to create log files.
This system variable does not appear in the System Variables list on the Environment Variables
page in Windows, nor will running the SET command at a command prompt reveal this variable or
its value, because in most cases the variable is not defined until logging occurs.
Each executable that does logging checks for DEFLOGDIR. If it does not exist, the process
creates it. The variable DEFLOGDIR is created by reading the name of the common directory
from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders\Common AppData and appending McAfee\DesktopProtection. For Windows XP Professional
users with a standard installation, this translates to C:\Documents and Settings\All
Users\Application Data\McAfee\DesktopProtection.

The following table lists the default log file locations and names for VirusScan Enterprise 8.5i
tasks:

Note

If you upgrade over a previous version of VirusScan Enterprise, the variable used for the default
log path will remain VSEDEFLOGDIR as it was in the previous installation, however, the log
file path will be changed to the new VirusScan Enterprise 8.5i location, and log files in the
previous versions directory (%VSEDEFLOGDIR%\Network Associates\VirusScan) will be
deleted.
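The helper below is an added example, not McAfee code, of the kind used in a log-collection script: it derives %DEFLOGDIR% exactly as described above and expands it in a Reports-tab log path, which os.path.expandvars() cannot do because the variable is not in the process environment. The log file names are the ones this workbook mentions (OnAccessScanLog.txt, UpdateLog.txt, MirrorLog.txt); the registry read requires Windows, and the Windows XP default folder used as a fallback is the one quoted above.

```python
"""Resolve VirusScan Enterprise 8.5i log file paths that use %DEFLOGDIR%.

Added example, not McAfee code. DEFLOGDIR is not a real environment
variable, so os.path.expandvars() will not expand a Reports-tab path such as
%DEFLOGDIR%\\OnAccessScanLog.txt. This helper derives the value the way the
workbook describes (Common AppData shell folder + McAfee\\DesktopProtection)
and then expands ordinary %VAR% references. KNOWN_LOGS lists the log names
the workbook mentions; confirm each task's actual path in its Reports tab.
"""
import ntpath
import os
import re

DEFLOGDIR_SUFFIX = r"McAfee\DesktopProtection"
_SHELL_FOLDERS_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
_VAR = re.compile(r"%([^%]+)%")

# Task -> default log file name named in this workbook.
KNOWN_LOGS = {
    "On-Access Scanner": "OnAccessScanLog.txt",
    "AutoUpdate": "UpdateLog.txt",
    "Mirror Task": "MirrorLog.txt",
}


def read_common_appdata():
    """Read the Common AppData shell folder from the registry (Windows only)."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, _SHELL_FOLDERS_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "Common AppData")
    return value


def default_log_dir(common_appdata):
    """%DEFLOGDIR% as the scanners compute it from the Common AppData folder."""
    return ntpath.join(common_appdata, DEFLOGDIR_SUFFIX)


def resolve_log_path(configured_path, common_appdata, env=None):
    """Expand %DEFLOGDIR% (and %VSEDEFLOGDIR%, the variable name an upgraded
    installation keeps while pointing at the 8.5i folder), then any other
    %VAR% found in env. Names are case-insensitive as on Windows; unknown
    variables are left in place rather than silently dropped."""
    source = os.environ if env is None else env
    table = {k.upper(): v for k, v in source.items()}
    logdir = default_log_dir(common_appdata)
    table.setdefault("DEFLOGDIR", logdir)
    table.setdefault("VSEDEFLOGDIR", logdir)
    return _VAR.sub(lambda m: table.get(m.group(1).upper(), m.group(0)), configured_path)


def known_log_paths(common_appdata, env=None):
    """Default full paths for the logs this workbook names, for a collection script."""
    return {
        task: resolve_log_path(ntpath.join("%DEFLOGDIR%", name), common_appdata, env)
        for task, name in KNOWN_LOGS.items()
    }


if __name__ == "__main__":
    try:
        base = read_common_appdata()
    except (ImportError, OSError):
        # Assumption: the Windows XP default quoted in the workbook.
        base = r"C:\Documents and Settings\All Users\Application Data"
    for task, path in known_log_paths(base).items():
        state = "present" if os.path.exists(path) else "missing"
        print(f"{task}: {path} ({state})")
```

A path that still contains %DEFLOGDIR% after resolution means the variable could not be derived, which on a real host points at a missing or unreadable Shell Folders registry value rather than at the product.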


Finding Log Files


The easiest method for determining the location of the current log file for any given task, is to
open the properties page for the task and go to the Reports tab. Click the Browse button next to
the log file path. When the file browser window opens, expand the Look in: pull-down menu.
The folder tree will represent the path to the log file, as shown below.

This method will allow you to find the location of any of the log files, even if the path or log file
name has been customized.


Minimum Escalation Requirements (MER) Tool


The Minimum Escalation Requirements Tool, or MER Tool, is a utility that can be used to
collect detailed information regarding a computer and how it is configured, as well as
information regarding McAfee products installed on the machine.
The MER Tool for VirusScan Enterprise 8.5i, expected to be available near the product release
date, will be modified to collect new information based on additional features and new binary
files included in this release.
The information collected by the MER Tool for VirusScan Enterprise 8.5i is listed in the
following table, along with notes on the usage of many of the files collected.


20

Optional Student Lab - On-Delivery E-mail Scanner Configuration & Detection

Objectives
Upon completion of this lab, the student will be able to:

Configure On-Delivery E-mail Scanning

Demonstrate detection using the On-Delivery E-mail Scanner

Lab Setup / Background Information


This is an optional lab that allows students to observe the configuration and detection of the
On-Delivery E-mail Scanner using a POP3 server.

Note

POP3 email is not supported by VirusScan Enterprise 8.5i and customers should be
discouraged from using the On-Delivery E-Mail Scanner in POP3 environments. This lab
setup is designed solely to provide hands-on configuration and detection without the need
for an elaborate mail server setup.

This lab can be conducted with each computer acting as a stand-alone workstation.
This lab is intended to demonstrate the On-Demand E-mail Scanning features of VirusScan
Enterprise 8.5i.
This lab requires the FT Gate E-mail server tool (ftgate.zip) which should be located on your
desktop. If you do not have this tool, please notify your instructor.
This lab is intended to use the existing installation and configuration created in Lab 6,
On-Demand Scanner Configuration & Detection. If you are performing this lab out of order,
install VirusScan Enterprise 8.5i with maximum protection, and then install the McAfee
Anti-spyware module before proceeding with this lab.

Note

The Lotus Notes E-mail Scanner will not be demonstrated during this lab. Please refer to the
VirusScan Enterprise 8.5i Courseware or User Guide for more information on this feature.

170

McAfee VirusScan Enterprise 8.5i Lab

Optional Student Lab - On-Delivery E-mail Scanner Configuration & Detection


Lab Setup Instructions


Disable On-Access Scanner and Collect Information
1 Right-click on the VirusScan Shield in the System Tray and choose Disable On-Access
Scanner.
2 From the Start bar, select Start > Run.
3 In the command line type CMD and click OK.
4 A DOS command prompt will appear. Type IPCONFIG and press Enter.
5 Record the IP address for this computer here:_______._______._______._______
6 Type exit and press Enter to close the DOS command prompt window.

Install FTGate Mail Gateway Server


7 Navigate to the FTGate E-mail server tool located on your desktop (ftgate.zip).
8 Double-click the ftgate.zip file.
9 Double-click the ftgate22_with_license.zip file.
10 Double-click ftgate22.exe.
11 Click Run.
12 Click Yes.
13 FT Gate setup will now install the FT Gate E-mail server tool.
14 At the FT Gate Welcome Screen, click Next.

15 Click Yes at the Software License Agreement.


16 Click Next.

17 Allow FTGate to install to its default path, click Next.


18 At the Setup Type dialog, select Typical and click Next.
19 Click Next.
20 Click Next.
21 FTGate E-mail server will now install.
22 The SMTP Gateway configuration screen will appear. In the Gateway machine field, enter
the IP Address of your computer as recorded above. Click Next.

23 At the Remote Access dialog, select Use a direct LAN connection and click Next.

24 In the Primary Domain Name field type mcafee.com. Click Next.

25 In the Postmaster Account field, type admin (lowercase), and a password of mcafee
(lowercase). Click Next.
26 Click Finish.
27 Click Finish.

Configure FTGate Mail Gateway Server and Mailboxes


28 In the FTGate Program Folders window, double-click FTGate Properties.
29 Click the SMTP Server tab.
30 In the SMTP Server section, in the Address field, select your computer IP address from the
pull down menu.
31 Click Ok on the FTGate Properties dialog.
32 In the FTGate Program Folders window, double-click Mailbox Manager.

33 Click the Add button.

34 The Add Mailbox or Alias dialog will appear.


35 In the Mailbox/Alias field, type student1.

36 Click Create...
37 On the User Mailbox Configuration dialog, under Security, click Change Password.
38 In the New Password and Confirm Password fields type mcafee (lowercase).

39 Click OK.
40 In the FTGate Mailbox Manager, click the Add button.
41 The Add Mailbox or Alias dialog will appear.
42 In the Mailbox/Alias field, type student2.
43 Click Create...
44 On the User Mailbox Configuration dialog, under Security, click Change Password.
45 In the New Password and Confirm Password fields type mcafee (lowercase).
46 Click OK.
47 Click OK.
48 Click OK in the FTGate Mailbox Manager.
49 In the FTGate Program Files Folder window, double-click FTGate Server.
50 The FTGate Mail Gateway will initialize.

51 Resize the window by dragging the right border until the Operation buttons are visible.

52 Click the Hide Button.


53 Note the FTGate Mail Gateway Server icon in the System Tray.
54 The FTGate Mail Gateway Server is now running in the background.
55 Close all open windows on your desktop.

Configure Outlook E-mail Client


56 From the Start bar, select Start > Control Panel.
57 In Control Panel, double-click the Mail icon.

58 On the Mail dialog, click the Add button.


59 In the Profile Name field type student1 and click OK.

60 On the E-mail Accounts dialog, select Add a new e-mail account. Click Next.
61 On the E-mail Accounts dialog, select POP3 and click Next.

62 On the Internet E-mail Settings (POP3) dialog, enter the following information:
Your Name: student1
E-mail Address: student1@mcafee.com
Incoming mail server (POP3): enter your IP address as recorded above
Outgoing mail server (SMTP): enter your IP address as recorded above
User Name: student1

Password: mcafee

63 Click the Test Account Settings button. You should receive the message Congratulations!
All tests completed successfully. Click Close to continue. If you do not receive this
message, verify that you have followed the above setup steps correctly and try again. If this
still fails, please notify your instructor.
64 Click Close.
65 Click Next.
66 Click Finish.
67 This should return you to the Mail dialog. In the lower portion of this dialog, select Always
use this profile and select student1 from the pull down menu. Click OK.
68 Outlook E-mail client configuration for student1 is now complete. You will now configure
Outlook for student2.
69 From the Start bar select E-mail Microsoft Office Outlook.
70 From the Menu bar select Tools > E-mail Accounts.
71 Select View or Change Existing e-mail accounts and click Next.

72 On the E-mail Accounts dialog, click Add.

73 On the E-mail Accounts dialog, select POP3 and click Next.


74 On the Internet E-mail Settings (POP3) dialog, enter the following information:
Your Name: student2
E-mail Address: student2@mcafee.com
Incoming mail server (POP3): enter your IP address as recorded above
Outgoing mail server (SMTP): enter your IP address as recorded above
User Name: student2
Password: mcafee
75 Click the Test Account Settings button. You should receive the message Congratulations!
All tests completed successfully. Click Close to continue. If you do not receive this
message, verify that you have followed the above setup steps correctly and try again. If this
still fails, please notify your instructor.
76 Click Close.
77 Click Next.
78 Click Finish.
79 This should return you to the E-mail Accounts dialog. Click Finish.
80 Click the Send/Receive toolbar button. You should now see a Microsoft Office Outlook Test
Message for both student1@mcafee.com and student2@mcafee.com.
81 Minimize Microsoft Outlook.

82 Outlook E-mail client configuration is now complete

On-Delivery E-mail Scanner Configuration & Detection


1 Ensure the VirusScan On-Access Scanner is still disabled. If OAS is disabled, you should see
the circle cross symbol on the VirusScan VShield icon in System Tray. If OAS is not
disabled, right-click the VShield icon and click Disable On-Access Scan.
2 Right-click the VirusScan VShield icon in the System Tray and click VirusScan Console.
3 If a Beta/Field Test screen appears, click OK.
4 Right-click on On-Delivery E-mail Scanner and click Properties.
5 On the Detection tab, select Default + additional file types. Click OK.

6 Restore the Outlook window by clicking on Inbox Microsoft Outlook in the Start bar.
7 Click New to create a new mail message.
8 In the To field, type student2@mcafee.com.
9 In the Subject field, enter test.
10 From the Menu bar, select Insert > File.
11 Navigate to your desktop and select eicar.txt. Click Insert.
12 Click Send.

13 Click the Send/Receive toolbar button.


14 You should receive a McAfee E-mail Scan alert e-mail indicating that an unwanted message
body has been detected. Note that even though .txt files are not part of the default file scan
list, the e-mail message body scanner detected the EICAR Test String contained within the
attachment.
15 Navigate to VirusScan Console.
16 Open the On-Delivery E-mail Scanner Properties.
17 Click the Advanced tab.
18 Near the bottom of this dialog, remove the check mark from Scan e-mail message body
(Outlook Scanner only). Click OK.
19 Navigate back to the Microsoft Outlook Client and click New to create a new mail message.
20 In the To field, type student2@mcafee.com.
21 In the Subject field, type Test 2.
22 From the menu bar, select Insert File.
23 Navigate to your desktop and select the eicar.txt file. Click Insert.
24 Click Send.
25 Click the Send/Receive toolbar button. Note that the eicar.txt attachment containing the
EICAR Test String did not generate a detection. This is because the Default file list to scan
does not contain the .txt file extension and the Outlook Message Body Scanner is disabled.
26 Delete all messages from your Inbox.
27 Open the VirusScan Console.
28 Right-click on On-Delivery E-mail Scanner and click View Log.
29 Examine the log entries for the e-mail detections that occurred during our lab.
30 When you've completed examining the entries, close Notepad to close the log file.
31 Navigate to your Microsoft Outlook E-mail client.
32 In the left folder pane, click Quarantine.
33 Note the quarantined e-mail messages from our lab experiments.
34 Navigate to VirusScan Console.
35 Right-click on Quarantine Manager Policy and click Properties.
36 Click the Manager tab.
37 Note that there are no entries for the quarantined e-mail detected during our lab.

Note

Files detected by the On-Delivery E-mail Scanner are placed only in the Outlook
Quarantine folder. As a result they will not appear in Quarantine Manager.

38 Click OK to close Quarantine Manager.


39 Close all windows.
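The two results observed in steps 14 and 25 come from two separate checks: an attachment scan gated by the file-type list, and the Outlook message-body scan, which looks at content regardless of the attachment's extension. The Python script below is an added example (not code from this workbook or from McAfee) that models both checks against a constructed copy of the lab's test e-mail; the extension sets are illustrative assumptions rather than the product's real lists, and the third run goes beyond the lab by adding .txt as an additional file type.

```python
"""Added example (not the workbook's or McAfee's code): a model of the two checks
behind the lab's On-Delivery E-mail Scanner results, run against a constructed copy
of the lab's test e-mail (student1 -> student2, subject "test", attachment eicar.txt)."""
import email
from email import policy
from email.message import EmailMessage

# The standard EICAR anti-virus test string (public, harmless by design).
EICAR_TEST_STRING = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed, illustrative extension sets. Assumption: these stand in for the
# product's "Default" file-type list and for user-added "additional file types";
# they are not the real VirusScan lists. Note that .txt is NOT in the default set.
DEFAULT_FILE_TYPES = {"exe", "com", "dll", "scr", "vbs", "js", "doc", "xls", "zip"}
ADDITIONAL_FILE_TYPES = {"txt"}


def build_test_message(sender, recipient, subject, attachment_name, attachment_bytes):
    """Build the lab's test e-mail as raw RFC 5322 bytes (base64-encoded attachment)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("test")  # short text body, as in the lab
    msg.add_attachment(attachment_bytes, maintype="text", subtype="plain",
                       filename=attachment_name)
    return msg.as_bytes()


def contains_eicar(data: bytes) -> bool:
    """Content check: true if the decoded bytes carry the EICAR test string."""
    return EICAR_TEST_STRING.encode("ascii") in data


def extension_of(filename: str) -> str:
    """Lower-cased extension of a file name, or '' if it has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def scan_message(raw: bytes, file_types, scan_body: bool):
    """Scan one delivered message; return a list of (check, item) detections.

    check 1 - attachment scan: only attachments whose extension is in file_types
              are opened (mirrors the Detection tab's file-type list).
    check 2 - message-body scan: models the "Scan e-mail message body (Outlook
              Scanner only)" option as a content scan of every decoded part of the
              item, regardless of extension (the lab shows it catches eicar.txt).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    detections = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if extension_of(name) in file_types and contains_eicar(payload):
            detections.append(("attachment scan", name))
    if scan_body:
        for part in msg.walk():
            if part.is_multipart():
                continue
            payload = part.get_payload(decode=True) or b""
            if contains_eicar(payload):
                detections.append(("message body scan", part.get_filename() or "body text"))
    return detections


def lab_runs():
    """The lab's two sends, plus a third configuration the lab does not try."""
    raw = build_test_message("student1@mcafee.com", "student2@mcafee.com", "test",
                             "eicar.txt", EICAR_TEST_STRING.encode("ascii"))
    return {
        # steps 5-14: .txt not in the default list, body scan on -> body scan detects it
        "default_types_body_scan_on": scan_message(raw, DEFAULT_FILE_TYPES, True),
        # steps 18-25: body scan off -> nothing opens eicar.txt, no detection
        "default_types_body_scan_off": scan_message(raw, DEFAULT_FILE_TYPES, False),
        # beyond the lab: add .txt as an additional file type and the attachment
        # scan catches it even with the body scan off
        "additional_types_body_scan_off": scan_message(
            raw, DEFAULT_FILE_TYPES | ADDITIONAL_FILE_TYPES, False),
    }


if __name__ == "__main__":
    for name, result in lab_runs().items():
        print(f"{name}: {result or 'no detection'}")
```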

Review
Infections in files with extensions that are not on the current scan list may still generate
detections during e-mail delivery if the Outlook _______________ ________________
Scanner is enabled.
T/F Infections detected by the On-Delivery E-mail Scanner are manageable using
Quarantine Manager Policy (select True or False)?

21

Appendix - Architectural Component Breakdown
McAfee VirusScan Enterprise 8.5i

Portions of the contents of this document are Confidential and for Internal Use Only.
Warning

This document is intended for distribution to McAfee employees only.

VirusScan Enterprise 8.5i Access Protection


The following functions are contained within Access Protection:

Port Blocking

File-Share-Folder Protection

Exclusions

Alerting Rules

Registry-Value-Key Protection

Component Breakdown (by File):

test.rul (Located in the VirusScan directory, manually created. Expected to be used by Tier
III Support/AVERT) - Definition and the rules (file, registry, port blocking) that Access
Protection enforces. test.rul will take precedence over any existing Access Protection rules,
including user-defined. Any preexisting rules will not apply when test.rul is applied. Test.rul
is not commonly used. However, one should be aware that this is an extremely powerful file.

vscan.bof (Located in the VirusScan directory, created at installation) - Definition and the
rules (file, registry, port blocking) that Access Protection enforces; this file will be the default
rule file upon VirusScan installation.

extra.rul (Located in the VirusScan directory, manually created. Expected to be used by Tier
III Support/AVERT) - Same as vscan.bof, except extra.rul will be part of DAT updates as
necessary. Note: extra.rul will not replace all McAfee defined rules contained in vscan.bof
and will not replace user-defined rules.

mcafee.rul (Located in the Windows system directory, manually created. Expected to be
used by Tier III Support/AVERT) - An additional location for Access Protection rules; the
function will be the same as extra.rul, except the location of mcafee.rul is in the Windows
system directory.

VirusScan Enterprise 8.5i Architectural Component Breakdown - Confidential / Internal Use Only

mcshield.exe - Process that drives the On-Access Scan, which drives the Access Protection
functionality.

mfapfk.sys (based on Syscore build) - Driver that allows Access Protection to function.

Shstat.exe - System Tray Icon glow, Right-Click Functionality for log files

VirusScan Enterprise 8.5i Alerting

Alert Manager Alerting


Alerts of OAS, Unwanted program Policy, ScriptScan, Buffer Overflow, ODS,
AutoUpdate, Access Protection, and Email scan

Centralized Alerting
Generation of .ALR files for OAS, Unwanted program Policy, ScriptScan, Buffer
Overflow, ODS, AutoUpdate, Access Protection, and Email scan

Alert Filtering
Alerts are filtered according to severity levels (All, Sev1, Sev2, Sev3, Sev4)

Event Log
VirusScan Enterprise events are logged to Local Application Log (Event Viewer)

SNMP Traps
Alerts are generated in the form of SNMP traps

Logging Functions
Specific log files of all the components OAS (Unwanted program Policy & ScriptScan),
Buffer Overflow, ODS, AutoUpdate, Access Protection, and Email scan

Variant Alerting
Enable VirusScan Enterprise to respond to variant detections

Component Breakdown (by File):

NaEvent.Dll - VSCore Alert Manager Interface (installed to \VirusScan folder)

Mcvssnmp.dll - VSCore Alert Manager Interface - SNMP Support (installed to \VirusScan
folder)

AdsLokUU.Dll - VSCore Alert Manager Interface - Active Directory Support (installed to
\VirusScan folder)

Naiann.dll - VirusScan Enterprise Announcer (installed to \VirusScan folder)

NaiEvent.dll - McShield event logging resources (installed to \VirusScan folder)

mytilus.dll - Send alerts and ILogger for ODS and both mail scanners (installed to
\VirusScan folder)

VsTskMgr.exe - Task Manager: scheduling and OAS alerting service (installed to
\VirusScan folder)

Anti-spyware Enterprise Module On-Access Scanner


The on-access scanner provides the primary protection from spyware by detecting potentially
unwanted spyware files as they are accessed.

File Scan - The file scan detects potentially unwanted files.

Cookies Scan - The cookies scan detects potentially unwanted cookies in the cookies folder.
On Detections (File & Cookies Scan) - allows the user to set the primary (Clean, Delete, Move,
Prompt, Continue and Delete Mail) and secondary (Prompt, Move, Delete, Continue and
Delete Mail) action.
Note: Clean maps to delete.
On Exclusions (File & Cookies Scan) - If the module detects a file that you legitimately
use, you can exclude it from detection.

Anti-spyware Enterprise Module On-Demand Tasks


On-demand scan tasks are configured to scan files, registry and the cookies folder for potentially
unwanted cookies.

File Scan - The file scan detects potentially unwanted files.

Registry Scan - The registry scan detects potentially unwanted spyware-related registry entries
that were not previously cleaned.

Cookies Scan - The cookies scan detects potentially unwanted cookies in the cookies folder.
On Detections (File, Registry & Cookies Scan) - allows the user to set the primary (Clean,
Delete, Move, Prompt, Continue and Delete Mail) and secondary (Prompt, Move, Delete,
Continue and Delete Mail) action.
Note: Clean maps to delete.
On Exclusions (File, Registry & Cookies Scan) - if the module detects a cookie that you
legitimately use, you can exclude it from detection.

Anti-spyware Enterprise Module On-Delivery E-mail Scan


On-Delivery E-mail Scan scans for PUP e-mail attachments when e-mails are delivered to the
user's mailbox.
On Detections - allows the user to set the primary (Clean, Delete, Move, Prompt, Continue and
Delete Mail) and secondary (Prompt, Move, Delete, Continue and Delete Mail) action.

Note: Clean maps to delete.
On Exclusions - if the module detects a cookie that you legitimately use, you can exclude
it from detection.

Anti-spyware Enterprise Module On-Demand Scan


On-Demand E-mail Scan scans the PUP e-mail attachments that are already in the user's mailbox
or personal folders, when activated by the user.
On Detections - allows the user to set the primary (Clean, Delete, Move, Prompt, Continue and
Delete Mail) and secondary (Prompt, Move, Delete, Continue and Delete Mail) action.
Note: Clean maps to delete.
On Exclusions - if the module detects a cookie that you legitimately use, you can exclude
it from detection.

Component Breakdown (by File):


The Anti-Spyware Enterprise Module installer doesn't install new binaries; it only installs the
Anti-Spyware Enterprise Module license and changes settings in the registry. The list of binaries
directly or indirectly affected by the Anti-Spyware Enterprise Module installation is:

McShield.exe

mytilus2.dll

scriptproxy.dll

scanotlk.dll

NCScan.dll

vsplugin.dll

shutil.dll

ShCfg32.exe

vsodscpl.dll

vstskmgr.exe

shstat.exe

graphics.dll

BBCpl.dll

NVPCpl.dll

VirusScan Console

Plug-ins
Provide features in the console. Plug-ins exist for the following:

OAS, ODS, AutoUpdate, Buffer Overflow, Access Protection, On-Delivery Email scan,
Unwanted program Policy

Statistics Displays
Plug-in Integration, providing access to latest count of each scanner

Interface Options
Password & Display options applied to all interfaces in product

Remote Console
Access other client consoles (one at a time) from the local system

Local System Alerting
Enables product event generation (local) or interface with Alert Manager Product

Interface Testing
Menu items, Toolbars, Status messages (of console)

Licensing
<Nothing>

Scheduling
Task scheduling is a function in console, with integration of CMA Agent - applies to tasks
only

Component Breakdown (by File):

Mcconsole - provides the interface

Coptcpl.dll - passwords and alerting setup

Vstskmgr - Pushes task schedule configuration to CMA for remotely configured tasks

Plug-ins - Each feature provides a plug-in for use in the console. These are always installed,
even when install is console only. This is necessary for Remote console feature to work.

Requirement Check

Installer
Check the minimum requirements for installing VirusScan Enterprise application

Universal Uninstaller (UNI)

To remove some previously existing competitor anti-virus products

Setup Parameters
Feature, Switches, Path, interface, additional Product Selection

Over-install methods
Various upgrade of our legacy Anti-Virus Products

Deployment Methods
Remotely installing the VirusScan applications using 1st party ePolicy Orchestrator &
Protection Pilot 3rd Party management products

Installation

Typical Install
Installs all components

Custom Install
Allows a user to select the components to be installed, and other customizations

Uninstallation
Uninstallation of VirusScan Enterprise Application

Repair Installation
Allows the user to modify/repair VirusScan Enterprise features/files/registry

License Application
Allows the user to select Licensing options for the application

Component Breakdown (by file):

Setup.exe - VirusScan Enterprise setup

Setup.ini - Configuration setting, customize an installation (see McAfee Installation
Designer).

Nailite.dll

Lotus Scan
The Lotus Notes component has two scanner features: On Access Scanner and On Demand
Scanner.
Lotus Notes uses SMTP and POP3 when configured at the server level. However, the client uses
TCP/IP for transmitting messages to and from the Domino server; Lotus On Access will scan
any attachment (mail or otherwise) and, based on configuration, will default to local access for
mail and server side for any others.
To scan the open local databases, the On Demand Scanner can be used.


Both On Access and On Demand have a similar property page for scanning, except that the
options under Server Scanning Settings on the Notes Scanner Settings tab are grayed out for On
Demand Scan. These pages are from the control panel applet for the Outlook scanner, and in
general issues that affect the Notes Scanner will also affect the Outlook scanner. One page of the
setup is exclusive to the Notes scanner and only affects our Notes scanner application.
The VirusScan Enterprise installer searches for the notes.ini file when installing the Lotus Notes
scanner. It updates the notes.ini file with the required details so that the Actions menu on the
Lotus client is populated with the On-Access and On-Demand Scan properties. The .ini file also
identifies the server location and helps the Lotus e-mail scanner identify the default mail path. This
is needed so that the scan server settings can be matched to filter scanning on the server side.
If the notes.ini file is missing, VirusScan Enterprise does not update it and hence the Actions
menu will not list the menu items required to set Lotus-OA and Lotus-OD properties.
Also, the Lotus installer will search for .ini files in multiple locations, including the User Profile
and Lotus Program File locations, unless those .ini files reside in shared profile areas such as All
Users.
The On Demand scan can be launched from the Lotus client only, whereas the Lotus On-Access
Scanner can be viewed in two ways: the VirusScan Enterprise console and the Actions menu.

Component Breakdown (by file):


The following files are copied into two locations:
a \Program Files\VirusScan Enterprise
b \Program Files\Lotus\Notes\

NCExtMgr.dll - Notes Scanner Hook for Open and Save

NCInstall.dll - Notes Scanner Installer Helper. Not used once installed for uninstall.

NCMenu.dll - Notes Scanner Hook for Menus

NCScan.dll - Notes Scanner

NCTrace.dll - Notes Scanner Diagnostics - Not used by the application unless special trace
registry keys are set.

NCDaemon.exe - Notes Scanner Central Coordinator. Also used to launch
installs/uninstalls.

Notes Scanner Settings Tab


On installation of the Lotus Notes Scanner, this tab will be active in the On-Delivery E-mail
Scanner. It helps the user configure scanning of the server databases, and advanced settings
such as Databases to Ignore and Notes Applications to Exclude.
Several databases and Notes applications are defined within the product's executable as
excluded, and will not appear in the list even though they are excluded from scanning.

McAfee Installation Designer


McAfee Installation Designer 8.5 supports the following products:

Virus Scan Enterprise 8.5

Virus Scan Enterprise 8.0i

Anti-spyware Enterprise 8.5sa.

Anti-spyware Enterprise Module 8.5

Anti-spyware Enterprise Module 8.0

Desktop Firewall 8.5.

Alert Manager 4.7.0

Alert Manager 4.7.1

The functional decomposition at a high level has been broken down into the following scenarios:

Legend:
Screens displayed when the product is not on the system
X Screens displayed when the product is already installed on system

[Scenario table not recoverable from the extracted text. Its column headings are the MID
Feature, the Configuration File, the Packages (.cab for VSE and ASE, DFWapp.exe for DFW), and
the target products VSE (8.0i/8.5), VSE+DFW, ASE (AMG), ASE+DFW and DFW. Its rows are
Source and Destination Features, Source for Configuration, Install Options, On-Access Scanner,
Scheduled Scans, AutoUpdate Schedule, Alert Properties, Alert Manager Installation, McAfee
Desktop Firewall, User Interface Properties, Add/Remove Options, DAT and Engine Files, Patch
Files, AutoUpdate Configuration, Programs, Additional Files, Registry Settings, Installation
Designer Password, Upgrade License, Post-Installation Options, Finish, Destination Type and
On-Delivery Scanner. The per-cell marks could not be recovered.]

Component Breakdown (by file):

Midutil.dll - VirusScan Enterprise/Anti-Spyware Enterprise Module file which talks with
McAfee Installation Designer to set the applied settings done by McAfee Installation
Designer.

VSECFG.CAB - File which needs to be copied into the McAfee Installation Designer folder of
the installed product for applying the customized settings.

ASECFG.CAB - File which needs to be copied into the McAfee Installation Designer folder of
the installed product for applying the customized settings.

DFWAPP.EXE - File generated by McAfee Installation Designer when DFW is packaged
with customized settings. This file needs to be executed in order to apply the settings in the
installed DFW.

C:\program files\McAfee\VirusScan Enterprise\MID\ - Folder into which the
VSECFG.cab needs to be copied in order to apply the customized settings done by McAfee
Installation Designer.

C:\program files\McAfee\Antispyware Enterprise\MID\ - Folder into which the
VSECFG.cab needs to be copied in order to apply the customized settings done by McAfee
Installation Designer.

MID.log - Log generated when a McAfee Installation Designer customized package is
created.

NAP/PLUGIN

Point Product (Pkgcatalog.z):
Pkgcatalog.z - Checking in this file will make the server ready to deploy/remove the point
product on its clients

Configuration NAP (VSE850.Nap):
Provides the following UI pages for configuring settings in the Administrative Console

OAS-General

OAS-Default processes

OAS Low-Risk Processes

OAS High-Risk Processes

On Delivery E-mail scan

User Interface

Alert

Access Protection,

Buffer Overflow Protection,

Unwanted Programs and Error Reporting

Provides User-interface Pages for creating managed Tasks like ODS, Update, and Mirror

Extended NAP (VSE850Reports.Nap):


Provides UI for viewing VirusScan Enterprise event Reports
Provides formatted UI for Report Queries

VSplugin.dll:
Policy is defined at the ePolicy Orchestrator server.
Policy is sent by the ePolicy Orchestrator server to the client ePolicy Orchestrator agent
Agent receives policy
The agent calls a VSplugin.dll to enforce the policy
The vsplugin.dll applies the policy to the point product

Vsupdate.dll:
VirusScan Enterprise plug-in for updates; it communicates with the rest of the VirusScan
Enterprise product when it receives notification of an update from the agent

Vsebll.dll:
VirusScan Enterprise event parser .dll which is included in the extended NAP

Mfeapfa.dll:
ActiveX control included in the NAP to display access protection rules from vscan.bof

Mytilus.dll:
Sends events to agent

ePOPolicyMigration.exe:
This file should be run to copy the VSE80i and VSE7.1 rules into VSE8.5 when VSE8.5
NAP is checked-in over VSE80i or VSE7.1

Component Breakdown (by File):

Pkgcatalog.z


Product check-in file. This is an encrypted form of file which ePolicy
Orchestrator/Protection Pilot can understand. Once the file is checked into the ePolicy
Orchestrator/Protection Pilot Repository Database, the Management console is capable
of deploying the product onto its clients.
The following is some verification information carried by pkgcatalog.z regarding the deployable
package, e.g. Product ID, size of each file in the package, Product Version, Build number,
Managed Platforms (supported), Language, etc.

VSE850.Nap
Once this file is checked into ePolicy Orchestrator/Protection Pilot Repository Database, the
product is now ready for management. This NAP file will give a set of web pages. Using
these web pages, Policies for configuration settings as well as creating/scheduling the
Managed Tasks can be applied and enforced onto clients.

VSE850Reports.Nap
Once this file is checked-into ePolicy Orchestrator/Protection Pilot Repository Database, the
Management console is now ready to capture and show up the events generated in Point
Product. This file will give a GUI (charts, graphs) so that an administrator can view the
statistics of Clients.

Sitelist.xml
This file contains the server routing information and the update repository list. Sitelist.xml is
also shared by the Common Updater. It contains all the repositories (ftp, http, etc.) created
by the Management Server and triggers the common updater to update from the selected
repository (in priority order) at the given scheduled time.

C:\Program Files\Network
Associates\ePO\(version)\DB\Software\Current\VIRUSCAN8600
Directory created in e-Policy Orchestrator server when a Pkgcatalog.z file is checked-in.
This directory consists of the files needed by ePolicy Orchestrator to deploy the product.
E.g.: Setup.exe, setup.ini, uninst.dll, uninst.ini, vse850.msi.

C:\Program Files\Network Associates\ePO\(version)\DB\Reports\
Directory created once the Reports NAP is checked into the ePolicy Orchestrator Repository.
This directory consists of information files used by ePolicy Orchestrator in reporting.

C:\documents and settings\All users\Application Data\Network Associates\Common
Framework\AgentEvents\ - Client-side directory where encrypted event files (.xml) are
stored temporarily until they are sent back to the server.

Vsplugin.dll
Each Point Product will have its own Plug-in to communicate with the agent. VirusScan
Enterprise has this file which has a Plug-in program that will communicate with the common
agent and apply the policy settings to point product.

ePOPolicyMigration.exe
This file ships with the VSE 8.5 build. Run it to copy the VSE 8.0i and VSE 7.1 rules into
VSE 8.5 when the VSE 8.5 NAP is checked in over VSE 8.0i or VSE 7.1.

VirusScan Enterprise 8.5i Architectural Component Breakdown - Confidential / Internal Use Only

Appendix - Architectural Component Breakdown


VirusScan Enterprise 8.5i On-Demand Scan


The on-demand scanner provides the following functions in VirusScan 8.5i:

Full Scan - Included in the default installation. The scanned items are: memory for rootkits,
running processes, and all local drives.

Right-Click Scan - All local and network drives can be scanned by right-clicking on the
specific drive or folder. The root, and all the folders and subfolders within the scanned drive
or folder, will be scanned.

Schedule Scan - Users can schedule an on-demand scan at a specified time and recurrence.
This scheduled scan can also be run at any time from the VirusScan console.

ePolicy Orchestrator scheduled task - On-demand scans can also be scheduled through the
ePolicy Orchestrator console; the scheduled tasks are deployed to clients via ePolicy
Orchestrator.

Component Breakdown (by File):

Scan32.exe
ODS interface

Shext.dll
ShellExtensions Right-Click Scan interface

On Demand Scanner Settings
Registry: HKLM\SOFTWARE\McAfee\Desktop Protection\Default Task

VirusScan Enterprise 8.5i On-Access Scan


Users can enable per-process scanning, which lets them configure scanning policies
differently for processes that they define as default, low-risk, or high-risk.
The On-Access Scanner is a component of VSCore.

Component Breakdown (by File):

Mcshield.exe
Description: On-Access Scanner Service
File Location: C:\Program Files\McAfee\VirusScan Enterprise
Registry Locations:
HKLM\System\CurrentControlSet\Services\McShield
HKLM\Software\McAfee\VSCore\On Access Scanner\McShield


As the diagram of VSCore above shows, McShield, the file responsible for On-Access Scan
activity, is a component of VSCore, not an individual application.
McShield essentially has no UI; it does all of its scanning in the background. When it needs to
alert the user of a detection or let the user change its properties, the user isn't really accessing
McShield but other elements of VSCore, such as the Announcer, which launches when a detection
has occurred, or the Common Shell, when you want to access the properties.

Outlook Scan
The On-Delivery E-Mail Scanner settings (except for the settings in the Notes Scanner Settings
tab) are shared by the Outlook On-Delivery scanner and the Notes On-Access scanner.
The Outlook On-Delivery Scanner and the On-Demand Scanner are the two components of Outlook
Scan; both use the Outlook plug-in.
Outlook Scan uses the MAPI (Messaging Application Programming Interface) API to talk to the
Exchange Server. On-Delivery Scan scans e-mail at the time of delivery (to the Inbox or to a local
.pst folder), provided Outlook is running.
On-Delivery and On-Demand have similar property pages for scanning. Although the Outlook
On-Delivery property screen has a Lotus Scan configuration tab, changes made there do not
affect the Outlook On-Delivery scan functionality.
NOTES:
Regardless of the order in which Outlook and VirusScan Enterprise are installed, the Outlook
scanner functionality will be available as long as this component is selected for installation.

Component Breakdown (by File):

ScanOTLK.dll - VSCore Outlook E-Mail Scan scanning functionality is managed by this
DLL, which is a part of VSCore.

OTLKUI.dll - This will be installed when we switch to VSCore 13.2. This DLL contains
the UI part of the Outlook Scan (prompt dialog box, On-Demand Scan UI, etc.)


EmAbout.dll - Outlook Scan About box.

EmCfgCpl.dll - VirusScan e-mail scan UI configuration file

The following registry keys are created for the Outlook e-mail scan:
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\Alerts
bSendToAlertManagerEmail

On-Delivery Settings:
SOFTWARE\McAfee\VSCore\Email Scanner\Outlook\OnDelivery
On-Demand Settings:
SOFTWARE\McAfee\VSCore\Email Scanner\Outlook\OnDemand
ASE-M:
SOFTWARE\McAfee\VSCore\NVP
Outlook:
SOFTWARE\Microsoft\Exchange\Client\Extensions

ScriptScan
ScriptScan functions by acting as a proxy between the script and the Windows script
interpreters. It does what is referred to as hooking: it intercepts functions that are called when
a script is executed.
Without ScriptScan in place, a script uses ActiveX to call a DLL, which then calls another DLL
that creates a ClassFactory object. This object then creates an ActiveScript object, which
loads and runs the script. If the script contains malicious code, it is run just like any
non-malicious code would be.
With ScriptScan in place, the process running the VBScript or JScript code loads the ScriptScan
scanner components, and the following functions are hooked:

IActiveScriptParse32::AddScriptlet
IActiveScriptParse32::ParseScriptText
IActiveScriptParseProcedure2_32::ParseProcedureText

In very basic terms, if the script is clean, ScriptScan passes it on to the Windows interpreter to
finish the job.
If the script is infected, the original function is still called, but instead of passing the infected
script, ScriptScan passes an empty string. By default an OAS message appears saying the
script was blocked; however, the alerting is entirely dependent on the user's configuration.
There is also an option to exclude processes from ScriptScan. The "Processes to exclude:" text
box takes comma-separated values, and ScriptScan skips the processes listed there.
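The hook-and-pass-through decision path described above, modelled as an added Python example. This is not the product's code: the real hook is installed inside the scripting host process by scriptproxy.dll and the verdict comes from the DATs. Here toy_interpreter stands in for the original ParseScriptText, ScriptScanProxy for the hook, and SCRIPTSCAN_TEST_MARKER is a made-up signature string, all constructed for illustration. The model reproduces the three outcomes the text describes: an excluded process (or a disabled scanner) bypasses the check, a clean script reaches the interpreter unchanged, and a detected script still reaches the original function but as an empty string, with an alert raised only when the configuration says so.

```python
"""Model of the ScriptScan hook decision path (constructed example).

Assumptions, not product code: toy_interpreter stands in for the Windows
script engine's ParseScriptText, ScriptScanProxy stands in for the hook in
scriptproxy.dll, and SCRIPTSCAN_TEST_MARKER is a made-up signature standing
in for a DAT detection. Nothing here is a real indicator.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List

# Constructed signature: a harmless marker string, not real detection data.
SCRIPTSCAN_TEST_MARKER = "SCRIPTSCAN-TEST-MARKER"


def toy_interpreter(script: str) -> str:
    """Stand-in for the original (hooked) script engine function."""
    if script == "":
        return "ran nothing"
    return f"ran {len(script)} chars"


@dataclass
class ScriptScanConfig:
    enabled: bool = True
    # By default an OAS message appears when a script is blocked; the page
    # notes that alerting depends entirely on the user's configuration.
    alert_on_block: bool = True
    # Contents of the "Processes to exclude:" text box, comma-separated.
    processes_to_exclude: str = ""

    def excluded_processes(self) -> FrozenSet[str]:
        """Normalise the comma-separated exclusion list for comparison."""
        return frozenset(
            name.strip().lower()
            for name in self.processes_to_exclude.split(",")
            if name.strip()
        )


@dataclass
class ScriptScanProxy:
    """Sits between the script and the interpreter, like the real hook."""
    original_parse: Callable[[str], str]
    config: ScriptScanConfig
    alerts: List[str] = field(default_factory=list)

    def scan(self, script: str) -> bool:
        """Return True when the script matches the (constructed) signature."""
        return SCRIPTSCAN_TEST_MARKER in script

    def parse_script_text(self, process: str, script: str) -> str:
        """Hooked ParseScriptText: decide what the original function sees."""
        bypass = (not self.config.enabled
                  or process.lower() in self.config.excluded_processes())
        if bypass or not self.scan(script):
            # Clean (or not scanned): hand the script to the interpreter as-is.
            return self.original_parse(script)
        # Detected: the original function is still called, but with an
        # empty string instead of the script text.
        if self.config.alert_on_block:
            self.alerts.append(f"ScriptScan blocked a script in {process}")
        return self.original_parse("")


def demo(alert_on_block: bool = True) -> dict:
    """Run the three cases from the text and return what the engine saw."""
    cfg = ScriptScanConfig(alert_on_block=alert_on_block,
                           processes_to_exclude="trusted.exe, build.exe")
    proxy = ScriptScanProxy(toy_interpreter, cfg)
    clean = 'WScript.Echo "hello"'                # constructed, benign
    flagged = f'x = "{SCRIPTSCAN_TEST_MARKER}"'   # constructed, matches signature
    return {
        "clean": proxy.parse_script_text("wscript.exe", clean),
        "flagged": proxy.parse_script_text("wscript.exe", flagged),
        "excluded": proxy.parse_script_text("Trusted.EXE", flagged),
        "alerts": list(proxy.alerts),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The process-name comparison is case-insensitive and whitespace around the comma-separated names is ignored, which is how a practitioner would expect a text-box exclusion list to behave; note that an excluded process skips the signature check entirely, so the exclusion list should stay as short as possible.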


Component Breakdown (by File):

Scriptproxy.dll - VSCore's script scanning engine

Self Protection
Self-Protection is VirusScan's ability to protect its own files (McAfee files) from being altered,
using VirusScan's advanced protection characteristics. Self-Protection is essentially a set of rules
designed to prevent the user, whether an administrator or a user with limited privileges, from
altering VirusScan Enterprise's files, configuration or services. This ensures that the protection
VirusScan Enterprise provides (access protection, McAfee cleaning, etc.) is not compromised in
any way.
Of course, a user with administrator privileges can alter these settings in the Access Protection
Properties.
Self-Protection is considered a value-added service. That is, instead of being an actual
component, it is more a presentation of already present features in a way that lets the user see
that they are getting added value from our product.
Self-Protection is made up of two components:

Lockdown.dll - Lockdown.dll applies an Access Control List (ACL) that protects services such
as Mcshield.exe, VsTskMgr.exe, naPrdMgr.exe and FrameworkService.exe. Because ACLs
do not restrict a user who is an administrator, lockdown.dll cannot be used to protect
VirusScan Enterprise 8.5's files and settings.

Access Protection Rules - VirusScan Enterprise 8.5's Access Protection rules prevent
access to objects by intercepting requests in the kernel instead of relying on the objects'
security descriptors. These rules protect all of VirusScan Enterprise 8.5's files and
registry settings. Exclusions allow the management functions that still need to work.
The specific Access Protection rules that will be detached from the AP properties and moved
to the Self-Protection UI have yet to be definitively identified.

Component Breakdown (by File):

Lockdown.dll - Provides Self-Protection functionality

Access Protection Functional files:

vscan.bof

mcshield.exe

mfapfk.sys (Access Protection kernel driver)


Exclusions
The exclusion information is written to the registry in the following keys:

For OAS:
HKLM\Software\McAfee\VSCore\On Access Scanner\McShield\Configuration\Default
HKLM\Software\McAfee\VSCore\On Access Scanner\McShield\Configuration\High
HKLM\Software\McAfee\VSCore\On Access Scanner\McShield\Configuration\Low
For ODS:
Default Task: HKLM\SOFTWARE\McAfee\Desktop Protection\Default Task
Other Tasks: HKLM\SOFTWARE\McAfee\Desktop Protection\Task\<Task ID>
In each key, the total number of exclusions is stored in the registry value NumExcludeItems.
Each exclusion item (ExcludedItem_x, where x is a zero-based number) is stored as a string
in this format: Type | Flags | Data

Type
0 Last modified date
1 Creation date
2 Last accessed date
3 Pattern
4 File Type
5 Windows File Protection
6 Recycle Bin

Flags (can be ORed)
1 Exclude on read
2 Exclude on write
4 Exclude subdirectories
8 Indicates that this exclusion item is set by ePolicy Orchestrator

Data (this field stores type-related information)
0-2 (by age) - Number of days
3 (by pattern) - Pattern
4 (by file type) - File extension name


5 (WFP) - Not used
6 (Recycle Bin) - Not used
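The exclusion string format just described, decoded in an added Python example that is not part of the workbook or the product. It takes the values of one key, an OAS Default/High/Low process-risk key or an ODS task key, as a name-to-string mapping, checks NumExcludeItems against the ExcludedItem_x values actually present, rejects unknown type codes and flag bits, and reports each item in readable form. It also flags pattern exclusions that cover a whole drive, a check worth running on any managed client since nothing under such an exclusion ever reaches the scanner. SAMPLE_OAS_DEFAULT, the paths in it and the is_broad() heuristic are constructed assumptions; a real reader would fill the dictionary from winreg.

```python
"""Decoder for VirusScan Enterprise exclusion registry strings (constructed example).

Each ExcludedItem_x value has the form "Type | Flags | Data" documented on
this page. SAMPLE_OAS_DEFAULT below is constructed data embedded inline,
not read from a live registry; is_broad() is an audit heuristic added here
as an assumption, not product behaviour.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

TYPE_NAMES = {
    0: "Last modified date",
    1: "Creation date",
    2: "Last accessed date",
    3: "Pattern",
    4: "File Type",
    5: "Windows File Protection",
    6: "Recycle Bin",
}

# Flag bits may be ORed together.
FLAG_NAMES = {
    1: "Exclude on read",
    2: "Exclude on write",
    4: "Exclude subdirectories",
    8: "Set by ePolicy Orchestrator",
}
KNOWN_FLAG_MASK = sum(FLAG_NAMES.keys())   # 15


@dataclass
class Exclusion:
    type_code: int
    flags: int
    data: str

    @property
    def type_name(self) -> str:
        return TYPE_NAMES[self.type_code]

    @property
    def data_meaning(self) -> str:
        """What the Data field holds for this Type, per the page's table."""
        if self.type_code in (0, 1, 2):
            return "Number of days"
        if self.type_code == 3:
            return "Pattern"
        if self.type_code == 4:
            return "File extension name"
        return "Not used"

    def flag_names(self) -> List[str]:
        return [name for bit, name in FLAG_NAMES.items() if self.flags & bit]

    def is_broad(self) -> bool:
        """Audit heuristic (assumption): a pattern exclusion covering a whole
        drive or everything deserves a second look."""
        if self.type_code != 3:
            return False
        pattern = self.data.strip()
        return pattern in ("*", "*.*") or bool(
            re.fullmatch(r"[A-Za-z]:\\?\*?(\.\*)?", pattern))

    def describe(self) -> str:
        flags = ", ".join(self.flag_names()) or "none"
        if self.data_meaning == "Not used":
            return f"{self.type_name} [{flags}] (no data)"
        return f"{self.type_name} [{flags}] {self.data_meaning}: {self.data}"


def parse_exclusion(value: str) -> Exclusion:
    """Parse one "Type | Flags | Data" string, validating both numeric fields."""
    parts = value.split("|", 2)          # Data may itself contain '|'
    if len(parts) != 3:
        raise ValueError(f"expected 'Type | Flags | Data', got {value!r}")
    type_code, flags = int(parts[0].strip()), int(parts[1].strip())
    if type_code not in TYPE_NAMES:
        raise ValueError(f"unknown exclusion type {type_code}")
    if flags & ~KNOWN_FLAG_MASK:
        raise ValueError(f"unknown flag bits in {flags:#x}")
    return Exclusion(type_code, flags, parts[2].strip())


def decode_key(values: Dict[str, str]) -> List[Exclusion]:
    """Decode one key's values: NumExcludeItems plus ExcludedItem_0..N-1.
    `values` maps value names to strings, as a registry reader would return."""
    count = int(values.get("NumExcludeItems", "0"))
    items = []
    for i in range(count):
        name = f"ExcludedItem_{i}"
        if name not in values:
            raise ValueError(f"NumExcludeItems says {count} but {name} is missing")
        items.append(parse_exclusion(values[name]))
    return items


def audit(values: Dict[str, str]) -> List[str]:
    """Return readable lines for the broad exclusions found in one key."""
    return [e.describe() for e in decode_key(values) if e.is_broad()]


# Constructed sample of what an OAS "Default" process-risk key (or an ODS
# task key) might contain. Paths and values are made up.
SAMPLE_OAS_DEFAULT = {
    "NumExcludeItems": "4",
    "ExcludedItem_0": "3|7|C:\\Program Files\\ExampleVendor\\Database\\",  # read+write+subdirs
    "ExcludedItem_1": "4|9|log",     # file type, read-only, set by ePO
    "ExcludedItem_2": "0|1|30",      # files not modified in 30 days, read-only
    "ExcludedItem_3": "3|7|D:\\*",   # whole drive: flagged by is_broad()
}


if __name__ == "__main__":
    for exclusion in decode_key(SAMPLE_OAS_DEFAULT):
        print(exclusion.describe())
    print("broad:", audit(SAMPLE_OAS_DEFAULT))
```

Run it against the three OAS Configuration keys and every ODS task key; a count mismatch or an unknown flag bit is worth investigating on its own, since both mean the value was not written by the product's own UI or by ePolicy Orchestrator.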

Updater
Component Breakdown (by File):

Dats
    AVVclean.dat
    AVVnames.dat
    AVVscan.dat

Engine
    McScan32.dll
    Messages.dat
    License.dat
    <filename>.ceu - CEU (incremental engine update; the filename is dynamic)

Updater component
    All framework service folders
    Mcupdate.exe

Add help file
Checked in to the repository and downloaded using a separate script from the engine and DATs;
it will not be downloaded from the repository unless the user selects help.
The help files are no longer shipped with the product. They are available in the Updater
repository and are retrieved by the point product when a user views the help file.

Framework Service/CMA
Schedules the update task, performs the actual updating, including the UI during the update
itself, processes the sitelist XML, sends log and alert information back to the McUpdate UI,
and shares its binaries with the common agent that is run by management tools.

Mirror Task
Performed by CMA using a special updating script. Creates a replica of a site that the user
points to - Whatever is in that site can be downloaded to a local server for easier access and
less network traffic.

Interface Testing
Menu items, Toolbars, agent update icon


UI Change (only when CMA 3.6 is added) so that Engine Updates will always include Dats
ecus (5000 engine team requirement).

Update Window
Shows progress of update and which DATs are being downloaded

Rollback Option
DATs and Engine should go back to previous version

Edit Sitelist
Repositories can be added, modified, deleted, and imported

Scheduler
Sets time and date and how often to run the update

Appendix - Lab Requirements: Instructor Provided Files

Files and Folders Required for VirusScan Enterprise 8.5i Lab Exercises

1 VirusScan Enterprise 8.5i Installation Files (.zip)
2 McAfee Anti-spyware Enterprise Module Installation Files (.zip)
3 FTGate Mail Gateway Server Installation Files (FTGate.zip) for optional lab
4 Buffer overflow test tool (Botest2new.zip)
5 EICAR Test file (EICAR.zip, pw: eicar)
6 Folder: ASDAT
    AS-SAMPLE.ZIP (pw: spycar)
    avvclean.dat (test dat)
    avvnames.dat (test dat)
    avvscan.dat (test dat)
    mcscan.vlt (test)
    AVT_ADWARE.COM (sample)
    AVT_DIALER.COM (sample)
    AVT_JOKE.COM (sample)
    AVT_PWCRACKER.COM (sample)
    AVT_REMOTEADMIN.COM (sample)
    AVT_SPYWARE.COM (sample)
7 Folder: OASDAT
    cleansetsubset.zip (heuristic & cookie dat + samples) (pw: cleanset)
    scriptset.zip (script dat + sample) (pw: scriptscan)
8 Folder: C:\MIRROR (empty - mirror task target)
9 Folder: C:\UPDATE (contains latest updater mirror for AutoUpdate task)


Copyright 2006 McAfee, Inc. All Rights Reserved.

mcafee.com
