McAfee VirusScan Enterprise
Student Workbook
revision 1.3
McAfee System Protection
Industry-leading intrusion prevention solutions
COPYRIGHT
Copyright 2006 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without
the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN
(STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA),
INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN,
MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE,
PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN
KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the
US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are
the sole property of their respective owners.
Attributions
This product includes or may include:
Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Cryptographic software written by Eric A. Young and software
written by Tim J. Hudson. Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free
Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code.
The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available
to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide
rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and
restrictions herein. Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. Software originally written by Robert Nordier,
Copyright 1996-7 Robert Nordier. Software written by Douglas W. Sauder. Software developed by the Apache Software Foundation (http://www.apache.org/). A
copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. International Components for Unicode ("ICU") Copyright
1995-2002 International Business Machines Corporation and others. Software developed by CrystalClear Software, Inc., Copyright 2000 CrystalClear Software,
Inc. FEAD Optimizer technology, Copyright Netopsystems AG, Berlin, Germany. Outside In Viewer Technology 1992-2001 Stellent Chicago, Inc. and/or
Outside In HTML Export, 2001 Stellent Chicago, Inc. Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, 1998, 1999, 2000.
Software copyrighted by Expat maintainers. Software copyrighted by The Regents of the University of California, 1996, 1989, 1998-2000. Software copyrighted
by Gunnar Ritter. Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., 2003. Software copyrighted by
Gisle Aas. 1995-2003. Software copyrighted by Michael A. Chase, 1999-2000. Software copyrighted by Neil Winton, 1995-1996. Software copyrighted by
RSA Data Security, Inc., 1990-1992. Software copyrighted by Sean M. Burke, 1999, 2000. Software copyrighted by Martijn Koster, 1995. Software
copyrighted by Brad Appleton, 1996-1999. Software copyrighted by Michael G. Schwern, 2001. Software copyrighted by Graham Barr, 1998. Software
copyrighted by Larry Wall and Clark Cooper, 1998-2000. Software copyrighted by Frodo Looijaard, 1997. Software copyrighted by the Python Software
Foundation, Copyright 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. Software copyrighted by Beman Dawes,
1994-1999, 2002. Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek 1997-2000 University of Notre Dame. Software copyrighted by
Simone Bordet & Marco Cravero, 2002. Software copyrighted by Stephen Purcell, 2001. Software developed by the Indiana University Extreme! Lab
(http://www.extreme.indiana.edu/). Software copyrighted by International Business Machines Corporation and others, 1995-2003. Software developed by the
University of California, Berkeley and its contributors. Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://
www.modssl.org/). Software copyrighted by Kevlin Henney, 2000-2002. Software copyrighted by Peter Dimov and Multi Media Ltd. 2001, 2002. Software
copyrighted by David Abrahams, 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. Software copyrighted by Steve Cleary, Beman
Dawes, Howard Hinnant & John Maddock, 2000. Software copyrighted by Boost.org, 1999-2002. Software copyrighted by Nicolai M. Josuttis, 1999.
Software copyrighted by Jeremy Siek, 1999-2001. Software copyrighted by Daryle Walker, 2001. Software copyrighted by Chuck Allison and Jeremy Siek,
2001, 2002. Software copyrighted by Samuel Krempp, 2001. See http://www.boost.org for updates, documentation, and revision history. Software copyrighted
by Doug Gregor (gregod@cs.rpi.edu), 2001, 2002. Software copyrighted by Cadenza New Zealand Ltd., 2000. Software copyrighted by Jens Maurer, 2000,
2001. Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), 1999, 2000. Software copyrighted by Ronald Garcia, 2002. Software copyrighted by
David Abrahams, Jeremy Siek, and Daryle Walker, 1999-2001. Software copyrighted by Stephen Cleary (shammah@voyager.net), 2000. Software copyrighted
by Housemarque Oy <http://www.housemarque.com>, 2001. Software copyrighted by Paul Moore, 1999. Software copyrighted by Dr. John Maddock,
1998-2002. Software copyrighted by Greg Colvin and Beman Dawes, 1998, 1999. Software copyrighted by Peter Dimov, 2001, 2002. Software copyrighted
by Jeremy Siek and John R. Bandela, 2001. Software copyrighted by Joerg Walter and Mathias Koch, 2000-2002. Software copyrighted by Carnegie Mellon
University 1989, 1991, 1992. Software copyrighted by Cambridge Broadband Ltd., 2001-2003. Software copyrighted by Sparta, Inc., 2003-2004. Software
copyrighted by Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, 2004. Software copyrighted by Simon
Josefsson, 2003. Software copyrighted by Thomas Jacob, 2003-2004. Software copyrighted by Advanced Software Engineering Limited, 2004. Software
copyrighted by Todd C. Miller, 1998. Software copyrighted by The Regents of the University of California, 1990, 1993, with code derived from software
contributed to Berkeley by Chris Torek.
Table of Contents
Overview
  Product Overview ........ 5
  Feature Overview ........ 5
Installation
  Objectives ........ 7
  Minimum System Requirements ........ 7
  Supported Platforms ........ 7
  64-bit Installation of VirusScan Enterprise 8.5i - Differences ........ 9
  McAfee Anti-spyware Enterprise Module - Additions to VirusScan Enterprise ........ 10
  McAfee VirusScan Installation Options ........ 16
  McAfee Anti-spyware Enterprise Module Installation ........ 18
  Product Upgrade - Preserving Settings ........ 18
    Rule Preservation Logic ........ 19
  Uninstallation Notes ........ 20
Access Protection ........ 28
  Objectives ........ 28
  Overview ........ 28
  Standard and Maximum Protection Installations ........ 29
  Access Protection Rules Configuration Options ........ 31
  User-defined Rules ........ 32
  AP Rule Processing ........ 35
  VirusScan Self-protection ........ 36
  Reports ........ 36
Student Lab ........ 38
  Objectives ........ 38
  Lab Setup / Background Information ........ 38
  Access Protection - Configuration ........ 39
  Self-Protection ........ 44
    Demonstrate Self-Protection ........ 44
  Review ........ 46
Unwanted Programs Policy ........ 67
  Objectives ........ 67
  Unwanted Programs Policy Overview ........ 67
  Configuration ........ 68
On-Access Scanner ........ 80
Student Lab ........ 98
  Objectives ........ 98
  Lab Setup / Background Information ........ 98
  On-Access Scanner Configuration and Detection ........ 98
    Scanning for Unknown Threats (Heuristics) ........ 98
    ScriptScan ........ 102
  Review ........ 105
On-Demand Scanner ........ 107
  Review ........ 131
Quarantine Manager ........ 133
  Objectives ........ 133
  Quarantine Manager Overview ........ 133
  Configuration ........ 133
Student Lab ........ 137
  Objectives ........ 137
  Lab Setup / Background Information ........ 137
  Quarantine Manager Policy ........ 138
    Policy Tab ........ 138
    Manager Tab ........ 140
  Review ........ 142
AutoUpdate ........ 143
  Objectives ........ 143
  AutoUpdate Overview ........ 143
  Configuration ........ 143
  Repositories ........ 144
    Default Repositories ........ 145
    Adding a Repository ........ 146
    Proxy Settings ........ 149
  Mirror Tasks ........ 150
    Creating a New Mirror Task ........ 151
Student Lab ........ 155
  Objectives ........ 155
  Lab Setup / Background Information ........ 155
  AutoUpdate ........ 155
  Mirror Task ........ 158
  Review ........ 161
Troubleshooting ........ 162
  Objectives ........ 162
  Configuring Scanners to Record Session Settings ........ 162
    Enable Session Settings - Report Tab ........ 163
    Session Settings - Log File Output ........ 164
  Log Files ........ 165
    Default Log File Directory ........ 165
    Finding Log Files ........ 166
  Minimum Escalation Requirements (MER) Tool ........ 167
Files and Folders Required for VirusScan Enterprise 8.5i Lab Exercises ........ 201
Overview
McAfee VirusScan Enterprise 8.5i & McAfee Anti-spyware
Enterprise Module
Product Overview
McAfee VirusScan 8.5i is the latest update to McAfee's flagship virus-protection product.
Building on the blended-threat approach introduced in McAfee VirusScan 8.0i, 8.5i extends
that concept with expanded threat protection and tighter integration of the protection
technologies.
McAfee VirusScan Enterprise 8.5i protects enterprise desktop and server computers against a
wide variety of threats. Adding the McAfee Anti-spyware Enterprise Module to a VirusScan 8.5i
installation broadens that protection to cover all unwanted program types, including spyware,
adware and keyloggers.
VirusScan Enterprise 8.5i also implements self-protection technology, which prevents VirusScan
Enterprise 8.5i components from being modified and McAfee services from being stopped by
unauthorized sources.
The product can be deployed and managed using ePolicy Orchestrator 3.5 or above, and
Protection Pilot 1.5 or above, as with the previous versions of McAfee VirusScan. Custom
installation packages for VirusScan 8.5i can also be created using McAfee Installation Designer.
Feature Overview
This release of McAfee VirusScan Enterprise includes both updates to existing features and
completely new features.
The major features and protection modes available in VirusScan Enterprise 8.5i and the McAfee
Anti-spyware Enterprise module are:
Access Protection
On-Access Scanner
Autoupdate
Mirroring Task
The available options and configurations for each of these areas are covered in depth in the
following chapters, and most include lab exercises to help you become familiar with the product.
Please proceed to the next section; VirusScan Enterprise 8.5i Installation.
Installation
McAfee VirusScan Enterprise 8.5i & McAfee Anti-spyware
Enterprise Module
Objectives
At the end of this section, the student will be able to:
Identify the minimum system requirements for installing and running McAfee VirusScan
Enterprise 8.5i with McAfee Anti-spyware Enterprise module
Describe the major differences between 32-bit and 64-bit installations of VirusScan
Enterprise 8.5i
Explain the options available when installing VirusScan Enterprise 8.5i and McAfee
Anti-spyware Enterprise module.
Minimum System Requirements
Microsoft Windows Installer (MSI) version 3.1, unless installing on a Windows NT platform,
which uses MSI version 2.0.
Note
Microsoft Windows Installer (MSI) 3.1 provides the ability to remove a patch. Because Windows
NT platforms are limited to MSI version 2.0, removing patches on Windows NT is not possible.
Supported Platforms
McAfee VirusScan Enterprise 8.5i with the McAfee Anti-spyware Enterprise Module can be
installed and run on the following operating systems, on computers that meet the minimum
system requirements. (Note: the Service Packs listed are the minimum level required.)
64-bit Installation of VirusScan Enterprise 8.5i - Differences
VirusScan Enterprise 8.5i Console on a 64-bit O/S. Note that Buffer Overflow Protection is
absent from the console: it is not available on 64-bit installations.
VirusScan Enterprise 8.5i installation folder on 64-bit. Note the Program Files (x86) folder.
VirusScan Enterprise 8.5i installation on 64-bit, showing the x64 subfolder where the VirusScan
Enterprise 8.5i 64-bit components are installed.
McAfee Anti-spyware Enterprise Module - Additions to VirusScan Enterprise
A new Targeted Scan task is added to the VirusScan Console. This On-Demand scan is
pre-configured to scan common targets for unwanted programs, including:
Registered Files
Registry
Cookies folder
Windows folder
Temp Folder
The VirusScan Console after ASE-M installation is pictured above. Note the new On-Demand
Scan task, Targeted Scan.
The Full Scan on-demand scan task is updated with new items to scan, adding common
targets for unwanted programs.
The Full Scan on-demand task properties before installing ASE-M is pictured above.
The Full Scan on-demand scan properties after installing ASE-M is pictured above. Note the
additional entries on the Items list.
The On-Access Scanner properties will have cookie scanning available and enabled after
installing ASE-M.
The On-Access Scanner properties after ASE-M installation is pictured above. Note the addition
of the Scan cookie files option.
Anti-spyware Access Protection rules are added to the Access Protection properties after
installing ASE-M. Anti-spyware Standard protection rules will be enabled by default.
Note
Unless otherwise noted, all screen shots and options descriptions in this course assume that the
McAfee Anti-spyware Enterprise module has been installed.
McAfee VirusScan Installation Options
McAfee VirusScan Enterprise 8.5i also provides the option to install with Standard Protection
or Maximum Protection. This selection determines which of the default Access Protection rules
are enabled after installation.
When the installation of VirusScan Enterprise 8.5i completes, the installer offers to perform an
immediate update (Update Now) of the program components and DAT files, and to run an
On-Demand scan of the system.
McAfee Anti-spyware Enterprise Module Installation
Product Upgrade - Preserving Settings
The following settings are preserved when an existing installation is upgraded to VirusScan
Enterprise 8.5i:
User-specified extensions
Exclusion settings
DAT files, if the existing DAT version is later than the DATs in the installation package.
Scanning engine version, if the existing engine version is later than the engine in the
installation package.
Log file names and locations are preserved, but the log format is updated from ANSI to UTF-8.*
* Build 652.2 - Log file names/locations not preserved, new log files created, old files deleted. See
Troubleshooting for more information.
Note
VirusScan versions prior to 7.1 cannot preserve settings during an upgrade to 8.5i. McAfee
recommends that versions prior to 7.1 be removed before installing VirusScan Enterprise 8.5i.
Uninstallation Notes
McAfee VirusScan Enterprise 8.5i and the McAfee Anti-spyware Enterprise module appear as
separate programs in the Control Panel > Add or Remove Programs list.
Uninstalling VirusScan Enterprise also removes the McAfee Anti-spyware Enterprise Module, so
an end-user who wants to remove VirusScan Enterprise completely need only uninstall VirusScan
Enterprise. Sometimes the ASE-M entry still appears in the Add or Remove Programs list after
VSE 8.5i has been uninstalled. This is a refresh issue: close the Add or Remove Programs
window and open it again, and ASE-M will no longer appear.
If the end-user later re-installs VirusScan Enterprise 8.5i, the McAfee Anti-spyware Enterprise
module must be re-installed as well.
Note
When re-installing McAfee VirusScan Enterprise 8.5i, it is recommended that the McAfee
Anti-spyware Enterprise module be uninstalled first using Control Panel > Add or Remove
Programs, and then VirusScan. Re-install VirusScan, followed by the anti-spyware module.
Please proceed to the next section - Student Lab - Installing VirusScan Enterprise 8.5i &
Comparing Protection Levels.
Objectives
Upon completion of this lab, the student will be able to:
Describe the difference between the protection levels (Standard and Maximum) selected during
installation
Student Lab - Installing VirusScan Enterprise 8.5i & Comparing Protection Levels
Installation Steps - Standard Protection Installation
11 When the Install McAfee Products screen appears, select Next (Do not install Alert Manager
or Desktop Firewall).
12 When the Product Configuration screen appears, remove the check from Import AutoUpdate
repository list and click Next.
13 When the Security Configuration screen appears, DO NOT enter a password for accessing
the user interface. Note the Start menu and System tray icon and menu options at the bottom
of this dialog. Click Next.
14 When the Ready to Install screen appears, click Install.
Installing the McAfee Anti-Spyware Module
15 The Installing McAfee VirusScan Enterprise screen appears with a status bar displaying the
installation progress.
16 When the McAfee VirusScan Enterprise setup has completed successfully screen appears,
REMOVE the check from Update Now and Run On-Demand Scan, and then click Finish.
17 Note the VirusScan Enterprise 8.5i VShield icon that now appears in the System Tray. You
have successfully installed VirusScan Enterprise 8.5i with Standard Protection. Close the
installation files .zip window.
Viewing Access Protection Properties for Standard Protection Installs
37 The Access Protection Properties screen will appear. Examine the following:
Click on each of the Categories. Note the rules selected for each category listed on the
right. For Standard Protection installations notice that maximum protection rules have
not been enabled.
Note the checkbox in the lower-left portion of the screen, Prevent McAfee services from
being stopped. This option is not enabled by default for Standard Protection
installations.
Installation Steps - Maximum Protection Installation
41 The Rules Details dialog will appear. Note the wildcard asterisk (*) in the Processes to
include field, indicating that this rule will apply to all processes. Individual process
executables may be listed here with comma separators.
42 Note that the Processes to exclude field lists several processes to be excluded from this rule.
43 Click Cancel.
44 Click OK.
45 Close the VirusScan Console.
46 Select Start > Control Panel > Add or Remove Programs.
47 Select McAfee VirusScan Enterprise and click Remove.
48 When prompted if you really want to uninstall, click Yes.
49 McAfee VirusScan Enterprise 8.5i will uninstall.
50 Close the Add or Remove Programs window.
51 Close Control Panel.
Installing the McAfee Anti-Spyware Enterprise Module
Note
Click on each of the Categories. Note the rules selected for each category listed on the
right. Notice that the Maximum Protection rules have now been enabled with the
exception of the Anti-spyware Maximum Protection category.
Note that the selection for Prevent McAfee services from being stopped is not enabled by
default for Maximum Protection installations.
When installing VirusScan Enterprise 8.5i with Maximum Protection, the Anti-spyware
Maximum Protection rules and the McAfee Services protection will NOT be enabled
automatically. The user will have to select these maximum protection options in order to
enable them.
78 Click on the Reports Tab. Note the logging options for recording violations of access
protection rules, including enable/disable logging, log file location, and maximum log file
size settings.
79 Click the Browse button to display the Select Log File dialog. Activate the Look In: pulldown menu. Note the path to the log file from the directory tree displayed. Click Cancel.
80 Click Cancel.
81 Close the VirusScan Console.
Review
1. When installing VirusScan Enterprise 8.5i, users have the option to install with
_____________ or ______________ protection levels.
2. When installing with Standard Protection, the Maximum Protection rules are disabled /
enabled by default. (circle one)
3. Processes to include or exclude for Access Protection rules can be modified by selecting
the rule and clicking the ________ button on the Access Protection Properties page.
4. Access Protection logging options are configured on the __________ tab of the Access
Protection Properties page.
Access Protection
McAfee VirusScan Enterprise 8.5i & McAfee Anti-spyware
Enterprise Module
Objectives
At the end of this section, the student will be able to:
Identify the default Access Protection rules for Standard and Maximum Protection
installations of McAfee VirusScan Enterprise 8.5i
Explain how to turn individual Access Protection blocking and reporting on and off.
Overview
VirusScan Enterprise 8.5i offers enhanced Access Protection features that can prevent intrusion
by restricting access to ports, files, folders, and shares. You can block access to ports and port
ranges, lock down shares, files, and directories to read-only, block execution of a specific file,
and generate log entries and/or Alert Manager and ePolicy Orchestrator events when attempts
are made to access blocked items.
The Access Protection features will also allow you to prevent McAfee processes from being
stopped by unauthorized sources.
During virus outbreaks, Access Protection rules can be enabled to block destructive code from
accessing the computer until a DAT update is available.
Standard and Maximum Protection Installations
Each Access Protection rule can be configured to Block access, to Report access attempts, or both.
Caution
When installing VirusScan Enterprise 8.5i with Maximum Protection rules enabled, the
Anti-spyware Maximum Protection rules will not be enabled after installing the McAfee
Anti-spyware Enterprise module. These rules must be enabled by the end-user or administrator.
The following table shows the default status of each category of Access Protection rules for
Standard and Maximum Protection installations. Rules in the Standard Protection categories are
enabled (Block + Report) by both installation types. Rules in the Maximum Protection categories
are enabled only by a Maximum Protection installation, with the exception of the Anti-spyware
Maximum Protection category (see the Caution above). Anti-virus Outbreak Control rules are not
enabled by either installation type; they are intended to be turned on manually during an
outbreak.

Category                               | Standard Protection Default Status | Maximum Protection Default Status
Anti-spyware Standard Protection       | Block + Report                     | Block + Report
Anti-spyware Maximum Protection        | None                               | None
  (available only with ASE-M installed)
Anti-virus Standard Protection         | Block + Report                     | Block + Report
Anti-virus Maximum Protection          | None                               | Block + Report
Anti-virus Outbreak Control            | None                               | None
Common Standard Protection             | Block + Report                     | Block + Report
Common Maximum Protection              | None                               | Block + Report
User-Defined Rules                     | None (no rules defined at install) | None (no rules defined at install)

Access Protection Rules Configuration Options
Warning
Maximum Protection rules should be used with caution as they can block common activities such
as installation or execution of certain applications or processes. It is recommended that maximum
protection rules be initially enabled for Report only in order to determine if exclusions will be
required for that rule.
Each pre-defined Access Protection rule, as well as each User-defined rule, can be configured to
include and exclude specific processes. Select a rule and click the Edit button to open the Rule
Details dialog box.
Wildcard characters are allowed in both the Processes to include and Processes to exclude
fields, as shown in the Rule Details dialog.
In the example, the rule Prevent registry editor and Task Manager from being disabled contains
an asterisk (*) wildcard in the Processes to include field, indicating that it applies to all
processes.
In the Processes to exclude field, specific process names have been excluded from this rule,
along with a process name ending in the asterisk (*) wildcard character (gianantispywar*) to
exclude variants on that process name.
Additional exclusions may be added by typing the process name, or a partial name with wildcard
characters, into the Processes to exclude field. Process names are separated with a comma (,).
Warning
End-user changes to the exclusion list of any pre-defined Access Protection rule will not be
overwritten by McAfee updates to the Access Protection rules definitions. Once the end-user
modifies the exclusions for any Access Protection rule, they become responsible for maintaining
the exclusions list from that point forward.
User-defined Rules
Users can define custom Access Protection rules to meet their specific needs.
Users can create three types of rules:
Port Blocking Rule: These rules can block a program from accessing the network, or they can
prevent other computers from accessing this computer.
File/Folder Blocking Rule: These rules prevent unauthorized programs from altering,
opening, or deleting files that they shouldn't.
Registry Blocking Rule: These rules prevent unauthorized programs from altering, opening,
or deleting registry keys and values that they shouldn't.
Processes to include - you can use a specific process name or wildcard variants to specify the
processes to include in the rule. Examples: process.exe, pro*.exe, pro*, pro????.exe. Use a
single asterisk (*) in this field to include all processes.
Processes to exclude - you can use a specific process name or wildcard variants to specify the
processes to exclude from the rule. Use a single asterisk (*) in this field to exclude all processes.
Ports to Block - specify a single port to be blocked or a range of ports to be blocked. Enter
the starting and ending port range to block an inclusive range of ports.
Direction - Select whether this rule will apply to Inbound connections, Outbound
connections, or both, by clicking the appropriate box(es).
File actions to prevent - specify which action or actions you wish to block for the selected
folder/file with this rule: Read access, Write access, File execution, File creation, File
deletion, or any combination of these options.
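As an added illustration (not McAfee code, and not part of the original workbook), the following Python model shows how the Processes to include and Processes to exclude fields combine with File actions to prevent for a File/Folder Blocking rule. The matching semantics follow the text above: names are matched case-insensitively, * matches any run of characters, ? matches a single character, lists are comma-separated, and an exclusion overrides an inclusion. The data structure, function names and the desktop path of readme.txt are assumptions of the example; the rule values are those used in the lab (all processes, notepad.exe excluded, write access blocked) and the Temp folder rule's msiexec.exe/frminst.exe exclusions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Set

FILE_ACTIONS = {"read", "write", "execute", "create", "delete"}


def split_process_list(field: str) -> List[str]:
    """Split a comma-separated Processes to include/exclude field into patterns."""
    return [p.strip().lower() for p in field.split(",") if p.strip()]


def process_matches(process: str, patterns: List[str]) -> bool:
    """Case-insensitive match: '*' matches any run of characters, '?' exactly one."""
    return any(fnmatchcase(process.lower(), pat) for pat in patterns)


@dataclass
class FileBlockingRule:
    name: str
    processes_to_include: str      # e.g. "*" or "pro*.exe, setup????.exe"
    processes_to_exclude: str      # e.g. "notepad.exe, gianantispywar*"
    file_or_folder: str            # path the rule protects (folder paths end with a backslash)
    actions_to_prevent: Set[str]   # subset of FILE_ACTIONS
    block: bool = True
    report: bool = True

    def applies_to(self, process: str) -> bool:
        """A process is covered when it matches an include pattern and no exclude pattern."""
        included = process_matches(process, split_process_list(self.processes_to_include))
        excluded = process_matches(process, split_process_list(self.processes_to_exclude))
        return included and not excluded

    def covers_path(self, path: str) -> bool:
        """Exact match for a file rule; prefix match for a folder rule."""
        target, path = self.file_or_folder.lower(), path.lower()
        return path == target or (target.endswith("\\") and path.startswith(target))

    def evaluate(self, process: str, path: str, action: str) -> Dict[str, bool]:
        """Decide one access attempt: {'blocked': ..., 'reported': ...}."""
        if action not in FILE_ACTIONS:
            raise ValueError(f"unknown file action {action!r}")
        hit = self.applies_to(process) and self.covers_path(path) and action in self.actions_to_prevent
        return {"blocked": hit and self.block, "reported": hit and self.report}


# Constructed path for the lab's readme.txt; the real desktop location varies per machine.
LAB_README = r"C:\Documents and Settings\student\Desktop\ASE-M\readme.txt"


def lab_rule() -> FileBlockingRule:
    """The rule as it stands at lab step 45: all processes, notepad.exe excluded, write blocked."""
    return FileBlockingRule(
        name="File Blocking Rule",
        processes_to_include="*",
        processes_to_exclude="notepad.exe",
        file_or_folder=LAB_README,
        actions_to_prevent={"write"},
    )


def temp_folder_rule() -> FileBlockingRule:
    """Folder-style rule modelled on 'Prevent all programs from running files from the Temp
    folder' with its msiexec.exe / frminst.exe exclusions (Temp path is constructed)."""
    return FileBlockingRule(
        name="Prevent all programs from running files from the Temp folder",
        processes_to_include="*",
        processes_to_exclude="msiexec.exe, frminst.exe",
        file_or_folder="C:\\Windows\\Temp\\",
        actions_to_prevent={"execute"},
    )
```

Creating a rule with block=False and report=True reproduces the Report-only configuration the warning above recommends for Maximum Protection rules: the decision is logged but the process is not stopped, which is how you find the exclusions a rule needs before enabling Block.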
AP Rule Processing
Access Protection rules can be loaded from five different sources (vscan.bof, the registry, test.rul,
extra.rul, and mcafee.rul), and which rules are processed depends on which of these sources are present:
If test.rul is present in the product folder:
-test.rul is read and all remaining rule sources are skipped.
Otherwise:
-vscan.bof is read from the product folder.
-extra.rul (if present) is read from the product folder and appended.
-User rules are read from the registry and appended.
-mcafee.rul (if present) is read from %windir% and appended.
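The precedence above, as an added example (not McAfee code): a small Python function that returns the rule sources in load order together with the combined rule list. The dictionaries that stand in for the product folder and %windir%, and the rule names marked constructed, are assumptions; the two vscan.bof rule names in the sample are rules this workbook mentions. From a defender's viewpoint the point to notice is that a test.rul in the product folder silently replaces every other source, including the McAfee-supplied rules, so its presence on a production system is worth auditing.

```python
from typing import Dict, List

# Constructed sample sources. The two vscan.bof rule names are rules this workbook
# mentions; the other entries are placeholders for this example.
SAMPLE_PRODUCT_FOLDER: Dict[str, List[str]] = {
    "vscan.bof": ["Prevent all programs from running files from the Temp folder",
                  "Prevent registry editor and Task Manager from being disabled"],
    "extra.rul": ["constructed extra.rul rule"],
}
SAMPLE_WINDIR: Dict[str, List[str]] = {"mcafee.rul": ["constructed mcafee.rul rule"]}
SAMPLE_REGISTRY: List[str] = ["File Blocking Rule"]   # the user-defined rule from the lab


def load_ap_rules(product_folder: Dict[str, List[str]], windir: Dict[str, List[str]],
                  registry_user_rules: List[str]) -> Dict[str, List[str]]:
    """Return {'sources': [...], 'rules': [...]} in the order Access Protection loads them.
    Each dict maps a file name to the rules it contains; a missing key means the file
    is absent from that folder."""
    product = {name.lower(): rules for name, rules in product_folder.items()}
    win = {name.lower(): rules for name, rules in windir.items()}
    if "test.rul" in product:
        # test.rul wins outright: every other source is skipped.
        return {"sources": ["test.rul"], "rules": list(product["test.rul"])}
    sources, rules = ["vscan.bof"], list(product.get("vscan.bof", []))
    if "extra.rul" in product:                    # optional, appended after vscan.bof
        sources.append("extra.rul")
        rules += product["extra.rul"]
    sources.append("registry")                    # user-defined rules, always read
    rules += registry_user_rules
    if "mcafee.rul" in win:                       # optional, read from %windir%
        sources.append(r"%windir%\mcafee.rul")
        rules += win["mcafee.rul"]
    return {"sources": sources, "rules": rules}


def audit_rule_sources(product_folder: Dict[str, List[str]]) -> List[str]:
    """Findings a defender would want raised about the rule sources on a host."""
    findings = []
    names = {name.lower() for name in product_folder}
    if "test.rul" in names:
        findings.append("test.rul present: vscan.bof, extra.rul, registry and mcafee.rul rules are not loaded")
    if "vscan.bof" not in names:
        findings.append("vscan.bof missing from the product folder: no McAfee-supplied rules")
    return findings
```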
VirusScan Self-protection
In addition to the Access Protection rules that prevent the modification of McAfee files and
settings by unauthorized sources, an additional option, Prevent McAfee services from being
stopped, is also available on the Access Protection screen.
When the Prevent McAfee services from being stopped option is selected under Access
Protection, VirusScan Enterprise will implement an Access Control List against McAfee
processes that will prevent anyone except the SYSTEM account from terminating the process or
service. This protects VirusScan from being disabled by malicious programs that seek to
circumvent virus protection programs by killing their services.
Warning
When the Prevent McAfee services from being stopped option is selected under Access
Protection, VirusScan Enterprise will implement an Access Control List against McAfee
processes that only allows the SYSTEM account to NET STOP McAfee Services. An
Administrator (or anybody with debug privileges) can still use Task Manager to terminate
processes and services.
Prevent McAfee services from being stopped is not enabled by default for Standard or Maximum
Protection installations. This option must be enabled by the end-user or Administrator.
Reports
The Access Protection Properties page has a Reports tab that allows configuration of access
protection event logging options. The available options are:
Log to file (default: enabled) - allows you to enable/disable logging of attempts to violate
access protection.
Log file location (path) - by default the log will be created in
%DEFLOGDIR%\AccessProtectionLog.txt. A custom path and name for the log file can be
entered here.
Limit size of log file (default: enabled) - This option allows VirusScan to limit the log file
size to a user-configured maximum size in order to prevent excessive disk usage.
Maximum log file size (MB): By default this is set to 1MB with a maximum setting available
of 100MB.
Format - determines the text encoding method used when creating the log. By default,
Unicode (UTF8) is selected. Other options are ANSI and Unicode (UTF16).
View Log - This button will open the log in Notepad, or the application that is associated with
.txt files on the computer.
Please proceed to the next section: Student Lab - Access Protection Configuration and
Detection.
Objectives
Upon completion of this lab, the student will be able to:
4 Examine the Categories in the left column. Note that for each category, a rule or rules is
displayed in the right column.
5 Each rule may be enabled to Block, or Report, or both by clicking in the appropriate selection
column. Removing the checkmark disables that function for the current rule.
6 In the category column, select Anti-Spyware Maximum Protection.
7 Notice that the three rules for this category are not enabled for blocking or reporting.
Caution
When installing VirusScan Enterprise 8.5i with Maximum Protection, the Anti-spyware
Maximum Protection rules under Access Protection will NOT be enabled automatically.
The user will have to select these maximum protection rules in order to enable them.
8 Click in the Block and Report fields for each rule. A checkmark should appear indicating that
these rules have been enabled.
9 In the right column, select the rule, Prevent all programs from running files from the Temp
folder.
10 Click the Edit button.
11 Notice the processes to exclude listed for this rule. These exclusions will allow the Windows
MSI Installer (msiexec.exe) to run files from the Temp folder, and will also allow the
McAfee Framework installer (frminst.exe) to run files from the Temp folder. Other processes
may also be specified here to allow Temp folder file execution.
12 Click Cancel.
13 In the Categories column, select User-defined Rules.
14 Click the New button.
15 The Select New Rule Type dialog appears.
19 In the Rule Name field, type File Blocking Rule (no quotes).
20 In the Processes to include field, type * (an asterisk) (no quotes).
21 Leave the Processes to exclude field blank.
22 In the File or Folder name to block field, use the Browse file button to navigate to the ASE-M
installation folder on your desktop. Select the readme.txt file in that folder and click Open.
23 In the File Actions to prevent section, select Read access to files and Write access to files.
24 Click OK.
25 Click OK on the Access Protection Properties dialog.
26 Navigate to the ASE-M folder on your desktop.
27 Double-click the readme.txt to open it.
28 Note the Access is Denied error message. Access Protection has prevented read-access to this
file. Click OK. Close Notepad.
29 Navigate back to the VirusScan Console and right-click Access Protection. Select Properties.
30 Select User-defined rules in the Categories column.
31 Select the File Blocking Rule you created, and click the Edit button.
32 Remove the checkmark from Read access to files, under File actions to prevent.
33 Click OK.
34 Click OK on the Access Protection Properties dialog.
35 Navigate to the ASE-M folder on your desktop.
36 Double-click the readme.txt to open it. Note that you now have read-access to this file.
37 Select File > Save. Note the error indicating that you cannot create this file in the folder
specified. Access Protection has blocked the write-access to this file. Click OK.
38 The File > Save As dialog will automatically appear. Navigate to your Desktop and save this
file as readme.txt.
39 Note that you are able to successfully create a new copy of this file in a new location. Access
Protection is only blocking write-access to the original file specified in the rule (located in
the ASE-M folder).
40 Close the readme.txt file.
41 Navigate to VirusScan Console. Right-click Access Protection and choose Properties.
42 Select User-defined rules in the Categories column.
43 Select the File Blocking Rule you created.
44 Click the Edit button.
45 In the Processes to exclude field, type notepad.exe (no quotes)
46 Select OK.
47 Select OK on the Access Protection Properties dialog.
48 Navigate to the ASE-M folder on your desktop.
49 Double-click the readme.txt to open it.
50 Select File > Save.
51 Note that although write-access is still disabled for this file, Notepad is now excluded from
this blocking rule and can save changes to the file.
52 Close Notepad.
53 Right-click on readme.txt and select Open With.
54 Select WordPad (if WordPad is not listed, select Choose Program and select WordPad from
the list).
55 Once the readme.txt file has opened in WordPad, select File >Save.
56 Note the error indicating that access is denied. WordPad is not excluded from this rule and
therefore does not have write-access to this file. Click OK.
57 Close WordPad.
58 Navigate to VirusScan Console and right-click Access Protection, select View Log.
59 Examine the log entries. Note the Blocked by Access Protection entries created during our
readme.txt experiments, including read and create blocking.
60 Once you have examined the log entries, close the log file by exiting Notepad.
61 Close the ASE-M folder.
Self-Protection
VirusScan Enterprise 8.5i Access Protection includes features and rules intended to protect itself
from being modified or stopped without proper authority.
Some of the Self-protection features include:
Demonstrate Self-Protection
Adding or Removing files from the McAfee Folder
1 Navigate to VirusScan Console.
2 Double-click the Access Protection Policy task to open its Properties page.
3 Place a checkmark in the option, Prevent McAfee services from being stopped.
4 Click OK.
5 Ensure that the On-Access Scanner and the Access Protection Policy are both enabled.
6 Navigate to the C:\Program Files\Common Files\McAfee\Engine folder.
7 Right-click on any of the files in this folder and select Delete.
8 Note the error message indicating that you are denied access to this function. Click OK.
9 Right-click in an empty space of the McAfee\Engine folder and select New > Text
Document.
10 Note the error message indicating that you are denied access to this function. Click OK.
5 Attempt to stop the other McAfee Services - note the error message.
6 Close the Services Windows. Close the Administrative Tools Window.
Review
In order to enable, disable, configure, or create an access protection rule, you must go to the
Access Protection _______________ dialog page, in VirusScan Console.
T / F - You cannot set access protection rules for Anti-Spyware using Access Protection
rules. (select true or false)
Enabling and disabling both blocking and reporting for a particular rule is easily performed
by clicking the _______ or _________ field for the rule. A checkmark will appear when
blocking and/or reporting has been enabled for the rule.
T / F - You can include processes to include (block) for a given rule by using wildcards,
including asterisk (*) for all processes, or the question mark (?) for variable characters in a
process name (for example, ???setup.exe). (select true or false)
You can exclude processes (do not block) for a particular rule by listing the process name, or
wildcard variant, in the _____________ ______ ____________ field of the Rule Details
screen.
Objectives
At the end of this section, the student will be able to:
Configuration
VirusScan Enterprise 8.5i offers these options for configuring Buffer Overflow Protection:
Enable buffer overflow protection (default: enabled) - Allows Buffer Overflow Protection to
be turned on and off and set for Warning or Protection mode.
Show the messages dialog box when a buffer overflow is detected (default: enabled) - Allows
you to suppress the VirusScan Alert message dialog when a buffer overflow detection occurs.
Buffer overflow exclusions - Clicking the Add button allows you to exclude specific
processes from buffer overflow scanning. Wildcards are not allowed in the process name
field and the process name must be exact.
Note
When adding exclusions that are due to unwanted buffer overflow detections, check
the VirusScan Alert messages dialog, the Buffer Overflow log file, or ePO event report
to determine the exact process name for exclusion.
Reports
The Buffer Overflow Protection Properties page has a Reports tab that allows configuration of
buffer overflow event logging options. The available options are:
Log to file (default: enabled) - allows you to enable/disable logging of buffer overflow
detections.
Log file location (path) - by default the log will be created in
%DEFLOGDIR%\Mcafee\DesktopProtection\BufferOverflowProtectionLog.txt. A custom
path and name for the log file can be entered here.
Limit size of log file (default: enabled) - This option allows VirusScan to limit the log file
size to a user-configured maximum size in order to prevent excessive disk usage.
Maximum log file size (MB): By default this is set to 1MB with a maximum setting available
of 999MB.
Format - determines the text encoding method used when creating the log. By default,
Unicode (UTF8) is selected. Other options are ANSI and Unicode (UTF16).
View Log - This button will open the log in Notepad, or the application that is associated with
.txt files on the computer.
Note
Users who have associated .txt files with WordPad may receive an error indicating that the log file
is in use and cannot be opened when using the View Log button or context menu selection. To
resolve the issue, re-associate Notepad with the .txt file extension on the computer.
Please proceed to the next section: Student Lab - Buffer Overflow Protection Configuration
and Detection.
Objectives
Upon completion of this lab, the student will be able to:
Windows 2003 includes the Data Execution Prevention feature for preventing buffer overflow
conditions. As a result, the Buffer Overflow Test Tool used in this lab will not generate buffer
overflow conditions running under this O/S. To allow the Buffer Overflow Test Tool to function
with Windows 2003, disable Data Execution Prevention under System Properties > Advanced >
Performance Settings.
4 Note that there are only four main configuration options for Buffer Overflow:
5 Click OK.
14 Clear the alert messages from the On Access Scan Messages dialog.
15 Close the On-Access Scan Messages dialog.
16 Open the Buffer Overflow Protection Properties dialog page.
17 Under Buffer overflow exclusions, click the Add button.
18 The Buffer Overflow Exclusion dialog will appear.
Review
The four configuration options for Buffer Overflow Protection are:
A customer that reports false or unwanted Buffer Overflow Detections from a known, trusted
application should list the application process name in the Buffer Overflow ______________
section of the Buffer Overflow Properties, in order to prevent future detections of this
application.
Objectives
At the end of this section, the student will be able to:
Configuration
The On-Delivery E-mail Scanner has 7 tabs on its properties page. The tabs and their options are:
All file types (default) - Specifies scanning of all files regardless of type or extension.
Default + additional file types (#) - Specifies that scanning will occur only for the default
file types/extension list, and those types specifically added by the end-user. To view the
default types/extension list, click Additions and examine the Scanned by default list on
the Additional File Types dialog. This dialog is also used to add file types by extension
by selecting or typing the extension in the Add File Type field and clicking the Add
button.
Clicking the Select button will provide a comprehensive list of file type extensions that
you can choose to add to the scanning list.
Check the Also scan for macros in all attachments to allow the e-mail scanner to look for
macro viruses inside of file attachments.
Specified File Types - User-specified file types by extension only will be scanned with
this option. Clicking the Specified button allows the end-user to add files types to the scan
list. A Select button listing known file types is also available for this option.
Find unknown program viruses and trojans (default: enabled) - Allows the e-mail scanner
to perform heuristic scanning for viruses and trojans in e-mail attachments.
Find unknown macro viruses (default: enabled) - Allows the e-mail scanner to perform
heuristic scanning for macro viruses in e-mail attachments.
Find attachments with multiple extensions (default: disabled) - When enabled, will cause
detections on attachments that have multiple file extensions, for example file.com.txt.
Compressed files
Scan inside archives (e.g. .ZIP) (default: enabled) - Specifies whether the e-mail scanner
will attempt to scan the files within compressed archives such as those created by WinZip
and WinRAR. Password-protected and encrypted archives cannot be scanned.
Decode MIME encoded files (default: enabled) - Allows the e-mail scanner to scan
attachments encoded by e-mail systems that use MIME encoding for mail and
attachments.
Scan e-mail message body (Outlook Scanner only) (default: enabled) - Indicates whether
the e-mail scanner will scan Outlook message bodies for unwanted scripts. As the name
of this option suggests, it is supported for the Outlook client only.
Primary Action - When a threat is found (default: Clean attachments) - Specifies the first
action that the e-mail scanner should attempt to take when a threat is detected. Primary
Action options are:
Secondary Action if the first action fails - Specifies what action the e-mail scanner should
take if the Primary Action fails (example: uncleanable virus infection). Secondary Action
options are:
Move to Folder
Move to Folder - specifies the mailbox folder that infected e-mail will be moved to, if the
action to Move attachments to a folder is selected as the Primary Action or Secondary
Action and other actions fail. The default folder is Quarantine.
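Added example (not McAfee code): a Python model of the detection and action options above. It decodes a MIME message with the standard email package, flags attachments with multiple extensions (file.com.txt style), scans inside a ZIP archive and reports password-protected members as unscannable, then applies the Primary Action and falls back to the Secondary Action (Move to Folder, default Quarantine) when the primary fails. The signature string, the sample messages, and the rule that an infected archive cannot be cleaned (so the primary action fails for it) are assumptions made for this example; the encrypted member is simulated by setting the ZIP encryption flag on a constructed archive.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Tuple

TEST_SIGNATURE = b"CONSTRUCTED-TEST-THREAT"      # stands in for a DAT signature (constructed)
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}


def has_multiple_extensions(filename: str) -> bool:
    """True for names such as file.com.txt: an executable extension hidden behind another."""
    parts = filename.lower().split(".")
    return len(parts) > 2 and any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1])


def scan_bytes(data: bytes) -> bool:
    return TEST_SIGNATURE in data


def scan_archive(data: bytes) -> Tuple[bool, List[str]]:
    """Scan every member of a ZIP; encrypted members are reported as unscannable."""
    detected, unscannable = False, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:             # general-purpose bit 0: member is encrypted
                unscannable.append(info.filename)
                continue
            detected = detected or scan_bytes(zf.read(info))
    return detected, unscannable


def scan_message(raw: bytes) -> List[Dict]:
    """Decode the MIME message and return one finding per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""   # base64 / quoted-printable decoded here
        finding = {"name": name, "detected": False, "unscannable": [],
                   "multiple_extensions": has_multiple_extensions(name)}
        if zipfile.is_zipfile(io.BytesIO(payload)):
            finding["detected"], finding["unscannable"] = scan_archive(payload)
        else:
            finding["detected"] = scan_bytes(payload)
        findings.append(finding)
    return findings


def take_action(findings: List[Dict], primary: str = "Clean attachments",
                secondary: str = "Move attachments to a folder", folder: str = "Quarantine") -> Dict:
    """Primary action first; the secondary runs only when the primary fails.
    Model assumption: a plain attachment can be cleaned (removed), an infected
    archive cannot, so for archives the primary action fails."""
    for f in findings:
        if not f["detected"]:
            continue
        if primary == "Clean attachments" and not f["name"].lower().endswith(".zip"):
            return {"action": primary, "attachment": f["name"]}
        return {"action": secondary, "folder": folder, "attachment": f["name"],
                "reason": f"{primary} failed"}
    return {"action": "none"}


# --- constructed sample data --------------------------------------------------
def make_zip(member: bytes, encrypted: bool = False) -> bytes:
    """Build a one-member ZIP in memory; 'encrypted' only sets the flag bit (simulated)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.txt", member)
        if encrypted:
            zf.filelist[-1].flag_bits |= 0x1      # mark the member as password-protected
    return buf.getvalue()


def sample_message(filename: str, content: bytes) -> bytes:
    """A constructed message with one binary attachment, serialised as it would arrive."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.test", "student@example.test", "sample"
    msg.set_content("constructed message body")
    msg.add_attachment(content, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

The unscannable list is what the Failure to scan encrypted files log option on the Reports tab records: a password-protected archive produces no detection, only a log entry, so such attachments need a policy decision rather than a signature.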
Send alert mail to user (default: disabled) - allows you to specify an email alert message
to be sent to a user or users when a detection occurs. Selecting this option and clicking
the Configure button will allow you to set recipients, subject, and body text for the alert
mail message.
Display custom message (default: disabled) - Selecting this option allows the end-user to
provide custom text that will appear on the prompt dialog, if Prompt for Action is selected
as one of the actions to take on detection. The default message is; McAfee VirusScan
Enterprise E-mail Scanner: Alert!.
Detect unwanted programs (default: enabled) - Selecting this option will apply the
Unwanted Programs Policy configured in VirusScan Console, to e-mail scanning. (See
Unwanted Programs Policy section for information on configuring scanning for
unwanted programs)
Primary Action - When an unwanted program is found (default: Clean attachments) - Specifies the
action to take when unwanted programs are detected by the e-mail scanner. Available options are
identical to the Detection options on the Actions tab.
Secondary Action - if the first action fails (default: Move attachments to a folder) - Specifies
the action to take when the Primary Action fails. Available options are identical to the
Detection options on the Actions tab.
Log to file (default: enabled) - allows you to enable/disable logging of e-mail scanner
detections.
Log file location (path) - by default the log will be created in [install
path]\Mcafee\DesktopProtection\EmailOnDeliveryLog.txt. A custom path and name for
the log file can be entered here.
Limit size of log file (default: enabled) - This option allows VirusScan to limit the log file
size to a user-configured maximum size in order to prevent excessive disk usage.
Maximum log file size (MB): By default this is set to 1MB with a maximum setting
available of 100MB.
Format - determines the text encoding method used when creating the log. By default,
Unicode (UTF8) is selected. Other options are ANSI and Unicode (UTF16).
View Log - This button will open the log in Notepad, or the application that is associated
with .txt files on the computer.
Session settings (default: disabled) - Selecting this option will cause VirusScan
Enterprise 8.5i to include a dump of its option settings to the log, whenever an entry is
made. This can be a valuable troubleshooting tool when attempting to diagnose issues
with the On-Delivery E-mail scanner. The On-Access Scanner and the On-Demand
Scanner may also be configured to record session settings on their respective Report tabs.
Note
Users who have associated .txt files with WordPad may receive an error indicating that the log file
is in use and cannot be opened when using the View Log button or context menu selection. To
resolve the issue, re-associate Notepad with the .txt file extension on the computer.
Session summary (default: enabled) - Specifies that summary information will be written
to the log when detection events are recorded, including; Engine version, AV DAT
version, number of signatures in extra.dat, names of signatures in extra.dat.
Failure to scan encrypted files (default: enabled) - specifies that an entry will be made in
the log file when the e-mail scanner is unable to scan a file because it is encrypted.
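Added example (not McAfee code) covering the Reports-tab options that the Access Protection, Buffer Overflow Protection and On-Delivery E-mail Scanner logs share: Log to file, Log file location, Limit size of log file, Maximum log file size (MB) and Format. The workbook does not say what VirusScan does when the limit is reached, so this Python model drops the oldest entries until the file fits again; that behaviour, the class name and the constructed log entries are assumptions. Running demo() writes the same entries through Unicode (UTF8) and Unicode (UTF16) and shows that the UTF-16 log holds roughly half as many entries under the same limit, which matters when deciding whether the default 1 MB keeps enough history for an investigation.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Format names as they appear on the Reports tab, mapped to Python codec names.
ENCODINGS = {"Unicode (UTF8)": "utf-8", "ANSI": "cp1252", "Unicode (UTF16)": "utf-16"}


class SizeLimitedLog:
    """Log to file / Limit size of log file / Maximum log file size (MB) / Format."""

    def __init__(self, path, log_to_file: bool = True, limit_size: bool = True,
                 max_mb: float = 1.0, fmt: str = "Unicode (UTF8)") -> None:
        self.path = Path(path)
        self.log_to_file = log_to_file
        self.limit_size = limit_size
        self.max_bytes = int(max_mb * 1024 * 1024)
        self.encoding = ENCODINGS[fmt]

    def write(self, entry: str) -> bool:
        """Append one entry; returns False when logging is disabled."""
        if not self.log_to_file:
            return False
        # Text mode writes the UTF-16 byte-order mark only when the file is empty.
        with open(self.path, "a", encoding=self.encoding, newline="") as f:
            f.write(entry + "\r\n")
        if self.limit_size and self.path.stat().st_size > self.max_bytes:
            self._trim()
        return True

    def read_entries(self) -> List[str]:
        return self.path.read_text(encoding=self.encoding).splitlines()

    def _trim(self) -> None:
        """Drop the oldest entries until the file fits (assumed behaviour, see lead-in)."""
        entries = self.read_entries()
        data = b""
        while entries:
            entries.pop(0)
            data = "".join(e + "\r\n" for e in entries).encode(self.encoding)
            if len(data) <= self.max_bytes:
                break
        self.path.write_bytes(data)


def demo(max_mb: float = 0.002, entries: int = 60) -> Dict:
    """Write the same constructed entries through both Unicode formats and compare."""
    tmp = Path(tempfile.mkdtemp())
    entry = "2006-11-15 10:15:32  Blocked by Access Protection rule  (constructed sample entry)"
    results: Dict = {}
    for fmt in ("Unicode (UTF8)", "Unicode (UTF16)"):
        log = SizeLimitedLog(tmp / f"AccessProtectionLog-{fmt}.txt", max_mb=max_mb, fmt=fmt)
        for i in range(entries):
            log.write(f"{entry} #{i}")
        kept = log.read_entries()
        results[fmt] = {"retained": len(kept), "bytes": log.path.stat().st_size, "newest": kept[-1]}
    results["disabled_write"] = SizeLimitedLog(tmp / "off.txt", log_to_file=False).write("ignored")
    return results
```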
Scan all server databases (default: disabled) - allows the scanner to scan all attachments
being read from or written to any Notes database located on the Domino server. Note that
Notes e-mail files are simply special Notes databases.
Scan server mailboxes (default: enabled - !!mail\) - By default the Mailbox Root Folder
is set to !!mail\, which means that any file on the Domino server whose name includes
!!mail\ (the default mail folder on the server) is scanned. Setting this value to is the same as
saying Scan all server databases. Setting it to a value like !!mail\username.nsf scans
only that particular database (.nsf) file on the server.
Advanced Options
Detection
When the On-Delivery E-mail Scanner detects a threat in an email message, the original email
will be placed in the Quarantine folder and the recipient will receive a McAfee E-mail Scan Alert
message in their inbox.
Sender name/address
The action that was taken. If the Primary Action failed, the reason is also listed.
Items detected by the e-mail scanner will appear in the Quarantine folder (or user-defined folder)
in the Outlook or Notes mail client.
Note
This Student Guide contains an optional lab for configuring and detecting threats using the
On-Delivery E-mail Scanner, utilizing a POP3 server tool. Please note that although detections
of infected attachments will occur in this environment, it is not supported by VirusScan
Enterprise 8.5i and customers should be discouraged from using the On-Delivery E-mail Scanner
in this manner. See Student Lab - On-Delivery E-mail Scanner Configuration and Detection.
Objectives
At the end of this section, the student will be able to:
Note
The Unwanted Programs Policy descriptions and screenshots used in this section are for an
installation of VirusScan Enterprise 8.5i with the McAfee Anti-spyware Enterprise module.
VirusScan Enterprise 8.5i with the McAfee Anti-spyware Enterprise module provides
comprehensive protection from unwanted programs, including:
Spyware
Adware
Dialers
Password Crackers
Joke programs
Key loggers
The Unwanted Program Policy configuration can be individually enabled or disabled for each of
the scanners (On-Delivery E-mail Scanner, On-Access Scanner, and On-Demand Scanner) on
each scanner's properties page.
Additionally, after installation of the McAfee Anti-spyware Enterprise module, the VirusScan
Enterprise 8.5i On-Access and On-Demand scanners are capable of scanning cookie files for
potentially unwanted content. (See the Installation section for detailed information on features
unlocked/enabled by the McAfee Anti-spyware Enterprise module installation in VirusScan
Enterprise 8.5i.)
Configuration
The Unwanted Programs Policy provides the following configuration options:
Spyware
Adware
Dialers
Password Crackers
Joke programs
Key loggers
Note
Wildcard characters are not valid for Unwanted Programs Policy exclusions. At the time of this
writing, the Unwanted Program Exclusion dialog allowed the entry of wildcard characters as part
of an excluded program name (e.g. *.com), however, the exclusion entry is invalid and will not
exclude files from scanning for unwanted programs. Exact detection names are required for
exclusion from unwanted program scanning.
Please proceed to the next section: Student Lab - Unwanted Programs Policy Configuration
and Detection.
Objectives
Upon completion of this lab, the student will be able to:
6 Paste the files in the Engine folder. When prompted with an overwrite warning, click Yes to
All. The definition files needed to detect our test samples are now in place.
7 Close all folder windows and return to your desktop.
27 When you're finished examining the alert dialog, click Remove Message until all alert
messages have been deleted. Close the On-Access Scan Messages window.
28 Click OK on the Error Copying File or Folder dialog.
Exclusions
39 Disable the On-Access Scanner.
40 Open the Unwanted Programs Policy Properties.
41 At the bottom of the Detection tab, click the Exclusions button.
42 In the Set Unwanted Program Exclusions dialog, click the Add button.
44 This will activate the Detection Exclusion dialog. Here, you can select a detection type from
a list of the possible detections contained within the DATs, or you can search for a detection by
substring and display only those detections that contain the substring text that you supply.
Note
The DAT files that were located in the ASDAT folder were not copied because the copy process
was terminated by the On-Access Scanner prior to completing the operation.
User-Defined Detection
66 Disable the On-Access Scanner.
67 Open the ASDAT folder on your Desktop.
68 Right-click in the window, click New, click Text Document.
69 Name the document UDDTEST.txt.
70 Open the UDDTEST.txt file and enter random characters. Save the document.
71 Rename UDDTEST.txt to UDDTEST.COM. Click OK on the extension warning.
72 Navigate to the VirusScan Console.
73 Open Unwanted Programs Policy Properties.
74 Click the User-Defined Detection tab.
75 Click the Add button.
76 On the User-Defined Unwanted Program dialog, in the Filename field, type
UDDTEST.COM.
84 Remove the detection messages from the alert window and click Close Window.
85 Close all open windows.
Review
Spyware, Adware, Dialers and Password Crackers are examples of _____________
_______________ categories.
T / F When excluding files from Unwanted Programs Policy scanning, you may use wildcard
characters in the filename to exclude. (Circle True or False)
T / F Unwanted programs such as Spyware or Adware can be made immune to scanning simply
by changing the file extension to a non-executable file type. (Circle True or False)
Unwanted programs contained within ______________-protected archives cannot be detected
by the On-Access Scanner.
On-Access Scanner
McAfee VirusScan Enterprise 8.5i
Objectives
At the end of this section, the student will be able to:
Configuration
Configuration options for the On-Access Scanner are separated into two categories: General
Settings, which apply to all On-Access Scanning, and Processes, which apply either to all
processes, or to low-risk and high-risk processes, depending upon your option configuration.
General Settings
The General Settings section of the On-Access Scanner properties page has the following
options available:
Boot sectors (default: enabled) - instructs the on-access scanner to scan the boot sector of
hard and floppy disks for boot sector viruses.
Floppy during shutdown (default: enabled) - specifies that the on-access scanner will scan
disks in the floppy disk drive when Windows shuts down.
General
Enable on-access scanning at system startup (default: enabled) - specifies that the
on-access scanner will be activated when Windows starts.
Scan Time
Maximum archive scan time (seconds) (default: 15) - specifies the number of seconds the
On-Access Scanner may attempt to scan an archive file before timing out.
Enforce a maximum scanning time for all files (default: enabled) - selecting this option
applies the Maximum scan time (seconds) setting to the On-Access Scanner.
Maximum scan time (seconds) (default: 45) - specifies the number of seconds the On-Access
Scanner may attempt to scan any file before timing out.
There are two types of timeouts, graceful timeouts and fatal timeouts. In the case of graceful
timeouts, once the maximum scan time has been exceeded by the On-Access Scanner, the scan
will be abandoned and the time-out will be recorded in the On-Access Scan Log. In the event of
a fatal timeout, the first timeout value is reached but the scan fails to abandon, so McShield
terminates itself to avoid locking up the system. This will be recorded in the System event log,
indicating that McShield terminated unexpectedly.
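Added example (not McAfee code): a Python model of the two timeout paths just described, driven by a simulated clock so the result is deterministic. A cooperative scan checks the deadline between chunks and is abandoned with an entry in the On-Access Scan Log (graceful); a scan that never checks keeps running until a watchdog gives up and records that McShield terminated unexpectedly in the System event log (fatal). The chunked scan, the watchdog grace period of 5 seconds, and the log entry wording are assumptions of the example.

```python
from typing import Dict, Iterator, List


class SimClock:
    """Simulated clock so the timeouts below are deterministic (no real sleeping)."""

    def __init__(self) -> None:
        self.now = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class ScanTimeout(Exception):
    """Raised by a well-behaved scan when it notices the deadline has passed."""


def scan_file(chunks: List[bytes], seconds_per_chunk: float, max_scan_time: float,
              clock: SimClock, cooperative: bool = True) -> Iterator[int]:
    """Yield after each chunk. A cooperative scan checks the deadline between chunks
    and abandons the file (graceful timeout); a non-cooperative one never checks,
    which stands in for a scan that 'fails to abandon' (fatal timeout)."""
    deadline = clock.now + max_scan_time
    for index, _chunk in enumerate(chunks):
        if cooperative and clock.now >= deadline:
            raise ScanTimeout()
        clock.sleep(seconds_per_chunk)      # simulated signature matching on this chunk
        yield index


def run_on_access_scan(path: str, chunks: List[bytes], seconds_per_chunk: float,
                       clock: SimClock, max_scan_time: float = 45,
                       cooperative: bool = True, watchdog_grace: float = 5) -> Dict:
    """Drive one scan and record the outcome in the log the workbook names for it.
    watchdog_grace (assumed value) is how long past the deadline the watchdog waits
    before McShield gives up and terminates itself."""
    logs: Dict[str, List[str]] = {"on_access_log": [], "system_event_log": []}
    started = clock.now
    try:
        for _ in scan_file(chunks, seconds_per_chunk, max_scan_time, clock, cooperative):
            if clock.now - started > max_scan_time + watchdog_grace:
                logs["system_event_log"].append("McShield terminated unexpectedly")
                return {"outcome": "fatal timeout", **logs}
        logs["on_access_log"].append(f"{path}: scanned, no threat found")
        return {"outcome": "clean", **logs}
    except ScanTimeout:
        logs["on_access_log"].append(f"{path}: scan abandoned after {max_scan_time}s, file skipped")
        return {"outcome": "graceful timeout", **logs}
```

A skipped file is the price of the graceful path: a large archive that times out at 45 seconds is not scanned, so the On-Access Scan Log entries for timeouts are worth reviewing alongside detections.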
Note
Cookies
Scan cookie files (default: enabled) - Indicates that the On-Access Scanner should scan for
unwanted cookie files.
ScriptScan
Enable ScriptScan (default: enabled) - enables/disables the script scanning function of the
On-Access Scanner
ScriptScan exclusions (default: none) - allows the end-user to add process names to exclude
from script scanning. Clicking the Add button will activate the ScriptScan Exclusion dialog
where you can type the full process name. Wildcards are not allowed in this field.
Why can't VirusScan Enterprise 8.5i ScriptScan exclude scripts by site? Because it is not
technically possible. ScriptScan intercepts a function that is analogous to "run
this script". If the function were "run this script from this source", then we could implement
exclusions based upon source.
Note
With the VSE 8.5i release, we expect to see about a 60% ScriptScan performance improvement,
primarily due to improvements in the 5100 engine, but we can only exclude by process, not URL.
However, disabling ScriptScan does not leave the customer completely vulnerable. Scripts can
run in memory before they access the hard drive. Once they are written to disk, the On-Access
Scanner will detect them and also trigger a memory scan that terminates the running process.
However, there is that small window of possibility between when a script runs in memory and it
is written to the disk - ScriptScan was created to help close this gap. But if the customer is having
performance problems they should consider disabling ScriptScan because in their case the
protection may be less desirable than the risk.
Send a message (default: disabled) - Select this option to have the On-Access Scanner
generate an alert message when a remote system writes a threat to the current system. Type
the desired alert text in the field provided.
Block
Block the connection (default: enabled) - Instructs the On-Access Scanner to block the
incoming connection from computers that write threats to the system.
Unblock connections after (minutes) (default: 10) - specifies how long the remote computer
connection will be blocked after detection of a threat written from the remote computer.
Show the messages dialog when a detection occurs (default: enabled) - Specifies whether the
Alert Message dialog will appear when an On-Access detection occurs.
Alert when a cookie detection occurs (default: disabled) - Specifies that the Alert Message
dialog will appear when an unwanted cookie detection occurs.
Text to display in message (default: VirusScan Alert!) - Allows for a custom message to
appear in the Alert Message dialog when a detection occurs. Type the desired text into the
field provided.
Specify what actions users without administrative rights can perform on messages in the list
(default: Remove messages, Clean files) - Defines the actions that end-users are allowed to
take on the Alert Messages dialog. Available options are:
Remove messages from the list (delete the alert message from the alert dialog)
Clean files
Delete files
Log to file (default: enabled) - Specifies whether the On-Access Scanner will record
scanning activity to the log file. You can specify a custom path for log files in the field
provided. By default, the On-Access Scan log will be written to
%DEFLOGDIR%\Mcafee\DesktopProtection\OnAccessScanLog.txt.
Limit size of log file (default: enabled) - Instructs the On-Access Scanner to limit the
maximum log file to the size specified.
Maximum log file size (MB) (default: 1 MB) - specifies the size limit for the On-Access log.
Maximum entry: 999 MB.
Format (default: Unicode (UTF8)) - Indicates the encoding format for the text file containing
the On-Access log entries. Options are: ANSI, Unicode (UTF8) and Unicode (UTF16).
Session settings (default: disabled) - When enabled, instructs the On-Access Scanner to
provide a dump of all VirusScan Enterprise configuration settings to the log, whenever an
event is logged. This option is primarily used as a troubleshooting tool. Leaving this option
enabled will cause the log to reach maximum size more quickly.
Session summary (default: enabled) - Instructs the On-Access Scanner to provide a summary
of VirusScan core components such as scan engine version, DAT version, signatures in
extra.dat, etc.
Failure to scan encrypted files (default: enabled) - Specifies that a log entry will be made
whenever the On-Access Scanner is unable to scan a file because it is encrypted.
The screenshot above shows the On-Access Scan Properties page with its default setting: Use
the settings on these tabs for all processes. In this configuration, the options configured for All
Processes apply to all process scanning performed by the On-Access Scanner.
The screenshot above shows the Low-Risk and High-Risk Processes section selections when
choosing Use different settings for high-risk and low-risk processes. Note that All Processes has
now become Default Processes.
When selecting the option Use different settings for high-risk and low-risk processes, three
separate configurations are enabled: configuration for low-risk processes, configuration for
high-risk processes, and configuration for default (undefined risk) processes.
Note
Processes not listed as either high-risk, or low-risk, will be handled according to the Default
Processes settings.
Although the default values for some options are different for low-risk and high-risk processes,
the configuration options for each risk level are identical, with the exception of the list used to
define high-risk and low-risk processes.
The Low-Risk processes tab is shown above, with the default low-risk process list.
The High-Risk processes tab is shown above with the partial default high-risk process list.
You may add processes to the Low-Risk or High-Risk list by clicking the Add button on the
Process tab (either Low-Risk or High-Risk). This will activate the Select Application dialog
where you can select an application from the list or browse to the application you wish to define
as high-risk or low-risk.
You may also remove processes from the low-risk and high-risk lists by selecting the process in
the list and clicking the Remove button. Once removed, the process will be scanned according
to the Default Processes settings, unless it is assigned a risk level by adding it to the appropriate
process risk list.
When writing to disk (default: enabled, all risk) - Instructs the On-Access Scanner to scan all
write operations on all local disk drives.
When reading from disk (default: enabled, all risk) - Instructs the On-Access Scanner to scan
all read operations on all local disk drives.
On network drives (default: disabled, all risk) - Instructs the On-Access Scanner to scan files
located on network drives, based upon the scan on write and scan on read options configured
above.
What to scan
All files (default) - Instructs the On-Access Scanner to scan all file types that fit within the
scan parameters.
Default + additional file types (count) - When selected, instructs the On-Access Scanner to
scan only file types with the extensions listed on the default scan type list, plus any end-user
additions to that list. The count value will display the number of user-defined types on the
list.
Specified file types (count) - When selected, instructs the On-Access Scanner to scan only
file types with the extensions defined by the end-user. The count value will display the
number of user-defined types on the list.
Exclude disks, files, and folders (count) - specifies a list of disk drives, folders, and/or files
that will be excluded from On-Access Scanning.
Defaults:
Default Processes / All Processes: Exclude files protected by Windows File Protection
(exclude on read)
Windows File Protection (WFP) prevents programs from replacing critical Windows system
files. Programs must not overwrite these files because they are used by the operating system and
by other programs. Protecting these files prevents problems with programs and the operating
system.
Note
WFP protects critical system files that are installed as part of Windows (for example, files with
a .dll, .exe, .ocx, and .sys extension and some True Type fonts). WFP uses the file signatures and
catalog files that are generated by code signing to verify if protected system files are the correct
Microsoft versions.
Source: http://support.microsoft.com/default.aspx?scid=kb;EN-US;222193
Find unknown program viruses and trojans - Allows the On-Access Scanner to perform
heuristic scanning for viruses and trojans.
Defaults:
Find unknown macro viruses - Allows the On-Access Scanner to perform heuristic scanning
for macro viruses.
Defaults:
Compressed files
Scan inside archives (e.g. .ZIP) (default: disabled, all risk) - Specifies whether the On-Access
Scanner will attempt to scan the files within compressed archives such as those created by
WinZip and WinRAR. Password-protected and encrypted archives cannot be scanned.
Decode MIME encoded files (default: disabled, all risk) - Allows the On-Access Scanner to
scan files encoded by e-mail systems that use MIME encoding for mail and file attachments.
Miscellaneous
Scan files opened for Backup (default: enabled, all risk) - This setting instructs the
On-Access Scanner to scan the read/write operations used by backup programs when
performing system backups. Backup programs use a special Windows API for these
operations, which is distinct from standard file read/write operations.
Note
Customers who report that system backups are taking too long to complete may want to disable
this feature to improve system performance. Trusted backup programs should present a low risk
of delivering threats to the systems on which they operate.
Primary Action - When a threat is found (default: Clean files automatically, all risk)
Options:
Secondary Action - if the first action fails (default: Delete files automatically, all risk)
Options:
Detect unwanted programs (default: enabled, all risk) - Instructs the On-Access Scanner to
apply the Unwanted Programs Policy to On-Access scanning.
Secondary Action - if the first action fails (default: Delete files automatically, all risk)
Options:
Please proceed to the next section: Student Lab - On-Access Scanner Configuration and
Detection
12
Objectives
Upon completion of this lab, the student will be able to:
6 Click the Password button. The password to extract this file is cleanset. Enter the password
and click Next.
7 You have successfully extracted the cleanset test package for this lab. Click Cancel.
8 Navigate to VirusScan Console.
9 Double-click On-Access Scanner in order to open its Properties page.
10 In the left pane, click All Processes.
11 Click the Advanced tab.
12 Remove the checkmarks from: Find unknown unwanted programs and trojans, and Find
unknown macro viruses.
13 Click OK.
14 Enable the VirusScan On-Access Scanner.
15 Navigate to the OASDAT folder on your Desktop.
16 Select and copy the files MANALYSE.COM and PANALYSE.COM.
17 Paste them to your Desktop.
18 Notice that you did not receive a detection from the On-Access Scanner when copying these
files.
19 Delete the files MANALYSE.COM and PANALYSE.COM from your Desktop.
20 Navigate to VirusScan Console.
21 Open the On-Access Scanner Properties page.
22 Click on All Processes.
23 Click the Advanced tab.
24 Place a checkmark in front of: Find unknown unwanted programs and trojans.
25 Click OK.
26 Navigate to the OASDAT folder from your Desktop.
30 Notice that MANALYSE, which is a test heuristic macro virus, was not detected and was
copied to your Desktop.
31 Click Remove Message. Close the On-Access Scan Message window.
32 Click OK on the Error Copying File or Folder dialog.
33 Delete MANALYSE.COM from your Desktop.
34 Navigate to VirusScan Console.
35 Open the On-Access Scanner Properties page.
36 Click on All Processes.
37 Click on the Advanced tab.
38 Place a checkmark in front of: Find unknown macro viruses.
39 Click OK.
40 Navigate to the OASDAT folder on your Desktop.
41 Copy and paste MANALYSE.COM to your Desktop.
42 Note that this file is now detected because we have enabled scanning for heuristic macro
viruses.
43 Click the Remove Message button on the On-Access Scan Messages alert dialog and then
close the alert dialog window.
44 Click OK on the Error Copying File or Folder dialog.
ScriptScan
1 Disable the VirusScan On-Access Scanner.
2 Navigate to VirusScan Console and open the On-Access Scanner Properties page.
3 Click on All Processes and go to the Detection tab.
4 Click the Exclusions button.
5 This will open the Set Exclusions dialog. Click Add.
6 This will open the Add Exclusion Item dialog.
7 Use the Browse button to navigate to your Desktop.
8 Select the OASDAT folder and click OK.
9 On the Add Exclusion Item dialog, under What to exclude, place a checkmark in Also
exclude subfolders.
10 Note that When to exclude is set to exclude on read and write actions.
11 Click OK.
12 Click OK on the Set Exclusions dialog.
13 Click OK on the On-Access Scanner Properties dialog.
14 Navigate to the OASDAT folder on your Desktop.
15 Right-click on ScriptSet.zip and select Extract All.
16 Using the Extraction Wizard, select a destination of the OASDAT folder located on your
Desktop.
17 Enter the extraction password: scriptscan.
18 Once the files are extracted, click Cancel on the Extraction Wizard dialog.
19 In the OASDAT folder, open the subfolder ScriptSet.
20 Copy the EXTRA.DAT file and paste it to C:\Program Files\Common Files\McAfee\Engine.
Close the McAfee\Engine folder window.
21 Right-click on the VirusScan VShield icon in System Tray, and select About VirusScan
Enterprise.
33 Click OK.
34 In VirusScan Console, open the Properties page for On-Access Scanner.
40 Note that even though the On-Access Scanner was excluded from scanning the folder
containing the test script, ScriptScan detected the script process execution and blocked the
threat.
41 Click the Remove Message button to remove the detection message from the On-Access
Scan Messages dialog. Click Close Window.
42 In VirusScan Console, right-click On-Access Scanner and select View Log.
43 Look at the detection information for scriptscan_noid.vbs. Note that the process executed
was WScript.exe, the Windows Scripting Host.
44 In VirusScan Console, Open the On-Access Scanner Properties page. Click the ScriptScan
tab.
45 Under ScriptScan exclusions, click the Add button.
46 In the Process name field, type WScript.exe. Note that wildcard characters are not allowed.
47 Click OK.
48 Click OK on the On-Access Scanner Properties dialog.
49 In the ScriptScan folder, double-click scriptscan_qhit.vbs to execute.
50 Note that the script was not detected because the WScript.exe process has been excluded
from script scanning.
Note
By excluding the process WScript.exe from ScriptScan, we have excluded detection for most
scripts executed on this computer. However, the On-Access Scanner will continue to detect most
scripts that are executed, as long as the folders they are executed from are not excluded from
On-Access Scanning.
Review
Heuristic scanning is another way of saying that VirusScan On-Access Scanner can scan for
_____________ unwanted programs and trojans.
T / F Scanning for unknown macro viruses is a separate heuristic scanning function. (Circle
True or False)
Script scanning is enabled and disabled on the ____________ tab of the On-Access Scanner
Properties page.
T / F When setting ScriptScan Exclusions, you may use a wildcard character to specify
multiple scripts for exclusion. (Circle True or False)
13
On-Demand Scanner
McAfee VirusScan Enterprise 8.5i
Objectives
At the end of this section, the student will be able to:
Explain what a rootkit is and what scanning memory for rootkit does
Originally, a rootkit was simply a collection of tools that enabled administrator-level access
(also known as root access in the Unix world) to a computer or network. The term referred
to a set of recompiled Unix tools, including ps, netstat, ls, and passwd. Because these same
tools could be used by an attacker to hide any trace of intrusion, the term rootkit became
associated with stealth. When these same strategies were applied to the Windows
environment, the rootkit name transferred with them. Today, rootkit is a term commonly used
to describe malware - such as Trojans, worms, and viruses - that actively conceals its
existence and actions from users and other system processes.
107
On-Demand Scanner
Configuring On-Demand Scan Tasks
As the computing environment has evolved, so have stealth technologies. Deceptive naming
conventions, network manipulation, and other techniques have been developed to hide
malware in plain sight. Renaming an infected file so that it appears to be a legitimate system
or user file is one of the simplest, yet most effective of these approaches.
In short, rootkits are malware that evade detection and/or removal by using a variety of
techniques, including stealth and misdirection. Some malware will automatically reinstall itself,
or re-write registry keys that have been removed by a malware scanner. Increasingly, unwanted
programs such as spyware and adware are taking advantage of these types of technologies in
order to remain active on computer systems for as long as possible.
McAfee VirusScan Enterprise 8.5i detects rootkit-type malware by scanning the memory of the
computer for unwanted processes associated with rootkit-type malware. Once identified, the
process is blocked each time it attempts to load into memory, negating the effect of the malware
infection. In some instances, VirusScan Enterprise 8.5i can trace the process threads back to
hidden files and remove them from the system entirely. Used in conjunction with Access
Protection rules, memory scanning for rootkits can provide near-total protection from
rootkit-type infections.
You can also create a new On-Demand Scan Task by right-clicking any empty space in
VirusScan Console, and selecting New On-Demand Scan Task from the context menu, or by
clicking the Create a new On-Demand Scan task toolbar button.
Configuration Options
Where tab - Specify where scanning will take place
The Where tab lists the locations that the On-Demand Scan will look for infections. Each
location is listed as an item on the list, with the location Type listed to the right.
By default, a new On-Demand Scan Task will have the following location items listed;
Memory for rootkits - scan processes in memory for known rootkits
Running processes - scan processes in memory for known malicious processes
All local drives - scan all disk drives attached to this computer
Registry - scan the registry for malware entries
Cookies - scan the cookies folder for unwanted cookie objects
You can remove any of these location items by highlighting the item and clicking the Remove
button.
To add a location, click the Add button to activate the Add Scan Item dialog. Select a location
item from the pull-down menu to add it to the scan list.
Running processes
Registered files
My computer
Home folder
Windows folder
Temp folder
Recycle bin
File (specify)
Cookies
Registry
Scan Options
Include subfolders (default: enabled) - Instructs the On-Demand Scanner to also scan any
subfolders of the listed location items.
Scan boot sectors (default: enabled) - Instructs the On-Demand Scanner to scan in the boot
sector of all disks listed as a location item, if it exists.
Compressed files
Allows you to select; Scan inside archives (for example, ZIP) and Decode MIME encoded files.
Both options are disabled by default for new On-Demand scans.
Miscellaneous
Scan files that have been migrated to storage (default: disabled) - When files are transferred
to network storage devices (network filers), a stub is left on the local drive to represent the
stored file. When this option is enabled, VirusScan will attempt to restore the files to the local
drive location and then perform a scan against them. Note that this option can have a
detrimental effect on the performance of On-Demand scans.
System utilization
This section provides a slider-bar where end-users can specify the maximum system utilization,
from 10% to 100%, when performing On-Demand scans. The default setting is 100%. The
following points should be considered regarding System utilization:
1 The System utilization setting only affects Files/Folders that are specified as targets, not
Cookie Scan or Registry Scan, etc.
2 The On-Demand Scanner uses whatever CPU time is available to processes running at
normal priority, meaning that CPU time is shared if other processes of equal priority need
it. If nothing else is running, the scan gets all of the CPU. For real-time systems, where any
CPU impact can be detrimental, the engineers for those systems should run their critical
processes at a higher priority level; those processes then get the CPU cycles first and the scan
gets what is left over.
3 Registry scan performance in VirusScan Enterprise 8.5i is markedly slower than the 8.0i
version, because 8.0i only scanned a small portion of the registry, specific problematic areas,
whereas 8.5 takes advantage of the 5000+ engine to scan more, and to scan it more
thoroughly. Adjusting System utilization will have no effect on this performance.
Clean (default)
Delete
Delete (default)
Log to file (default: enabled) - Specifies whether the On-Demand Scanner will record
scanning activity to the log file. You can specify a custom path for log files in the field
provided. By default, the On-Demand Scan log will be written to
%DEFLOGDIR%\Mcafee\DesktopProtection\OnDemandScanLog.txt.
Limit size of log file (default: enabled) - Instructs the On-Demand Scanner to limit the
maximum log file to the size specified.
Maximum log file size (MB) (default: 1 MB) - specifies the size limit for the On-Demand log.
Maximum entry: 999 MB.
Format (default: Unicode (UTF8)) - Indicates the encoding format for the text file containing
the On-Demand log entries. Options are: ANSI, Unicode (UTF8) and Unicode (UTF16).
Session settings (default: disabled) - When enabled, instructs the On-Demand Scanner to
provide a dump of all VirusScan Enterprise configuration settings to the log, whenever an
event is logged. This option is primarily used as a troubleshooting tool. Leaving this option
enabled will cause the log to reach maximum size more quickly.
Failure to scan encrypted files (default: enabled) - Specifies that a log entry will be made
whenever the On-Demand Scanner is unable to scan a file because it is encrypted.
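The Format and Limit size of log file options above (and the identical On-Access Scan log options in the On-Access Scanner chapter) decide how a collector has to read these files: a UTF-16 log opened as ANSI looks like text with a NUL after every character. The following is an added example, not VSE code, of writing entries in each of the three Format choices, detecting the encoding from the byte-order mark on read, and keeping the file under a size cap. Assumptions: "ANSI" is taken to be the Windows-1252 code page, the cap is enforced by discarding the oldest entries (the page only says the size is limited, not how), and the sample entries are constructed and do not reproduce the real record layout.

```python
"""Scan-log writer/reader for the ANSI, UTF-8 and UTF-16 Format options.

Added example, not VSE code. Sample entries are constructed.
"""
import codecs
import os
import tempfile

# Format option name (as on the Logging tab) -> Python codec.
# "ANSI" means the Windows system code page; cp1252 is assumed here.
FORMATS = {
    "ANSI": "cp1252",
    "Unicode (UTF8)": "utf-8-sig",   # UTF-8 with a BOM, as Windows tools write it
    "Unicode (UTF16)": "utf-16",     # BOM followed by little-endian text on write
}
NEWLINE = "\r\n"

# Constructed sample entries (loosely VSE-like, not the real record layout).
SAMPLE_LINES = [
    "20060301 120000 Cleaned LAB\\student C:\\Temp\\eicar.txt EICAR test file",
    "20060301 120105 Deleted LAB\\student C:\\Temp\\R\u00e9sum\u00e9.zip Unwanted program",
    "20060301 120200 Not scanned LAB\\student C:\\Temp\\secret.docx Encrypted file",
]


def detect_codec(blob: bytes) -> str:
    """Pick the codec from the byte-order mark; no BOM is taken as ANSI."""
    if blob.startswith(codecs.BOM_UTF16_LE) or blob.startswith(codecs.BOM_UTF16_BE):
        return "utf-16"
    if blob.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    return FORMATS["ANSI"]


def read_log(path: str) -> list:
    """Return the log's lines regardless of which Format wrote it."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if not blob:
        return []
    text = blob.decode(detect_codec(blob), errors="replace")
    return [line for line in text.split(NEWLINE) if line]


def append_entry(path: str, line: str, fmt: str = "Unicode (UTF8)",
                 max_bytes: int = 1024 * 1024) -> list:
    """Append one entry and rewrite the file so it stays within max_bytes.

    Dropping the oldest entries to honour the cap is an assumed policy for this
    example. Returns the lines now on disk.
    """
    codec = FORMATS[fmt]
    lines = read_log(path) if os.path.exists(path) else []
    lines.append(line)
    while True:
        blob = (NEWLINE.join(lines) + NEWLINE).encode(codec)
        if len(blob) <= max_bytes or len(lines) == 1:
            break
        lines.pop(0)                        # discard the oldest entry
    with open(path, "wb") as fh:
        fh.write(blob)
    return lines


def roundtrip_all(lines=SAMPLE_LINES) -> dict:
    """Write the samples in every Format and read them back: {fmt: round-trip ok}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for i, fmt in enumerate(FORMATS):
            path = os.path.join(tmp, f"OnDemandScanLog-{i}.txt")
            for line in lines:
                append_entry(path, line, fmt)
            results[fmt] = read_log(path) == list(lines)
    return results


def cap_demo(lines=SAMPLE_LINES, max_bytes=160) -> list:
    """Append all samples under a small cap and return what survives on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "OnDemandScanLog.txt")
        kept = []
        for line in lines:
            kept = append_entry(path, line, "ANSI", max_bytes=max_bytes)
    return kept


if __name__ == "__main__":
    print(roundtrip_all())
    print(cap_demo())
```

Because the Format setting can differ from host to host, a central collector should decide the codec per file from the BOM as read_log does, rather than assuming one encoding for the whole fleet; and because the cap discards history, the log on a busy host may no longer contain the detection you are looking for, so forward entries before they age out.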
Schedule Settings
To schedule an On-Demand Scan to run periodically, click the Schedule button on the
On-Demand Scan Properties page.
Enable (schedule task runs at specified time) - by default, this option is disabled for new
On-Demand Scan tasks. You must enable the Schedule Settings in order to configure any of
the available scheduling options for this task.
User Account Settings (default: none) - Allows the end-user to supply a set of credentials to
be used by the scheduled task in the event that there is no logged-on user when the scan event
is scheduled to occur. Supply a username, domain name, and user password in the fields
provided.
Run task (interval) (default: daily) - Provides a pull-down menu with preset intervals for
scheduled tasks. Options are:
Daily
Weekly
Monthly
Once
At Startup
At Logon
When Idle
Immediately
On Dialup
Start Time (default: current system time) - This field is available for most of the Run task
intervals, but becomes unavailable when it is not an appropriate parameter (for example, At
Startup). It can be set in either local time, or Coordinated Universal Time (UTC), also known
as Greenwich Mean Time (GMT) or Zulu Time (Z).
Enable randomization (default: disabled) - For tasks scheduled on a time interval, enabling
randomization ensures that multiple machines with the same schedule settings will not
activate at the exact same moment. Randomization allows the scheduler to offset the
schedule time by a random value within the Hours and Minutes settings provided, to help
prevent simultaneously invoking this task on multiple computers.
Run if missed (default: disabled) - If the task was unable to run on schedule (for example, the
computer was shut down at the scheduled scan time), enabling this option will allow you to
run the missed task after a delay interval that you configure.
Schedule Task [Interval] (default varies by interval) - Depending upon the Run task interval
you have selected, this section at the bottom of the screen provides a different set of options
for each interval selection.
Daily, Weekly, and Monthly options for the Schedule Task [Interval] feature, are shown above.
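The Enable randomization and Run if missed options above, as an added example that is not the VSE scheduler: a fleet of machines sharing one daily schedule gets a uniformly random offset inside the Hours/Minutes window, which flattens the peak of simultaneous scan starts (and update-repository hits), and a task whose slot was missed runs after the configured delay only when Run if missed is on. The 02:00 schedule, the fleet size and the delay values are constructed; the uniform distribution of the offset is an assumption.

```python
"""Schedule randomization and run-if-missed for a fleet of scheduled scans.

Added example of the behaviour the Schedule options describe; not VSE code.
"""
import random
from collections import Counter
from datetime import datetime, timedelta

SCHEDULED = datetime(2006, 3, 1, 2, 0)      # constructed: a 02:00 daily scan slot


def randomized_start(scheduled, hours=0, minutes=0, rng=random):
    """Offset the scheduled time by a random delay inside the Hours/Minutes window.

    A zero window means randomization is effectively off. Uniform distribution
    over the window is an assumption of this example.
    """
    window = timedelta(hours=hours, minutes=minutes)
    if window <= timedelta(0):
        return scheduled
    return scheduled + timedelta(seconds=rng.uniform(0, window.total_seconds()))


def next_run_if_missed(scheduled, now, delay_minutes, run_if_missed):
    """When should a task run if its slot was missed (for example the host was off)?

    Returns the scheduled time if it is still ahead, now + delay when Run if
    missed is enabled, or None (wait for the next regular slot) when it is not.
    """
    if now <= scheduled:
        return scheduled
    return now + timedelta(minutes=delay_minutes) if run_if_missed else None


def fleet_start_times(n, scheduled, hours, minutes, seed=1):
    """Start times for n machines sharing one schedule, using a seeded RNG."""
    rng = random.Random(seed)
    return [randomized_start(scheduled, hours, minutes, rng) for _ in range(n)]


def peak_per_minute(starts):
    """Largest number of machines starting within the same minute."""
    return max(Counter(s.replace(second=0, microsecond=0) for s in starts).values())


def fleet_demo(n=500, hours=1, minutes=0, seed=1):
    """Compare the start-time peak with and without a one-hour randomization window."""
    starts = fleet_start_times(n, SCHEDULED, hours, minutes, seed)
    window = timedelta(hours=hours, minutes=minutes)
    return {
        "all_in_window": all(SCHEDULED <= s <= SCHEDULED + window for s in starts),
        "peak_randomized": peak_per_minute(starts),
        "peak_without_randomization": peak_per_minute([SCHEDULED] * n),
    }


def missed_demo(hours_late=6, delay_minutes=10):
    """A host that wakes six hours after its slot: minutes until the run, and
    the result with Run if missed disabled."""
    now = SCHEDULED + timedelta(hours=hours_late)
    enabled = next_run_if_missed(SCHEDULED, now, delay_minutes, True)
    disabled = next_run_if_missed(SCHEDULED, now, delay_minutes, False)
    return ((enabled - now).total_seconds() / 60, disabled)


if __name__ == "__main__":
    print(fleet_demo())
    print(missed_demo())
```

With 500 machines and no randomization all 500 scans start in the same minute; with a one-hour window the per-minute peak drops to roughly the fleet size divided by sixty. The same reasoning applies to the AutoUpdate task covered later, where a simultaneous start turns into a load spike on the repository.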
Please proceed to the next section: Student Lab - On-Demand Scanning: Full Scan and
Targeted Scan Configuration and Detection.
14
Objectives
Upon completion of this lab, the student will be able to:
6 In the Item to Scan field, activate the pull-down menu and view the scan locations available
for selection.
23 Double-click the Full Scan task to open its Properties page. Note the additional, default scan
locations listed on the Where tab.
24 Double-click the Targeted Scan task to open its Properties page.
25 Arrange the Properties windows so that you can view them side-by-side.
26 Note the differences, and similarities in the scanning location defaults for both scan tasks.
Targeted Scan
32 Disable the On Access Scanner.
33 Right-click on the eicar.zip file on your Desktop and select Extract All. The password to
extract this file is eicar. Extract to your Desktop.
34 Double-click the Targeted Scan task to open its Properties page.
35 On the Where tab, select each scan location item and click the Remove button. Answer Yes
to the Notification dialog. Repeat until all tasks have been removed.
46 The Targeted Scan will find and detect the EICAR test file (eicar.txt) located on your
Desktop. Because we have configured the primary scan action as Prompt, the ODS Alert
dialog will appear indicating the detection and recommending action to take.
Reset to Default
51 Double-click the Targeted Scan task to open its Properties Page.
52 Click the Reset to Default button on the right side of the dialog.
53 Note that the scanning locations have been reset to the default locations that are available for
VirusScan Enterprise 8.5i with the Anti-spyware Module installed.
54 Click on the Actions Tab. Note that the Primary Action has been reset to the default value of
Clean.
55 Click OK.
Note
All On-Demand Scan tasks (Full Scan, Targeted Scan, or Custom On-Demand Scan) can be
configured as in the above lab. All ODS configuration options are available for all ODS scan
tasks.
67 Create a new On-Demand Scan Task by either 1) right-clicking inside VirusScan Console and
selecting New On-Demand Scan Task, or 2) from the VirusScan Console menu bar selecting Task
> New On-Demand Scan Task.
68 A new scan task will appear named New Scan. Rename this task to My Scan Task.
77 Click OK.
78 Right-click on My Scan Task and select Start. (You may also start tasks by selecting the task
and clicking the green arrow icon on the VirusScan toolbar.)
79 If you receive an Old DAT files warning dialog, click OK.
80 The On-Demand Scan Progress dialog will appear. Notice that because the scan action is
configured to clean, no additional alert dialog was presented for the unwanted program
detections found in the ASDAT folder. All uncleanable files will be deleted and listed at the
bottom of the progress screen.
Note
The AS-SAMPLE.ZIP file was not deleted by the On-Demand Scan because it is a
password-protected archive and cannot be scanned.
Review
If the McAfee Anti-spyware module has not been installed with VirusScan Enterprise 8.5i,
how many default scan locations are listed on the Full Scan Properties, Where tab?
What On-Demand Scan task is added to VirusScan Console after installing the McAfee
Anti-spyware module?
T / F Installing the McAfee Anti-spyware module with VirusScan Enterprise 8.5i adds
additional default on-demand scan locations on the Where tab, and adds additional location
options for selection when adding a scan location. (Circle True or False)
In order for an on-demand scan to detect unwanted programs, you must select (checkmark)
the Detect unwanted programs entry on the ______________ _____________ tab of the
On-Demand Scan properties dialog.
T / F The Targeted Scan configuration options are unique to the Targeted Scan task, and are
not available for other on-demand scan tasks. (Circle True or False)
15
Quarantine Manager
McAfee VirusScan Enterprise 8.5i
Objectives
At the end of this section, the student will be able to:
Configuration
Policy tab - Configure quarantine folder and auto-delete interval
Quarantine Folder (default: [install drive]\QUARANTINE) - This option allows the end-user
to specify a folder location for quarantined items to be stored.
132
Quarantine Manager
Configuration
Number of days to keep backed-up data in the quarantine manager (default: 28) - Specifies
the length of time to keep quarantined files before automatically deleting them. Maximum
setting is 999 days.
Date/Time quarantined
Detection type
Detected as
Number of objects
DAT Version
Engine Version
You can take actions on the items in the quarantine folder by right-clicking on an item and
selecting an action from the context menu. You can act on multiple items by first shift-selecting
the items to be acted upon, and then choosing an option from the context menu.
Check for false positive - If the DATs have been updated, rescan this item and if it is not
infected, automatically restore it.
Properties - Show the Quarantine Item Details dialog for the (single) selected item.
Please proceed to the next section; Student Lab - Quarantine Manager Policy.
16
Objectives
Upon completion of this lab, the student will be able to:
3 On the Policy tab, notice that here you can define the folder used as the Quarantine Folder.
4 This tab also provides an option to Automatically delete quarantined data, and configure the
Number of days to keep backed up data in the quarantine folder.
5 Navigate through My Computer to drive C:, double-click the Quarantine folder to open and
view its contents as shown in the example below.
6 Note that the Quarantine folder contains a list of files with the .bup (backup) extension. These
files contain the aggregate components of single detection events combined into a single file
with a .bup extension. For example, if an unwanted program detection removed registry keys
and files from your computer, both the registry keys and files for that detection will be
backed-up into a single .bup file in the Quarantine folder.
7 Close the C:\Quarantine folder window.
Manager Tab
8 Click on the Manager tab. Here you will see the programs detected in earlier labs and placed
in quarantine.
9 Right-click on any of the detections listed on the Manager tab. Select Rescan.
10 The Rescan Quarantined Items dialog will appear reporting the result of rescanning the item.
In this instance, Rescan will report that the item is still detected as an unwanted program.
Note
If you selected AVT_PWCRACKER.COM to rescan, you will not receive a detection message
because we have excluded this sample from unwanted program detection.
15 Quarantine Manager will notify you that the selected items were restored. Click OK.
16 Open the ASDAT folder on your Desktop. Note that the unwanted program that you selected
has been restored to its original location.
Note
Disabling the On-Access Scanner was required before restoring the unwanted program file to
prevent OAS from detecting and deleting the file during the restore operation.
20 Examine the details for the item that you selected. When finished, click Close.
21 Close the Quarantine Manager Policy window.
Review
T / F The Quarantine Folder must be [drive]:\QUARANTINE and cannot be changed. (Circle
True or False)
T / F You can configure Quarantine Manager Policy to automatically delete quarantined data
after a predetermined interval. (Circle True or False)
To rescan an item in quarantine, you can select the _____________ command by
right-clicking on any item in the quarantine list.
In order to restore an item from the quarantine list, it may be necessary to disable the
____-___________ ____________ before selecting Restore, to prevent re-detection.
To see details for any item in the quarantine list, right-click the item and select
_______________.
AutoUpdate
McAfee VirusScan Enterprise 8.5i
Objectives
At the end of this section, the student will be able to;
AutoUpdate Overview
The AutoUpdate task is used to automatically update DATs and scan engines for VirusScan
Enterprise 8.5i. Additionally, AutoUpdate can be used to automatically get other updates such
as service packs and product upgrades.
AutoUpdate can be configured to search for updates from different locations called repositories,
located locally, on the network, and on the Internet.
Configuration
Log File
Log file location (default: [install path]\McAfee\DesktopProtection\UpdateLog.txt) indicates the location of the AutoUpdate log file.
Update Options
Get newer detection definition files if available (default: enabled) - Instructs AutoUpdate to
look for new DAT packages at update.
Get newer detection engine and dats if available (default: enabled) - Instructs AutoUpdate to
look for new engine updates, as well as DAT packages at update.
Get other available updates (service packs, upgrades, etc.) (default: enabled) - Instructs
AutoUpdate to look for other updates, fixes, patches, etc. at update.
Enter the executable to be run after the Update is completed (default: none) - Enter the
complete path to any executable that you want to run after AutoUpdate completes.
Only run after successful update (default: disabled) - When selected, instructs AutoUpdate
to run the executable specified in the previous field, only when AutoUpdate was successful.
Schedule Button - This button will activate the scheduling options for AutoUpdate. The
available options are identical to the scheduling options for the On-Demand Scan task. Please
refer to the On-Demand Scan section for details of these options.
Update Now Button - Click this button to initiate an immediate AutoUpdate attempt.
Repositories
When AutoUpdate runs, it checks the AutoUpdate Repository list for a list of locations to check
for updates from. By default, the McAfee Repository is listed as the source for DAT and
component updates.
Default Repositories
To edit the AutoUpdate Repository list, select Tools > Edit AutoUpdate Repository List from
VirusScan Console.
The screenshot above shows the default AutoUpdate Repository List for the beta version of
VirusScan Enterprise 8.5i. The release version will list standard default repositories like NAIhttp
and NAIftp.
If you select the repository item and click the Edit button, the Repository Settings dialog will
appear, displaying information regarding the repository item.
Adding a Repository
There are four types of repository connections supported by AutoUpdate: HTTP repository, FTP repository, UNC path, and Local path.
Administrators can setup a repository on an HTTP or FTP server, or on a local network share,
to allow updating from an internal source that has mirrored the update files. This can be useful
for environments where only selected computers have access to the Internet.
To add a repository to the AutoUpdate Repository list, click the Add button on the Edit
AutoUpdate Repository List dialog. This will activate the Repository Settings dialog for a New
Repository.
In the following example, a new repository named Network Share has been created to update
from a UNC path (network share). The UNC path has been entered under Repository Details in
the Path field.
Note that UNC updates can access the network path using the logged-on account, or you can
supply a set of credentials to authenticate with the network share (the default for new UNC
repositories). In our example, credentials have been supplied for this connection. Because the
repository list, including any credentials you supply here, is stored on every client that uses it,
the account named in a UNC repository should be a dedicated one with read-only access to the
share and no other rights.
Once the Repository Settings are complete, clicking OK will cause the new repository to appear
on the Repository list.
You can change the order in which AutoUpdate will check repositories by using the Move up
and Move down buttons on the Edit AutoUpdate Repository List dialog. You can also disable a
repository from being checked for updates by removing the checkmark in front of the repository
name or by deleting it from the list altogether using the Delete button.
The example above shows the new UNC repository moved to the top of the list, and the McAfee
Beta repository disabled (no checkmark before the repository name).
Proxy Settings
If your network uses a proxy server, you can specify which proxy settings to use, the address of
the proxy server, and whether to use authentication. Proxy information is stored in the
AutoUpdate repository list (SITELIST.XML). The proxy settings you configure here apply
to all the repositories in this repository list except for those defined as exceptions. The table
below describes the options for AutoUpdate Proxy settings.
The AutoUpdate Proxy settings tab is shown above. Note the default setting; Use Internet
Explorer proxy settings. The Exceptions button is used to list repositories that will not use these
proxy settings.
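Added example (not from the courseware and not McAfee code): a small Python audit of the repository list as AutoUpdate stores it in SITELIST.XML, listing repositories in the order they will be tried and flagging entries that are disabled, that carry stored credentials, or that use cleartext HTTP. The element and attribute names used (SiteList, UNCSite, HttpSite, FTPSite, Order, Enabled, UseLoggedonUserAccount, UserName, Password, UseAuth) are assumptions about the file layout, and SAMPLE_SITELIST is a constructed document rather than one captured from a client; confirm the names against a real file before relying on them.

```python
"""Audit the AutoUpdate repository list held in SITELIST.XML.

Added example; not McAfee code. The element/attribute names used here
(SiteList, UNCSite, HttpSite, FTPSite, Order, Enabled, UseLoggedonUserAccount,
UserName, Password, UseAuth) are assumptions about the file layout, and
SAMPLE_SITELIST is a constructed document, not one captured from a client.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a UNC repository with stored credentials listed first
# by Order, and the vendor HTTP fallback disabled (Enabled="0").
SAMPLE_SITELIST = """<?xml version="1.0" encoding="UTF-8"?>
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
  <SiteList Default="1" Name="SampleList">
    <HttpSite Type="fallback" Name="NAIHttp" Order="2" Server="update.nai.com:80" Enabled="0">
      <RelativePath>Products/CommonUpdater</RelativePath>
      <UseAuth>0</UseAuth>
    </HttpSite>
    <UNCSite Type="repository" Name="Network Share" Order="1" Server="\\\\fileserver\\vseupdates" Enabled="1">
      <ShareName>vseupdates</ShareName>
      <UseLoggedonUserAccount>0</UseLoggedonUserAccount>
      <DomainName>CORP</DomainName>
      <UserName>svc_vseupdate</UserName>
      <Password Encrypted="1">REDACTED</Password>
    </UNCSite>
  </SiteList>
</ns:SiteLists>
"""


def _local(tag):
    """Strip any XML namespace prefix from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, child, default=""):
    node = elem.find(child)
    return (node.text or "").strip() if node is not None else default


def load_repositories(xml_text):
    """Return repository records sorted by the Order AutoUpdate tries them in."""
    root = ET.fromstring(xml_text)
    repos = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if not kind.endswith("Site"):
            continue
        if kind == "UNCSite":
            # A UNC repository carries credentials unless it uses the logged-on account.
            stored = (_text(elem, "UseLoggedonUserAccount", "1") != "1"
                      and _text(elem, "Password") != "")
        else:
            stored = _text(elem, "UseAuth", "0") == "1"
        repos.append({
            "name": elem.get("Name", ""),
            "kind": kind,
            "order": int(elem.get("Order", "0")),
            "server": elem.get("Server", ""),
            "enabled": elem.get("Enabled", "1") == "1",
            "stored_credentials": stored,
        })
    repos.sort(key=lambda r: r["order"])
    return repos


def active_repositories(repos):
    """Only checked (enabled) repositories are consulted by AutoUpdate."""
    return [r for r in repos if r["enabled"]]


def audit_lines(repos):
    """One line per repository, with the points a reviewer should notice."""
    lines = []
    for r in repos:
        flags = []
        if not r["enabled"]:
            flags.append("disabled")
        if r["stored_credentials"]:
            flags.append("stored credentials")   # present on every client holding this list
        if r["kind"] == "HttpSite":
            flags.append("cleartext HTTP")       # transport is unencrypted
        suffix = f" ({', '.join(flags)})" if flags else ""
        lines.append(f"{r['order']}. {r['name']} [{r['kind']}] {r['server']}{suffix}")
    return lines


if __name__ == "__main__":
    for line in audit_lines(load_repositories(SAMPLE_SITELIST)):
        print(line)
```

Run it against a copy of a client's SITELIST.XML to see which repository wins and whether a shared account is being pushed to every workstation; an entry flagged "stored credentials" should name an account that can only read the update share.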
Mirror Tasks
The Mirror Task allows end-users to create a replica of the update files from the updater site, to
a specified location. This allows an Internet-connected computer, for example, to place update
files on a local share location which can be used as an AutoUpdate repository by other
computers. This is one available AutoUpdate solution for environments where many computers
do not have Internet access.
For systems completely disconnected from a network resource, the Mirror Task can be used to
create a local mirror of the update files on an Internet-connected machine, which can then be
transferred to CD or other removable media. The disconnected system can copy the files to a
local repository for updating, or the removable media itself can be configured as a repository,
as long as the drive and path information remain constant between uses.
Mirror Tasks can be launched manually, or scheduled to occur at intervals, in exactly the same
manner as On-Demand Scan tasks.
This will create a New Mirror Task entry in VirusScan Console. You can rename the task at this
time if you wish. NOTE: You may right-click on the entry at any time and select Rename.
To configure the mirror task, either; double-click the New Mirror Task entry or right-click on
the New Mirror Task entry and select Properties or click the Display Task Properties icon from
the VirusScan Console toolbar. This will activate the McAfee AutoUpdate Properties - [Mirror
Task Name] properties dialog.
Log File
These are the standard log file options available in VirusScan Enterprise 8.5i. The default log
file location is [install path]\McAfee\DesktopProtection\MirrorLog.txt. You can modify the log
file path and name, as well as the text file encoding method used, in this section.
Update Options
This section of the Mirror Task properties is not used, and is a result of the re-use of the
AutoUpdate GUI elements for this dialog box. They have no function for mirror tasks.
Buttons
Schedule - allows you to schedule the Mirror Task for pre-defined intervals. Scheduling
options are identical to On-Demand Scan task scheduling.
Mirror Location - provides a field to enter or browse to the location you want to create the
mirror copy files in. Only existing local drives and paths are allowed in this field.
Output
The following shows the results of a successful mirror task;
The following table provides a brief overview of the files found in the mirror task repository
folder, after the mirror task is complete.
Objectives
Upon completion of this lab, the student will be able to;
Perform AutoUpdate
AutoUpdate
1 Open VirusScan Console.
2 From the menu bar, select Tools > Edit AutoUpdate Repository List ...
11 Click OK.
12 In the Edit AutoUpdate Repository List dialog, remove the checkmark from McAfee
Repository.
13 Click OK.
14 You have now successfully configured AutoUpdate to update from a local repository
(folder).
15 Navigate to VirusScan Console.
16 Right-click on AutoUpdate and click Start.
17 The McAfee AutoUpdate Progress dialog will appear.
18 Note the messages indicating the files being updated. Once the update has completed, click
Close.
19 You have successfully updated VirusScan Enterprise 8.5i from a local repository.
Mirror Task
20 Navigate to the MIRROR folder on your Desktop and note that it contains no files.
21 In VirusScan Console, from the menu bar select Task > New Mirror Task.
22 Press Enter to accept the name New Mirror Task.
23 The AutoUpdate Properties for the New Mirror Task dialog opens.
27 Click OK.
28 On the AutoUpdate Properties for the New Mirror Task dialog click the Mirror Now button.
Wait a few minutes to allow the mirror task to complete. You can view the status of the New
Mirror Task in VirusScan Console.
29 Navigate to the MIRROR folder on your Desktop. You can see the update files being
replicated into the folder. This folder could be shared on a network and act as a repository for
other computers running VirusScan Enterprise 8.5i.
30 In VirusScan Console, right-click on New Mirror Task and click View Log.
38 Click OK.
39 Click OK on the AutoUpdate Properties for New Mirror Task dialog.
40 Navigate to VirusScan Console and wait three minutes. You should see the status of the
AutoUpdate Task change to Running ... at the time you scheduled the update to run.
Note
Because we are updating from a local repository, the AutoUpdate status message; Running ...
may appear and disappear too quickly to observe. View the AutoUpdate log to confirm that your
update task ran as scheduled. You can also view the Status and Last Run items in VirusScan
Console.
Review
In order to edit the AutoUpdate Repository List, select ______________> Edit AutoUpdate
Repository List.
T / F The Edit AutoUpdate Repository List dialog allows you to enable or disable available
repositories as valid update locations for AutoUpdate. (Circle True or False)
When adding a new repository, you can configure AutoUpdate to retrieve files from; HTTP
repository, FTP repository, UNC path, and ___________ ___________.
The ____________ ____________ replicates update files, then stores them in a location you
specify for use by other computers.
If you want to make the AutoUpdate Task always run at a specific time, you must disable the
_______________________ feature under Schedule Settings.
Troubleshooting
McAfee VirusScan Enterprise 8.5i & McAfee Anti-spyware
Enterprise Module
Objectives
At the end of this section, the student will be able to;
Identify output files from the MER Tool for VirusScan Enterprise 8.5i
Configuring Scanners to Record Session Settings
To enable Session Settings, go to the Reports tab and place a checkmark in front of Session
settings, as shown above. This will instruct the scanner to dump the session configuration data
for the Scanner to the log file the next time it logs an event.
In many cases the keys and values written by the session settings output are self-explanatory.
For example, bScanFloppyOnShutdown = 1 indicates that the option to scan floppy disks on system
shutdown is enabled; a value of 0 would indicate the option is disabled. Some scanner keys
are in plain English, for example the On-Demand Scanner session settings.
Other keys are not as easily understandable, and in some cases may appear to contradict the
setting they represent. For example, bDontScanBootSectors = 1 would seem to indicate that
NOT scanning boot sectors is enabled, but in fact, the key indicates that the option to Scan Boot
Sectors is enabled for the On-Access Scanner.
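When reading these dumps by hand it is easy to be misled by a key name. The following Python decoder is an added example, not part of the courseware or of the product: it parses "key = value" lines from a session settings dump, reports each option by what the scanner actually does (so bDontScanBootSectors = 1 reads as "Scan boot sectors: enabled"), and diffs two dumps so a changed setting stands out when troubleshooting. Only bScanFloppyOnShutdown and bDontScanBootSectors come from the page; the other key names, the "b"-prefix-means-boolean convention, and SAMPLE_DUMP are constructed for illustration.

```python
"""Decode On-Access Scanner 'Session settings' lines from a VirusScan log.

Added example; not McAfee code. bScanFloppyOnShutdown and bDontScanBootSectors
are the keys named in the courseware; the remaining key names and the sample
dump are constructed.
"""
import re

# Human-readable meaning of each key when its value is 1. Value 1 always means
# the option is ON, even where the key name reads like a negation.
KEY_MEANINGS = {
    "bScanFloppyOnShutdown": "Scan floppy disks on system shutdown",
    "bDontScanBootSectors": "Scan boot sectors (key name reads as a negation, but 1 means enabled)",
    "bScanOnRead": "Scan files when read from disk",     # assumed key name
    "bScanOnWrite": "Scan files when written to disk",   # assumed key name
}

# Matches lines such as "bDontScanBootSectors = 1"; other log lines are ignored.
LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9_]*)\s*=\s*(?P<value>-?\d+)\s*$")

# Constructed sample of a session settings dump (dwMaxScanTime is invented).
SAMPLE_DUMP = """\
bScanFloppyOnShutdown = 1
bDontScanBootSectors = 1
bScanOnWrite = 0
dwMaxScanTime = 45
"""


def parse_session_settings(text):
    """Return {key: int} for every 'key = value' line found in the dump."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group("key")] = int(m.group("value"))
    return settings


def describe(settings):
    """Translate raw keys into 'option: enabled/disabled' lines, in dump order."""
    lines = []
    for key, value in settings.items():
        if key.startswith("b"):   # assumed convention: 'b' prefix marks a boolean
            state = "enabled" if value == 1 else "disabled"
            label = KEY_MEANINGS.get(key, f"{key} (unmapped)")
            lines.append(f"{label}: {state}")
        else:
            lines.append(f"{key} = {value}")
    return lines


def diff_settings(before, after):
    """Return {key: (old, new)} for every key whose value differs between dumps."""
    changed = {}
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            changed[key] = (before.get(key), after.get(key))
    return changed


if __name__ == "__main__":
    current = parse_session_settings(SAMPLE_DUMP)
    for line in describe(current):
        print(line)
    print(diff_settings(current, dict(current, bScanOnWrite=1)))
```

Feed it the block of settings lines from the scanner log, then a second dump taken after a policy change; diff_settings narrows the comparison to the keys that actually moved.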
The following table lists the keys and possible values for the On-Access Scanner Session
Settings shown in the previous log example:
Note
To prevent the scanner log from reaching its maximum size too quickly, it is
recommended that Session settings be enabled for a particular scanner only while
troubleshooting an issue, or in any other situation where a dump of the scanner settings is
required.
Log Files
Default Log File Directory
When troubleshooting customer issues with VirusScan Enterprise 8.5i, collecting the log files
created by the product is a necessary first step in determining the source of a problem.
During installation, VirusScan Enterprise 8.5i defines a system variable, %DEFLOGDIR%, as
the default path in which to create log files.
This variable does not appear in the System Variables list on the Environment Variables
page in Windows, nor will running SET at a command prompt reveal the variable or
its value, because in most cases the variable is not defined until logging occurs.
Each executable that does logging checks for DEFLOGDIR. If it does not exist, the process
creates it by reading the common application data directory from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders\Common AppData and appending McAfee\DesktopProtection. For Windows XP Professional
users with a standard installation, this translates to C:\Documents and Settings\All
Users\Application Data\McAfee\DesktopProtection.
The following table lists the default log file locations and names for VirusScan Enterprise 8.5i
tasks:
Note
If you upgrade over a previous version of VirusScan Enterprise, the variable used for the default
log path will remain VSEDEFLOGDIR as it was in the previous installation, however, the log
file path will be changed to the new VirusScan Enterprise 8.5i location, and log files in the
previous versions directory (%VSEDEFLOGDIR%\Network Associates\VirusScan) will be
deleted.
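The resolution rule above, as an added Python helper (not McAfee code): honour an existing DEFLOGDIR, fall back to VSEDEFLOGDIR on a system upgraded from an earlier version, and otherwise derive the directory from the Common AppData registry value exactly as the product does. The registry read is only attempted on Windows and is injectable, so the path logic can be exercised off-box with a constructed value; the only log file names used are the two this section names (UpdateLog.txt, MirrorLog.txt).

```python
"""Resolve the VirusScan Enterprise 8.5i default log directory.

Added example; not McAfee code. Mirrors the rule described in the courseware:
use DEFLOGDIR (or VSEDEFLOGDIR after an upgrade) if set, otherwise read
Shell Folders\\Common AppData from HKLM and append McAfee\\DesktopProtection.
"""
import ntpath
import os
import sys

SHELL_FOLDERS = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
PRODUCT_SUBDIR = ntpath.join("McAfee", "DesktopProtection")

# Default log names given in this section; other tasks follow the same pattern.
TASK_LOGS = {
    "AutoUpdate": "UpdateLog.txt",
    "Mirror": "MirrorLog.txt",
}


def read_common_appdata_from_registry():
    """Read HKLM\\...\\Shell Folders\\Common AppData. Windows only."""
    if not sys.platform.startswith("win"):
        raise OSError("registry lookup is only possible on Windows")
    import winreg  # imported lazily so the module loads on other platforms
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHELL_FOLDERS) as key:
        value, _value_type = winreg.QueryValueEx(key, "Common AppData")
        return value


def resolve_log_dir(env=None, registry_reader=read_common_appdata_from_registry):
    """Return the directory VSE 8.5i will write its default logs to.

    env defaults to the live process environment; registry_reader is a
    zero-argument callable returning the Common AppData path.
    """
    env = os.environ if env is None else env
    # DEFLOGDIR is the 8.5i name; VSEDEFLOGDIR is retained on upgraded systems
    # but already points at the new 8.5i location.
    for var in ("DEFLOGDIR", "VSEDEFLOGDIR"):
        if env.get(var):
            return env[var]
    return ntpath.join(registry_reader(), PRODUCT_SUBDIR)


def task_log_path(task, env=None, registry_reader=read_common_appdata_from_registry):
    """Full path of the default log file for a named task (see TASK_LOGS)."""
    return ntpath.join(resolve_log_dir(env, registry_reader), TASK_LOGS[task])


if __name__ == "__main__":
    # Constructed value standing in for a real registry read.
    fake_reader = lambda: r"C:\Documents and Settings\All Users\Application Data"
    print(task_log_path("AutoUpdate", env={}, registry_reader=fake_reader))
```

On a Windows host call resolve_log_dir() with no arguments to let it read the registry; if a task's log path has been customised in its properties, that setting overrides the default and this helper will not see it.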
This method will allow you to find the location of any of the log files, even if the path or log file
name has been customized.
Minimum Escalation Requirements (MER) Tool
Objectives
Upon completion of this lab, the student will be able to;
Note
POP3 email is not supported by VirusScan Enterprise 8.5i and customers should be
discouraged from using the On-Delivery E-Mail Scanner in POP3 environments. This lab
setup is designed solely to provide hands-on configuration and detection without the need
for an elaborate mail server setup.
This lab can be conducted with each computer acting as a stand-alone workstation.
This lab is intended to demonstrate the On-Demand E-mail Scanning features of VirusScan
Enterprise 8.5i.
This lab requires the FT Gate E-mail server tool (ftgate.zip) which should be located on your
desktop. If you do not have this tool, please notify your instructor.
This lab is intended to use the existing installation and configuration created in Lab 6 On-Demand Scanner Configuration & Detection. If you are performing this lab out of order,
install VirusScan Enterprise 8.5i with maximum protection, and then install the McAfee
Anti-spyware module before proceeding with this lab.
Note
The Lotus Notes E-mail Scanner will not be demonstrated during this lab. Please refer to the
VirusScan Enterprise 8.5i Courseware or User Guide for more information on this feature.
23 At the Remote Access dialog, select Use a direct LAN connection and click Next.
25 In the Postmaster Account field, type admin (lowercase), and a password of mcafee
(lowercase). Click Next.
26 Click Finish.
27 Click Finish.
36 Click Create...
37 On the User Mailbox Configuration dialog, under Security, click Change Password.
38 In the New Password and Confirm Password fields type mcafee (lowercase).
39 Click OK.
40 In the FTGate Mailbox Manager, click the Add button.
41 The Add Mailbox or Alias dialog will appear.
42 In the Mailbox/Alias field, type student2.
43 Click Create...
44 On the User Mailbox Configuration dialog, under Security, click Change Password.
45 In the New Password and Confirm Password fields type mcafee (lowercase).
46 Click OK.
47 Click OK.
48 Click OK in the FTGate Mailbox Manager.
49 In the FTGate Program Files Folder window, double-click FTGate Server.
50 The FTGate Mail Gateway will initialize.
51 Resize the window by dragging the right border until the Operation buttons are visible.
60 On the E-mail Accounts dialog, select Add a new e-mail account. Click Next.
61 On the E-mail Accounts dialog, select POP3 and click Next.
62 On the Internet E-mail Settings (POP3) dialog, enter the following information:
Your Name: student1
E-mail Address: student1@mcafee.com
Incoming mail server (POP3): enter your ip address as recorded above
Outgoing mail server (SMTP): enter your ip address as recorded above
User Name: student1
Password: mcafee
63 Click the Test Account Settings button. You should receive the message Congratulations!
All tests completed successfully. Click Close to continue. If you do not receive this
message, verify that you have followed the above setup steps correctly and try again. If this
still fails, please notify your instructor.
64 Click Close.
65 Click Next.
66 Click Finish.
67 This should return you to the Mail dialog. In the lower portion of this dialog, select Always
use this profile and select student1 from the pull down menu. Click OK.
68 Outlook E-mail client configuration for student1 is now complete. You will now configure
Outlook for student2.
69 From the Start bar select E-mail Microsoft Office Outlook.
70 From the Menu bar select Tools > E-mail Accounts.
71 Select View or Change Existing e-mail accounts and click Next.
6 Restore the Outlook window by clicking on Inbox Microsoft Outlook in the Start bar.
7 Click New to create a new mail message.
8 In the To field, type student2@mcafee.com.
9 In the Subject field, enter test.
10 From the Menu bar, select Insert > File.
11 Navigate to your desktop and select eicar.txt. Click Insert.
12 Click Send.
Note
Files detected by the On-Delivery E-mail Scanner are placed only in the Outlook
Quarantine folder. As a result they will not appear in Quarantine Manager.
Review
Infections in files with extensions that are not on the current scan list may still generate
detections during e-mail delivery if the Outlook _______________ ________________
Scanner is enabled.
T/F Infections detected by the On-Delivery E-mail Scanner are manageable using
Quarantine Manager Policy (select True or False)?
Warning
Portions of the contents of this document are Confidential and for Internal Use Only.
Access Protection rule categories (from the original diagram): Port Blocking; File, Share and Folder Protection; Exclusions; Alerting Rules; Registry Value and Key Protection.
test.rul (located in the VirusScan directory; manually created, expected to be used by Tier
III Support/AVERT) - Defines the rules (file, registry, port blocking) that Access Protection
enforces. test.rul takes precedence over all existing Access Protection rules, including
user-defined ones; no pre-existing rule applies while test.rul is in place. test.rul is not
commonly used, but be aware that it is an extremely powerful file.
vscan.bof (located in the VirusScan directory; created at installation) - Defines the rules
(file, registry, port blocking) that Access Protection enforces; this is the default rule file
after VirusScan installation.
extra.rul (located in the VirusScan directory; manually created, expected to be used by Tier
III Support/AVERT) - Same format as vscan.bof, except that extra.rul can be delivered as part
of DAT updates when necessary. Note: extra.rul does not replace the McAfee-defined rules
contained in vscan.bof and does not replace user-defined rules.
VirusScan Enterprise 8.5i Architectural Component Breakdown - Confidential / Internal Use Only
mcshield.exe Process that drives the On-Access Scan, which drives the Access Protection
functionality.
mfapfk.sys (based on Syscore build) Driver that allows Access Protection to function.
Shstat.exe - System Tray Icon glow, Right-Click Functionality for log files
Centralized Alerting
Generation of .ALR files for OAS, Unwanted program Policy, ScriptScan, Buffer
Overflow, ODS, AutoUpdate, Access Protection, and Email scan
Alert Filtering
Alerts are filtered according to severity levels (All, Sev1, Sev2, Sev3, Sev4)
Event Log
VirusScan Enterprise events are logged to Local Application Log (Event Viewer)
SNMP Traps
Alerts are generated in the form of SNMP traps
Logging Functions
Specific log files of all the components OAS (Unwanted program Policy & ScriptScan),
Buffer Overflow, ODS, AutoUpdate, Access Protection, and Email scan
Variant Alerting
Enable VirusScan Enterprise to respond to variant detections
mytilus.dll - Send alerts and ILogger for ODS and both mail scanners (installed to
\VirusScan folder)
Cookies Scan - The cookies scan detects potentially unwanted cookies in the cookies folder.
On Detections (File & Cookies Scan) allows user to set the primary (Clean, Delete, Move,
Prompt, Continue and Delete Mail) and secondary (Prompt, Move, Delete, Continue and
Delete mail) action.
Note: Clean maps to delete.
On Exclusions (File & Cookies Scan) - If the module detects a file that you legitimately
use, you can exclude it from detection.
Registry Scan - The registry scan detects potentially unwanted spyware-related registry entries
that were not previously cleaned.
Cookies Scan - The cookies scan detects potentially unwanted cookies in the cookies folder.
On Detections (File, Registry & Cookies Scan) allows user to set the primary (Clean,
Delete, Move, Prompt, Continue and Delete Mail) and secondary (Prompt, Move, Delete,
Continue and Delete mail) action.
Note: Clean maps to delete.
On Exclusions (File, Registry & Cookies Scan) if the module detects a cookie that you
legitimately use, you can exclude it from detection.
McShield.exe
mytilus2.dll
scriptproxy.dll
scanotlk.dll
NCScan.dll
vsplugin.dll
shutil.dll
ShCfg32.exe
vsodscpl.dll
vstskmgr.exe
shstat.exe
graphics.dll
BBCpl.dll
NVPCpl.dll
VirusScan Console
Plug-ins
Provide features in the console. Plug-ins exist for the following:
OAS, ODS, AutoUpdate, Buffer Overflow, Access Protection, On-Delivery Email scan,
Unwanted program Policy
Statistics Displays
Plug-in Integration, providing access to latest count of each scanner
Interface Options
Password & Display options applied to all interfaces in product
Remote Console
Access other client consoles (one at a time) from the local system
Interface Testing
Menu items, Toolbars, Status messages (of console)
Licensing
<Nothing>
Scheduling
Task scheduling is a function in console, with integration of CMA Agent - applies to tasks
only
Vstskmgr - Pushes task schedule configuration to CMA for remotely configured tasks
Plug-ins - Each feature provides a plug-in for use in the console. These are always installed,
even when install is console only. This is necessary for Remote console feature to work.
Requirement Check
Installer
Check the minimum requirements for installing VirusScan Enterprise application
Setup Parameters
Feature, Switches, Path, interface, additional Product Selection
Over-install methods
Various upgrade paths from legacy anti-virus products
Deployment Methods
Remotely installing the VirusScan applications using McAfee's own ePolicy Orchestrator and
Protection Pilot, or third-party management products
Installation
Typical Install
Installs all components
Custom Install
Allows a user to select the components to be installed, and other customizations
Uninstallation
Uninstallation of VirusScan Enterprise Application
Repair Installation
Allows the user to modify/repair VirusScan Enterprise features/files/registry
License Application
Allows the user to select Licensing options for the application
Nailite.dll
Lotus Scan
The Lotus Notes component has two Scanner features On Access Scanner and On Demand
Scanner.
Lotus Notes uses SMTP and POP3 when configured at the server level; however, the client uses
TCP/IP for transmitting messages to and from the Domino server. Lotus On-Access scans any
attachment (mail or otherwise) and, based on configuration, defaults to local access for mail
and server side for everything else.
To scan the open local databases, the On-Demand Scanner can be used.
On-Access and On-Demand have similar property pages for scanning, except that the options
under Server Scanning Settings on the Notes Scanner Settings tab are grayed out for On-Demand
Scan. These pages come from the control panel applet for the Outlook scanner, so in general
issues that affect the Notes scanner also affect the Outlook scanner. One page of the setup is
exclusive to the Notes scanner and affects only the Notes scanner application.
The VirusScan Enterprise installer searches for the notes.ini file when installing the Lotus
Notes scanner. It updates notes.ini with the details required so that the Actions menu in the
Lotus client is populated with the On-Access and On-Demand Scan properties entries. The .ini
file also identifies the server location and helps the Lotus e-mail scanner identify the default
mail path; this is needed so that the scan server settings can be matched to filter scanning on
the server side.
If notes.ini is missing, VirusScan Enterprise does not update it, and the Actions menu will not
list the items required to set Lotus On-Access and On-Demand properties.
The Lotus installer searches for .ini files in multiple locations, including the user profile
and the Lotus program file locations, unless those .ini files reside in shared profile areas
such as All Users.
The On-Demand scan can be launched from the Lotus client only, whereas the Lotus On-Access
Scanner can be reached in two ways: the VirusScan Enterprise console and the Actions menu.
NCInstall.dll - Notes Scanner Installer Helper. Not used once installed for uninstall.
NCTrace.dll - Notes Scanner Diagnostics - Not used by the application unless special trace
registry keys are set.
The functional decomposition at a high level has been broken down into the following scenarios. (The original page carries a feature matrix that did not survive extraction; only its legend and row labels are recoverable.)
Legend: Packages are ASE, VSE (8.0i/8.5) and DFW (McAfee Desktop Firewall, AMG); the columns give the source and destination packages for each feature and the source for configuration; X marks the applicable package.
Matrix rows: Install Options; On-Access Scanner; Scheduled Scans; AutoUpdate Schedule; Alert Properties; Alert Manager Installation; McAfee Desktop Firewall; User Interface Properties; Add/Remove Options; DAT and Engine Files; Patch Files; AutoUpdate Configuration; Programs; Additional Files; Registry Settings; Installation Designer Password; Configuration File Packages; Upgrade License; Post-Installation Options; Finish; Destination Type; On-Delivery Scanner.
VSECFG.CAB - File that is copied into the McAfee Installation Designer folder of the installed
product to apply the customized settings.
ASECFG.CAB - File that is copied into the McAfee Installation Designer folder of the installed
product to apply the customized settings.
NAP/Plug-in policy pages: OAS - General, OAS - Default Processes, User Interface, Alert,
Access Protection. The NAP also provides user-interface pages for creating managed tasks such
as ODS, Update, and Mirror.
VSplugin.dll:
Policy is defined at the ePolicy Orchestrator server.
Policy is sent by the ePolicy Orchestrator server to the client ePolicy Orchestrator agent
Agent receives policy
The agent calls a VSplugin.dll to enforce the policy
The vsplugin.dll applies the policy to the point product
Vsupdate.dll:
VirusScan Enterprise plug-in for updates, it communicates to the rest of the VirusScan
Enterprise product when it receives notification of an update from the agent
Vsebll.dll:
VirusScan Enterprise event parser .dll which is included in the extended NAP
Mfeapfa.dll:
ActiveX control included in the NAP to display access protection rules from vscan.bof
Mytilus.dll:
Sends events to agent
ePOPolicyMigration.exe:
This file should be run to copy the VSE80i and VSE7.1 rules into VSE8.5 when VSE8.5
NAP is checked-in over VSE80i or VSE7.1
Pkgcatalog.z
VSE850.Nap
Once this file is checked into ePolicy Orchestrator/Protection Pilot Repository Database, the
product is now ready for management. This NAP file will give a set of web pages. Using
these web pages, Policies for configuration settings as well as creating/scheduling the
Managed Tasks can be applied and enforced onto clients.
VSE850Reports.Nap
Once this file is checked into the ePolicy Orchestrator/Protection Pilot repository database,
the management console is ready to capture and display the events generated by the point
product. This file provides a GUI (charts, graphs) so that an administrator can view client
statistics.
Sitelist.xml
This file contains the server routing information and the update repository list. Sitelist.xml is
also shared by the Common Updater. It contains all the repositories (FTP, HTTP, etc.) created
by the management server and triggers the Common Updater to update from the selected
repository (in priority order) at the scheduled time.
C:\Program Files\Network Associates\ePO\(version)\DB\Software\Current\VIRUSCAN8600
Directory created on the ePolicy Orchestrator server when a Pkgcatalog.z file is checked in.
This directory contains the files needed by ePolicy Orchestrator to deploy the product,
e.g. Setup.exe, setup.ini, uninst.dll, uninst.ini, vse850.msi.
Vsplugin.dll
Each Point Product will have its own Plug-in to communicate with the agent. VirusScan
Enterprise has this file which has a Plug-in program that will communicate with the common
agent and apply the policy settings to point product.
ePOPolicyMigration.exe
This file comes with the VSE 8.5 build. It should be run to copy the VSE 8.0i and VSE 7.1
rules into VSE 8.5 when the VSE 8.5 NAP is checked in over VSE 8.0i or VSE 7.1.
Full Scan
Included in the default installation. The scanned items are memory (for rootkits), running
processes and all local drives.
Right-Click Scan
All local and network drives can be scanned by right-clicking the specific drive or folder. The
root and all folders and subfolders within the scanned drive or folder are scanned.
Schedule Scan
Users can schedule an on-demand scan for a specified time and recurrence. A scheduled scan
can also be run at any time from the VirusScan Console.
ePolicy Orchestrator scheduled task
On-demand scans can also be scheduled through the ePolicy Orchestrator console, which
deploys the scheduled tasks to clients.
Scan32.exe
ODS interface
Shext.dll
Shell extension; right-click scan interface
Mcshield.exe
Description: On-Access Scanner Service
File Location: C:\Program Files\McAfee\VirusScan Enterprise
Registry Locations:
HKLM\System\CurrentControlSet\Services\McShield
HKLM\Software\McAfee\VSCore\On Access Scanner\McShield
As the VSCore diagram above shows, McShield, the file responsible for on-access scan
activity, is a component of VSCore, not a stand-alone application.
McShield has essentially no UI; it does all of its scanning in the background. When it needs to
alert the user to a detection, or to let the user change its properties, the user is not really
interacting with McShield but with other elements of VSCore, such as the Announcer, which
launches when a detection has occurred, or the Common Shell, which is used to access the properties.
Outlook Scan
The On-Delivery E-Mail Scanner settings (except for those on the Notes Scanner Settings tab)
are shared by the Outlook On-Delivery scanner and the Notes On-Access scanner.
The Outlook On-Delivery Scanner and the On-Demand Scanner are the two components of
Outlook Scan; both use the Outlook plug-in.
Outlook Scan uses the MAPI (Messaging Application Programming Interface) API to talk to the
Exchange Server. The On-Delivery Scan scans e-mail at the time of delivery (to the Inbox or to
a local .pst folder), provided Outlook is running.
On-Delivery and On-Demand have similar scanning property pages. Although the Outlook
On-Delivery property screen has a Lotus Scan configuration tab, changes made there do not
affect the Outlook On-Delivery scan.
NOTES:
Regardless of the order in which Outlook and VirusScan Enterprise are installed, the Outlook
scanner functionality will be available as long as this component is selected for installation.
OTLKUI.dll - This will be installed when we switch to VSCore 13.2. This DLL contains
the UI part of the Outlook Scan (prompt dialog box, On-Demand Scan UI, etc.)
The following registry keys are created for the Outlook e-mail scan:
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\Alerts
bSendToAlertManagerEmail
On-Delivery Settings:
SOFTWARE\McAfee\VSCore\Email Scanner\Outlook\OnDelivery
On-Demand Settings:
SOFTWARE\McAfee\VSCore\Email Scanner\Outlook\OnDemand
ASE-M:
SOFTWARE\McAfee\VSCore\NVP
Outlook:
SOFTWARE\Microsoft\Exchange\Client\Extensions
ScriptScan
ScriptScan works by acting as a proxy between the script and the actual Windows script
interpreters. It does this by hooking the functions that are called when a script is executed.
Without ScriptScan in place, a script uses ActiveX to call a DLL, which calls another DLL that
creates a ClassFactory object. This object then creates an ActiveScript object, which loads and
runs the script. If the script contains malicious code, it runs just like any other, non-malicious
code would.
With ScriptScan in place, the process running the VBScript or JScript code loads the ScriptScan
scanner components, and the following functions are hooked:
IActiveScriptParse32::AddScriptlet
IActiveScriptParse32::ParseScriptText
IActiveScriptParseProcedure2_32::ParseProcedureText
In very basic terms, if the script is clean, ScriptScan passes it on to the Windows interpreter to
finish the job.
If the script is infected, the original function is still called, but instead of passing the infected
script, ScriptScan passes an empty string. By default an OAS message appears saying the
script was blocked; however, the alerting depends entirely on the user's configuration.
There is also an option to exclude processes from ScriptScan. The "Processes to exclude:" text
box takes comma-separated values, and ScriptScan will skip the processes listed there.
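A model of the hook decision just described, added here as an example; it is not ScriptScan's code (which hooks the COM interfaces natively) and is not part of the workbook. The "hook" is a Python wrapper around a stand-in interpreter, fake_interpreter, and the signature list is a constructed substring match standing in for the engine and DATs; all class, function and variable names are the example's own. It shows the three outcomes: a clean script passed through, an infected script replaced by an empty string with an alert that depends on configuration, and an excluded process whose scripts are not scanned at all.

```python
import ntpath
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Constructed "signature" list standing in for the engine's DAT content. The real
# engine is McScan32.dll with AVVscan.dat; substring matching is an assumption
# made for this example only.
CONSTRUCTED_SIGNATURES = ("CONSTRUCTED-TEST-SIGNATURE",)


@dataclass
class ScriptScanConfig:
    enabled: bool = True
    show_alert: bool = True          # the OAS "script was blocked" message, per the workbook
    processes_to_exclude: str = ""   # comma-separated, as typed into "Processes to exclude:"


def parse_process_exclusions(text: str) -> Set[str]:
    """Normalise the comma-separated exclusion list to lower-case image names."""
    names = set()
    for entry in text.split(","):
        entry = entry.strip()
        if entry:
            # Tolerate a full Windows path being typed; compare on the image name only.
            names.add(ntpath.basename(entry).lower())
    return names


def script_is_clean(script_text: str, signatures=CONSTRUCTED_SIGNATURES) -> bool:
    return not any(sig in script_text for sig in signatures)


def fake_interpreter(script_text: str) -> int:
    """Stand-in for the Windows script engine: 'runs' the script and returns the
    number of statements executed (an empty string runs nothing)."""
    return len([s for s in script_text.split(";") if s.strip()])


@dataclass
class HookedParseScriptText:
    """Model of the hooked IActiveScriptParse32::ParseScriptText entry point.
    `original` is the engine function the hook always calls on; the hook only
    decides which text it receives."""
    original: Callable[[str], int]
    config: ScriptScanConfig
    alerts: List[str] = field(default_factory=list)

    def __call__(self, host_process: str, script_text: str) -> int:
        excluded = parse_process_exclusions(self.config.processes_to_exclude)
        if not self.config.enabled or ntpath.basename(host_process).lower() in excluded:
            # Excluded process (or ScriptScan off): no scan, script goes straight through.
            return self.original(script_text)
        if script_is_clean(script_text):
            return self.original(script_text)
        # Detection: the original function is still called, but with an empty string,
        # so the interpreter runs nothing. Whether anything is shown depends on config.
        if self.config.show_alert:
            self.alerts.append(f"ScriptScan blocked a script in {host_process}")
        return self.original("")


# Constructed scripts: one benign, one carrying the constructed signature.
BENIGN_SCRIPT = 'WScript.Echo "hello"; x = 1; y = x + 1'
FLAGGED_SCRIPT = 'a = 1; b = "CONSTRUCTED-TEST-SIGNATURE"; WScript.Echo b'


def demo():
    cfg = ScriptScanConfig(processes_to_exclude="cscript.exe, C:\\Tools\\build.exe")
    hook = HookedParseScriptText(fake_interpreter, cfg)
    return {
        "benign": hook("wscript.exe", BENIGN_SCRIPT),     # 3 statements run
        "flagged": hook("wscript.exe", FLAGGED_SCRIPT),   # 0 statements run, alert raised
        "excluded": hook("CSCRIPT.EXE", FLAGGED_SCRIPT),  # 3 statements run, never scanned
        "alerts": list(hook.alerts),
    }


if __name__ == "__main__":
    print(demo())
```

The third result is the one to keep in mind when reviewing a policy: a process listed in "Processes to exclude:" gets no scanning of the scripts it hosts, so the list should be short and every entry justified.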
Self Protection
Self-Protection is VirusScan's ability to protect its own files (McAfee files) from tampering,
using VirusScan's advanced protection features. Self-Protection is essentially a set of rules
designed to prevent any user, whether an administrator or a user with limited privileges, from
altering VirusScan Enterprise's files, configuration or services. This ensures that the protection
VirusScan Enterprise provides (access protection, McAfee cleaning, etc.) is not compromised
in any way.
Of course, a user with administrator privileges can alter these settings in the Access Protection
Properties.
Self-Protection is considered a value-added service. That is, instead of being an actual
component, it is more a presentation of already present features in a way that shows the user
they are getting added value from our product.
Self-Protection is made up of two components:
Lockdown.dll - Lockdown.dll is an Access Control List (ACL) that protects services such
as Mcshield.exe, VsTskMgr.exe, naPrdMgr.exe and FrameworkService.exe. Because ACLs
do not work when the user is an administrator, lockdown.dll cannot be used to protect
VirusScan Enterprise 8.5's files and settings.
Access Protection Rules - VirusScan Enterprise 8.5's Access Protection rules prevent
access to objects by intercepting requests in the kernel instead of relying on the objects'
security descriptors. These rules protect all of VirusScan Enterprise 8.5's files and
registry settings; through exclusions they still allow the management functions that need
to be permitted.
The specific Access Protection rules that will be detached from the AP properties and moved
to the Self-Protection UI have yet to be definitively identified.
vscan.bof
mcshield.exe
Exclusions
The exclusion information is written to the registry in the following keys:
For OAS:
HKLM\Software\McAfee\VSCore\On Access Scanner\McShield\Configuration\Default
HKLM\Software\McAfee\VSCore\On Access Scanner\McShield\Configuration\High
HKLM\Software\McAfee\VSCore\On Access Scanner\McShield\Configuration\Low
For ODS:
Default Task: HKLM\SOFTWARE\McAfee\Desktop Protection\Default Task
Other Tasks: HKLM\SOFTWARE\McAfee\Desktop Protection\Task\<Task ID>
In each key, the total number of exclusions is stored in the registry value NumExcludeItems.
Type codes used in the exclusion entries:
0 - Last modified date
1 - Creation date
2 - Last accessed date
3 - Pattern
4 - File Type
5 - Windows File Protection
6 - Recycle Bin
Types 5 (Windows File Protection) and 6 (Recycle Bin) are not used.
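An added example (not from the workbook or the product) that reads a constructed .reg export of one of the OAS configuration keys listed above, decodes each exclusion using the type codes in the table, and flags entries a reviewer should look at. Only NumExcludeItems is named on the page; the per-item value name ExcludedItem_N and the type|item|flags layout are assumptions made for this example, as are the sample entries and the function names.

```python
import re
from typing import Dict, List

# Type codes from the workbook's exclusion table.
EXCLUSION_TYPES = {
    0: "Last modified date",
    1: "Creation date",
    2: "Last accessed date",
    3: "Pattern",
    4: "File Type",
    5: "Windows File Protection (not used)",
    6: "Recycle Bin (not used)",
}

# Constructed .reg export of the OAS "Default" profile key. Only NumExcludeItems is
# named on the page; the value name "ExcludedItem_N" and the "type|item|flags"
# layout are an ASSUMPTION for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\McAfee\VSCore\On Access Scanner\McShield\Configuration\Default]
"NumExcludeItems"=dword:00000004
"ExcludedItem_0"="3|C:\\Program Files\\ExampleApp\\**|7"
"ExcludedItem_1"="3|*.log|7"
"ExcludedItem_2"="4|TMP|0"
"ExcludedItem_3"="3|C:\\**|7"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg reader: {key_path: {value_name: str|int}} for REG_SZ and REG_DWORD."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.group("name"), m.group("val")
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
                # .reg escapes backslashes and quotes inside string values
                keys[current][name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return keys


def decode_exclusions(values: Dict[str, object]) -> List[dict]:
    """Walk ExcludedItem_0 .. ExcludedItem_(NumExcludeItems-1) and decode each entry."""
    count = int(values.get("NumExcludeItems", 0))
    items = []
    for i in range(count):
        raw = values.get(f"ExcludedItem_{i}")
        parts = str(raw).split("|") if raw is not None else []
        if len(parts) != 3 or not parts[0].isdigit():
            items.append({"index": i, "error": f"missing or unparseable entry: {raw!r}"})
            continue
        code = int(parts[0])
        items.append({
            "index": i,
            "type": code,
            "type_name": EXCLUSION_TYPES.get(code, "unknown"),
            "item": parts[1],
            "flags": int(parts[2]) if parts[2].isdigit() else None,
        })
    return items


# Patterns that silence scanning for a whole drive or for every file.
BROAD_PATTERN_RE = re.compile(r'^(?:\*\*|\*|\*\.\*|[A-Za-z]:\\\*\*)$')


def review_exclusion(item: dict) -> str:
    if "error" in item:
        return "MALFORMED"
    if item["type"] in (5, 6):
        return "UNUSED_TYPE"   # the workbook marks these type codes as not used
    if item["type"] == 3:
        if BROAD_PATTERN_RE.match(item["item"]):
            return "BROAD"     # effectively disables on-access scanning for that scope
        if item["item"].startswith("*."):
            return "REVIEW"    # extension-wide pattern: applies everywhere on disk
    return "OK"


def audit_oas_exclusions(reg_text: str, profile: str = "Default") -> List[tuple]:
    """Return (index, type_name, item, verdict) for one OAS profile's exclusions."""
    keys = parse_reg(reg_text)
    suffix = "\\On Access Scanner\\McShield\\Configuration\\" + profile
    for path, values in keys.items():
        if path.lower().endswith(suffix.lower()):
            return [(it["index"], it.get("type_name", "?"), it.get("item", ""), review_exclusion(it))
                    for it in decode_exclusions(values)]
    return []


if __name__ == "__main__":
    for row in audit_oas_exclusions(SAMPLE_REG):
        print(row)
```

The same walk applies to the High and Low profiles and to the ODS task keys above; an exclusion set via a policy shows up in these values just as one typed locally does, so comparing an export against the intended policy is a quick way to spot an entry nobody meant to add.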
Updater
Component Breakdown (by File):
Dats
AVVclean.dat
AVVnames.dat
AVVscan.dat
Engine
McScan32.dll
Messages.dat
License.dat
Updater component
Mcupdate.exe
Framework Service/CMA
Schedules the update task, performs the actual updating, including the UI during the update
itself, processes the sitelist XML, sends log and alert information back to the McUpdate UI,
and shares its binaries with the common agent that is run by management tools.
Mirror Task
Performed by the CMA using a special updating script. Creates a replica of a site that the user
points to; whatever is in that site can be downloaded to a local server for easier access and
less network traffic.
Interface Testing
Menu items, Toolbars, agent update icon
199
21
VirusScan Enterprise 8.5i Architectural Component Breakdown - Confidential / Internal Use Only
UI Change (only when CMA 3.6 is added) so that Engine Updates will always include Dats
ecus (5000 engine team requirement).
Update Window
Shows progress of update and which DATs are being downloaded
Rollback Option
DATs and Engine should go back to previous version
Edit Sitelist
Repositories can be added, modified, deleted, and imported
Scheduler
Sets time and date and how often to run the update