McAfee Management for Optimized Virtual Environments AntiVirus



Product Guide

McAfee Management for Optimized Virtual

Environments AntiVirus 4.5.1

For use with McAfee ePolicy Orchestrator

COPYRIGHT

© 2017 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.

Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface 7
    About this guide 7
        Audience 7
        Conventions 7
    Find product documentation 8

1 Product overview 9
    What is McAfee MOVE AntiVirus? 9
        Multi-Platform deployment 9
        Agentless deployment 10
    Key features 10
    Multi-Platform components 11
    Agentless components 12
    How it works 13
        The role of the McAfee MOVE AntiVirus SVM (Multi-Platform) 13
        The role of the McAfee MOVE AntiVirus SVM (Agentless) 13
        The role of the SVM Manager (Multi-Platform) 13
        The role of the security management platforms 13

2 Configuring McAfee MOVE AntiVirus 15
    The importance of creating a security strategy 15
    McAfee ePO features leveraged by McAfee MOVE AntiVirus 16
        About the McAfee ePO System Tree 17
        Using client tasks with McAfee MOVE AntiVirus 18
    Automated installation and deployment 19
    Using policies in McAfee ePO 19
        Create a policy 20
        Assign a policy 20
        How the policy assignment works (Agentless) 21
        Configuring policies 22
    Configuring permissions sets 22
        Using permission sets 23
        Configure permission sets 23
    Configuring McAfee MOVE AntiVirus settings 24
        Configuring common settings for Multi-Platform 24
        Configuring exclusions 25
        Configuring client load per SVM (Multi-Platform) 28
    Scanning for threats on client computers 29
        Types of scans 29
        How McAfee GTI works 29
        Excluding items from scans 30
        Configure common scan settings 30
        On-access scanning 31
        On-demand scanning 36
    Configure deferred scan settings (Multi-Platform only) 43
        Client notifications for deferred scan 44
    Scan diagnosis 44
        Identify frequently scanned items from McAfee ePO (Agentless) 44
        Identify frequently scanned items from command line (Agentless) 45
        Identify frequently scanned items from McAfee ePO (Multi-Platform) 47
        Identify frequently scanned items from command line (Multi-Platform) 47

3 Managing McAfee MOVE AntiVirus 51
    Keeping your protection up to date 51
    Responding to detections 51
        Unwanted program detection 51
        On-access scan detections 52
        On-demand scan detections 52
    Quarantined items 52
        Configure the settings for quarantine 52
        Restore quarantined items (Multi-Platform) 53
        How quarantine works (Agentless) 54
    Self-protection 57
    Events, responses, and McAfee MOVE AntiVirus 59
    Analyzing your protection 59
    Integrating TIE and Advanced Threat Defense 60
        How Threat Intelligence Exchange works 60
        How Advanced Threat Defense works 61
        Scenarios for using Threat Intelligence Exchange 62
        How a reputation is determined 62

4 Monitoring activity in your environment 63
    Monitoring activity with McAfee ePO 63
    McAfee MOVE AntiVirus dashboard 63
    View visibility and health details of the SVM 64
    View default queries 64
        Predefined Multi-Platform queries 64
        Predefined Agentless queries 67
    McAfee MOVE AntiVirus server tasks 68

5 Client command-line interface reference 69
    Accessing the CLI 69
    config 69
    disable 71
    enable 71
    ftypes 72
    help 72
    loglevel 72
    pp 73
    q 74
    status 75
    version 75
    Password protected CLI 76
        Set password for client CLI 76

6 Server command-line interface reference 77
    Access the CLI 77
    cache 77
    config 78
    help 79
    loglevel 79
    stats 79
    version 80

7 Troubleshooting 81
    Error codes 81
    Frequently asked questions 87

Index 95


Preface

This guide provides the information you need to work with your McAfee product.

Contents

About this guide

Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

Administrators — People who implement and enforce the company's security program.

Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

Italic: Title of a book, chapter, or topic; a new term; emphasis

Bold: Text that is emphasized

Monospace: Commands and other text that the user types; a code sample; a displayed message

Narrow Bold: Words from the product interface like options, menus, buttons, and dialog boxes

Hypertext blue: A link to a topic or to an external website

Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method

Tip: Best practice information

Caution: Important advice to protect your computer system, software installation, network, business, or data

Warning: Critical advice to prevent bodily harm when using a hardware product


Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.


1 Product overview

McAfee® Management for Optimized Virtual Environments AntiVirus (McAfee® MOVE AntiVirus) is an anti-virus solution for virtual environments. It provides protection and performance for your organization without having to install an anti-virus application on every virtual machine (VM).

McAfee MOVE AntiVirus detects threats, then protects your environment based on settings that you configure.

You can configure the software as a standalone product, or you can use McAfee® ePolicy Orchestrator® (McAfee® ePO) to configure, manage, and enforce your policies. Once configured, you can use queries and dashboards to track activity and detections.

Contents

What is McAfee MOVE AntiVirus?

Key features

Multi-Platform components

Agentless components

How it works

What is McAfee MOVE AntiVirus?

McAfee MOVE AntiVirus provides anti-virus protection for virtual environments, without having to install anti-virus software on every virtual machine.

The software provides the protection and performance needed for your organization.

Once installed, McAfee MOVE AntiVirus immediately begins protecting your systems from malware.

The software includes two deployment options, Multi-Platform and Agentless. Both options provide consistent protection and are managed and reported on by McAfee ePO.

Multi-Platform deployment

The Multi-Platform is an agent-based deployment option. It offloads all scanning to a dedicated Security Virtual Machine (SVM) that runs McAfee® VirusScan® Enterprise software. Guest VMs are no longer required to run anti-virus software locally, which improves performance for anti-virus scanning, and increases VM density per hypervisor.

The Multi-Platform deployment option:

• Supports on-access scanning and on-demand scanning to examine files for potential threats.

• Uses McAfee® Threat Intelligence Exchange (TIE) and McAfee® Advanced Threat Defense for in-depth analysis of suspect files using local, global, and enterprise-level caches, and to define threat reputation and take the required actions.

• Uses McAfee ePO to manage the McAfee MOVE AntiVirus configuration on client systems, McAfee MOVE AntiVirus SVM, and SVM Manager.


• Uses the SVM Manager to automatically assign the SVM to the clients for simplified administrative management, monitoring the health of SVMs, and load-balancing of SVMs. See the installation guide for instructions about deploying and configuring the autoscale SVM.

• Uses the McAfee® Agent for policy and event handling.

• Uses McAfee ePO for reports on viruses that are discovered on the VMs.

Agentless deployment

This deployment method integrates with VMware NSX Manager and VMware vShield. It protects your virtual environment from malware without a McAfee Agent for easy deployment and setup. This deployment provides virus protection for VMs on the hypervisor.

The Agentless deployment option:

• Uses the VMware vShield Endpoint API to receive scan requests from VMs on the hypervisor.

• Relies on McAfee® Endpoint Security for Linux Threat Prevention for SVM scanning and updates.

• Uses McAfee ePO to manage the McAfee MOVE AntiVirus configuration on the SVM.

• Uses McAfee Agent for policy and event handling.

• Uses McAfee ePO for reports on viruses that are discovered on the VMs.

Key features

McAfee MOVE AntiVirus features are important for the security, protection, and performance of your enterprise systems.

Some features are shared by the Multi-Platform and Agentless deployment options, and some features apply to only one option.

Each feature is listed with its description and whether it applies to the Multi-Platform and Agentless deployment options.

Centralized management (Multi-Platform: Yes; Agentless: Yes): McAfee MOVE AntiVirus integrates fully into McAfee ePO for automated security reporting, monitoring, deployment, and policy administration.

Data Center visibility (Multi-Platform: Yes; Agentless: Yes): Cloud Workload Discovery, part of the Data Center Security suite, provides a complete view into virtual datacenters and imports key properties like servers, hypervisors, and VMs through McAfee ePO.

On-access scanning (Multi-Platform: Yes; Agentless: Yes): Examine files as they are accessed, providing continuous, real-time detection of threats.

On-demand scanning (Multi-Platform: Yes; Agentless: Yes): Examine all files on VMs to find potential threats any time or on a schedule.

Targeted on-demand scanning (Multi-Platform: Yes; Agentless: Yes): Optimize file scanning for files whose previous scan timed out for reasons such as large file size, file structure, and file composition.

SVM Manager (Multi-Platform: Yes; Agentless: NA): Automatically assign the SVM to Multi-Platform clients for simplified administrative management, monitoring the health of SVMs, and load-balancing of SVMs.


SVM autoscaling (Multi-Platform: Yes; Agentless: NA): The SVMs automatically scale up and down depending on the number of endpoints connected. Define the number of backup SVMs that are ready to protect your client systems. Calculate the number of ready SVMs required for the maximum number of clients that need protection at any time of the day. The standby SVMs are automatically deployed based on the backup SVM value.

Scan diagnostics (Multi-Platform: Yes; Agentless: Yes): Run the scan diagnostic tool to easily find frequently scanned files, extensions, and VMs, then use the results to exclude them from being scanned, improving performance.

RAM disk for scanning (Multi-Platform: Yes; Agentless: NA): RAM disk is used by the OSS for file scanning and it significantly reduces the disk I/O on the offline scan server. By default, RAM disk is enabled in the McAfee ePO server. RAM disk is created by the OSS and it improves the OSS performance by enhancing the scan time.

Threat Intelligence Exchange (Multi-Platform: Yes; Agentless: NA): Determine a file's reputation risk score with seamless integration of TIE, McAfee ePO, and McAfee MOVE AntiVirus.

Advanced Threat Defense integration (Multi-Platform: Yes; Agentless: NA): Protect your client systems and network against malware and Advanced Persistent Threats (APTs) with the multi-level threat detection capabilities of ATD.

Optimized scanning (Multi-Platform: Yes; Agentless: Yes): Minimize the performance impact on virtual servers with enhanced scan avoidance and scanning based on overall workload of the hypervisor.

NSX Manager-based deployment (Multi-Platform: NA; Agentless: Yes): Register the SVM with VMware NSX Manager and automatically deploy it to a host to provide virus protection for VMs on a new hypervisor as soon as the hypervisor is added to the cluster.

VMware vCNS-based deployment (Multi-Platform: NA; Agentless: Yes): Deploy the SVM to hypervisor or hypervisors in vCNS environment to provide virus protection for VMs on a hypervisor.

Endpoint Scan and Security reports (Multi-Platform: Yes; Agentless: Yes): With the Cloud Workload Discovery software, quickly retrieve Endpoint Scan Report and Endpoint Security Report of all registered endpoints.

Multi-Platform components

Each component performs specific functions to keep your environment protected.

ePolicy Orchestrator — A management platform that communicates with the McAfee Agent, manages the Multi-Platform configuration, and provides reports on malware discovered in your virtual environment.

Hypervisor — A virtual operating platform that allows multiple operating systems to run concurrently on a hosted system and manages the execution of the guest operating system.

McAfee Agent — A client-side component that communicates with McAfee ePO, applies policies to each VM, and deploys the McAfee MOVE AntiVirus client.


McAfee MOVE AntiVirus client — The client software that allows VMs to work with the Security Virtual Machine (SVM) for file scanning and malware detection. Enforces actions on the client when a threat is detected.

McAfee MOVE AntiVirus SVM — The Security Virtual Machine VM that provides offloaded scanning support for VMs, minimizing the performance impact on virtual desktops.

SVM Manager — A load balancing component that automatically assigns SVM to Multi-Platform clients based on configurable parameters like scan server load, McAfee ePO tags, and IP address ranges.

McAfee MOVE AntiVirus Common extension — The product extension that provides policies and controls for configuring and managing the self-protection for the product's command line interface.

You can enable events and logging details of the McAfee MOVE AntiVirus client through McAfee ePO.

McAfee MOVE AntiVirus extension — The product extension that provides policies and controls for configuring and managing components such as SVM Manager, SVM Settings, on-access and on-demand scanning, and shared cloud solutions. It provides the configurations required for managing the McAfee MOVE AntiVirus SVM through McAfee ePO.

VirusScan Enterprise — Anti-virus software that enables anti-virus scanning for the SVM virtual machine and communicates with the McAfee GTI servers.

Cloud Workload Discovery — A Data Center discovery software that integrates the management and automation feature of McAfee ePO to discover and manage your guest VMs.

Agentless components

Each component performs specific functions to keep your environment protected.

ePolicy Orchestrator — A management platform that allows you to configure policies to manage Agentless configuration and provides reports on malware discovered in your virtual environment.

Security Virtual Machine (SVM) — The McAfee MOVE AntiVirus service package that provides anti-virus protection for VMs and communicates with the loadable kernel module on the hypervisor, McAfee ePO, and the McAfee GTI servers. The SVM is the only system directly managed by McAfee ePO. Endpoint Security for Linux Threat Prevention, McAfee Agent, and McAfee MOVE AntiVirus (Agentless) are pre-installed.

File Quarantine — Remote quarantine system, where quarantined files are stored on an administrator-specified network share.

McAfee GTI (Global Threat Intelligence) — A comprehensive, real-time, cloud-based threat intelligence service that classifies suspicious files that are found on the file system. When the real-time malware defense detects a suspicious program, it sends a DNS request for analysis to a central database server hosted by McAfee Labs.

VMware vCenter — Console that manages the ESXi servers, which host the guest VMs that require protection.

Hypervisor (ESXi) — A virtual operating platform that allows multiple operating systems to run concurrently on a hosted system and manages the execution of the guest operating systems. ESXi is an embedded hypervisor for servers that runs directly on server hardware without requiring an extra underlying operating system.

vCloud Networking and Security Manager (vCNS) — A centralized network management component that manages the vShield components for the SVM and VMware vShield Endpoint, and monitors the health of the SVM.


VMware NSX Manager — Console that allows you to configure, provision, and automate the protection on the endpoints in a datacenter.

Virtual Machines (VMs) — Completely isolated guest operating system installations in a normal host operating system that support both virtual desktops and virtual servers.

How it works

McAfee MOVE AntiVirus detects, resolves, and logs information about detected threats. The software is installed on McAfee MOVE AntiVirus Security Virtual Machine (SVM) to perform these tasks.

The software includes two deployment options, Multi-Platform and Agentless. Both options provide consistent protection and are managed and reported on by McAfee ePO.

The role of the McAfee MOVE AntiVirus SVM (Multi-Platform)

The Multi-Platform is an agent-based deployment option. It offloads all scanning to a dedicated

Security Virtual Machine (SVM) that runs VirusScan Enterprise software. Guest VMs are no longer required to run anti-virus software locally, which improves performance for anti-virus scanning, and increases VM density per hypervisor.

The role of the McAfee MOVE AntiVirus SVM (Agentless)

McAfee MOVE AntiVirus SVM provides anti-virus protection for VMs and communicates with the loadable kernel module on the hypervisor, McAfee ePO, and the McAfee® Global Threat Intelligence (McAfee GTI) servers.

The SVM is the only system directly managed by McAfee ePO. Endpoint Security for Linux Threat Prevention, McAfee Agent, and McAfee MOVE AntiVirus are preinstalled.

The role of the SVM Manager (Multi-Platform)

The SVM Manager automatically assigns the McAfee MOVE AntiVirus SVM to McAfee MOVE AntiVirus clients based on configurable parameters like scan server load, McAfee ePO tags, and IP address ranges. The SVM Manager also assigns the McAfee MOVE AntiVirus SVM to McAfee MOVE AntiVirus clients that do not have tags and are not in IP address ranges.
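The tag, IP-range, and load-based assignment described above, as an added illustrative model written for this guide rather than McAfee's own code: the precedence order (tag match, then IP range, then the default pool for clients with neither), the load/capacity ratio used to pick the least-loaded SVM, and the refusal to assign when every eligible SVM is at its client load limit are all assumptions of this example, and the SVM and client inventory is constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Svm:
    """A scan server as the assignment logic sees it (constructed model)."""
    name: str
    load: int                 # clients currently assigned to this SVM
    capacity: int             # configured client load limit for this SVM
    tags: set = field(default_factory=set)         # McAfee ePO tags this SVM serves
    ip_ranges: list = field(default_factory=list)  # CIDR ranges this SVM serves


@dataclass
class Client:
    name: str
    ip: str
    tags: set = field(default_factory=set)


def candidate_pool(client, svms):
    """Select the pool of SVMs eligible for a client.

    Precedence (an assumption of this model): an SVM whose tags match the
    client's ePO tags wins; otherwise an SVM whose configured IP range contains
    the client address; otherwise the default pool of SVMs that have neither
    tags nor IP ranges, which serves clients with no tags and no matching range.
    """
    ip = ipaddress.ip_address(client.ip)
    by_tag = [s for s in svms if s.tags & client.tags]
    if by_tag:
        return by_tag, "tag"
    by_range = [
        s for s in svms
        if any(ip in ipaddress.ip_network(r, strict=False) for r in s.ip_ranges)
    ]
    if by_range:
        return by_range, "ip-range"
    default = [s for s in svms if not s.tags and not s.ip_ranges]
    return default, "default"


def assign_svm(client, svms):
    """Assign the least-loaded eligible SVM that still has spare capacity.

    Returns (svm_name, reason). svm_name is None when every eligible SVM is at
    its client load limit; that condition should be surfaced to an administrator
    (or trigger SVM autoscaling) rather than silently over-subscribe a server.
    """
    pool, reason = candidate_pool(client, svms)
    available = [s for s in pool if s.load < s.capacity]
    if not available:
        return None, reason
    # Relative load keeps a small SVM from filling up before a large one.
    best = min(available, key=lambda s: (s.load / s.capacity, s.name))
    best.load += 1
    return best.name, reason


def sample_svms():
    """Constructed inventory used by the demo and by tests (not real hosts)."""
    return [
        Svm("svm-finance", load=10, capacity=100, tags={"Finance"}),
        Svm("svm-lab-a", load=50, capacity=100, ip_ranges=["10.0.1.0/24"]),
        Svm("svm-lab-b", load=20, capacity=100, ip_ranges=["10.0.1.0/24"]),
        Svm("svm-default", load=0, capacity=2),
    ]


def demo():
    """Walk a few constructed clients through assignment; returns the decisions."""
    svms = sample_svms()
    clients = [
        Client("fin-01", "10.0.1.5", tags={"Finance"}),   # tag match beats IP range
        Client("lab-01", "10.0.1.7"),                      # IP range, least loaded wins
        Client("misc-01", "192.168.9.9"),                  # default pool
        Client("misc-02", "192.168.9.10"),
        Client("misc-03", "192.168.9.11"),                 # default pool is now full
    ]
    return [(c.name,) + assign_svm(c, svms) for c in clients]


if __name__ == "__main__":
    for name, svm, reason in demo():
        print(f"{name:8} -> {svm or 'NO SVM AVAILABLE':18} ({reason})")
```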

The role of the security management platforms

This deployment provides virus protection for virtual machines on a hypervisor. You use the McAfee ePO console to deploy the McAfee MOVE AntiVirus SVM to hypervisors or to a whole vCenter.

(Agentless only) You can register the McAfee MOVE AntiVirus SVM with VMware NSX Manager and deploy it automatically to one or more clusters. This deployment automatically provides virus protection for virtual machines on a new hypervisor from the moment the hypervisor is added to the cluster.


2 Configuring McAfee MOVE AntiVirus

Configure McAfee MOVE AntiVirus settings to prevent malware access, keep your protection up to date, and scan for malware on client systems.

McAfee MOVE AntiVirus provides two types of file scanning, on-access and on-demand. You can customize the scan settings based on your demands and requirements.

Contents

The importance of creating a security strategy

McAfee ePO features leveraged by McAfee MOVE AntiVirus

Automated installation and deployment

Using policies in McAfee ePO

Configuring permissions sets

Configuring McAfee MOVE AntiVirus settings

Scanning for threats on client computers

Configure deferred scan settings (Multi-Platform only)

Scan diagnosis

The importance of creating a security strategy

Protecting your virtual systems from malware requires a well-planned strategy: define threat prevention and detection, response to threats, and ongoing analysis and tuning.

Prevention — Avoiding threats

Define your security requirements to make sure that your data sources are protected. Then, develop an effective scan strategy to stop intrusions before they gain access to your environment.

Configure these features to prevent intrusions:

Self-Protection — (Multi-Platform only) One of the first things that malware tries to do during an attack is to disable your system security software. Configure Self-Protection for McAfee MOVE AntiVirus (Multi-Platform) to prevent the McAfee MOVE AntiVirus service, files, and registry entries from being stopped or changed.

Common scan options — Enable McAfee MOVE AntiVirus and configure options that apply to all scans, including:

• (Multi-Platform) Quarantine location and the number of days to keep quarantined items before automatically deleting them

• (Agentless) Quarantine network share

Scan Diagnostics client task — Run the scan diagnostic tool or use McAfee ePO to calculate and display frequently scanned files, extensions, processes, and VMs. You can use these results to exclude them from being scanned.


Detection — Finding threats

Develop an effective strategy to detect intrusions when they occur. Configure these features to detect threats:

On-Access Scan — Scan for threats as files are read from or written to disk.

On-Demand Scan — Run immediate and scheduled scans, including scanning for malware-related registry entries that weren't previously cleaned.

Targeted On-Demand Scan — Select a system or a group of systems from the System Tree and initiate the on-demand scan on the target system.

Response — Handling threats

Use product log files, automatic actions, and other notification features to determine the best way to handle detections.

Actions — Configure what happens in response to a detection.

Alerts — Specify how McAfee MOVE AntiVirus notifies you when detections occur, including alerting options and logging.

Tuning — Monitoring, analyzing, and fine-tuning your protection

Monitor and analyze your configuration to improve system and network performance, and enhance virus protection, if needed. Use these tools and features:

Queries, dashboards, and server tasks (McAfee ePO) — Monitor scanning activity and detections.

Log files — View a history of detected items. Analyzing this information might reveal that you must enhance your protection or change the configuration to improve system performance.

Scan policies — Analyze log files or queries and change policies to increase performance or virus protection, if needed. For example, you can improve performance by configuring exclusions, high- and low-risk process scanning, and disabling scan on write.

Scan Diagnostics reports — Run and view these scan diagnostic queries:

• Top 10 Scanned File Extensions for each SVM

• Top 10 Scanned Files for each SVM

• Top 10 Scanned Virtual Machines for each SVM

• (Multi-Platform only) Top 10 Scanned Processes for each SVM

McAfee ePO features leveraged by McAfee MOVE AntiVirus

McAfee MOVE AntiVirus leverages these features in the McAfee ePO environment.

For each McAfee ePO feature, what McAfee MOVE AntiVirus adds:

Policies: Adds predefined policies to the Policy Catalog.

Client tasks: Adds predefined client tasks to the Client Task Catalog.

Dashboards and monitors: Adds predefined dashboards and monitors.

Permission sets: Adds a McAfee MOVE AntiVirus permission group to each permission set.


Queries and reports: Adds predefined queries to the Query list (query names include Multi-Platform, Agentless, and SVM name for easier filtering), and predefined Result Types and Properties for creating and narrowing the scope of custom queries.

Server tasks: Adds predefined server tasks to the Server Tasks list in Automation.

Threat Event Log: Adds McAfee MOVE AntiVirus events that you can filter and view.

About the McAfee ePO System Tree

The System Tree is a graphical representation of how your managed network is organized.

McAfee ePO enables you to automate and customize system organization. The structure that you put in place affects how security policies are inherited and enforced throughout your environment.

You can perform these McAfee MOVE AntiVirus functions from the System Tree.

Function: Policies

MOVE AntiVirus Common 4.5.1 | Options: Includes policy settings to prevent the McAfee MOVE AntiVirus service, files, and registry entries from being stopped or modified. You can also specify the settings required for events and logging for Multi-Platform.

MOVE AntiVirus 4.5.1 | Options: Configures settings that apply to both on-access and on-demand scans.

MOVE AntiVirus 4.5.1 | On Access Scan: When a threat is detected, the on-access scanner responds based on the configurations under this policy.

MOVE AntiVirus 4.5.1 | On Demand Scan: When a threat is detected, the scanner responds based on the configurations under this policy.

MOVE AntiVirus 4.5.1 | Shared Cloud Solutions (Multi-Platform only): The Shared Cloud Solutions policy determines whether files and certificates are blocked or allowed on systems in your environment based on reputation levels.

MOVE AntiVirus 4.5.1 | SVM Manager Settings (Multi-Platform only): Create and assign a policy that specifies which SVM a virtual infrastructure group uses. You can define the SVM auto scale settings, so that the SVM deployment starts automatically depending on the number of clients connecting to the SVM for protection.

MOVE AntiVirus 4.5.1 | SVM Settings: Specifies the scanning settings and performance configurations for the SVM.

Function: Client Tasks (Multi-Platform)

Restore from Quarantine: Performs actions on quarantined items. For example, you can restore an item after downloading a later version of the DAT that contains information that cleans the threat.

Targeted On-Demand Scan: Optimizes file scanning for files whose previous scan timed out for reasons such as large file size, file structure, and file composition.


Scan Diagnostics: Run the scan diagnostic task to easily find frequently scanned files, extensions, and VMs, then use these results to exclude them from being scanned. A good set of exclusions improves the performance of the virtual infrastructure.

Function: Client Tasks (Agentless)

Scan Diagnostics: Run the scan diagnostic task to easily find frequently scanned files, extensions, and VMs, then use these results to exclude them from being scanned. A good set of exclusions improves the performance of the virtual infrastructure.

Targeted On-Demand Scan (Targeted ODS): Optimizes file scanning for files where the previous scan timed out for reasons such as large file size, file structure, and file composition.

Using client tasks with McAfee MOVE AntiVirus

Use client tasks to automate system management in your McAfee ePO environment. For example, you can configure a client task to deploy product updates, run the scan diagnostics task, or run an on-demand scan.

Depending on your permissions, you can use predefined client tasks as is, edit them, or create custom client tasks.

McAfee MOVE AntiVirus adds these predefined client tasks to the Client Task Catalog.

Function: Client Tasks (Multi-Platform)

Restore from Quarantine: Performs actions on quarantined items. For example, you can restore an item after downloading a later version of the DAT that contains information that cleans the threat.

Targeted On-Demand Scan: Optimizes file scanning for files where the previous scan timed out for reasons such as large file size, file structure, and file composition.

Scan Diagnostics: Run the scan diagnostic task to easily find frequently scanned files, processes, extensions, and VMs, then use these results to exclude them from being scanned. A good set of exclusions improves the performance of the virtual infrastructure.

Function: Client Tasks (Agentless)

Scan Diagnostics: Run the scan diagnostic task to easily find frequently scanned files, extensions, and VMs, then use these results to exclude them from being scanned. A good set of exclusions improves the performance of the virtual infrastructure.

For information about creating and using client tasks and the Client Task Catalog, see the McAfee ePO documentation.


Automated installation and deployment

Having multiple installation and deployment methods ensures that you can select the level of automation or customization that best suits your environment.

Automated wizards — Install and deploy the product with preconfigured, default settings and minimal interaction during installation.

McAfee MOVE AntiVirus SVM autoscaling — The security administrator can define the number of backup SVMs that are ready to protect your client systems. Calculate the number of ready SVMs required for the maximum number of clients that need protection at any time of the day. The standby SVMs are automatically deployed based on the backup SVM value. For example, if you specify the backup SVM as 4, two standby SVMs are deployed automatically. Therefore, the McAfee MOVE AntiVirus SVMs automatically scale up and down depending on the number of endpoints connected.

SVM Manager — Automatically assigns McAfee MOVE AntiVirus SVM to (Multi-Platform) clients based on configurable parameters like scan server load, McAfee ePO tags, and IP address ranges.

This is applicable to Multi-Platform only.

Using policies in McAfee ePO

Policies enable you to configure managed products and apply the configuration to systems in your network, all from the McAfee ePO console.

Policies are collections of settings that you create, configure, and apply, then enforce. Most policy settings correspond to settings that you configure for the McAfee MOVE AntiVirus client systems.

Other policy settings are the primary interface for configuring and deploying the McAfee MOVE AntiVirus SVM and its components.

McAfee MOVE AntiVirus adds these categories to the Policy Catalog.

Table 2-1 McAfee MOVE AntiVirus categories

Options: Configures the quarantine manager options that apply to both the on-access scanner and the on-demand scanner. Also specifies the SVM assignment details for Multi-Platform.

On Access Scan: Examines files on the computer as the user accesses them, and provides continuous, real-time detection of threats.

On Demand Scan: Configures the on-demand scan settings for the preconfigured scans that run on the SVM.

Shared Cloud Solutions (Multi-Platform only): Enables you to specify that files and certificates with specific reputations are allowed to perform certain scan actions, as specified by scan rules.

SVM Manager Settings (Multi-Platform only): Configures the SVM Manager and autoscale settings required for SVM deployment and management.

SVM Settings: Specifies settings that apply to SVM configuration, scanning options, on-demand scan configurations required for the SVM, and scan performance.

Table 2-2 McAfee MOVE AntiVirus Common categories

Options: Allows you to configure the settings to defend files, services, and registry keys on virtual machines and to log events and alerts.


In each category, these predefined policies are available:

Table 2-3 McAfee MOVE AntiVirus predefined policies

McAfee Default: Defines the default policy that takes effect if no other policy is applied. You can duplicate this policy, but you can't delete or modify it.

My Default: Specifies predefined settings for the category.

You can use predefined policies as is, edit the My Default policies, or create custom policies.

For information about creating and using policies and the Policy Catalog, see the McAfee ePO documentation.

Create a policy

Policies allow you to describe threat scanning behavior for specific virtual machines.

Before you begin

You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.

By default, policies created in McAfee ePO are not assigned to any groups or systems. When you create a policy, you add a custom policy to the Policy Catalog. You can create policies before or after a product is deployed.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then select MOVE AntiVirus 4.5.1 or MOVE AntiVirus Common 4.5.1 from the drop-down lists.

3 Select Menu | Policy | Policy Catalog, then click New Policy.

4 On the New Policy page, configure the policy settings, then click OK.

5 On the General tab of the Policy Settings page for the new policy, configure the settings to control basic behavior.

6 Click Save.

Assign a policy

You must assign a policy to the client systems for it to take effect.

Before you begin

You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 In the System Tree, select the group containing the virtual machines where you want to apply the policy.


3 Select Menu | Systems | System Tree | Assigned Policies.

4 From the Product drop-down list, select MOVE AntiVirus 4.5.1 or MOVE AntiVirus Common 4.5.1.

5 In the Actions column of the McAfee Default policy, select Edit assignments.

6 In the Inherit from list on the Policy Assignments page, select Break inheritance and assign the policy and settings below.

7 In the Assigned Policy list, select the policy you created.

8 Click Save.

9 To apply the policy immediately, send an agent wake-up call.

The policies are not modified on client systems until the next agent-server communication that includes a Collect and Send Properties operation. This can be initiated from the agent on the client, or by sending an agent wake-up call from McAfee ePO.

How the policy assignment works (Agentless)

VM-based scan configuration is enabled by default. With VM-based scan configuration, the McAfee ePO administrator can enforce unique scan policies, with exclusions, on different groups, resource pools, or specific virtual machines protected by a McAfee MOVE AntiVirus SVM on a hypervisor, even when McAfee Agent is not deployed to the client systems.

The on-access and on-demand scan policies can be applied to SVMs, or to a specific virtual machine or group. With VM-based scan configuration enabled by default, all VMs are protected by the on-access and on-demand scan policies that are assigned to the VM or group.

The on-access and on-demand scan policies can be assigned to the system using system-based assignment or rule-based assignment in McAfee ePO.

Run policy collector (Agentless)

You can run the policy collector to update the target SVMs with the latest on-access and on-demand scan policies. The policies and updates are enforced on the SVMs within the default policy collection interval, which is 60 minutes.

Best practice: We recommend that you set the policy collection interval to suit your environment, so that policies and updates are not pushed to the SVMs at too short an interval.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Automation | MOVE AntiVirus Deployment | Configuration | Server Settings.

2 Click Run next to Run policy collector.

The Policy collection completed successfully message appears on successful collection of the policies.

You can change the policy enforcement interval by navigating to Menu | Automation | MOVE AntiVirus Deployment | Configuration | Server Settings | Edit. You can also view the task log for policy collection (MOVE AntiVirus:Policy collection task) by navigating to Menu | Automation | Server Task Log. The policy collection task log gets updated within the default policy collection interval, which is 60 minutes.

3 Send an agent wake-up call to the target SVMs.


Configuring policies

You can configure the McAfee MOVE AntiVirus client and SVM behavior with policy settings.

Policies for client

• Which SVM a client uses.

• When files are scanned.

• Which files and programs to exclude from scanning.

• Where to send alerts.

• What to do when a threat is found.

• How to handle quarantined files.

• How the SVM operates.

Policies for SVM

• Maximum size of the server cache.

• The number of concurrent scans that an SVM policy can support.

• Which port the SVM listens to for scan requests from clients.

• The number of log files and their size.

• Which types of files to scan.

• McAfee GTI sensitivity level.

• On-demand and on-access scan settings.

Configuring permissions sets

A permission set is a group of access rights granted to a user account for specific features of a product. Permission sets only grant permissions — they never remove a permission.

All permissions to all products and features are assigned automatically to global administrators. Other users must have permission assigned manually. Global administrators can assign existing permission sets when creating or editing user accounts and when creating or editing permission sets.

For more information on permission sets, see the product documentation for your version of McAfee ePO.

McAfee MOVE AntiVirus permission set

The McAfee MOVE AntiVirus software adds sections to the permission sets, including the MOVE AntiVirus SVM Manager role.

Global administrators must grant permissions to users for the MOVE AntiVirus Common, MOVE AntiVirus Deployment, MOVE AntiVirus General, and MOVE AntiVirus Policy Permission sections, because no permissions are granted by default.

Permission section: MOVE AntiVirus Common

View policy and task settings: User can view the policy and task settings that are available under the MOVE AntiVirus Common extension in McAfee ePO.

View and change policy and task settings: User can view and edit the policy and task settings that are available under the MOVE AntiVirus Common extension in McAfee ePO.

Permission section: MOVE AntiVirus Deployment

View/Edit Deployment Configuration: User can view and edit the MOVE AntiVirus Deployment configuration details in McAfee ePO.

Permission section: MOVE AntiVirus General

Run System Tag Info Command: This permission is used by the SVM Manager to fetch the system tag information that is configured and assigned to the client systems.


Permission section: MOVE AntiVirus Policy Permission

View policy and task settings: User can view the policy and task settings that are available under the MOVE AntiVirus extension in McAfee ePO.

View and change policy and task settings: User can view and edit the policy and task settings under the MOVE AntiVirus extension in McAfee ePO.

Other required permissions

The global administrator must give McAfee ePO permissions to handle other areas that work with McAfee MOVE AntiVirus, including queries, dashboards, and the Threat Event Log.

Feature: Required permission sets

Dashboards: Dashboards, Queries and Reports

Queries: Queries and Reports

Policies: System Tree access, Policy Assignment Rules

Events on virtual machines: Systems, System Tree access, Threat Event Log

Using permission sets

A permission set specifies all permissions that apply to one object and controls users' level of access to features.

McAfee MOVE AntiVirus adds a permission group MOVE AntiVirus SVM Manager to each permission set.

Permission groups define the access rights to the features. McAfee ePO grants all permissions for all products and features to global administrators. Administrators then assign user roles to existing permission sets or create permission sets.

Feature: Required permissions

Automatic responses: Automatic Responses, Event Notifications, plus any feature-specific permissions depending on the feature used (such as System Tree or queries).

Client tasks:

• McAfee MOVE AntiVirus (Multi-Platform) Tasks

• McAfee MOVE AntiVirus (Agentless) Tasks

Dashboards and monitors: Dashboards

Policies: McAfee MOVE AntiVirus Policy

Queries: Queries and Reports

Server tasks: Server tasks

System Tree: Systems, System Tree access

Threat Event Log: Systems, System Tree access, Threat Event Log

Configure permission sets

Update the read/write permissions assigned to the user roles defined for your McAfee ePO environment.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | User Management | Permission Sets.

3 Select a user role from the Permission Sets list.

4 Next to any McAfee MOVE AntiVirus permission, click Edit.

5 Select the permission level.

6 Click Save.

Configuring McAfee MOVE AntiVirus settings

Configure settings that apply to all components and features of McAfee MOVE AntiVirus in the MOVE AntiVirus Common 4.5.1 and MOVE AntiVirus 4.5.1 extensions.

Configuring common settings for Multi-Platform

Configure settings that apply to all components and features of McAfee MOVE AntiVirus in the MOVE AntiVirus Common 4.5.1 extension.

These settings include Self-Protection, logging, and events details for Multi-Platform.

Protect McAfee MOVE AntiVirus resources

One of the first things that malware attempts to do during an attack is to disable your system security software. Configure Self-Protection in the Options policy under MOVE AntiVirus Common 4.5.1 to prevent McAfee MOVE AntiVirus services, files, and registry keys from being stopped or modified.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then select MOVE AntiVirus Common 4.5.1 from the Product list.

3 From the Category list, select Options.

4 Click the name of an editable policy.

5 Under Self-Protection, enable these options.

Enable Self-Protection: To prevent McAfee MOVE AntiVirus services, files, and registry keys from being stopped or modified.

Enable Self-Protection for MOVE CLI: To protect the command line utility from being accessed by unauthorized users.

6 Click Save.

Configure logging settings

Configure McAfee MOVE AntiVirus logging in the Options policy under MOVE AntiVirus Common 4.5.1 to retrieve the software deployment and configuration details.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then select MOVE AntiVirus Common 4.5.1 from the Product list.

3 From the Category list, select Options.

4 Click the name of an editable policy.

5 Configure the Logging and Events settings on the page.

6 Click Save.

Configuring exclusions

McAfee MOVE AntiVirus enables you to fine-tune your protection by specifying items to exclude from scanning.

For example, you might need to exclude some file types to prevent a scanner from locking a file used by a database or server. A locked file can cause the database or server to fail or generate errors.

Every item in exclusion lists is mutually exclusive. Each exclusion is evaluated separately from the others in the list.

To exclude a folder on Windows systems, append a backslash (\) character to the path. To exclude a folder on Linux systems, append a forward slash (/) character to the path.

Path exclusions

The McAfee MOVE AntiVirus product allows you to fine-tune the list of file types scanned including individual files, folders, and disks. You might need these exclusions because the scanners might scan and lock a file when that file is being used by a database or server. This might cause the database or server to fail or generate errors.

When specifying the path exclusions, wildcards are supported.

(Windows system) All folder exclusions must end with a backslash (\). For example: C:\temp\test\

If you do not append the backslash (\) to the specified path, a file named test is excluded instead of the folder.

(Linux system) All folder exclusions must end with a forward slash (/). For example: /temp/test/

If you do not append the forward slash (/) to the specified path, a file named test is excluded instead of the folder.

Process exclusions

The McAfee MOVE AntiVirus product also allows you to fine-tune the list of scanned processes. You might need these exclusions because the scanners might scan and lock a process's files while that process is being used by a database or server, which might cause the database or server to fail or generate errors.

When specifying the process exclusions, wildcards are not supported.

Wildcards in exclusions

You can use wildcards to represent characters in exclusions for files, folders, and detection names.


Table 2-4 Valid wildcards

? (question mark): Represents a single character. This wildcard applies only if the number of characters matches the length of the file or folder name. For example, the exclusion W?? excludes WWW, but doesn't exclude WW or WWWW. (Windows system) This wildcard matches one character; for example, ?:\ABC matches C:\ABC and D:\ABC. (Linux system) This wildcard matches one character; for example, /?DEF/ matches /CDEF/.

* (asterisk): Represents multiple characters, except backslash (\). (Windows system) This wildcard matches zero or more characters. For example, C:\ABC\*\XYZ matches C:\ABC\DEF\XYZ and C:\ABC\XYZ.

** (double asterisk): Represents zero or more of any characters, including backslash (\). (Windows system) This wildcard matches zero or more characters. For example, C:\ABC\**\XYZ matches C:\ABC\DEF\XYZ and C:\ABC\XYZ.

(Windows system) Wildcards can appear in front of a backslash (\) in a path. For example, C:\ABC\*\XYZ matches C:\ABC\DEF\XYZ.

(Linux system) Wildcards can appear in front of a forward slash (/) in a path. For example, ?DEF matches /CDEF.

Root-level exclusions (Multi-Platform)

McAfee MOVE AntiVirus requires an absolute path for root-level exclusions. This means that you can't use leading \ or ?:\ wildcard characters to match drive names at the root level.

Instead, you can use leading **\ wildcard characters in root-level exclusions to match drives and subfolders.

For example, **\test\ matches the following:

C:\test\

D:\test\

C:\temp\test\

D:\foo\test\

Root-level exclusions (Agentless)

For Windows systems

McAfee MOVE AntiVirus requires an absolute path for root-level exclusions. You can use leading ?:\ wildcard characters in root-level exclusions to match drives and subfolders.

For example, ?:\test\ matches the following:

C:\test\

D:\test\


System variables (Multi-Platform)

These are the Windows system variables that are supported for Multi-Platform.

System variables are not supported for Agentless.

System variable: Path

%ALLUSERSPROFILE%: C:\ProgramData

%CommonProgramFiles%: C:\Program Files\Common Files

%CommonProgramFiles(x86)%: C:\Program Files (x86)\Common Files (only in 64-bit version)

%CommonProgramW6432%: C:\Program Files\Common Files (only in 64-bit version)

%ProgramData%: %SystemDrive%\ProgramData

%ProgramFiles%: %SystemDrive%\Program Files

%ProgramFiles(x86)%: %SystemDrive%\Program Files (x86) (only in 64-bit version)

%ProgramW6432%: %SystemDrive%\Program Files (only in 64-bit version)

%PUBLIC%: %SystemDrive%\Users\Public

%SystemDrive%: C:\

%SystemRoot%: %SystemDrive%\Windows

%windir%: %SystemDrive%\Windows
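A matcher that models the exclusion rules described in the preceding sections (the trailing separator that distinguishes a folder exclusion from a file exclusion, the ?, * and ** wildcards of Table 2-4, the root-level rules for Multi-Platform and Agentless, and the Multi-Platform system variables in the table above), as an added example that is not McAfee's code and does not claim to be how the product matches internally. It is useful for checking an exclusion list against real paths before deploying it. The example assumes that %SystemDrive% is C:\, that ? never matches a separator, that a folder exclusion covers everything beneath the folder, that a pattern with no separator (such as W??) is compared with the file name only, and that the Linux rules mirror the Windows rules with / as the separator.

```python
"""Exclusion-pattern matcher, as an added example (not McAfee code): models the
wildcards of Table 2-4, the trailing-separator folder rule, the root-level rules
for Multi-Platform and Agentless, and Multi-Platform system-variable expansion."""
import re

SEP = "\\"  # Windows separator; Linux rules are assumed identical with "/"

# Subset of the guide's system-variable table. %SystemDrive% is assumed to be
# C:\ on the protected VM; the other values follow the table literally.
SYSTEM_VARIABLES = {
    "ALLUSERSPROFILE": "C:\\ProgramData",
    "ProgramFiles": "%SystemDrive%\\Program Files",
    "PUBLIC": "%SystemDrive%\\Users\\Public",
    "SystemDrive": "C:\\",
    "SystemRoot": "%SystemDrive%\\Windows",
    "windir": "%SystemDrive%\\Windows",
}
_VAR_RE = re.compile(r"%([^%\\]+)%")


def expand_system_variables(pattern, variables=SYSTEM_VARIABLES):
    """Expand %VAR% tokens case-insensitively and recursively, so %SystemRoot%
    becomes %SystemDrive%\\Windows and then C:\\Windows."""
    lookup = {k.lower(): v for k, v in variables.items()}

    def resolve(m):
        try:
            return lookup[m.group(1).lower()]
        except KeyError:
            raise ValueError(f"unknown system variable %{m.group(1)}%") from None

    for _ in range(10):  # bounded, so a circular definition cannot loop forever
        expanded = _VAR_RE.sub(resolve, pattern)
        if expanded == pattern:
            break
        pattern = expanded
    else:
        raise ValueError("system variable expansion did not converge")
    # "%SystemDrive%\Windows" expands to "C:\\Windows" because the variable
    # already ends in a backslash; collapse the doubled separator after the colon.
    return re.sub(r":\\+", r":\\", pattern)


def pattern_to_regex(pattern, sep=SEP):
    """? is exactly one character (assumed never the separator); * is zero or
    more characters except the separator; ** is zero or more of any characters.
    A "*\\" or "**\\" segment may vanish entirely, so C:\\ABC\\*\\XYZ also matches
    C:\\ABC\\XYZ as the guide states. A trailing separator is a folder exclusion,
    assumed to cover everything beneath the folder."""
    s = re.escape(sep)
    tokens = [("**" + sep, f"(?:.*{s})?"), ("**", ".*"),
              ("*" + sep, f"(?:[^{s}]*{s})?"), ("*", f"[^{s}]*"), ("?", f"[^{s}]")]
    parts, i = [], 0
    while i < len(pattern):
        for literal, regex in tokens:  # longest token first
            if pattern.startswith(literal, i):
                parts.append(regex)
                i += len(literal)
                break
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    if pattern.endswith(sep):
        parts.append(".*")
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern, path, sep=SEP):
    """A pattern with no separator (such as W??) is matched against the file
    name only (assumption); any other pattern is matched against the full path."""
    target = path if sep in pattern else path.rsplit(sep, 1)[-1]
    return pattern_to_regex(pattern, sep).fullmatch(target) is not None


def validate_root_level(pattern, mode, sep=SEP):
    """Root-level rules from the guide. Multi-Platform needs an absolute path
    (no leading \\ or ?:\\; use **\\ to match drives); Agentless allows a
    leading ?:\\ and does not support system variables."""
    if sep == "\\" and pattern.startswith(sep):
        raise ValueError(f"{pattern!r}: root-level exclusions need an absolute path")
    if mode == "multi-platform" and pattern.startswith("?:" + sep):
        raise ValueError(f"{pattern!r}: use a leading **\\ instead of ?:\\ on Multi-Platform")
    if mode == "agentless" and "%" in pattern:
        raise ValueError(f"{pattern!r}: system variables are not supported for Agentless")


def is_excluded(path, patterns, mode="multi-platform", sep=SEP):
    """True if any pattern covers the path. Each pattern is evaluated on its
    own, as the guide states; none depends on the others in the list."""
    for pattern in patterns:
        validate_root_level(pattern, mode, sep)
        if mode == "multi-platform":
            pattern = expand_system_variables(pattern)
        if matches(pattern, path, sep):
            return True
    return False
```

The two cases worth testing before an exclusion list goes live are the ones the guide calls out: C:\temp\test (no trailing backslash) covers only a file named test, not the folder, and a single * cannot cross a backslash, so C:\ABC\*\XYZ misses C:\ABC\DEF\GHI\XYZ while C:\ABC\**\XYZ catches it. An exclusion that is broader than intended silently removes coverage, so it is worth being exact.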

Import path exclusions from Endpoint Security Threat Prevention scan policies

If you are using Endpoint Security Threat Prevention in your environment, you can import the list of path exclusions that are defined under the on-access scan and on-demand scan policies of Endpoint Security Threat Prevention into the McAfee MOVE AntiVirus scan policies.

Before you begin

• You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.

• You installed the Endpoint Security Threat Prevention extension on the McAfee ePO server.

• You have the path exclusions list ready under the On Access Scan and On Demand Scan policies of Endpoint Security Threat Prevention.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.

3 From the Category list, select On Access Scan or On Demand Scan.

From the on-demand scan policy, you can import only the exclusions that are defined under the Full Scan tab.

4 Next to the name of the policy that you want to import path exclusions from, click Export to open the Export page.

5 Next to the Download file, right-click the policy name and select Save link as....

6 From the Save As window, browse to the location and click Save to save the XML file.


7 Select Menu | Policy | Policy Catalog, then select McAfee MOVE AntiVirus 4.5.1 from the Product list.

8 From the Category list, select On Access Scan or On Demand Scan.

9 Click the name of an editable policy.

10 From Path Exclusions under the Exclusions option, click Import... to open the Import Exclusion Path dialog box.

11 Under Select the file to add exclusion path, click Choose File, browse to the location, and select the XML file that you downloaded from Endpoint Security Threat Prevention.

If you want to clear the existing exclusions, select Clear existing exclusions.

12 Click Ok to import the exclusions list.

You can now see that the path exclusions are imported.

13 Click Save to save the changes in the policy.

Configuring client load per SVM (Multi-Platform)

Depending on your environment, you can configure the load type for each of your SVMs, which specifies the workload and activity on the clients. Configure the client load for each SVM in the SVM Settings policy.

The available options are:

Low (More number of clients) — Lower file activity on the clients. The SVM can handle more clients. The default number of clients is 300.

Medium (Moderate number of clients) — Medium file activity on the clients. The default number of clients is 250.

High (Few number of clients) — Higher file activity on the clients. The SVM can handle fewer clients. The default number of clients is 150.

Custom — You can customize the workload and activity for your clients.

We recommend 250, because increasing this value might cause performance issues, scan delays, or both.

Alerts on number of client connections and scan time

You can configure alerts on the number of client connections and the scan time per SVM. Configure the Alert me option for each SVM in the SVM Settings policy.

The available options are:


When number of client connections to the SVM reaches_____% — Specify the SVM capacity level (in percentage) for number of client connections. A warning appears when the number of connected clients is more than this level. Default value is 90.

When average scan time on the SVM exceeds_____seconds — Specify the SVM's average scan time (in seconds). A warning appears when the average scan time on the SVM exceeds this level. Default value is 10 seconds.
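An evaluator for the load-type capacities and the two Alert me thresholds described above, as an added example that is not McAfee's code: it applies the defaults from this section (300/250/150 clients, 90%, 10 seconds) to constructed telemetry for three SVMs and reports which warnings each would raise, which is the calculation an operator does when deciding whether to add SVMs or lower the client load. The SvmAlertSettings and SvmTelemetry names and the sample client counts and scan durations are assumptions; the strict comparisons follow the guide's "more than" and "exceeds" wording, and the 250-client recommendation is applied only to the Custom load type.

```python
"""SVM Settings capacity and alert evaluator, as an added example (not McAfee
code): applies the load-type defaults and the two Alert me thresholds from
this section to constructed per-SVM telemetry."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default client counts for each load type, from the guide.
LOAD_TYPE_CAPACITY = {"Low": 300, "Medium": 250, "High": 150}
RECOMMENDED_MAX_CLIENTS = 250  # the guide's recommendation for a custom value


@dataclass
class SvmAlertSettings:
    """The SVM Settings policy fields this example models."""
    load_type: str = "Medium"
    custom_clients: Optional[int] = None   # used only when load_type == "Custom"
    connection_warning_pct: int = 90       # "When number of client connections ... reaches __%"
    avg_scan_time_warning_s: float = 10.0  # "When average scan time ... exceeds __ seconds"

    def capacity(self) -> int:
        """Client capacity implied by the load type (or the custom value)."""
        if self.load_type == "Custom":
            if not self.custom_clients or self.custom_clients <= 0:
                raise ValueError("Custom load type needs a positive client count")
            return self.custom_clients
        return LOAD_TYPE_CAPACITY[self.load_type]

    def notes(self) -> List[str]:
        """Configuration advice derived from the guide's recommendation."""
        if self.load_type == "Custom" and self.capacity() > RECOMMENDED_MAX_CLIENTS:
            return [f"custom capacity {self.capacity()} exceeds the recommended "
                    f"{RECOMMENDED_MAX_CLIENTS}; expect performance issues or scan delays"]
        return []


@dataclass
class SvmTelemetry:
    """Constructed observation of one SVM: connected clients and recent scan durations."""
    name: str
    connected_clients: int
    scan_durations_s: List[float] = field(default_factory=list)


def evaluate_svm(t: SvmTelemetry, s: SvmAlertSettings) -> List[str]:
    """Warnings the SVM would raise: connections above the percentage level,
    or average scan time above the seconds level. Both comparisons are strict,
    matching the guide's "more than" and "exceeds" wording."""
    warnings = []
    cap = s.capacity()
    used_pct = 100.0 * t.connected_clients / cap
    if used_pct > s.connection_warning_pct:
        warnings.append(f"{t.name}: {t.connected_clients}/{cap} clients "
                        f"({used_pct:.0f}%) above {s.connection_warning_pct}%")
    if t.scan_durations_s:
        avg = sum(t.scan_durations_s) / len(t.scan_durations_s)
        if avg > s.avg_scan_time_warning_s:
            warnings.append(f"{t.name}: average scan time {avg:.1f}s above "
                            f"{s.avg_scan_time_warning_s:g}s")
    return warnings


def evaluate_fleet(fleet: List[SvmTelemetry],
                   settings: Dict[str, SvmAlertSettings]) -> Dict[str, List[str]]:
    """Map each SVM name to its warnings, so an operator sees where to add
    SVMs or lower the client load before scanning slows down."""
    return {t.name: evaluate_svm(t, settings[t.name]) for t in fleet}


# Constructed sample telemetry and per-SVM settings for three SVMs.
SAMPLE_FLEET = [
    SvmTelemetry("svm-01", 230, [2.0, 3.5, 4.0]),     # 92% of a Medium SVM
    SvmTelemetry("svm-02", 100, [12.0, 15.0, 9.0]),   # slow scans on a High SVM
    SvmTelemetry("svm-03", 270, [1.0, 1.5]),          # exactly 90% of a Low SVM
]
SAMPLE_SETTINGS = {
    "svm-01": SvmAlertSettings(),                     # Medium: 250 clients
    "svm-02": SvmAlertSettings(load_type="High"),     # 150 clients
    "svm-03": SvmAlertSettings(load_type="Low"),      # 300 clients
}

if __name__ == "__main__":
    for name, warns in evaluate_fleet(SAMPLE_FLEET, SAMPLE_SETTINGS).items():
        print(name, warns or ["ok"])
```

svm-03 sits at exactly 90% and raises nothing, because the guide's wording is "more than this level"; if you want a warning at the threshold itself, set the percentage one point lower rather than changing the comparison.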

Scanning for threats on client computers

Scanning files for threats when the user accesses them provides protection against intrusions when they occur. Periodically scanning areas of your system most susceptible to infection ensures complete protection.

Types of scans

McAfee MOVE AntiVirus provides two types of scans: on-access scans and on-demand scans.

On-access scan — Configure on-access scans to run on managed endpoints. Whenever you access files, folders, and programs, the on-access scanner checks the operation and scans the item, based on criteria defined by the administrator. On-access scanning provides continuous and real-time detection of threats.

To configure and schedule on-access scans, use the on-access scan policy settings.

On-demand scan — Configure and schedule on-demand scans to run on managed endpoints. This scan type examines all files on virtual machines for potential threats during the time specified.

On-demand scans supplement the continuous protection of on-access scanning. You can also schedule regular scans at times that do not interfere with your work.

To configure and schedule on-demand scans, use these client task settings:

• Targeted On Demand Scan — Allows you to select a system or a group of systems from the System Tree to initiate the on-demand scan.

• Policy-based On-Demand Scan — Schedules the predefined on-demand scans. Configure the behavior of these scans in the policy settings for on-demand scan.

The Options policy includes settings that apply to all scan types.

How McAfee GTI works

If you enable McAfee GTI for the on-access or on-demand scanner, the scanner uses heuristics to check for suspicious files.

The scanner submits fingerprints of samples, or hashes, to a central database server hosted by McAfee Labs to determine if they are malware. By submitting hashes, detection might be made available sooner than the next DAT release, when McAfee Labs publishes the update.

You can configure the sensitivity level that McAfee GTI uses when it determines if a detected sample is malware. The higher the sensitivity level, the higher the number of malware detections. However, allowing more detections can result in more false positive results. The McAfee GTI sensitivity level is set to Medium by default. Configure the sensitivity level for each scanner in the SVM Settings policy.


Excluding items from scans

McAfee MOVE AntiVirus scanners enable you to fine-tune the list of scanned items by specifying items to exclude.

For example, you might need to exclude some file types to prevent a scanner from locking a file used by a key application, database, or server. A locked file can cause the database or server to fail or generate errors.

Scan type: Items to exclude, where to configure, and whether wildcards are supported

On-access scan: Files, file types, folders, and process exclusions. Configure in the On Access Scan policy. Wildcards: Yes.

On-demand scan: Files, file types, and folders. Configure in the On Demand Scan policy. Wildcards: Yes.

Configure common scan settings

To specify settings that apply to both on-access and on-demand scans, configure the MOVE AntiVirus 4.5.1 | Options policy settings.

These common scan settings under the MOVE AntiVirus 4.5.1 | Options policy apply to all scans:

Quarantine Manager (Multi-Platform) — Specifies the quarantine location and the number of days to keep quarantined items before automatically deleting them.

Quarantine network share (Agentless) — Specifies the network share where quarantined files are stored. Make sure that you have write permission to the shared folder.

McAfee MOVE AntiVirus supports only a Windows share path for the quarantine network share. A Linux share path is not supported.

SVM Server Communication (Multi-Platform) — Specifies the scan server port for communicating with the client system.

SVM Assignment (Multi-Platform)

Assign SVM using SVM Manager — Specifies the IP address of the SVM manager for assigning the SVM using SVM Manager.

Assign SVM manually — Specifies the IP address of the SVM to assign the SVM manually.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then select MOVE AntiVirus 4.5.1 from the Product list.

3 From the Category list, select Options.

4 Click the name of an editable policy.

5 Configure settings on the page, then click Save.

On-access scanning

The on-access scanner examines files on the computer as the user accesses them, and provides continuous, real-time detection of threats.

How on-access scanning works

The on-access scanner integrates with the system at the lowest levels (File-System Filter Driver) and scans files where they first enter the system.

The on-access scanner delivers notifications to the System Service interface when detections occur.

When an attempt is made to access or modify a file, the scanner intercepts the operation and takes these actions.

1 Examines the file at the client system.

2 Checks whether any exclusion is defined in the policy. If an exclusion matches the file, access is allowed.

3 If no exclusion matches, the scanner checks whether the file is present in the local cache on the client system. If it is present, access is allowed.

4 If the file is not in the local cache, the scanner checks for publisher trust on the client system. If the publisher trust matches, access is allowed.

5 If the publisher trust does not match, the scanner checks for the file in the global cache on the SVM. If the file is present, access is allowed.

6 If the file is not in the global cache, the scanner compares the information in the file to the known malware signatures in the currently loaded DAT files.

a If the file is clean, the result is cached and the read, write, or rename operation is granted. McAfee MOVE AntiVirus caches the result on both the SVM and the client system.

b If the file contains a threat, the scanner reports the file as malware to the client system, where the configured action is taken.
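The decision order above, modeled as an added Python illustration (this is not McAfee's code and not the agent's real implementation). It applies the checks in the order the guide lists them and takes the exclusion rules, the portable executable types covered by publisher trust, and the SHA-1 keyed clean-result cache with its 40 MB threshold from the policy settings described later in this chapter. The trusted publisher name, the file contents, the process names, and the known-bad hash set standing in for DAT signatures are constructed for the example; copying a global-cache hit into the local cache is an assumption.

```python
import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set

MB = 1024 * 1024
# Default of "Cache scan results for files smaller than ____ MB" in the guide.
CACHE_MAX_BYTES = 40 * MB
# Portable executable extensions covered by Publisher Exclusions (from the guide).
PE_EXTENSIONS = {"cpl", "exe", "dll", "ocx", "sys", "scr", "drv", "efi", "fon"}


def sha1_hex(data: bytes) -> str:
    """Cache key: the guide says clean results are cached by SHA-1 checksum."""
    return hashlib.sha1(data).hexdigest()


@dataclass
class Policy:
    path_exclusions: List[str]                  # wildcards allowed, e.g. "*.log"
    process_exclusions: Set[str]                # exact process names, no wildcards
    trusted_publishers: Set[str]                # publishers accepted by Publisher Trust
    scan_extensions: Optional[Set[str]] = None  # "Following only" list (no periods), None = all


@dataclass
class FileAccess:
    path: str
    data: bytes
    process: str                     # process performing the access
    publisher: Optional[str] = None  # signer name; assumed already verified (hypothetical)


@dataclass
class Scanner:
    policy: Policy
    known_bad: Set[str]                                   # stand-in for DAT signatures
    local_cache: Set[str] = field(default_factory=set)    # client-side clean results
    global_cache: Set[str] = field(default_factory=set)   # SVM-side clean results
    scans_sent_to_svm: int = 0

    def decide(self, f: FileAccess) -> str:
        """Return the verdict and the stage that produced it, in the guide's order."""
        name = f.path.replace("\\", "/").rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        # Step 2: exclusions. Nothing below runs for an excluded file, so an
        # excluded path or process is never hashed, cached, or seen by the SVM.
        if f.process.lower() in {p.lower() for p in self.policy.process_exclusions}:
            return "allow:process-excluded"
        if any(fnmatch.fnmatchcase(f.path.lower(), pat.lower())
               for pat in self.policy.path_exclusions):
            return "allow:path-excluded"
        if self.policy.scan_extensions is not None and ext not in self.policy.scan_extensions:
            return "allow:not-in-scan-list"
        digest = sha1_hex(f.data)
        # Step 3: local cache on the client.
        if digest in self.local_cache:
            return "allow:local-cache"
        # Step 4: publisher trust, only for the PE types the option covers.
        if ext in PE_EXTENSIONS and f.publisher in self.policy.trusted_publishers:
            return "allow:publisher-trusted"
        # Step 5: global cache on the SVM (assumption: a hit is also kept locally).
        if digest in self.global_cache:
            self.local_cache.add(digest)
            return "allow:global-cache"
        # Step 6: the SVM scans the file against the loaded DAT signatures.
        self.scans_sent_to_svm += 1
        if digest in self.known_bad:
            return "deny:malware"          # 6b: the configured action applies
        if len(f.data) < CACHE_MAX_BYTES:  # 6a: clean result cached on client and SVM
            self.local_cache.add(digest)
            self.global_cache.add(digest)
        return "allow:clean"


if __name__ == "__main__":
    # Constructed sample policy and accesses, for demonstration only.
    policy = Policy(["*.log"], {"sqlservr.exe"}, {"Example Corp"})
    bad = b"constructed malicious sample"
    scanner = Scanner(policy, known_bad={sha1_hex(bad)})
    for access in (FileAccess("C:\\app\\app.log", b"text", "notepad.exe"),
                   FileAccess("C:\\tmp\\a.bin", b"hello", "explorer.exe"),
                   FileAccess("C:\\tmp\\a.bin", b"hello", "explorer.exe"),
                   FileAccess("C:\\tmp\\m.bin", bad, "explorer.exe")):
        print(access.path, "->", scanner.decide(access))
```

The detail worth noticing is the order: an excluded path or process returns before the file is even hashed, so the caches, publisher trust, and the SVM never see it. A broad wildcard exclusion is therefore a complete blind spot, not a performance hint; keep such patterns as narrow as the application requires.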

On-access scanning with TIE and ATD enabled

1 The on-access scanner goes through steps 1 through 4 of How on-access scanning works.

2 If the publisher trust does not match:

a The client looks for the reputation in the global cache on the SVM. If the reputation is available, the action is taken according to the Shared Cloud Solutions policy assigned to the system.

b If the reputation is not available in the global cache on the SVM, the client sends the file hash to the SVM for a TIE lookup.

c The SVM checks its reputation cache for the file hash. If the hash is found, the SVM returns the cached reputation to the client and the action is taken.

d (SVM connected to TIE) If the file hash is not found in the SVM cache and the TIE server does not have a reputation:

• (Advanced Threat Defense present) If the policy on the endpoint determines that the file must be sent to Advanced Threat Defense, the server sends the file for further analysis. To send the file to Advanced Threat Defense, these requirements must be met:

- The Advanced Threat Defense (ATD) option is configured under the Shared Cloud Solutions policy on the McAfee ePO server.

- The file is smaller than 10 MB.

• The TIE server returns the file hash's reputation to the SVM once Advanced Threat Defense has analyzed the file and returned its data.

3 McAfee MOVE AntiVirus takes action based on the Shared Cloud Solutions policy assigned to the system that is running the file.

4 The SVM sends threat details as threat events to McAfee ePO.

Changing when files are scanned

You can change the client policy to determine which files are scanned for threats and when.

By default, files are scanned when they are read from or written to disk, or when opened for backup.

The McAfee Agent program files and the User Profile Manager process are excluded from scans.

When files are written to disk, the on-access scanner scans these files:

• Incoming files written to the local drive.

• Files (new, changed, or files copied or moved from one drive to another) created on the local drive or a mapped network drive (if enabled with Multi-Platform).

When files are read from disk, the scanner examines these files:

• Outgoing files read from the local drive or mapped network drives (if enabled with Multi-Platform).

• Files trying to execute a process on the local drive.

• Files opened on the local drive.

Depending on your environment, selecting On network drives can degrade network performance.

Configure on-access scan policy settings

These settings enable and configure on-access scanning, which includes specifying messages to send when a threat is detected and different settings based on process type.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then select MOVE AntiVirus 4.5.1 from the Product list.

3 From the Category list, select On-Access Scan.

4 Click the name of an editable policy.

5 Click Show Advanced.

6 Select Enable On-Access Scan to enable the on-access scanner and modify options.

7 Configure these settings to control which files are scanned.

Scan — Select any combination of:

• When writing to disk

• When reading from disk

• On network drives

• Opened for backup (Multi-Platform only)

Depending on your environment, selecting On network drives can degrade network performance.

The supported file systems for Linux client systems are ext2, ext3, ext4, btrfs, cifs, vfat, ISO9660, xfs, and nfs.

File types to scan — Select one of:

All files — Scans all files.

Default + Additional files (Multi-Platform only) — Scans the default file types plus any additional file types you add. You can add, edit, and remove the additional file types included for scanning. This option is selected by default.

Following only — Scans only the file extensions you list. You can add, edit, and remove the extensions included for scanning. Wildcards are supported; otherwise the extension must match exactly. Do not include the period when specifying extensions.

Archive and MIME-encoded files are not scanned by default. To change this behavior, modify the SVM Settings policy.

For more information about how to use wildcards when creating exclusions in VirusScan Enterprise or McAfee MOVE AntiVirus, see McAfee KnowledgeBase article KB54812.

Exclusions

Path Exclusions — Add them to the Path Exclusions list.

McAfee MOVE AntiVirus lets you fine-tune what is scanned by excluding individual files, folders, and disks. You might need these exclusions because a scanner can lock a file while it is being used by a database or server, which can cause the database or server to fail or generate errors. Every exclusion is also a gap in coverage: an excluded path is never hashed, cached, or sent to the SVM, so keep exclusions as narrow as the application requires.

When specifying the exclusions:

• Wildcards are supported for path exclusions.

• (Multi-Platform only) Windows system variables are supported; see System variables for the list of supported system variables.

• (Agentless only) System variables are not supported.

Using the Import option, you can browse to and select an exclusion rule file and add its path exclusions.

A path exclusion entry *.log is available so that log files on the endpoints are not scanned. This improves the scanning performance of the client system.

Process Exclusions — Add them to the Process Exclusions list.

Process exclusions let you exclude the listed processes from on-access scanning. You might need these exclusions because a scanner can lock a file while a database or server process is using it, which can cause the database or server to fail or generate errors.

Wildcards are not supported for process exclusions; specify the exact process name.

Publisher Exclusions — You can choose to trust authenticated, signed files from selected publishers. Fewer files are then sent from the endpoints to the SVM for scanning, which improves scanning performance through better use of SVM resources.

These portable executable extensions are covered by this option: .cpl, .exe, .dll, .ocx, .sys, .scr, .drv, .efi, .fon

Certificate revocation check — Used by the Windows Publisher Trust feature. Configure it with one of these options:

none — McAfee MOVE AntiVirus performs no certificate revocation check. A file signed with a revoked certificate is still trusted.

for end certificate locally — McAfee MOVE AntiVirus checks whether the end (leaf) certificate of the file is valid or has been revoked, using the CRL cache that Windows maintains locally.

for full certificate chain locally — McAfee MOVE AntiVirus checks the complete certificate chain of the digitally signed file against the CRL cache that Windows maintains locally.

for end certificate locally as well as by getting CRL from the issuing CA — McAfee MOVE AntiVirus checks the local Windows CRL cache and also retrieves the issuing CA's (certificate authority's) CRL over the network. This is the only option that can detect a revocation not yet present in the local cache, at the cost of a network request.

8 On the Actions tab, configure Threat detection first response. Make sure that you select both a first action and a secondary action.

Available first actions:

Delete files automatically and quarantine — When a threat is detected, deletes the file and quarantines a copy in the specified location.

(Agentless only) If no quarantine policy is configured, the Delete files automatically and quarantine action does not occur even if it is configured as the primary action.

Delete files automatically — When a threat is detected, deletes the file.

Deny access to files — Prevents the user from accessing the file.

Available secondary action:

Deny access to files — Prevents the user from accessing the file.

9 Click Save to store the policy.

On-demand scanning

The on-demand scanner examines the client systems for potential threats at regular intervals or at convenient times.

Use on-demand scans to supplement the continuous protection of the on-access scanner, such as to scan latent and inactive processes. You can also schedule regular scans at times that do not interfere with your work.

How on-demand scanning works

The on-demand scanner searches files, folders, and the registry for any malware that might have infected the computer.

You decide when and how often on-demand scans occur. You can scan at a scheduled time, or at startup.

For each file in the scan target, the on-demand scanner takes these actions:

1 Examines the file at the client system.

2 Checks whether any exclusion is defined in the policy. If an exclusion matches the file, the file is skipped.

3 If no exclusion matches, the scanner checks whether the file is present in the local cache on the client system. If it is present, the file is passed as clean.

4 If the file is not in the local cache, the scanner checks for publisher trust on the client system. If the publisher trust matches, the file is passed as clean.

5 If the publisher trust does not match, the scanner checks for the file in the global cache on the SVM. If the file is present, the file is passed as clean.

6 If the file is not in the global cache, the scanner compares the information in the file to the known malware signatures in the currently loaded DAT files.

a If the file is clean, the result is cached. McAfee MOVE AntiVirus caches the result on both the SVM and the client system.

b If the file contains a threat, the scanner reports the file as malware to the client system, where the configured action is taken.

For example, if the action is configured to Delete files automatically and quarantine (the default setting), the scanner:

• Deletes items that are detected as threats and saves copies in a non-executable format to the Quarantine folder.

• Records the results in the activity log.

• Notifies the user that it detected a threat in the file, and includes the item name and the action taken.

7 If the file doesn't meet the scanning requirements, the scanner doesn't check it. The scanner continues until all data is scanned.

The on-demand scan detection list is cleared when the next on-demand scan starts.

On-demand scanning with TIE and ATD enabled

1 The on-demand scanner goes through steps 1 through 4 of How on-demand scanning works.

2 If the publisher trust does not match:

a The client looks for the reputation in the global cache on the SVM. If the reputation is available, the action is taken according to the Shared Cloud Solutions policy assigned to the system.

b If the reputation is not available in the global cache on the SVM, the client sends the file hash to the SVM for a TIE lookup.

c The SVM checks its reputation cache for the file hash. If the hash is found, the SVM returns the cached reputation to the client and the action is taken.

d (SVM connected to TIE) If the file hash is not found in the SVM cache and the TIE server does not have a reputation:

• (Advanced Threat Defense present) If the policy on the endpoint determines that the file must be sent to Advanced Threat Defense, the server sends the file for further analysis. To send the file to Advanced Threat Defense, these requirements must be met:

- The Advanced Threat Defense (ATD) option is configured under the Shared Cloud Solutions policy on the McAfee ePO server.

- The file is smaller than 10 MB.

• The TIE server returns the file hash's reputation to the SVM once Advanced Threat Defense has analyzed the file and returned its data.

3 McAfee MOVE AntiVirus takes action based on the Shared Cloud Solutions policy assigned to the system that is running the file.

4 The SVM sends threat details as threat events to McAfee ePO.

Optimizing the scanning performance on systems

To minimize the impact that on-demand scans have on a system, specify performance options when configuring these scans.

Enable and configure on-demand scans

You can modify the on-demand scan policy to enable system on-demand scans, and to determine the schedule and frequency of scans.

Before you begin

You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.

By default, on-demand scans are not enabled. Other scan settings (for example, exclusions) are inherited from the client scan policy.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then from the Product list select MOVE AntiVirus 4.5.1.

3 From the Category list, select On Demand Scan.

4 Click the name of an editable policy.

5 Configure these settings, then click Save.

Enable On-demand Scan — Select Enable on-demand scan, then configure:

Specify maximum time for each file scan ____ seconds — Enter the appropriate amount for your environment. We recommend 45. This is the time that the McAfee MOVE AntiVirus Agent waits for the scan response for a file from the SVM. Typically, file scans are fast, but a scan can take longer because of large file size, file type, or heavy load on the SVM. If a file scan takes longer than this timeout, access to the file is allowed and a scan timeout event is generated. Because a timeout fails open, monitor scan timeout events when you tune this value.

Run on-demand scan for every ____ days — Enter the appropriate amount for your environment. We recommend 7.

On-demand scan will stop after ____ minutes — The amount of time to wait for a scan to complete, in minutes. Defaults to 150 minutes.

Cache scan results for files smaller than ____ MB (Multi-Platform only) — Set the maximum file size (in MB) up to which scan results are cached. Defaults to 40 MB. Files smaller than this threshold are copied completely to the SVM and scanned; if a file is found to be clean, its scan result is cached by its SHA-1 checksum for faster future access. Files larger than this threshold are transferred in chunks that the SVM requests, and scanned.

File Types to Scan — Select one of:

All files — Scans all files. This option is selected by default.

Default + Additional files (Multi-Platform only) — Scans the default file types plus any additional file types you add. You can add, edit, and remove the additional file types included for scanning.

Following only — Scans only the file extensions you list. You can add, edit, and remove the extensions included for scanning. Wildcards are supported; otherwise the extension must match exactly. Do not include the period when specifying extensions.

Archive and MIME-encoded files are not scanned by default. To change this behavior, modify the SVM Settings policy.

For more information about how to use wildcards when creating exclusions in VirusScan Enterprise or McAfee MOVE AntiVirus, see McAfee KnowledgeBase article KB54812.

Path Exclusions — Add them to the Path Exclusions list.

Excluding scan items — McAfee MOVE AntiVirus lets you fine-tune what is scanned by excluding individual files, folders, and disks. You might need these exclusions because a scanner can lock a file while it is being used by a database or server, which can cause the database or server to fail or generate errors.

When specifying the exclusions:

• Wildcards are supported.

• (Multi-Platform only) Windows system variables are supported; see System variables for the list of supported system variables.

• (Agentless only) System variables are not supported.

Using the Import option, you can browse to and select an exclusion rule file and add its path exclusions.

A path exclusion entry *.log is available so that log files on the endpoints are not scanned. This improves the scanning performance of the client system.

On-demand scan events and log details

McAfee MOVE AntiVirus generates various alerts for the on-demand scan. You can view the on-demand scan (ODS) statuses and event logs in McAfee ePO and on client systems.

The log files for on-demand and on-access scans are in the installation directory.

In the client log file, search for terms such as ODS: start scan and ODS: scan complete to find the status of an on-demand scan.

(Multi-Platform only) You can also view the ODS status in the local system's Windows Event Log on the client system (for example: On-Demand Scan Started on winvistax64mp.moveauto.com using engine version 5600.1067 and dat version 7203.0000).

McAfee MOVE AntiVirus generates alerts for on-demand scans. These alerts can be displayed in any of three locations:

• The local system's Windows Event Log

• The McAfee ePO Threat Event Log

• The local system, as a McAfee notification area pop-up

Table 2-5 Server on-demand scan events (Multi-Platform)

Event ID   Event message
36984      On-demand scan started.
36985      On-demand scan completed.
36986      On-demand scan terminated. Scan time limit reached.
36987      On-demand scan terminated. Scan disabled in policy.
36988      On-demand scan terminated. Exceeded maximum number of concurrent scans.
36989      High on-demand scan terminated. Scan failure on client.
36990      High on-demand scan terminated. Unexpected termination.
37009      Threat detected.

Table 2-6 Server on-demand scan events (Agentless)

Event ID   Event message
37055      On-demand scan started.
37056      On-demand scan completed.
37057      On-demand scan found malware.
37058      On-demand scan failed to start.
37059      On-demand scan terminated. Scan time limit reached.
37060      On-demand scan terminated. Scan target powered off.
37061      On-demand scan terminated. Scan disabled in policy.
37062      On-demand scan resumed.
37076      Malware detected and successfully deleted.
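A way to put Tables 2-5 and 2-6 to work, as an added example that is not part of the guide or of the product: a small Python triage over exported scan events that folds the event stream into one record per host and lists the hosts whose latest scan did not complete or that reported a threat. The event IDs and messages are the ones in the tables; the line layout ("timestamp host=<name> event=<id>") and the sample events are constructed for this example and are not the real McAfee ePO export format.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Event IDs and messages from Table 2-5 (Multi-Platform) and Table 2-6 (Agentless).
EVENTS = {
    36984: "On-demand scan started.",
    36985: "On-demand scan completed.",
    36986: "On-demand scan terminated. Scan time limit reached.",
    36987: "On-demand scan terminated. Scan disabled in policy.",
    36988: "On-demand scan terminated. Exceeded maximum number of concurrent scans.",
    36989: "On-demand scan terminated. Scan failure on client.",
    36990: "On-demand scan terminated. Unexpected termination.",
    37009: "Threat detected.",
    37055: "On-demand scan started.",
    37056: "On-demand scan completed.",
    37057: "On-demand scan found malware.",
    37058: "On-demand scan failed to start.",
    37059: "On-demand scan terminated. Scan time limit reached.",
    37060: "On-demand scan terminated. Scan target powered off.",
    37061: "On-demand scan terminated. Scan disabled in policy.",
    37062: "On-demand scan resumed.",
    37076: "Malware detected and successfully deleted.",
}
STARTED = {36984, 37055, 37062}
COMPLETED = {36985, 37056}
INCOMPLETE = {36986, 36987, 36988, 36989, 36990, 37058, 37059, 37060, 37061}
THREAT = {37009, 37057, 37076}

# Constructed line layout for this example (not the real ePO export format):
# "<timestamp> host=<system name> event=<event id>"
LINE_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+event=(\d+)$")

# Constructed sample events: one clean scan, one scan cut off by the time
# limit, one Agentless scan that found malware, and one scan with no end.
SAMPLE_LOG = """\
2017-05-01T02:00:00 host=vm-web01 event=36984
2017-05-01T02:30:00 host=vm-web01 event=36985
2017-05-01T02:00:00 host=vm-db02 event=36984
2017-05-01T04:30:00 host=vm-db02 event=36986
2017-05-01T02:00:00 host=vm-app03 event=37055
2017-05-01T02:05:00 host=vm-app03 event=37057
2017-05-01T02:40:00 host=vm-app03 event=37056
2017-05-01T03:00:00 host=vm-file04 event=36984
"""


def triage(lines: Iterable[str]) -> Dict[str, dict]:
    """Fold the event stream into one record per host.

    last: "started" (running, or never finished), "completed", or
    "incomplete: <reason>"; threats: number of detection events seen.
    """
    hosts = defaultdict(lambda: {"last": "none", "threats": 0, "unknown": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an event line
        host, eid = m.group(2), int(m.group(3))
        rec = hosts[host]
        if eid in STARTED:
            rec["last"] = "started"
        elif eid in COMPLETED:
            rec["last"] = "completed"
        elif eid in INCOMPLETE:
            rec["last"] = "incomplete: " + EVENTS[eid]
        elif eid in THREAT:
            rec["threats"] += 1
        else:
            rec["unknown"].append(eid)  # ID not in the tables: worth a look
    return dict(hosts)


def needs_attention(summary: Dict[str, dict]) -> List[str]:
    """Hosts whose latest scan did not complete, or that reported a threat.

    A terminated scan (time limit, policy, concurrency cap, client failure)
    left part of the target unscanned, so it is a coverage gap, not a status.
    """
    return sorted(h for h, r in summary.items()
                  if r["last"] != "completed" or r["threats"] > 0)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for host in needs_attention(result):
        print(host, result[host])
```

A host left in the "started" state may simply still be scanning; compare the start timestamp against the On-demand scan will stop after value before treating it as a failure. The terminated events are the ones to alert on, since each of them means a scheduled scan ended before covering its target.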

Targeted on-demand scan

The targeted on-demand scan feature lets the administrator select a system or a group of systems and initiate an on-demand scan on those target systems.

When the administrator initiates a targeted on-demand scan on a client system, McAfee Agent schedules the client task (targeted on-demand scan) on that system. The SVM picks up the client task and runs the on-demand scan on the client system when a targeted on-demand scan slot is available. McAfee Agent monitor shows statuses such as TODSTask becomes active, TODSTask is successful, and TODSTask is finished, but these are task statuses, not the actual on-demand scan statuses. You can view the on-demand scan statuses and event logs in McAfee ePO and on client systems. For details, see On-demand scan events and log details in this guide.

The SVM runs at most the number of concurrent targeted on-demand scans per SVM defined by the administrator. When the SVM has reached that maximum, a newly initiated targeted on-demand scan runs later, when a targeted on-demand scan slot becomes available.

Example 1:

Consider a scenario where:

• Restrict number of on-demand scans to ____ per SVM is set to 2

• Restrict number of targeted on-demand scans to ____ per SVM is set to 2

• No on-demand scan is currently running

• Two targeted on-demand scans are currently running

With these assumptions, if you initiate one more targeted on-demand scan, it starts when one of the existing targeted on-demand scans completes.

Example 2:

Consider a scenario where:

• Restrict number of on-demand scans to ____ per SVM is set to 2

• Restrict number of targeted on-demand scans to ____ per SVM is set to 2

• One or two on-demand scans are currently running

• Two targeted on-demand scans are currently running

With these assumptions, if you initiate one more targeted on-demand scan, it starts when one of the existing targeted on-demand scans completes. In both examples only the targeted scan limit matters; the regular on-demand scans running in Example 2 do not change when the new targeted scan starts.

Configure targeted on-demand scans

Change the SVM Settings policy to enable on-demand scanning, and to set the concurrent scan value as needed.

Before you begin

You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.

By default, on-demand scans are disabled. Other scan settings (for example, exclusions) are inherited from the client on-demand scan policy.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then from the Product list select MOVE AntiVirus 4.5.1.

3 From the Category list, select SVM Settings.

4 Click the name of an editable policy.

5 Under Concurrent on-demand scans, configure this setting, then click Save.

Restrict number of targeted on-demand scans to ____ per SVM — Enter the appropriate value for your environment. The default value is 1; increasing this value reduces performance.

Create and run targeted on-demand scan

Select a system or a group of systems from the System Tree and initiate the targeted on-demand scan.

Before you begin

• You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.

• You enabled the Enable on-demand scan option under the On Demand Scan policy.

• You configured Restrict number of targeted on-demand scans to_____per SVM under the SVM Settings policy.

• A new ODS does not start if an ODS is currently running on the targeted system.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree.

3 Select the VMs on which you want to run the targeted on-demand scan.

4 From Actions, select Targeted ODS [MOVE].

On McAfee ePO 5.1.3, the Schedule page is not available and the targeted on-demand scan runs immediately on the targeted systems.

(Agentless) If any target VM is powered off, McAfee ePO sends the task once the VM is powered on, and the SVM then initiates the scan.

5 On the Schedule page, schedule the task and click Next.

6 On the Summary page, review the task details and click Save to run the on-demand scan.

Create and run a targeted on-demand scan client task (Multi-Platform)

Select a system or a group of systems from the System Tree and assign a client task to initiate the targeted on-demand scan.

Before you begin

• You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.

• You enabled the Enable on-demand scan option under the On Demand Scan policy.

• You configured Restrict number of targeted on-demand scans to_____per SVM under the SVM Settings policy.

• A new ODS does not start if the ODS is already running on the targeted system.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Policy | Client Task Catalog.

3 From Client Task Types, select MOVE AntiVirus 4.5.1 | Targeted On-Demand Scan [Multi-Platform].

4 Click the name of an existing client task, or click New Task and confirm the task type.

5 Configure the Task Name and Description, then click Save.

6 Click Assign, specify the systems where you want to assign the task, then click OK.

7 Click Schedule to schedule the task.

Configure deferred scan settings (Multi-Platform only)

The deferred scan feature optimizes file scanning for files where the previous scanning timed out because of large file size, file structure, or file composition.

Before you begin

You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.

Whenever the previous on-access scanning timed out, the scanning for a file starts again with an increased or new timeout depending on the file size. You can configure this timeout value and the file size using the McAfee ePO server.

For an on-demand scan, the scanning for a file starts according to the timeout based on file size value specified in the deferred scan policy.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, select MOVE AntiVirus 4.5.1 from the Product drop-down menu, then select On-Access Scan or On-Demand Scan from the Category drop-down list.

3 Click New Policy, or click the name of an existing policy to edit it.

4 Type a name for the new policy (for example, MOVE AV Scan Policy), then click OK.

5 Under Deferred Scan (Multi-Platform only), select Enable on-access deferred scan or Enable on-demand deferred scan, configure these file size ranges and scan timeout values, then click Save.

File size range              Scan timeout
> 40 MB and <= 200 MB        480 seconds
> 200 MB and <= 4096 MB      900 seconds
> 4096 MB                    1800 seconds

Client notifications for deferred scan

If the deferred scan is still incomplete when the maximum timeout is reached, access to the file is allowed. This is a fail-open condition: the file is released without a verdict, so treat the timeout notification as a prompt to review the file size ranges and timeouts rather than as a clean result.

These client notifications appear to the user on the client system for successful on-access scanning or scan timeouts:

• Deferred scan completed for file <C:\Test\file name>. File is safe to access.

• Deferred scan is in progress for file <C:\Test\file name>. (A thread in svchost.exe process took 45 seconds for scanning. Hence, access denied.)

• Deferred scan is timed out for file <C:\Test\file name>. Hence, access allowed.

• Deferred scan failed for file <C:\Test\file name> due to some internal error. Hence, access denied.

• Deferred scan failed for file <C:\Test\file name>. Hence, access denied.

• Access Denied: Deferred scan is in progress for file <C:\Test\file name>.

• Deferred scan completed for file <C:\Test\file name>. File is not accessible.

• Deferred scan completed for file <C:\Test\file name>. File is deleted.

The client notifications do not appear for on-demand scans.

Scan diagnosis

You can run the scan diagnostic tool or use McAfee ePO to calculate and display a list of the files, extensions, and VMs that are scanned most frequently. You can add these results to the path exclusion policies to exclude them from scanning. Review each candidate before excluding it: an excluded path is never scanned again, so prefer specific files or extensions over whole directories.

Identify frequently scanned items from McAfee ePO (Agentless)

Select an SVM or a group of SVMs from the System Tree and assign a client task to calculate and display the most frequently scanned files, extensions, and VMs. You can add these results to the path exclusion policies to exclude them from scanning.

Before you begin

You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.


McAfee Management for Optimized Virtual Environments AntiVirus 4.5.1

Product Guide


Task

For details about product features, usage, and best practices, click ? or Help.

1

Log on to McAfee ePO as an administrator.

2

Select Menu | Policy | Client Task Catalog.

3

From Client Task Types, select MOVE AntiVirus 4.5.1 | Scan Diagnostics [Agentless].

4

Click the name of an existing client task or click New Task and confirm the task type.

5

Configure these settings on each tab, then click Save.

Tab              Description
Task Name        Specifies a unique name for the task.
Description      Specifies a description about the task.
Diagnosis Time   Specifies the time period, in minutes, for calculating the frequently scanned files (for example, 1–10 minutes).

6

Click Assign, specify the SVM where you want to assign the task, then click OK.

7

Click Schedule to schedule the task.

At the end of the specified time, McAfee ePO completes the analysis and displays the results. The default time limit is 10 minutes.

8

Select Menu | Reporting | Queries & Reports, then select MOVE AntiVirus 4.5.1 [Agentless] under McAfee Groups to view and run these scan diagnostic queries:

• MOVE AntiVirus: Top 10 Scanned File Extensions for each SVM — Lists the top 10 file extensions scanned by the SVM.

• MOVE AntiVirus: Top 10 Scanned Files for each SVM — Lists the top 10 files scanned by the SVM.

• MOVE AntiVirus: Top 10 Scanned Virtual Machines for each SVM — Lists the top 10 virtual machines that send the most scan and checksum requests.

Identify frequently scanned items from command line (Agentless)

Use the scan diagnostic command line tool to calculate and display frequently scanned files, extensions, and VMs on an Agentless SVM. You can include these results in the path exclusion policies to exclude them from being scanned.

Before you begin

• Make sure that the user is a root user, or has sudo permissions.

• The name of the VM is resolved only when the vCenter is successfully registered in the SVM Settings policy using McAfee ePO. Otherwise, only the VM ID appears.

Access the command line interface (CLI) of the SVM to create and display this report.

This diagnostic tool captures these details:

• Top 10 file scan requests.

• Top 10 file extensions.

• Top 10 virtual machines that are sending scan and checksum requests.


Task

1

To calculate the frequently scanned files, run the command:

To calculate the frequently scanned files, run the tool from its installation directory:

    cd /opt/McAfee/move/bin
    sudo ./scan_diagnostic

or, equivalently, by full path:

    sudo /opt/McAfee/move/bin/scan_diagnostic

These parameters are available:

Option           Definition
--help           Shows how to use the command and its options.
--time arg       Specifies the time period, in seconds, for calculating the frequently scanned files (for example, 60 seconds).
--elements arg   Specifies the number of entries to capture and display in the result.
--path arg       Specifies the output folder path. The default path is /opt/McAfee/move/log.

At the end of the specified time, the tool completes the analysis and displays the results. The default time window is 1 minute (60 seconds).

2

(Optional) Change the time limit by editing the svaconfig.xml file located at /opt/McAfee/move/etc/.

To stop the scan diagnostic tool while it is collecting the data, use the Ctrl+C keys.


Identify frequently scanned items from McAfee ePO (Multi-Platform)

Select one or a group of SVMs from the System Tree and assign a client task to calculate and display frequently scanned files, extensions, processes, and VMs. You can include these results in the path exclusion policies to exclude them from being scanned.

Before you begin

You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.

Task

For details about product features, usage, and best practices, click ? or Help.

1

Log on to McAfee ePO as an administrator.

2

Select Menu | Policy | Client Task Catalog.

3

From MOVE AntiVirus 4.5.1 under Client Task Types, select Scan Diagnostics [Multi-Platform].

4

Click the name of an existing client task or click New Task, then confirm the task type.

5

Configure these settings on each tab, then click Save.

Task Name — Specifies a unique, user-friendly name for the task.

Description — Specifies a user-friendly description of the task.

Diagnosis Time — Specifies the time period, in minutes, for calculating the frequently scanned files (for example, 1–10 minutes).

6

Click Assign, select one or a group of SVMs where you want to assign the task, then click OK.

7

Click Schedule to schedule the task.

At the end of the specified time, the McAfee ePO server completes the analysis and displays the results. The default time limit is 10 minutes.

8

Select Menu | Reporting | Queries & Reports and select MOVE AntiVirus 4.5.1 [Multi-Platform] under McAfee Groups to view and run these scan diagnostic queries:

• MOVE AntiVirus: Top 10 Scanned File Extensions for each SVM — Lists the top 10 file extensions scanned by the SVM.

• MOVE AntiVirus: Top 10 Scanned Files for each SVM — Lists the top 10 files scanned by the SVM.

• MOVE AntiVirus: Top 10 Scanned Processes for each SVM — Lists the top 10 processes scanned by the SVM.

• MOVE AntiVirus: Top 10 Scanned Virtual Machines for each SVM — Lists the top 10 virtual machines that send the most scan and checksum requests.

This data is rolled over every 7 days.

Identify frequently scanned items from command line (Multi-Platform)

The scan diagnostic tool calculates and displays frequently scanned processes, files, extensions, and VMs. You can include these files in the path and process exclusion policies. Files covered by a process exclusion are excluded from scans when they are written by a trusted process.

Before you begin

You must have administrator permissions to perform this task.


Access the SVM command-line interface (CLI) on the SVM virtual machine to create and display this report.

This diagnostic tool captures these details:

• Top 10 file scan requests

• Top 10 file extensions

• Top 10 processes

• Top 10 virtual machines that send the most scan and checksum requests.

Task

1

Open the SVM CLI: click Start | Programs | McAfee | MOVE AV Server command prompt.

This command prompt has administrator rights.

At this command prompt, you can type commands that activate the mvadm utility to perform administration tasks on the SVM.


2

To calculate the frequently scanned files, run this command:

    move_diagnose /T: <Time Window> /O: <Output File>

Option   Definition
/T       The time period, in minutes, for calculating the frequently scanned files (for example, 3 minutes).
/O       Full path of the output file for storing the results.

At the end of the specified time, the tool completes the analysis and displays the results. The default time limit is 10 minutes.

3

(Optional) Change the time limit by configuring the registry value HKLM\System\CurrentControlSet\services\mvserver\Parameters\diagnostic\FrequentlyScanMaxTimeOutWindow.
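One way to perform the same ranking yourself, as an added Python example that serves both the Agentless and the Multi-Platform scan diagnosis procedures above (this is not the product's scan_diagnostic or move_diagnose tool and not McAfee code): it aggregates scan-request records into top-N files, extensions and VMs and proposes exclusion candidates, refusing to exclude executable and script extensions however often they are scanned. The "timestamp vm path" record format, the sample log lines and the NEVER_EXCLUDE_EXT list are assumptions for the illustration; the real tools' output format is not shown in this guide.

```python
"""Rank frequently scanned files, extensions and VMs and propose exclusions.

Added illustration, not McAfee code. The guide's diagnostic tools already
produce top-10 lists; this script performs the same aggregation over raw
scan-request records so that the threshold and the "never exclude" rule are
explicit. Record format and log lines are constructed for the example.
"""
import ntpath
from collections import Counter
from typing import List, Set, Tuple

Record = Tuple[str, str, str]   # (timestamp, vm, path)

# Extensions that should not be excluded on frequency alone (my own
# recommendation, not a product setting): executables and script hosts are
# exactly what the scanner exists to inspect.
NEVER_EXCLUDE_EXT: Set[str] = {".exe", ".dll", ".sys", ".com", ".scr",
                               ".ps1", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample records in an assumed "timestamp vm path" format.
SAMPLE_SCAN_LOG = r"""
2017-03-01T10:00:01 vm-web01 C:\inetpub\logs\u_ex170301.log
2017-03-01T10:00:02 vm-db01 D:\SQL\DATA\orders.mdf
2017-03-01T10:00:02 vm-db01 D:\SQL\LOG\orders_log.ldf
2017-03-01T10:00:03 vm-web01 C:\Windows\System32\kernel32.dll
2017-03-01T10:00:04 vm-app02 C:\App\bin\service.exe
2017-03-01T10:00:05 vm-db01 D:\SQL\DATA\orders.mdf
2017-03-01T10:00:05 vm-web01 C:\inetpub\logs\u_ex170301.log
2017-03-01T10:00:06 vm-app02 C:\App\temp\cache 1.tmp
2017-03-01T10:00:07 vm-db01 D:\SQL\DATA\orders.mdf
2017-03-01T10:00:08 vm-db01 D:\SQL\LOG\orders_log.ldf
2017-03-01T10:00:09 vm-web01 C:\inetpub\logs\u_ex170301.log
2017-03-01T10:00:10 vm-db01 D:\SQL\DATA\orders.mdf
2017-03-01T10:00:11 vm-app02 C:\App\temp\cache 1.tmp
2017-03-01T10:00:12 vm-web01 C:\Windows\System32\kernel32.dll
2017-03-01T10:00:13 vm-db01 D:\SQL\LOG\orders_log.ldf
2017-03-01T10:00:14 vm-web01 C:\inetpub\logs\u_ex170301.log
2017-03-01T10:00:15 vm-db01 D:\SQL\DATA\orders.mdf
"""


def parse_records(text: str) -> List[Record]:
    """Parse "timestamp vm path" lines; the path may contain spaces."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=2)
        if len(parts) != 3:
            continue                      # blank or malformed line
        records.append((parts[0], parts[1], parts[2]))
    return records


def top_files(records: List[Record], n: int = 10) -> List[Tuple[str, int]]:
    return Counter(path for _, _, path in records).most_common(n)


def top_extensions(records: List[Record], n: int = 10) -> List[Tuple[str, int]]:
    # ntpath handles Windows guest paths correctly even when run on Linux.
    return Counter(ntpath.splitext(path)[1].lower() or "<none>"
                   for _, _, path in records).most_common(n)


def top_vms(records: List[Record], n: int = 10) -> List[Tuple[str, int]]:
    return Counter(vm for _, vm, _ in records).most_common(n)


def exclusion_candidates(records: List[Record], min_hits: int = 3,
                         never_exclude: Set[str] = NEVER_EXCLUDE_EXT) -> List[Tuple[str, int]]:
    """Paths scanned at least min_hits times whose extension is safe to exclude.

    Returns (path, hits) pairs, most frequent first. Add the survivors to the
    path exclusion policy only after confirming each path is written solely
    by a trusted process.
    """
    return [(path, hits) for path, hits in top_files(records, n=len(records))
            if hits >= min_hits
            and ntpath.splitext(path)[1].lower() not in never_exclude]


RECORDS = parse_records(SAMPLE_SCAN_LOG)

if __name__ == "__main__":
    print("Top files:", top_files(RECORDS, 3))
    print("Top extensions:", top_extensions(RECORDS, 3))
    print("Top VMs:", top_vms(RECORDS, 3))
    print("Exclusion candidates:", exclusion_candidates(RECORDS))
```

kernel32.dll is scanned twice in the sample but is never proposed, because excluding system executables to save scan time defeats the purpose of the scanner; the database and log files, which are rewritten constantly by known processes, are the usual candidates.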


3

Managing McAfee MOVE AntiVirus

Manage McAfee MOVE AntiVirus by responding to threat detections, managing quarantined items, and periodically analyzing your protection.

Contents

Keeping your protection up to date

Responding to detections

Quarantined items

Self-protection

Events, responses, and McAfee MOVE AntiVirus

Analyzing your protection

Integrating TIE and Advanced Threat Defense

Keeping your protection up to date

McAfee MOVE AntiVirus depends on the engine and information in the content files to identify and act on threats. Every day, McAfee Labs releases new content files to address new threats.

To update systems managed by McAfee ePO, use the Master Repository. The Master Repository on the McAfee ePO server maintains the latest versions of the engine and content files.

For Agentless SVM, the AutoUpdate for DAT files is disabled. Use McAfee ePO to create a client task and update to the latest versions of the engine and DAT files.

Responding to detections

When a threat occurs, the McAfee MOVE AntiVirus configuration determines the threat detection method and response.

If McAfee MOVE AntiVirus is configured to Deny files automatically and quarantine (the default setting), the scanner deletes items that are detected as threats and saves copies in a non-executable format to the Quarantine folder. If a file can't be deleted, the scanner denies access to it instead.

Unwanted program detection

The on-access and on-demand scanners detect unwanted programs using policy settings that you configured and DAT files.

When a detection occurs, the scanner that detected the unwanted program applies the action that you configured for that scanner.


Review the information in the log file, then decide whether to take any of these additional actions:

• Fine-tune the settings for the scan to make your scans more efficient.

• Exclude unwanted programs and files from detection.

If a legitimate program was detected (false positive), configure it as an exclusion.

On-access scan detections

When a threat is detected, the on-access scanner responds according to the settings in the On-Access Scan policy.

Review the information in the activity log to decide whether to take more actions:

• Fine-tune the settings for the scan to make your scans more efficient.

To make scanning more efficient, exclude legitimate files and delete known threats from the quarantine.

• Configure the scanner to:

Deny files automatically and quarantine — Deletes and quarantines the item that contains the threat.

Delete files automatically — Deletes the item that contains the threat.

Deny access to files — Prevents the user from accessing files with detected threats.

• Configure the scanner to display a message to users when a threat is detected.

On-demand scan detections

When an on-demand detection occurs, the scanner response depends on the type of on-demand scan.

For targeted on-demand scans, the scanner uses Targeted On-Demand Scan client task settings. For policy-based on-demand scans, the scanner uses On-Demand Scan policy settings.

Review the information in the log file to decide whether to take more actions:

• Fine-tune the settings for the scan to make your scans more efficient.

To make scanning more efficient, exclude legitimate files and delete known threats from the quarantine.

• Configure the scanner to prompt for action.

• Configure the scanner to:

Deny files automatically and quarantine — Deletes and quarantines the item that contains the threat.

Delete files automatically — Deletes the item that contains the threat.

Notify only — Notifies you when an item that contains the threat is accessed, without deleting or denying it.

Quarantined items

McAfee MOVE AntiVirus deletes items that are detected as threats and saves copies in a non-executable format to the Quarantine folder.

You can restore a quarantined item.

Configure the settings for quarantine

Configure quarantine manager settings in the Options policy, including the location of quarantined items and how long to keep them.


Task

For details about product features, usage, and best practices, click ? or Help.

1

Log on to McAfee ePO as an administrator.

2

Select Menu | Policy | Policy Catalog, then select MOVE AntiVirus 4.5.1 from the Product list.

3

From the Category list, select Options.

4

Click the name of an editable policy.

5

Configure the Quarantine Manager settings, then click Save.

For Multi-Platform:

Quarantine Directory
    Specify where quarantined items are stored by changing the quarantine directory. Mapped network drives and UNC network path names are not supported.

For Agentless:

Quarantine network share
    Quarantined files are stored on the specified network share. The share is mounted as CIFS, so the remote share must support this protocol. Read and write permissions are required. McAfee MOVE AntiVirus supports only Windows share paths for the quarantine network share; Linux share paths are not supported. Enter the IP address or FQDN so that it can be resolved by the SVM. How this is entered depends on the environment and how the SVM is configured.

Network domain name
    The domain used to access the specified share.

Network user name
    The user name used to access the specified share. This is the Domain User Account that the SVM uses to quarantine files; grant it access to the quarantine share only (see Set permissions for shared folders).

Network password
    The password used to access the specified share.

Restore quarantined items (Multi-Platform)

McAfee MOVE AntiVirus deletes any items that are detected as threats, converts a copy of the item to a non-executable format, and saves it in the Quarantine folder.

Before you begin

You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.

You can restore a quarantined item.

Task

For details about product features, usage, and best practices, click ? or Help.

1

Log on to the McAfee ePO server as an administrator.

2

Select Menu | Policy | Client Task Catalog.

3

From Client Task Types, select MOVE AntiVirus 4.5.1 | Restore from Quarantine (Multi-Platform).

4

Click the name of an existing client task or click New Task, then confirm the task type.


5

Configure these settings on each tab, then click Save.

Tab              Description
Task Name        Specifies a unique name for the task.
Description      Specifies a description about the task.
Detection name   Specifies the exact detection name of the item to restore from quarantine. You can find the Threat Name under Menu | Reporting | Threat Event Log.
                 If TIE is disabled, the detection name is an engine/DAT name such as Artemis!EB51D377817C or RDN/Generic.dx!dqq.
                 If TIE is enabled, the detection name has the form TIE!4414f6c4303c2ce9a23261a880b3ee6b3ef4f378: the prefix TIE! followed by the SHA-1 hash of the item, which is the value used for its reputation lookup.

6

Click Assign, specify the servers where you want to assign the task, then click OK.

7

Click Schedule to schedule the task.

You can also use this mvadm command on the client system to restore the quarantined items: mvadm q restore <Detection_Name>
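To turn Threat Event Log entries into restore commands, an added Python example (not McAfee code): it validates detection names in the two forms described above, rejects a TIE! name whose SHA-1 is not 40 hex digits, and emits the mvadm q restore command for each distinct name on a given host. The CSV columns and rows are constructed sample data; a real ePO export may use different column names.

```python
"""Build Restore from Quarantine commands from a Threat Event Log export.

Added illustration, not McAfee code. It validates detection names in the two
forms the guide describes (engine/DAT names such as Artemis!... or RDN/...,
and TIE!<SHA-1> names) and emits the documented
"mvadm q restore <Detection_Name>" command for each. The CSV columns and
rows are constructed sample data, not a real ePO export.
"""
import csv
import io
import re
from typing import Dict, List

SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample export; the last row carries a deliberately truncated hash.
SAMPLE_THREAT_EVENTS = r"""Event Time,Threat Name,Target Path,Host
2017-03-01 10:05:12,TIE!4414f6c4303c2ce9a23261a880b3ee6b3ef4f378,C:\App\bin\tool.exe,vm-app02
2017-03-01 10:06:40,Artemis!EB51D377817C,C:\Users\jdoe\Downloads\setup.exe,vm-web01
2017-03-01 10:07:02,RDN/Generic.dx!dqq,C:\Users\jdoe\Downloads\setup.exe,vm-web01
2017-03-01 10:08:15,TIE!deadbeef,C:\App\bin\other.exe,vm-app02
"""


def validate_detection_name(name: str) -> str:
    """Return the name unchanged if well formed, otherwise raise ValueError.

    The restore task matches the detection name exactly, so a TIE name must
    carry the full 40-hex-digit SHA-1; a truncated hash will never match.
    """
    name = name.strip()
    if not name or any(ch.isspace() for ch in name):
        raise ValueError(f"detection name must be a single token: {name!r}")
    if name.startswith("TIE!") and not SHA1_HEX.match(name[4:]):
        raise ValueError(f"TIE detection name lacks a 40-hex-digit SHA-1: {name!r}")
    return name


def restore_plan(csv_text: str, host: str) -> Dict[str, List[str]]:
    """Commands to run on `host`, plus the names that failed validation."""
    commands: List[str] = []
    rejected: List[str] = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Host"] != host:
            continue
        try:
            name = validate_detection_name(row["Threat Name"])
        except ValueError:
            rejected.append(row["Threat Name"])
            continue
        if name not in seen:                 # one command per distinct detection
            seen.add(name)
            commands.append(f"mvadm q restore {name}")
    return {"commands": commands, "rejected": rejected}


if __name__ == "__main__":
    for host in ("vm-app02", "vm-web01"):
        print(host, restore_plan(SAMPLE_THREAT_EVENTS, host))
```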

How quarantine works (Agentless)

McAfee MOVE AntiVirus (Agentless) implements a remote quarantine system, where quarantined files are stored on an administrator-specified network share.

The quarantine network share is mounted on the SVM during policy enforcement at /mnt/quarantine using the Common Internet File System (CIFS) protocol. If mounting fails, the Quarantine Mount Failed event is generated and mounting is attempted at the next policy enforcement.

A file is quarantined when:

• The Quarantine network share configuration, which is present under the Options policy, is mounted.

• A detection occurs.

Delete files automatically and quarantine is the primary action. Quarantined files are automatically deleted after 28 days.

If no quarantine policy is configured, the Delete files automatically and quarantine action does not occur even if it is configured as the primary action under the scan policies.


The restore tool at-a-glance

This diagram provides an overview of how the quarantine restore tool works.


The restore tool requires Java Runtime Environment (JRE) 1.8.

Modify quarantine_restore.cmd by adding -Djava.net.preferIPv4Stack=true to the JVMARGS variable.

1

Connect to a quarantine share.

2

View the list of quarantined files.

3

View the VMs corresponding to the selected file.

4

Save a file to your local system.

5

Restore a specific file to one or more selected VMs.

Configure the quarantine folder

You can limit access to the quarantine folder by configuring permissions.

Tasks

Set permissions for shared folders on page 55

Setting permission for the quarantine folder allows you to specify who has access to the share.

Set permissions for shared folders

Setting permission for the quarantine folder allows you to specify who has access to the share.

Before you begin

Create the following:


• Quarantine folder

• Domain User Account — The account used by the SVM to quarantine files.

• Domain Local Security Group — This group has access to the Restore Tool.

Task

1

Right-click the quarantine folder, then select Properties.

2

Select the Sharing tab, then click Advanced Sharing

3

In the Advanced Sharing dialog box, select Share this folder.

4

Click Permissions, select the default user name Everyone, click Remove, then click Apply.

5

Click Add to select an object type.

You can give permission only to administrators who require access to the quarantine folder.

a

In Select Users or Groups, enter your Domain User account in the object names dialog box, then click OK.

b Select the user name you created earlier, select Full Control, then click OK.

6

Click Add to select an object type.

a

In Select Users or Groups, enter your Domain Local Security Group in the object names dialog box, then click OK.

b With this group selected, select Full Control, then click OK.

Restore a file

Restoring a quarantined file allows you to save it to your local system or to restore it to a specific VM.

Before you begin

• Update the DATs on the SVM and the system where you run the restore, when necessary.

• Download MOVE-AV-AL_RestoreTool.4.5.1.Zip from the McAfee download site and extract the contents.

• Make sure that TCP port 445 (SMB) is open on the guest VM's firewall.

Task

1

From the folder where you extracted MOVE-AV-AL_RestoreTool.4.5.1.Zip, start the quarantine restore tool:

    quarantine_restore.cmd

The Connect dialog box is automatically displayed.

2

Enter the location and credentials of the quarantine share, then click OK.

McAfee MOVE AntiVirus supports only Windows share path for quarantine network share. Linux share path is not supported for quarantine network share.

If you need to connect to a different share, click Connect.


3

From the list of quarantined files, select the file you want to restore.

If a file is listed multiple times, it has been quarantined multiple times and the contents of the file are different.

4

Choose one of these two options:

• Save the file to your local system.

1

Select Save File.

2

Browse to the location, enter a file name, and click OK.

The file is saved to the specified location. The quarantined file remains on the share.

• Restore the file to selected VMs.

1

Select the VMs where you want to restore the file, then click Restore.

2

Enter valid credentials to restore the file to all selected VMs.

The same file can be restored to multiple VMs by multi-selecting the VM hosts before you click Restore. The same credentials must be valid for all selected VMs for this method to work.

The file is restored to each selected VM. The quarantined file is removed from the share after it is successfully restored. When the restore is completed, the list of quarantined files and VMs are updated to reflect the current state.

Errors are logged in the RestoreTool.log.

Self-protection

The self-protection feature defends files, services, and registry keys on virtual machines. Use the VirusScan Enterprise access protection rules for protecting the components of the SVM.

McAfee MOVE AntiVirus (Multi-Platform) Client

The self-protection feature prevents malicious attacks on McAfee MOVE AntiVirus (Multi-Platform) client components. This keeps your virus protection active and stable.

Protection type           Protection effects
File protection           Files inside the installation directory and the driver file (mvagtdrv.sys) are protected from being deleted or renamed.
Registry protection       These registry keys, all subkeys, and all values under them are protected:
                          • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mvagtdrv
                          • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mvagtsvc
                          • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EventLog\Application\MOVE AV client
Service stop protection   The mvagtsvc service cannot be stopped.

The self-protection feature is controlled by the IntegrityEnabled configuration parameter. By default, the parameter is set to 0x7, and all components of the feature are enabled.

The configuration parameter accepts values from 0–7, the decimal representation of a 3-bit mask: bit 0 (value 1) is file protection, bit 1 (value 2) is registry protection, and bit 2 (value 4) is service stop protection.

Decimal value   Binary value   Definition
0               000            Protection disabled
1               001            File protection
2               010            Registry protection
3               011            File and registry protection
4               100            Service protection
5               101            Service and file protection
6               110            Service and registry protection
7               111            Service, registry, and file protection

For example, to enable file and registry protection, set the parameter to 3 (0b011) with this command: mvadm config set IntegrityEnabled=3

To enable file and service stop protection, but not registry protection, set the parameter to 5 (0b101) with this command: mvadm config set IntegrityEnabled=5

To disable the self-protection feature, set the parameter to 0 with this command: mvadm config set IntegrityEnabled=0

When Service stop protection is enabled (by setting the highest bit to 1), the mvagtsvc service does not accept stop commands. File protection and registry protection require the agent driver to be loaded, but service stop protection does not. Use these commands to load or unload the driver:

    mvadm enable
    mvadm disable
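The mask arithmetic and the driver caveat, as an added Python example (not McAfee code): it converts between IntegrityEnabled values and protection names, produces the mvadm command shown above for a desired set of protections, and reports which configured protections are not enforced while the driver is unloaded. The function names are my own; the only product facts used are the bit assignments in the table and the mvadm commands quoted above.

```python
"""Encode, decode and audit the MOVE AV client IntegrityEnabled mask.

Added illustration, not McAfee code. Bit assignments follow the guide's
table (bit 0 = file, bit 1 = registry, bit 2 = service stop protection).
The driver check models the documented caveat that file and registry
protection are enforced only while the mvagtdrv driver is loaded.
"""
from typing import Dict, Iterable, List, Set

FILE, REGISTRY, SERVICE = 0b001, 0b010, 0b100
BIT_NAMES: Dict[int, str] = {FILE: "file", REGISTRY: "registry", SERVICE: "service"}


def decode_integrity(value: int) -> Set[str]:
    """Set of protections enabled by an IntegrityEnabled value (0-7)."""
    if not 0 <= value <= 7:
        raise ValueError(f"IntegrityEnabled must be 0-7, got {value}")
    return {name for bit, name in BIT_NAMES.items() if value & bit}


def encode_integrity(components: Iterable[str]) -> int:
    """Inverse of decode_integrity; raises KeyError on an unknown component name."""
    by_name = {name: bit for bit, name in BIT_NAMES.items()}
    value = 0
    for component in components:
        value |= by_name[component]
    return value


def mvadm_set_command(components: Iterable[str]) -> str:
    """The mvadm invocation that applies exactly the given protections."""
    return f"mvadm config set IntegrityEnabled={encode_integrity(components)}"


def effective_protection(value: int, driver_loaded: bool) -> Dict[str, Set[str]]:
    """Split a configured mask into what is really enforced.

    File and registry protection are enforced by the mvagtdrv driver; after
    "mvadm disable" only service stop protection remains effective.
    """
    requested = decode_integrity(value)
    effective = {c for c in requested if c == "service" or driver_loaded}
    return {"requested": requested, "effective": effective,
            "not_enforced": requested - effective}


def audit(value: int, driver_loaded: bool) -> List[str]:
    """Findings for one client: weakened mask and/or protections not enforced."""
    findings: List[str] = []
    state = effective_protection(value, driver_loaded)
    disabled = decode_integrity(7) - state["requested"]
    if disabled:
        findings.append(f"IntegrityEnabled={value}: {sorted(disabled)} protection disabled")
    if state["not_enforced"]:
        findings.append(f"driver not loaded: {sorted(state['not_enforced'])} "
                        "protection configured but not enforced")
    return findings


if __name__ == "__main__":
    for value in range(8):
        print(value, format(value, "03b"), sorted(decode_integrity(value)))
    print(mvadm_set_command(["file", "registry"]))
    print(audit(7, driver_loaded=False))
```

Auditing with IntegrityEnabled=7 but the driver unloaded reports file and registry protection as configured but not enforced, which is the state an attacker who can run mvadm disable would leave the client in; it is worth alerting on separately from the mask value itself.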

McAfee MOVE AntiVirus (Multi-Platform) SVM

Use the following VirusScan Enterprise access protection rules for protecting the components of the SVM. These must be configured manually after installation.


File protection (via VirusScan Enterprise access protection)
    Use the user-defined rules of VirusScan Enterprise to protect MOVE files. Create a File/Folder Access Protection Rule that excludes the mvserver.exe process and blocks the C:\Program Files (x86)\McAfee\MOVE AV Server\** folder. For File actions to prevent, select these options:
    • Write access to files
    • New files being created
    • Files being deleted
    See the McAfee VirusScan Enterprise Product Guide for details.

Registry protection (via VirusScan Enterprise access protection)
    Use the user-defined rules of VirusScan Enterprise to protect registry keys. These registry keys and all keys and values under them must be protected:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters\ODS

Events, responses, and McAfee MOVE AntiVirus

Configure Automatic Responses to respond to threat events.

The Threat Event Log is a log file of all threat events that McAfee ePO receives from managed systems.

In McAfee ePO, you can define which events are forwarded to the McAfee ePO server. To display the complete list of events in McAfee ePO, select Menu | Configuration | Server Settings, select Event Filtering, then click Edit.

Set up a Purge Threat Event Log server task to purge the Threat Event Log periodically.

For information about Automatic Responses and working with the Threat Event Log, see the McAfee ePO documentation.

Analyzing your protection

The ongoing process of analyzing your system protection enables you to improve the protection and performance of your system.

Analyzing your protection helps you to determine:

• Which threats you are facing

• What malware was used in the attack

• Where the threats are coming from

• Where and when the attacks occurred

• How often threats are found

• Which systems are being targeted

• How the attack affected the system


Protection analysis is also helpful to:

• Create reports for IT and managers.

• Capture information used to create scripts and queries.

Dashboards and queries

Use McAfee ePO queries to view events, run default queries, and create reports.

• View events in the Threat Event Log.

• Run default queries that show important client information.

• Create reports using data sent by the McAfee Agent to the McAfee ePO database.

For information about how to run a query or report, see the product documentation for your version of

McAfee ePO.

Queries are questions that you ask McAfee ePO, which returns answers as charts and tables. You can export or download queries, combine them into reports, and use most queries as dashboard monitors.

Reports enable you to package one or more queries into a single PDF document, for access outside of

McAfee ePO.

To create reports, your assigned permission set must include the ability to create and edit reports. You can restrict access to reports using groups and permission sets exactly as you restrict access to queries. Reports and queries can use the same groups, and because reports primarily consist of queries, this allows for consistent access control.

VMs running Agentless do not have the McAfee Agent installed. Only the SVM appears in the McAfee ePO console, which means you don't see each VM. vShield Manager provides a report that validates the protection status of each VM.

Integrating TIE and Advanced Threat Defense

McAfee® Threat Intelligence Exchange (TIE) provides context-aware adaptive security for your virtual environment. It quickly analyzes files and content from the SVM in your environment and makes informed security decisions. These decisions are based on a file's security reputation and your own criteria set in the Shared Cloud Solutions policy of McAfee MOVE AntiVirus.

The Multi-Platform deployment, with TIE and Advanced Threat Defense integration, becomes a multi-layered solution that involves various techniques to scan and detect the malware. It includes:

• Pattern matching

• Global reputation

• Program emulation

• Static analysis

• Dynamic analysis

All these layers are seamlessly integrated and provide a single point of control for easy configuration and management.

How Threat Intelligence Exchange works

Threat Intelligence Exchange uses the Data Exchange Layer framework to share file and threat information instantly across the entire network.


In the past, you sent an unknown file or certificate to McAfee for analysis, then updated the file information throughout your network later. Threat Intelligence Exchange enables file reputation to be controlled at a local level, your virtual environment. You decide which files can run and which are blocked, and the Data Exchange Layer shares the information immediately throughout your environment.

Threat Intelligence Exchange components

Threat Intelligence Exchange includes these components.

• A server that stores information about file and certificate reputations, then passes that information to other systems.

• Data Exchange Layer brokers that allow bidirectional communication between managed systems on a network.

These components are installed as McAfee ePO extensions and add several new features and reports:

• McAfee TIE server extension

• McAfee DXL broker management

• McAfee DXL client for McAfee ePO

• McAfee DXL client management

How Advanced Threat Defense works

If Advanced Threat Defense is present, the following process occurs.

1

When a file's reputation is looked up in TIE and TIE determines that the file is an Advanced Threat Defense candidate, the SVM submits the file, through TIE, to Advanced Threat Defense for further analysis, according to the settings in the Shared Cloud Solutions policy of McAfee MOVE AntiVirus.

2

Advanced Threat Defense analyzes the file and sends the file reputation results to the TIE server using the Data Exchange Layer. The TIE server updates its database and sends the updated reputation information to the SVM.

The Advanced Threat Defense solution primarily consists of the Advanced Threat Defense Appliance and the pre-installed software. The Advanced Threat Defense Appliance is available in two models. The standard model is the ATD-3000. The high-end model is the ATD-6000.

For installing and setting up Advanced Threat Defense, see the installation guide for your version of Advanced Threat Defense.

Advanced Threat Defense components

Advanced Threat Defense integrates its native capabilities with McAfee MOVE AntiVirus to provide you a multilayered defense mechanism against malware.

These are the features and components of Advanced Threat Defense that integrate with McAfee MOVE

AntiVirus for better malware detection:

• Its preliminary detection mechanism consists of a local blacklist to quickly detect known malware.

• It integrates with McAfee GTI for cloud-lookups to detect malware that has already been identified by organizations throughout the globe.

• It has the McAfee Gateway Anti-Malware Engine embedded within it for emulation capability.

• It has the McAfee Anti-Malware Engine embedded within it for signature-based detection.

• It dynamically analyzes the file by executing it in a virtual sandbox environment. Based on how the file behaves, Advanced Threat Defense determines its malicious nature.

McAfee Management for Optimized Virtual Environments AntiVirus 4.5.1

Product Guide

61

3

Managing McAfee MOVE AntiVirus

Integrating TIE and Advanced Threat Defense

Scenarios for using Threat Intelligence Exchange

Immediately block a file — Threat Intelligence Exchange alerts the network administrator of an unknown file in the environment. Instead of sending the file information to McAfee for analysis,

McAfee MOVE AntiVirus blocks the file immediately. The administrator can then use Threat

Intelligence Exchange to learn whether the file is a threat and how many systems ran the file.

Allow a custom file to run — A company routinely uses a file whose default reputation is suspicious or malicious, for example a custom file created for the company. This file can override the reputation of a file on TIE server so that it is allowed to run in the environment.

Import known reputations — A company has several files that are trusted and used regularly, and other files that are not allowed. Because the reputations are already known and set, the administrator can import a list of files and their reputations directly into the Threat Intelligence Exchange database. Those reputations are used immediately with no further action needed.

See additional information about a file — Threat Intelligence Exchange notifies the network administrator of an unknown file. The administrator can see several details about the file, such as the file's parent process, company, hash information, and the systems that ran the file. The administrator can also see more detailed information about the file with VirusTotal, a free online service for scanning viruses, malware, and URLs.

How a reputation is determined

File and certificate reputation is determined when a file attempts to run on a managed system.

These steps occur when determining a file or certificate's reputation.

1. A user or system attempts to run a file.

2. McAfee MOVE AntiVirus compares and inspects the file against the local cache and can't determine its validity and reputation.

3. The client looks for the reputation in the global cache in the SVM, can't find it, and then sends the file hashes to the SVM for a TIE lookup based on the Shared Cloud Solutions policy assigned to the system.

4. The SVM checks the reputation cache for the file hash. If the file hash is found, the SVM gets the reputation data from the SVM cache and sends the reputation to the client, and action is taken.

5. If the file hash is not found in the SVM cache and the TIE server does not have the reputation:

• (Advanced Threat Defense is present) If the policy on the endpoint determines that the file has to be sent to Advanced Threat Defense, the TIE server sends the file for further analysis. To send the file to Advanced Threat Defense, these requirements must be met:

• The Advanced Threat Defense (ATD) option is configured under the Shared Cloud Solutions policy on the McAfee ePO server.

• The size of the file is less than 10 MB.

• The TIE server returns the file hash's reputation to the SVM once the data is received from Advanced Threat Defense after analyzing the file.

See the additional steps under How Advanced Threat Defense works in this guide.

6. McAfee MOVE AntiVirus takes action based on the Shared Cloud Solutions policy assigned to the system that is running the file.

7. The SVM sends threat details as threat events to McAfee ePO.
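The lookup order above, as an added example that is not McAfee's code: a Python model of the client cache, SVM cache, TIE server and Advanced Threat Defense tiers, with the ATD-configured and 10 MB requirements applied before a file is submitted. The SharedCloudPolicy and LookupResult names, the dictionaries standing in for each tier, and the sample hashes are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ATD_MAX_FILE_BYTES = 10 * 1024 * 1024   # the guide's "less than 10 MB" requirement


@dataclass
class SharedCloudPolicy:
    """Constructed subset of the Shared Cloud Solutions policy used by this model."""
    atd_configured: bool          # ATD option set under the policy on McAfee ePO
    send_unknown_to_atd: bool     # endpoint policy asks for ATD analysis of unknowns
    block_unknown: bool = True    # action when no tier returns a reputation


@dataclass
class LookupResult:
    reputation: Optional[str]     # "trusted", "malicious" or None (still unknown)
    resolved_by: str              # tier that produced the reputation, or "none"
    action: str                   # "allow" or "block" (step 6)
    atd_submitted: bool = False   # whether the file went to ATD (step 5)
    events: List[str] = field(default_factory=list)   # threat events to ePO (step 7)


def _apply_policy(file_hash: str, reputation: Optional[str], tier: str,
                  policy: SharedCloudPolicy) -> LookupResult:
    """Steps 6 and 7: act on the reputation and raise the threat event."""
    if reputation == "malicious":
        action = "block"
    elif reputation is None:
        action = "block" if policy.block_unknown else "allow"
    else:
        action = "allow"
    result = LookupResult(reputation, tier, action)
    if action == "block":
        result.events.append(
            f"threat event to ePO: hash={file_hash} reputation={reputation or 'unknown'} "
            f"action=block source={tier}")
    return result


def resolve_reputation(file_hash: str, file_size: int, policy: SharedCloudPolicy,
                       local_cache: Dict[str, str], svm_cache: Dict[str, str],
                       tie_server: Dict[str, str], atd: Dict[str, str]) -> LookupResult:
    """Walk the tiers in the order the guide lists them (steps 2 to 5).

    The four dictionaries stand in for the client's local cache, the SVM's
    reputation cache, the TIE server database and ATD's sandbox verdicts.
    Caches are filled on the way back so a repeat lookup stops earlier.
    """
    # Step 2: the client inspects its local cache.
    if file_hash in local_cache:
        return _apply_policy(file_hash, local_cache[file_hash], "client local cache", policy)

    # Step 4: the SVM checks its reputation cache for the hash.
    if file_hash in svm_cache:
        rep = svm_cache[file_hash]
        local_cache[file_hash] = rep
        return _apply_policy(file_hash, rep, "SVM reputation cache", policy)

    # Steps 3 and 5: the SVM asks the TIE server, as the Shared Cloud Solutions policy allows.
    if file_hash in tie_server:
        rep = tie_server[file_hash]
        svm_cache[file_hash] = local_cache[file_hash] = rep
        return _apply_policy(file_hash, rep, "TIE server", policy)

    # Step 5: TIE has no reputation. ATD is used only when every requirement holds:
    # ATD configured in the policy, the endpoint policy asks for it, and size < 10 MB.
    eligible = (policy.atd_configured and policy.send_unknown_to_atd
                and file_size < ATD_MAX_FILE_BYTES)
    if not eligible:
        return _apply_policy(file_hash, None, "none", policy)

    rep = atd.get(file_hash)                  # sandbox verdict; None if still pending
    if rep is not None:                       # TIE returns it to the SVM, which caches it
        tie_server[file_hash] = svm_cache[file_hash] = local_cache[file_hash] = rep
    result = _apply_policy(file_hash, rep, "Advanced Threat Defense" if rep else "none", policy)
    result.atd_submitted = True
    return result


if __name__ == "__main__":
    # Constructed sample data: the hashes and verdicts are placeholders, not real indicators.
    policy = SharedCloudPolicy(atd_configured=True, send_unknown_to_atd=True)
    caches = ({}, {"sha256-cached-app": "trusted"}, {"sha256-known-bad": "malicious"},
              {"sha256-new-sample": "malicious"})
    for h, size in [("sha256-cached-app", 2_000), ("sha256-known-bad", 5_000),
                    ("sha256-new-sample", 1_000_000), ("sha256-new-sample", 1_000_000),
                    ("sha256-large-unknown", 12 * 1024 * 1024)]:
        r = resolve_reputation(h, size, policy, *caches)
        print(f"{h:22} -> {r.action:5} via {r.resolved_by} (ATD submitted: {r.atd_submitted})")
```

Running the sample shows the second lookup of the same hash answered from the client's local cache, and the 12 MB unknown never reaching ATD.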


4 Monitoring activity in your environment

An important step in a protection strategy is using tools to monitor the malware events that occur on your systems.

Contents

Monitoring activity with McAfee ePO

McAfee MOVE AntiVirus dashboard

View visibility and health details of the SVM

View default queries

McAfee MOVE AntiVirus server tasks

Monitoring activity with McAfee ePO

Use McAfee ePO to monitor activity on your managed systems and determine what to do when issues occur.

Dashboards are collections of monitors that track activity in your McAfee ePO environment.

McAfee MOVE AntiVirus provides predefined dashboards and monitors. Depending on your permissions, you can use them as is, modify them to add or remove monitors, or create custom dashboards.

McAfee MOVE AntiVirus dashboard

The McAfee MOVE AntiVirus dashboard is added to your McAfee ePO server when you install the McAfee MOVE AntiVirus software.

The dashboard displays a collection of monitors based on the results of the default McAfee MOVE AntiVirus software queries.

The default monitors that appear under the McAfee MOVE AntiVirus dashboard are:

SVM Load: Number of Connected Endpoints — Displays the number of managed endpoints connected to the SVM together with the SVM's load category.

Capacity Full — Indicates that the SVM limit is reached: the number of connected endpoints equals the number that can be assigned.

Capacity Above Threshold — Appears when the capacity of an SVM is more than its threshold value.

Capacity Below Threshold — Appears when the capacity of an SVM is less than its threshold value.

SVM with Higher Average Scan Time in last 7 days — Lists the top 10 SVMs that have reached the average scan time threshold and have stayed in that state the longest in the past 7 days.


See the chapter on dashboards in the McAfee ePolicy Orchestrator Product Guide for information about managing dashboards.

View visibility and health details of the SVM

You can check the product properties of McAfee MOVE AntiVirus and the product component SVM using McAfee ePO.

Task

1. Log on to McAfee ePO as an administrator.

2. Select Menu | Systems | System Tree | Systems tab.

3. Click an SVM system to open the System Information page.

4. Click the Product tab and select MOVE AntiVirus as the product.

You can now see the product properties, which can be used to determine the health details of the SVM.

View default queries

Run the predefined queries to generate reports based on McAfee MOVE AntiVirus components.

Task

For details about product features, usage, and best practices, click ? or Help.

1. Log on to McAfee ePO as an administrator.

2. Select Menu | Reporting | Queries & Reports.

3. From the McAfee Groups pane, select MOVE AntiVirus 4.5.1 to display the queries for the selected group.

4. From the Queries list, select a query, then click Run.

5. On the query results page, click any item in the results to drill down further.

6. Click Close when finished.

Predefined Multi-Platform queries

The McAfee MOVE AntiVirus (Multi-Platform) deployment option adds several queries to your McAfee ePO environment.

Table 4-1 Multi-Platform queries

Client Protection Status — Displays the status of all McAfee MOVE AntiVirus clients managed by the server.

Clients connected with a given SVM — Displays the details of the client and the SVM it is assigned to.

DAT version — Displays the DAT version of all McAfee MOVE AntiVirus clients that are managed by the server.

Summary of Threats Detected in the Last 24 Hours — Displays threats detected in the last 24 hours.

Threats Detected in the Last 24 Hours — Displays the number of threats detected in the last 24 hours by hour.

Top 10 Computers with the Most Detections — Displays the top ten computers with the most threat detections in the last three months.

Top 10 Detected Threats — Displays the top ten detected threats in the last three months.

Top 10 Users with the Most Detections — Displays the top ten users with the most threat detections in the last three months.

TIE/ATD Metrics for each MP SVM — Lists all TIE or Advanced Threat Defense related metrics, such as Total File reputation requests to TIE, Total Certificate reputation requests to TIE, and Total number of Advanced Threat Defense candidates, for each McAfee MOVE AntiVirus SVM.

Table 4-2 SVM queries and events

SVM Load: Number of Connected Endpoints — Categorizes the SVMs into Capacity Full, Capacity Above Threshold, and Capacity Below Threshold based on the number of connected endpoints.

SVM with Higher Average Scan Time in last 7 days — Specifies the top 10 SVMs that have reached the average scan time threshold and have stayed in that state the longest in the past 7 days.

SVM with SVM Manager details — Lists all SVMs with SVM Manager details.

SVM: Average Scan Time Events — Lists the SVM Average Scan Time, SVM Average Scan Time Threshold, and SVM Average Scan Time Sampling Interval details. This report is generated from the SVM Average Scan Time Threshold hit and SVM Average Scan Time Threshold Restored events. The average scan time threshold for each SVM can be modified in the Alert me option under the SVM Settings policy.

SVM Capacity Events — Lists the SVM Capacity Full, SVM Capacity Restored, and SVM Capacity Threshold hit details. This report is generated from the SVM Capacity Threshold hit, SVM Capacity Full, and SVM Capacity Threshold Restored events. The threshold limit of client connections for each SVM can be modified in the Alert me option under the SVM Settings policy.

Top 10 Scanned File Extensions for each SVM — Lists the top 10 file extensions scanned by the SVM.

Top 10 Scanned Files for each SVM — Lists the top 10 files scanned by the SVM.

Top 10 Scanned Processes for each SVM — Lists the top 10 processes scanned by the SVM.

Top 10 Scanned Virtual Machines for each SVM — Lists the top 10 virtual machines that are sending the most scan and checksum requests.


Table 4-3 SVM Manager queries and events

SVM Assignment Failed — Specifies the details and reasons for SVM assignment failures reported by the SVM Manager. This event is reported on the McAfee ePO server.

• SVM_MANAGER_SVM_ASSIGNMENT_FAILED — This event is reported when an SVM assignment request is sent from a client to the SVM Manager and the SVM Manager is unable to complete the client request because no registered SVM has capacity available to serve it.

SVM Capacity Events — Specifies the maximum number of endpoints along with the number of endpoints connected. These events are reported on the McAfee ePO server.

• SVM_MANAGER_SVM_THRESHOLD_CAPACITY_HIT — This event is reported when an SVM assignment request is sent from a client to the SVM Manager and the cumulative capacity of all SVMs eligible to serve that client has reached the threshold value, which is set in the advanced options of the SVM Manager policy.

• SVM_MANAGER_SVM_CAPACITY_FULL — This event is reported when an SVM assignment request is sent from a client to the SVM Manager and all SVMs eligible to serve that client have reached their full capacity.

SVM Registration Events — Displays the SVM registration events raised by the SVM Manager. These events are reported on the McAfee ePO server.

• SVM_MANAGER_SVM_REGISTER — This event is reported whenever an SVM is registered with the SVM Manager.

• SVM_MANAGER_SVM_UNREGISTER — This event is reported whenever an SVM is unregistered from the SVM Manager because of issues such as an SVM shutdown or network interruptions.

• SVM_MANAGER_STARTED — This event is reported when the SVM Manager starts.

• SVM_MANAGER_STOPPED — This event is reported when the SVM Manager stops.

You can add these queries to dashboards to more efficiently track your environment by displaying several queries at once.

The queries are constantly refreshed, or you can run them at a specified frequency. You can add them to reports that are run on specific schedules and export them as PDF files or email messages.

The McAfee ePO Threat Event Log contains information about detections, scan failure, and on-demand scan events.

SVM information

A shell script, msmclient.sh, is available with the SVM Manager and is used to retrieve the SVM details.

The script is available at /opt/McAfee/movesvamanager.

For these commands to work and retrieve the results, the SVM Manager application must be running.


Run these commands with root rights from the /opt/McAfee/movesvamanager directory:

• sudo ./msmclient.sh svacount — Displays the number of SVMs attached to the SVM Manager.

• sudo ./msmclient.sh svainfo — Displays some basic information about the SVMs attached to the SVM Manager.

• sudo ./msmclient.sh svadetails — Displays some advanced information about the SVM: current SVM load, SVM GUID, and last heartbeat time.

Predefined Agentless queries

You can use predefined queries as is, or create queries from events and properties stored in the McAfee ePO database.

To create custom queries, your assigned permission set must include the ability to create and edit private queries.

The Agentless deployment option provides these predefined queries:

DAT Version — Specifies the DAT version available on the VMs. This query is available only when the Cloud Workload Discovery extension is installed.

Detection Response Summary — Displays the number of threats on which an action such as Modify, Access denied, and Deleted is taken versus the number of threats on which no action was taken, in the last three months.

Licensing Information — Displays the number of VMs that are being managed by the licensed SVM. This report is generated from the MOVE AntiVirus: Compute licensing information server task.

On-Demand Scan Events Summary — Displays a summary of the on-demand scan events for the last three months.

Service Events Summary — Displays a summary of the service events for the last three months.

Summary of Threats Detected in the Last 24 Hours — Displays a summary of the threats detected in the last 24 hours.

Summary of Threats Detected in the Last 7 Days — Displays a summary of the threats detected in the last seven days.

Threat Count by Severity — Specifies the slice count, which is the number of Agentless events; each slice represents a different event severity for the last months.

Threat Names Detected per Week — Displays the name and number of different threats detected every week for the last three months.

Threats Detected in the Last 24 Hours — Specifies the number of threats detected in the last 24 hours.

Threats detected in the Last 7 Days — Specifies the number of threats detected in the last seven days.

Threats Detected Over the Previous 2 Quarters — Specifies the number of threats detected for the last three quarters.

Threats Detected per Week — Displays the number of threats detected every week for the last three months.

Top 10 Detected Threats — Displays the top 10 threats detected in the last three months.

Top 10 Scanned File Extensions for each SVM — Lists the top 10 file extensions scanned by the SVM.

Top 10 Scanned Files for each SVM — Lists the top 10 files scanned by the SVM.

Top 10 Scanned Virtual Machines for each SVM — Lists the top 10 virtual machines that are sending the most scan and checksum requests.

Top 10 Threats per Threat Category — Displays the top 10 threats in a threat category for the last three months. The threats are grouped by threat category and threat name.

Top 10 Virtual Machines with the Most Detections — Displays the top 10 virtual machines with the most threat detections in the last three months.

Unwanted Programs Detected in the Last 24 Hours — Displays the number of potentially unwanted program events for the last 24 hours.

Unwanted Programs Detected in the Last 7 Days — Displays the number of potentially unwanted program events for the last seven days.

Virtual Machines with Threats Detected per Week — Displays the number of virtual machines detected with threats per week for the last three months.

McAfee MOVE AntiVirus server tasks

(For Multi-Platform only) If there is a connectivity issue with the SVM Manager, you must generate the certificates for McAfee MOVE AntiVirus.

(For Agentless only) You can run the server task to list the number of VMs being managed by the licensed SVM.

(For Multi-Platform only) MOVE AntiVirus: Generate Certificates

If there is a connectivity issue with the SVM Manager, you must generate the certificates for McAfee MOVE AntiVirus, so that the McAfee MOVE AntiVirus SVM and SVM Manager communicate and authenticate each other properly. For details, see Generate the certificates for McAfee MOVE AntiVirus in the McAfee MOVE AntiVirus 4.5.1 Installation Guide.

(Agentless only) MOVE AntiVirus: Compute licensing information

From Menu | Automation | Server Tasks, you can run MOVE AntiVirus: Compute licensing information server task to list the number of VMs being managed by the licensed SVM. You can find the output of this server task from MOVE AntiVirus: Licensing information Queries & Reports.


5 Client command-line interface reference

You can access the McAfee MOVE AntiVirus (Multi-Platform) client command-line interface (CLI) on the agent virtual machine to perform basic maintenance tasks.

The CLI is a series of commands that you can issue to the mvadm utility. Each command has arguments that can be appended to the command to modify its behavior. This reference lists each command in mvadm, and all argument variations.

Contents

Accessing the CLI

Password protected CLI

Accessing the CLI

A shortcut to the Multi-Platform command-line interface (CLI) is added to the Windows Start menu during installation.

• Open the Multi-Platform CLI: click Start | Programs | McAfee | MOVE AV Client Command Prompt.

This command prompt has administrator rights.

At this command prompt, you can type commands that activate the mvadm utility to perform administration tasks on the virtual machine.

config

Use the config command to display and edit the configuration settings that are applied to the current installation.

mvadm config set NAME=VALUE

mvadm config show

Arguments

set NAME=VALUE — Sets the value of the configuration setting NAME to VALUE.

show — Lists the configuration settings.

Parameters (each entry gives the parameter, its allowed value and default, then its description)

AllowNetworkScan — 0 (off) or 1 (on). Defaults to 0. Enables or disables scanning of files residing on a network path.

ConnTimeout — A positive integer value. Defaults to 0 (no timeout). Sets the connection timeout in milliseconds.


EventSink — An integer between 0 (no notifications) and 14 (all notifications). Defaults to 14. Determines where threat events are sent. The total combines the values for Windows Event Viewer log (2), McAfee ePO Threat Event Log (4), and McAfee system tray pop-up menu (8).

IntegrityEnabled — An integer between 0 (no self-protection) and 7 representing a binary value. Defaults to 7 (all self-protections). Determines the active self-protections. The total combines the values for file (1), registry (2), and services (4).

LogFileNum — A positive integer value. Defaults to 4. Limits the number of log files allowed before they are rotated.

LogFileSize — An integer greater than 1024. Defaults to 2048. Limits the size (in KB) of an individual log file.

MaxFileSize — A positive integer value. Defaults to 40. Limits the size (in MB) of files for which scan results are cached. Files up to this size are transferred completely to the SVM for scanning.

QuarantineEnabled — 0 (off) or 1 (on). Defaults to 1. Enables or disables quarantine services.

QuarantineFolder — A valid file path. Defaults to C:\Quarantine. Determines where quarantined files are stored. Cannot be a mapped network drive or UNC file path.

QuarantineDays — A positive integer. Defaults to 28. Determines the number of days quarantined files are stored before being deleted. Submitting a 0 turns off quarantined file deletion.

RTEMode — 0 (off) or 1 (on). Defaults to 0. Indicates protection status on the virtual machine. This value cannot be changed through the config command.

OASStatus — 0 (off) or 1 (on). Defaults to 0. Indicates on-access scan status on the virtual machine. This value cannot be changed through the config command.

ODSStatus — 0 (off) or 1 (on). Defaults to 0. Indicates on-demand scan status on the virtual machine. This value cannot be changed through the config command.

ScanAllFileTypes — 0 (specific extensions) or 1 (all files). Defaults to 1. Determines whether to scan all files or only specific extensions.

ODSScanAllFileTypes — 0 (specific extensions) or 1 (all files). Defaults to 1. Determines whether to scan all files or only specific extensions during on-demand scan.

ScanFlags — An integer between 0 (no operations scanned) and 7 representing a binary value. Defaults to 7 (all operations scanned). Determines which operations trigger scanning. The total combines the values for Read (1), Write (2), and Backup (4).

ScanTimeout — A positive integer. Defaults to 45000. Limits the time (in milliseconds) allowed for file scans, after which the file can be accessed.

ODSScanTimeout — A positive integer. Defaults to 45000. Limits the time (in milliseconds) allowed for an on-demand scan, after which the file can be accessed.

ServerAddress1 — An IPv4 address or FQDN. No default. Specifies the IPv4 address or FQDN of the primary SVM used by the virtual machine.


ServerAddress2 — An IPv4 address or FQDN. No default. Specifies the IPv4 address or FQDN of the secondary SVM used by the virtual machine.

ServerPort1 — Between 1024 and 65535. Defaults to 9053. Specifies the port used to communicate with the primary SVM.

ServerPort2 — Between 1024 and 65535. Defaults to 9053. Specifies the port used to communicate with the secondary SVM.

ThreatAction1 — 0 (delete) or 1 (deny access). Defaults to 0. Determines the primary action taken when a threat is detected.

ThreatAction2 — 0 (delete) or 1 (deny access). Defaults to 1. Determines the secondary action taken when a threat is detected.

ODSThreatAction1 — 0 (delete) or 1 (deny access). Defaults to 0. Determines the primary action taken when a threat is detected during on-demand scan.

ODSThreatAction2 — 0 (delete) or 1 (deny access). Defaults to 1. Determines the secondary action taken when a threat is detected during on-demand scan.

SVMManagerAddress — An IPv4 address or FQDN. No default. Specifies the IPv4 address or FQDN of the SVM Manager.

SVMManagerPort — Between 1024 and 65535. Defaults to 8080. Specifies the port used to communicate with the SVM Manager.
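As an added example that is not McAfee's code, the following Python checks a client's settings against the ranges, defaults and bitmask meanings in the config reference above, decoding EventSink, IntegrityEnabled and ScanFlags into the documented components so a missing ePO event sink or a disabled Write scan stands out. It assumes that mvadm config show prints NAME=VALUE lines (the guide does not show the output format), and the sample output is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Bit values exactly as the client config reference above documents them.
EVENTSINK_BITS = {2: "Windows Event Viewer log", 4: "McAfee ePO Threat Event Log",
                  8: "McAfee system tray pop-up menu"}
INTEGRITY_BITS = {1: "file", 2: "registry", 4: "services"}
SCANFLAGS_BITS = {1: "Read", 2: "Write", 4: "Backup"}

# Setting -> (minimum, maximum or None when unbounded, documented default).
SPEC: Dict[str, Tuple[int, Optional[int], int]] = {
    "AllowNetworkScan": (0, 1, 0), "EventSink": (0, 14, 14),
    "IntegrityEnabled": (0, 7, 7), "ScanFlags": (0, 7, 7),
    "ScanAllFileTypes": (0, 1, 1), "ODSScanAllFileTypes": (0, 1, 1),
    "QuarantineEnabled": (0, 1, 1), "QuarantineDays": (0, None, 28),
    "MaxFileSize": (1, None, 40), "ScanTimeout": (1, None, 45000),
}


def parse_config_show(text: str) -> Dict[str, str]:
    """Parse NAME=VALUE lines. Assumption: 'mvadm config show' prints settings in
    the NAME=VALUE form that 'config set' accepts; the guide does not show it."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9]+)\s*=\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def missing_bits(value: int, names: Dict[int, str]) -> List[str]:
    """Documented parts that a bitmask setting leaves switched off."""
    return [name for bit, name in sorted(names.items()) if not value & bit]


def audit(cfg: Dict[str, str]) -> List[str]:
    """Findings for settings deviating from the documented defaults, ranges or
    constraints; an empty list means the client matches the reference."""
    findings: List[str] = []
    ints: Dict[str, int] = {}
    for name, (lo, hi, default) in SPEC.items():
        raw = cfg.get(name)
        if raw is None:
            findings.append(f"{name}: not present in config output")
            continue
        if not raw.lstrip("-").isdigit():
            findings.append(f"{name}: non-integer value {raw!r}")
            continue
        val = int(raw)
        ints[name] = val
        if val < lo or (hi is not None and val > hi):
            findings.append(f"{name}: {val} is outside the documented range")
        elif val != default:
            findings.append(f"{name}: {val} differs from the default {default}")

    # Bitmask settings: name each documented component that is switched off.
    for name, bits, text in (
            ("EventSink", EVENTSINK_BITS, "threat events are not sent to the {}"),
            ("IntegrityEnabled", INTEGRITY_BITS, "{} self-protection is off"),
            ("ScanFlags", SCANFLAGS_BITS, "{} operations do not trigger scanning")):
        if name in ints:
            for part in missing_bits(ints[name], bits):
                findings.append(f"{name}: " + text.format(part))

    # Other constraints stated in the reference.
    if ints.get("QuarantineDays") == 0:
        findings.append("QuarantineDays: 0 turns off deletion of quarantined files")
    if cfg.get("QuarantineFolder", "").startswith("\\\\"):
        findings.append("QuarantineFolder: UNC paths are not allowed")
    if not cfg.get("ServerAddress1"):
        findings.append("ServerAddress1: no primary SVM configured")
    return findings


# Constructed sample output (not captured from a real client): the ePO sink bit
# is missing from EventSink and the quarantine folder is a UNC path.
SAMPLE_CONFIG_SHOW = """AllowNetworkScan=0
EventSink=10
IntegrityEnabled=7
ScanFlags=7
ScanAllFileTypes=1
ODSScanAllFileTypes=1
QuarantineEnabled=1
QuarantineDays=28
MaxFileSize=40
ScanTimeout=45000
ServerAddress1=192.0.2.10
QuarantineFolder=\\\\fileserver\\quarantine
"""

if __name__ == "__main__":
    for finding in audit(parse_config_show(SAMPLE_CONFIG_SHOW)):
        print(finding)
```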

disable

Use the disable command to disable the McAfee MOVE AntiVirus client on the virtual machine.

mvadm disable

Arguments

default — Disables the McAfee MOVE AntiVirus client on the virtual machine.

This command removes virus protection from the virtual machine leaving it vulnerable to threats.

enable

Use the enable command to enable the McAfee MOVE AntiVirus client on the virtual machine.

mvadm enable

Arguments

default — Enables the McAfee MOVE AntiVirus client. This restores virus protection to the virtual machine.


ftypes

Use the ftypes command to display and edit the list of file extensions to be sent for anti-virus scanning.

mvadm ftypes add oas extn

mvadm ftypes remove oas extn

mvadm ftypes list oas

mvadm ftypes add oas exe pdf zip

mvadm ftypes add ods exe pdf zip

Wildcards are not supported by the ftypes command, and extensions must be an exact match.

Issuing an mvadm ftypes add doc command does not cause .DOCX files to be scanned.

Arguments

add oas extn — Causes the files with extension extn to be included for anti-virus scanning.

remove oas extn — Removes the files with extension extn from the list of files to be included for anti-virus scanning.

list oas — Lists the file extensions to be included for on-access scan.

add oas exe pdf zip — Adds the files with extensions exe pdf zip to be included for on-access scan.

add ods exe pdf zip — Adds the files with extensions exe pdf zip to be included for on-demand scan.

help

Use the help command to display usage information for the mvadm utility.

mvadm help

mvadm help command

Arguments

default — Lists the summary description for the McAfee MOVE AntiVirus client CLI commands.

command — Lists the detailed help for the provided command.

loglevel

Use the loglevel command to view and edit the log level of the McAfee MOVE AntiVirus client.

mvadm loglevel

mvadm loglevel enable {MODULE_NAME | ALL} {TYPES... | ALL}

mvadm loglevel disable {MODULE_NAME | ALL} {TYPES... | ALL}


Arguments

default — Lists the current log level of each module that is part of the McAfee MOVE AntiVirus client. Use this form to get a full list of modules for use with other forms of the loglevel command.

enable {MODULE_NAME | ALL} {TYPES... | ALL} — Sets the log level for module MODULE_NAME or all modules to the specified log level types or to all types.

disable {MODULE_NAME | ALL} {TYPES... | ALL} — Clears the specified log level types or all types for module MODULE_NAME or for all modules.

These are the supported log level types:

• Error

• Warning

• System

• Info

• Detail

• Fnentry

• Fnexit

pp

Use the pp command to specify trusted processes. All files acted upon by a trusted process are excluded from scans.

The process passthru rule supports these path formats:

• Just the process name, for example: xyz.exe

• Partial path, for example: abc\xyz.exe

• Complete path, for example: C:\abc\xyz.exe

• Windows path, for example: %windir%\abc\xyz.exe

Note these points while using the pp command to specify trusted processes:

• If %abc% does not resolve, it is skipped from the list.

• This format is only valid from McAfee ePO.

• This resolves the path with respect to the system user.

mvadm pp list oas

mvadm pp list ods

mvadm pp add oas <process path>

mvadm pp remove oas <process path>

mvadm pp set <process path>

mvadm pp add oas <file path>

Arguments

list oas — Displays a list of all trusted processes for on-access scan.

list ods — Displays a list of all trusted processes for on-demand scan.


add oas <process image path> — Adds the specified process (or processes) as a trusted process. As an example: mvadm pp add userprofilemanager.exe. All files acted upon by the userprofilemanager.exe file are excluded from the scan.

remove oas <process image path> — Removes the specified process (or processes) as a trusted process.

set <process image path> — Removes all existing trusted processes and adds the specified process (or processes) as trusted processes.

add oas <file path> — Adds the specified file path as a trusted file path for on-access scan. For example: mvadm pp add oas c:\windows\system32\notepad.exe. All file paths acted upon by the c:\windows\system32\notepad.exe file path are excluded from on-access scan.

exp

Use the exp command to specify path exclusion. All paths acted upon by a trusted process are excluded from on-access scan.

mvadm exp add oas <file path>

mvadm exp list oas

Arguments

add oas <file path> — Excludes the specified file path from on-access scan. For example: mvadm exp add oas "3|11|c:\folder1\*.txt"

• 3|11 — This scans the specified directory only.

• 3|15 — This scans the specified directory and its subdirectories.

All file paths matched by 3|11|c:\folder1\*.txt are excluded during on-access scan.

list oas — Lists the file paths excluded from on-access scan.

q

Use the q command to change McAfee MOVE AntiVirus (Multi-Platform) quarantine behavior.

mvadm q list

mvadm q restore <detected as>

mvadm q remove <detected as>


Arguments

list — Lists the currently quarantined files and their detection type.

restore <detected as> — Restores all .VIR files from the currently configured quarantine folder with the specified <detected as> category.

remove <detected as> — Deletes all .VIR files from the currently configured quarantine folder with the specified <detected as> category.

status

Use the status command to display the current state of the McAfee MOVE AntiVirus client in terms of operational mode (enabled or disabled) and its McAfee MOVE AntiVirus Multi-Platform SVM details.

mvadm status

Arguments

default — Lists the current McAfee MOVE AntiVirus client status.

OASStatus — Displays the current status of the on-access scan.

ODSStatus — Displays the current status of the on-demand scan.

ODSScanAllFiletypes — Lists whether all file types are scanned by the on-demand scan.

Example

C:\Program Files\McAfee\MOVE AV client>mvadm status

Scan Configuration: Enabled

On Access Scan: Enabled

On Demand Scan: Disabled

Driver Status: Driver is loaded

Primary Server: 10.216.19.210:9053 [Active]

Secondary Server: NONE:9053 [Not Configured]

SVM Manager: 10.216.19.154:8080 [Configured]

Protection Status: Enabled

version

Use the version command to display the version of the McAfee MOVE AntiVirus client installed on the virtual machine.

mvadm version

Arguments

default — Displays the version of the McAfee MOVE AntiVirus client installed on the virtual machine. This is most useful for verifying that an upgrade operation is complete, or checking if an upgrade is needed.


Password protected CLI

Set the password protection through the client policy to prevent users from changing the anti-virus settings, or disabling the AV protection.

After setting the password, you must type the password to execute any of these commands on the mvadm command line of the clients.

• config

• disable

• enable

• filetypes

• procpassthru

• loglevel

Set password for client CLI

Specify the password on the McAfee ePO server to prevent users from changing the AV settings, or disabling the AV protection on the client.

Before you begin

You installed the McAfee MOVE AntiVirus extension on the McAfee ePO server.

Task

For details about product features, usage, and best practices, click ? or Help.

1. Log on to McAfee ePO as an administrator.

2. Select Menu | Policy | Policy Catalog, then select MOVE AntiVirus Common 4.5.1 from the Product list.

3. From the Category list, select Options.

4. Click the name of an editable policy.

5. Select Enable Self-Protection for MOVE CLI, type the password, then retype it in Confirm Password.

6. Click Save to modify the policy.

You can now verify that the commands on the client system are password-protected.


6 Server command-line interface reference

You can access the command-line interface (CLI) on the SVM virtual machine to perform basic maintenance tasks.

The CLI is a series of commands that you can issue to the mvadm utility. Each command has arguments that can be appended to the command to modify the command's behavior. This reference lists each command in mvadm, and all argument variations.

Access the CLI

A shortcut to the command-line interface (CLI) for the SVM is added to the Windows Start menu during installation.

Task

Open the McAfee MOVE AntiVirus SVM CLI: click Start | Programs | McAfee | MOVE AV Server Command Prompt.

This command prompt has administrator rights.

At this command prompt, you can type commands that activate the mvadm utility to perform administration tasks on the SVM.

cache

Use the cache command to perform operations on the SVM's scan cache.

mvadm cache save cfilename
mvadm cache load cfilename
mvadm cache list
mvadm cache flush
mvadm cache info

Arguments

save cfilename
  Save the current set of checksums from the trusted checksum cache to the file cfilename.

load cfilename
  Load the checksums from file cfilename to the trusted checksum cache.

list
  List the checksums available in the trusted checksum cache.

flush
  Remove all checksums from the trusted checksum cache.

info
  Print details of the trusted checksum cache.

config

Use the config command to display and edit the configuration settings that are applied to current installation.

mvadm config set NAME=VALUE
mvadm config show

Arguments

set NAME=VALUE
  Sets the value of the configuration setting NAME to VALUE.

show
  Lists the configuration settings.

Parameters

ComputeCksum
  Value: 0 (server) or 1 (client). Defaults to 1.
  Description: Determines whether to use the server-computed checksum of the file or the checksum sent by the McAfee MOVE AntiVirus client.

ConnTimeout
  Value: A positive integer value. Defaults to 0 (no timeout).
  Description: Sets the connection timeout in milliseconds.

GTILevel
  Value: Between 0 (disabled) and 5 (Very High). Defaults to 1 (Very Low).
  Description: Sets the Global Threat Intelligence level.

IntegrityEnabled
  Value: 0 (off) or 1 (on). Defaults to 1.
  Description: Enables or disables the self-protection feature.

LogFileNum
  Value: A positive integer value. Defaults to 4.
  Description: Limits the number of log files allowed before they are rotated.

LogFileSize
  Value: An integer greater than 1024. Defaults to 2048.
  Description: Limits the size (in KB) of an individual log file.

MaxCacheItems
  Value: A positive integer value. Defaults to 1,000,000.
  Description: Limits the number of items that can exist in the cache.

NumThreads
  Value: Between 0 and 500. Defaults to 300.
  Description: Limits the number of available scan request threads.

ScanArchiveFiles
  Value: 0 (off) or 1 (on). Defaults to 0.
  Description: Enables or disables scanning inside archive files.

ScanPUPS
  Value: 0 (off) or 1 (on). Defaults to 0.
  Description: Enables or disables checking for potentially unwanted programs (PUPs). Scan behavior is determined by VirusScan Enterprise settings.

ServerPort1
  Value: Between 1024 and 65535. Defaults to 9053.
  Description: Determines the port on which the server listens for client requests.

SVMManagerAddress
  Value: An IPv4 address or FQDN. No default.
  Description: Specifies the IPv4 address or FQDN of the SVM Manager.

SVMManagerPort
  Value: Between 1024 and 65535. Defaults to 8080.
  Description: Specifies the port used to communicate with SVM Manager.

RAMDiskEnabled
  Value: 1 (0x1)
  Description: Enables or disables the RAM disk option.

MaxNumClients
  Value: 250 (0xf4240). Note that the guide prints 0xf4240, which is 1,000,000 in decimal, next to 250; check the effective value with mvadm config show.
  Description: Maximum number of clients that can be connected to the OSS.

OSSGUID
  Value: <GUID>
  Description: Unique GUID required to register the SVM with SVM Manager.
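The following script is an added example, not part of this guide and not McAfee tooling. It audits the output of mvadm config show against the documented ranges in the table above and flags the in-range settings that weaken protection, such as IntegrityEnabled=0 (self-protection off) and GTILevel=0. It assumes that mvadm config show prints one NAME=VALUE pair per line; the sample output and the hostname in it are constructed.

```python
"""Audit the settings printed by `mvadm config show` on a MOVE AntiVirus SVM
against the value ranges documented in the config parameter table.

Added example; not McAfee code. It assumes `mvadm config show` prints one
NAME=VALUE pair per line (adjust LINE_RE if your build differs).
"""
import re
from typing import Dict, List, Optional, Tuple

# Documented (minimum, maximum, default) for each numeric parameter.
# A maximum of None means the guide states no upper bound.
LIMITS: Dict[str, Tuple[int, Optional[int], int]] = {
    "ComputeCksum": (0, 1, 1),
    "ConnTimeout": (0, None, 0),
    "GTILevel": (0, 5, 1),
    "IntegrityEnabled": (0, 1, 1),
    "LogFileNum": (1, None, 4),
    "LogFileSize": (1025, None, 2048),      # "greater than 1024"
    "MaxCacheItems": (1, None, 1_000_000),
    "NumThreads": (0, 500, 300),
    "ScanArchiveFiles": (0, 1, 0),
    "ScanPUPS": (0, 1, 0),
    "ServerPort1": (1024, 65535, 9053),
    "SVMManagerPort": (1024, 65535, 8080),
}

# Constructed sample of `mvadm config show` output (not captured from a
# real SVM); the SVM Manager hostname is a placeholder.
SAMPLE_CONFIG_SHOW = """\
ComputeCksum=1
ConnTimeout=0
GTILevel=0
IntegrityEnabled=0
LogFileNum=4
LogFileSize=512
MaxCacheItems=1000000
NumThreads=300
ScanArchiveFiles=0
ScanPUPS=0
ServerPort1=9053
SVMManagerAddress=svmmanager.example.internal
SVMManagerPort=8080
"""

LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*=\s*(\S+)\s*$")


def parse_config(text: str) -> Dict[str, str]:
    """Turn NAME=VALUE lines into a dict; lines that do not match are ignored."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit_config(cfg: Dict[str, str]) -> List[str]:
    """Return findings, each prefixed with a check label or severity."""
    findings: List[str] = []
    for name, (lo, hi, _default) in LIMITS.items():
        raw = cfg.get(name)
        if raw is None:
            findings.append(f"MISSING {name}: not present in output")
            continue
        try:
            val = int(raw)
        except ValueError:
            findings.append(f"INVALID {name}={raw!r}: not an integer")
            continue
        if val < lo or (hi is not None and val > hi):
            bound = f"{lo}..{hi}" if hi is not None else f">={lo}"
            findings.append(f"RANGE {name}={val}: documented range is {bound}")
    # Settings that are within range but weaken protection.
    if cfg.get("IntegrityEnabled") == "0":
        findings.append("HIGH IntegrityEnabled=0: self-protection is disabled")
    if cfg.get("GTILevel") == "0":
        findings.append("MEDIUM GTILevel=0: Global Threat Intelligence lookups are disabled")
    if cfg.get("ScanArchiveFiles") == "0":
        findings.append("INFO ScanArchiveFiles=0: files inside archives are not scanned")
    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_config(SAMPLE_CONFIG_SHOW)):
        print(finding)
```

Run it on the captured output of mvadm config show from the SVM command prompt; on the constructed sample it reports the undersized LogFileSize and the three weakened settings.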

help

Use the help command to display usage information for the mvadm utility.

mvadm help
mvadm help command

Arguments

default
  Lists the summary description for the McAfee MOVE AntiVirus SVM CLI commands.

command
  Lists the detailed help for command command.

loglevel

Use the loglevel command to view and edit the log level of the McAfee MOVE AntiVirus SVM modules.

mvadm loglevel
mvadm loglevel enable {MODULE_NAME | ALL} {TYPES... | ALL}
mvadm loglevel disable {MODULE_NAME | ALL} {TYPES... | ALL}

Arguments

default
  Lists the current log level of each module in the McAfee MOVE AntiVirus SVM. Use this form to get a full list of modules for use with the other forms of the loglevel command.

enable {MODULE_NAME | ALL} {TYPES... | ALL}
  Sets the log level for module MODULE_NAME or all modules to the specified log level types or to all types.

disable {MODULE_NAME | ALL} {TYPES... | ALL}
  Clears the specified log level types or all types for MODULE_NAME or for all modules.

These are the supported log level types:

• Error

• Warning

• System

• Info

• Detail

• Fnentry

• Fnexit

stats

Use the stats command to display the current statistics of the McAfee MOVE AntiVirus SVM.

mvadm stats

Arguments

default
  Displays current usage and performance statistics for the McAfee MOVE AntiVirus SVM.

The statistics are collected in real time, and the displayed data is a snapshot of the information at the time the command was invoked. The full list of reported statistics is shown in the example output.

Example output

C:\>mvadm stats

Total number of cksum req: 13125

Total number of file transfer req: 11825

Total number of smart file req: 14

Total number of scans on RAM disk: 11825

Cksum cache hit: 1300

Total av scan req: 11825

Total av scan failure: 0

Data recv failure: 0

Resp send failure: 0

Total scan threads: 300

Total heart beat threads: 0

Total idle threads: 300

Number of requests in queue: 0

Number of items in cache: 0

Avg request process time: 0.045183 sec

Avg request wait time: 0.000000 sec

Number of frequently modified files scanned: 848

Data saved for frequently modified files: 98%

Maximum entries for frequently modified files: 25

Total Tie Requests: 95486

Total Tie File Reputation Requests: 90622

Total Tie Cert Reputation Requests: 36

Total ATD candidates: 851

Total ATD successful submissions: 76

Total Tie Cache Hits: 4712

Total Tie Certificate Cache Hits: 116

Total Tie File Reputation change events: 140

Total Tie Certificate reputation change events: 0

Total Tie Certificate hashes in Global cache: 34

Total Tie File hashes in Global cache: 46827

Tie Avg Response Time per Request: 0.370643 sec
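As an added example that is not part of this guide or of McAfee's tooling, the following Python script parses the mvadm stats output shown above into numbers and derives the indicators the raw counters do not show directly: checksum cache hit ratio, scan failure ratio, scan thread utilization and queue depth. The alert thresholds are assumptions chosen for illustration, and the sample input is an excerpt of the example output above.

```python
"""Parse `mvadm stats` output and derive health indicators for a MOVE
AntiVirus SVM.

Added example, not McAfee code. The thresholds below are assumptions
chosen for illustration; tune them to your environment.
"""
import re
from typing import Dict, List

# Excerpt of the guide's example `mvadm stats` output, used as sample input.
SAMPLE_STATS = """\
Total number of cksum req: 13125
Total number of file transfer req: 11825
Total number of smart file req: 14
Total number of scans on RAM disk: 11825
Cksum cache hit: 1300
Total av scan req: 11825
Total av scan failure: 0
Data recv failure: 0
Resp send failure: 0
Total scan threads: 300
Total heart beat threads: 0
Total idle threads: 300
Number of requests in queue: 0
Number of items in cache: 0
Avg request process time: 0.045183 sec
Avg request wait time: 0.000000 sec
Number of frequently modified files scanned: 848
Data saved for frequently modified files: 98%
Total Tie Requests: 95486
Tie Avg Response Time per Request: 0.370643 sec
"""

# "<name>: <number>" with an optional "%" or "sec" unit suffix.
STAT_RE = re.compile(r"^\s*(.+?)\s*:\s*([0-9]+(?:\.[0-9]+)?)\s*(?:%|sec)?\s*$")


def parse_stats(text: str) -> Dict[str, float]:
    """Map each counter name to its numeric value; unparseable lines are skipped."""
    stats: Dict[str, float] = {}
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            stats[m.group(1)] = float(m.group(2))
    return stats


def derive_metrics(stats: Dict[str, float]) -> Dict[str, float]:
    """Ratios that the raw counters do not show directly."""
    cksum_req = stats.get("Total number of cksum req", 0.0)
    scans = stats.get("Total av scan req", 0.0)
    threads = stats.get("Total scan threads", 0.0)
    idle = stats.get("Total idle threads", 0.0)
    return {
        "cache_hit_ratio": stats.get("Cksum cache hit", 0.0) / cksum_req if cksum_req else 0.0,
        "scan_failure_ratio": stats.get("Total av scan failure", 0.0) / scans if scans else 0.0,
        "thread_utilization": (threads - idle) / threads if threads else 0.0,
        "queue_depth": stats.get("Number of requests in queue", 0.0),
    }


def health_check(stats: Dict[str, float]) -> List[str]:
    """Return alert strings for conditions that usually mean scanning is degraded."""
    m = derive_metrics(stats)
    alerts: List[str] = []
    # Failed scans are files that were never inspected.
    if m["scan_failure_ratio"] > 0.01:
        alerts.append(f"scan failures at {m['scan_failure_ratio']:.1%} of requests")
    # Transport errors between clients and the SVM.
    for key in ("Data recv failure", "Resp send failure"):
        if stats.get(key, 0.0) > 0:
            alerts.append(f"{key}: {int(stats[key])} client/SVM transport errors")
    # Every thread busy and work still queued: the SVM is saturated.
    if m["thread_utilization"] >= 1.0 and m["queue_depth"] > 0:
        alerts.append(f"all scan threads busy with {int(m['queue_depth'])} requests queued")
    if stats.get("Avg request wait time", 0.0) > 1.0:
        alerts.append("average request wait time above 1 second")
    return alerts


if __name__ == "__main__":
    parsed = parse_stats(SAMPLE_STATS)
    print(derive_metrics(parsed))
    print(health_check(parsed) or "no alerts")
```

Because the counters are cumulative since the SVM started, run the check on the difference between two snapshots when you want the failure ratio for a time window rather than for the SVM's whole uptime.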

version

Use the version command to display the version of the McAfee MOVE AntiVirus SVM application installed on the server virtual machine.

mvadm version

Arguments

default
  Displays the version number of the McAfee MOVE AntiVirus SVM. This is most useful for verifying that an update has completed successfully, or checking if an update is needed.


7

Troubleshooting

Use this information to resolve problems while running McAfee MOVE AntiVirus and using its deployment modes.

Contents

Error codes

Frequently asked questions

Error codes

Here are explanations of some of the errors that you might see while deploying and managing the McAfee MOVE AntiVirus product. You might see these errors on the McAfee ePO pages and/or in the log files.

Product Area: McAfee MOVE AntiVirus SVM (Agentless)

You might see these errors on the McAfee ePO pages and/or in the log files while deploying and managing the McAfee MOVE AntiVirus SVM (Agentless).

MOVE_ERROR_20001

Error string: [MOVE_ERROR_20001] Failed to create quarantine mount event

Cause: Quarantine details might not be configured properly.

Workaround:

1

Verify that quarantine details are configured under the Options policy in McAfee ePO.

2

Run the policy collector and send an agent wake-up call to the target SVM.

3

From the SVM, open /opt/McAfee/move/etc/optpolicy.xml and verify that the quarantine details are updated.

4

Verify that the quarantine path resolves from both the McAfee ePO server and the McAfee MOVE AntiVirus SVM.

5

Make sure that the user has administrator privileges on the quarantine share folder.


MOVE_ERROR_20002

Error string: [MOVE_ERROR_20002] Mounting <name of the network mount> failed, error(<system error code>): <system error message>

Cause: Quarantine details might not be configured properly.

Workaround:

1

Verify that quarantine details are configured under the Options policy in McAfee ePO.

2

Run the policy collector and send an agent wake-up call to the target SVM.

3

From the SVM, open /opt/McAfee/move/etc/optpolicy.xml and verify that the quarantine details are updated.

4

Verify that the quarantine path resolves from both the McAfee ePO server and the McAfee MOVE AntiVirus SVM.

5

Make sure that the user has administrator privileges on the quarantine share folder.

MOVE_ERROR_20003

Error string: [MOVE_ERROR_20003] Mounting [name of the local storage mode] failed, error((<system error code>)): <system error message>

Cause: Quarantine details might not be configured properly.

Workaround:

1

Verify that quarantine details are configured under the Options policy in McAfee ePO.

2

Run the policy collector and send an agent wake-up call to the target SVM.

3

From the SVM, open /opt/McAfee/move/etc/optpolicy.xml and verify that the quarantine details are updated.

4

Verify that the quarantine path resolves from both the McAfee ePO server and the McAfee MOVE AntiVirus SVM.

5

Make sure that the user has administrator privileges on the quarantine share folder.

MOVE_ERROR_20004

Error string: [MOVE_ERROR_20004] Detected malware <name of the malware>, quarantaine failed hence file is not deleted, file has been DENIED ACCESS, VMID: <ID of the VM> filename: <name of the file>

Cause: Quarantine details might not be configured properly.

Workaround:

1

Verify that quarantine details are configured under the Options policy in McAfee ePO.

2

Run the policy collector and send an agent wake-up call to the target SVM.

3

From the SVM, open /opt/McAfee/move/etc/optpolicy.xml and verify that the quarantine details are updated.

4

Verify that the quarantine path resolves from both the McAfee ePO server and the McAfee MOVE AntiVirus SVM.

5

Make sure that the user has administrator privileges on the quarantine share folder.


MOVE_ERROR_20005

Error string (one of these):

• [MOVE_ERROR_20005] hyper_register unable to contact the hypervisor <name of the exception> Please verify the hypervisor information supplied in the SVA policy on ePO

• [MOVE_ERROR_20005] hyper_register unable to contact the hypervisor <name of the exception> due to invalid credentials. Please verify the hypervisor information supplied in the SVA policy on ePO

• [MOVE_ERROR_20005] hyper_register unable to contact the hypervisor <name of the exception> due to invalid hypervisor URL. Please verify the hypervisor information supplied in the SVA policy on ePO

Cause: vCenter or hypervisor details might not be configured properly.

Workaround:

1

Verify that the vCenter or hypervisor details are configured under the SVM Settings policy in McAfee ePO.

2

Run the policy collector and send an agent wake-up call to the target SVM.

3

From the SVM, open /opt/McAfee/move/etc/svapolicy.xml and verify that the vCenter or hypervisor details are updated.

MOVE_ERROR_20006

Error string: [MOVE_ERROR_20006] hyper_register unable to contact the hypervisor due to timeout <name of the exception> Please verify the hypervisor information supplied in the SVA policy on ePO and retry

Cause: vCenter or hypervisor details might not be configured properly.

Workaround:

1

Verify that the vCenter or hypervisor details are configured under the SVM Settings policy in McAfee ePO.

2

Run the policy collector and send an agent wake-up call to the target SVM.

3

From the SVM, open /opt/McAfee/move/etc/svapolicy.xml and verify that the vCenter or hypervisor details are updated.

4

Verify that you are able to log on to the vCenter or hypervisor.

5

Verify that the vCenter or hypervisor is up and running.
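The following script is an added example, not McAfee code: it extracts MOVE_ERROR_2000x events from SVM log text, pulls the variable parts out of the MOVE_ERROR_20002 and MOVE_ERROR_20004 strings documented above (mount name, system error code and message, malware name, VM ID, file name), and attaches the documented cause. The layout of the log line around the bracketed error string, and the sample lines themselves, are constructed; only the bracketed error strings follow the documented formats.

```python
"""Extract and classify MOVE_ERROR_2000x events from SVM log text.

Added example, not McAfee code. The log line layout (timestamp, level,
then the documented error string) and the sample lines are constructed;
only the bracketed error strings follow the formats documented in the guide.
"""
import re
from collections import Counter
from typing import Dict, List

# Documented causes for the Agentless SVM error codes.
CAUSES: Dict[str, str] = {
    "MOVE_ERROR_20001": "Quarantine details might not be configured properly.",
    "MOVE_ERROR_20002": "Quarantine details might not be configured properly.",
    "MOVE_ERROR_20003": "Quarantine details might not be configured properly.",
    "MOVE_ERROR_20004": "Quarantine details might not be configured properly.",
    "MOVE_ERROR_20005": "vCenter or hypervisor details might not be configured properly.",
    "MOVE_ERROR_20006": "vCenter or hypervisor details might not be configured properly.",
}

CODE_RE = re.compile(r"\[(?P<code>MOVE_ERROR_\d{5})\]")

# Field extractors for the error strings that carry variable parts.
# "quarant\w*" tolerates the spelling the product uses in the 20004 string.
FIELD_RES = {
    "MOVE_ERROR_20002": re.compile(
        r"\[MOVE_ERROR_20002\] Mounting (?P<mount>\S+) failed, "
        r"error\((?P<errno>\d+)\): (?P<message>.+)$"
    ),
    "MOVE_ERROR_20004": re.compile(
        r"\[MOVE_ERROR_20004\] Detected malware (?P<malware>.+?), "
        r"quarant\w* failed hence file is not deleted, file has been DENIED ACCESS, "
        r"VMID: (?P<vmid>\S+) filename: (?P<filename>.+)$"
    ),
}

# Constructed sample log lines (not real SVM output); hosts, VM IDs and paths
# are placeholders.
SAMPLE_LOG = r"""
2017-05-02 10:15:30 ERROR [MOVE_ERROR_20002] Mounting //quarantine.example.internal/MOVEQuarantine failed, error(13): Permission denied
2017-05-02 10:15:31 ERROR [MOVE_ERROR_20004] Detected malware EICAR-Test-File, quarantaine failed hence file is not deleted, file has been DENIED ACCESS, VMID: vm-4201 filename: C:\Users\alice\Downloads\eicar.com
2017-05-02 10:16:02 INFO  scan completed for vm-4201
2017-05-02 10:20:11 ERROR [MOVE_ERROR_20005] hyper_register unable to contact the hypervisor InvalidLogin due to invalid credentials. Please verify the hypervisor information supplied in the SVA policy on ePO
"""


def parse_move_errors(text: str) -> List[Dict[str, object]]:
    """Return one event per line that carries a MOVE_ERROR code, with any extracted fields."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = CODE_RE.search(line)
        if not m:
            continue
        code = m.group("code")
        fields: Dict[str, str] = {}
        field_re = FIELD_RES.get(code)
        if field_re:
            fm = field_re.search(line)
            if fm:
                fields = fm.groupdict()
        events.append({
            "code": code,
            "cause": CAUSES.get(code, "undocumented code"),
            "fields": fields,
            "raw": line.strip(),
        })
    return events


def summarize(events: List[Dict[str, object]]) -> Counter:
    """Count events per error code, the first thing to look at during triage."""
    return Counter(str(e["code"]) for e in events)


if __name__ == "__main__":
    found = parse_move_errors(SAMPLE_LOG)
    print(summarize(found))
    for event in found:
        print(event["code"], event["fields"])
```

A MOVE_ERROR_20004 event is a detection whose file could not be quarantined: the file stays on the guest with access denied, so the extracted VM ID and file name are what the incident responder needs, and the accompanying MOVE_ERROR_20002 line tells you why the quarantine share could not be mounted.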

Product Area: McAfee MOVE AntiVirus extension

You might see these errors on the McAfee ePO pages or/and in the log files while deploying and managing the McAfee MOVE AntiVirus product using McAfee MOVE AntiVirus extension.


MOVE_ERROR_30001

Error string: [MOVE_ERROR_30001] Critical error. Downloading ePO init files failed.

Cause:

For Static IP Pool: The provided IP Pool details might be wrong.

For DHCP: The DNS server obtained through DHCP might not resolve the FQDN or hostname of the McAfee ePO server.

Workaround:

For Static IP Pool:

1

Verify that the McAfee ePO server FQDN resolves from the client and that the client FQDN resolves from McAfee ePO.

2

Verify that the provided IP Pool details are correct.

For DHCP:

1

Verify that the McAfee ePO server FQDN resolves from the client and that the client FQDN resolves from McAfee ePO.

2

Verify that the DNS server that you got through DHCP can resolve the FQDN or hostname of the McAfee ePO server.

MOVE_ERROR_30002

Error string: [MOVE_ERROR_30002] Compatibility checking failed

Cause: MOVEALCompatMatrix.xml might not be compatible with the versions of vCenter, ESXi, vShield Manager, vShield Endpoint, and VMware Tools.

Workaround: This error can be ignored; it does not affect deploying and managing the McAfee MOVE AntiVirus product.

MOVE_ERROR_30003

Error string: [MOVE_ERROR_30003] For some VM's either VMTools is not running or VM's are not part of the AD, hence, vSheild driver installation will fail on them

Cause: VM Tools are not running on some of the VMs or the VMs are not part of the Active Directory server.

Workaround:

1

Verify that VMware Tools are running properly on all the VMs.

2

Verify that the VMs are part of the Active Directory server.

3

Verify that you configured and registered all LDAP servers, which are managing the client systems to be protected, on the McAfee ePO server.

MOVE_ERROR_30004

Error string: [MOVE_ERROR_30004] All VM's in the Hypervisor are not part of the AD, vSheild driver installation will fail on them

Cause: The VMs are not part of the Active Directory server.

Workaround:

1

Verify that the VMs are part of the Active Directory server.

2

Verify that you configured and registered all LDAP servers, which are managing the client systems to be protected, on the McAfee ePO server.


MOVE_ERROR_30005

Error string: [MOVE_ERROR_30005] VMTools in some VM's are not running, vSheild driver installation might fail on them

Cause: VM Tools are not running on some of the VMs.

Workaround:

1

Verify that VMware Tools are running properly on all the VMs.

2

Verify that the VMs are part of the Active Directory server.

3

Verify that you have configured and registered all LDAP servers, which are managing the client systems to be protected, on the McAfee ePO server.

MOVE_ERROR_30007

Error string: [MOVE_ERROR_30007] Rest api call failed with exception

Cause:

For vCNS environment: vShield Manager details are not configured properly in McAfee ePO.

or

For NSX environment: NSX Manager details are not configured properly in McAfee ePO.

Workaround:

For vCNS environment

1

Verify that you configured the vShield Manager details under MOVE AntiVirus Deployment wizard properly in McAfee ePO.

2

From McAfee ePO system, open SQL Server and verify the details under DC_AL_VSM_DETAILS table.

For NSX environment

1

Verify that you configured the NSX Manager details properly under MOVE AntiVirus Deployment wizard in McAfee ePO.

2

From McAfee ePO system, open SQL Server and verify the details under DC_AL_NSX_MANAGER_DETAILS table.

MOVE_ERROR_30008

Error string: [MOVE_ERROR_30008] Getting vsm heartbeat details : <APPLIANCE_URL> failed using : <CLIENT_DETAILS>

Cause: The vShield Manager might not be running.

Workaround:

1

Verify that the vShield Manager is up and running.

MOVE_ERROR_30009

Error string: [MOVE_ERROR_30009] Error occurred while executing service setup task. Continuing with next setup

Cause: VMs might not be synchronized properly from the vCenter account in McAfee ePO.

Workaround:

• Synchronize the vCenter account under the Registered Cloud Accounts page in McAfee ePO.


MOVE_ERROR_30010

Error string: [MOVE_ERROR_30010] NSX Manager is already registered with different McAfee ePO.

Cause: NSX Manager is registered with another McAfee ePO.

Workaround:

1

Verify that the vCenter account is registered with another McAfee ePO.

2

Verify that the NSX Manager is registered with another McAfee ePO under MOVE AntiVirus

Deployment wizard.

3

Unregister the MOVE service from Service Registration page from the MOVE AntiVirus Deployment wizard in McAfee ePO.

MOVE_ERROR_30011

Error string: [MOVE_ERROR_30011] Error occurred while communicating with NSX Manager.

Cause: NSX certificate details are not valid.

Workaround:

1

Reconfigure and validate the NSX Manager details under the Edit NSX Manager Details page in the MOVE AntiVirus Deployment wizard.

2

Verify that the validation is successful.

MOVE_ERROR_30012

Error string: [MOVE_ERROR_30012] MOVE Service cannot be unregistered or upgraded as it is used in NSX Manager Security Policy.

Cause: The Security Policy is being used in NSX Manager.

Workaround:

1

On vSphere Web Client, click Home | Networking & Security | Service Composer | Security Policy.

2

Click Edit on each security policy.

3

From the Guest Introspection Services page, delete the security policy.

4

Verify that Guest Introspection Services is showing as 0 for all listed policies under Security Policy page.

5

Delete McAfee MOVE Service deployment from Service Deployments page.

MOVE_ERROR_30013

Error string: [MOVE_ERROR_30013] MOVE Service cannot be unregistered as it is deployed on cluster(s).

Cause: SVM is deployed on the cluster(s).

Workaround:

1

On vSphere Web Client, click Home | Networking & Security | Service Composer | Security Policy.

2

Click Edit on each security policy.

3

From the Guest Introspection Services page, delete the security policy.

4

Verify that Guest Introspection Services is showing as 0 for all listed policies under Security Policy page.

5

Delete McAfee MOVE Service deployment from Service Deployments page.


Frequently asked questions

Here are answers to some of the most frequently asked questions relating to the security implications of running McAfee MOVE AntiVirus and using its deployment modes.

How can I convert the SVM Manager format to Microsoft Hyper-V format?

You must convert the .vmdk file format to .vhd file to deploy the SVM Manager to Microsoft Hyper-V.

You must attach the converted file as a hard disk to create a new virtual machine.

1

Download and install Microsoft Virtual Machine Converter 3.0 (MVMC 3.0).

The SVM Manager can only be converted using the Microsoft Virtual Machine Converter 3.0 command line Windows PowerShell scripts.

2

Click Start | All Programs | Accessories, right-click Windows PowerShell, then click Run as administrator.

3

In the PowerShell console, run this command: Import-Module "C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1"

4

For a .vhdx format image, run this command: ConvertTo-VirtualHardDisk -SourceLiteralPath "C:\VMDKs\SVM_Manager_3.x-disk1.vmdk"

5

For a .vhd format image, run this command: ConvertTo-VirtualHardDisk -SourceLiteralPath "C:\VMDKs\SVM_Manager_3.x-disk1.vmdk" -DestinationLiteralPath "C:\VHDs" -VhdType FixedHardDisk -VhdFormat Vhd

6

After you have converted the file format to .vhd or .vhdx, mount the disk image on the Microsoft Server 2012 R2 Hyper-V system:

a

On the Server 2012 R2 Hyper-V Manager, click New | Virtual Machine, then click Next.

Specify these VM details one by one on the wizard, then click Next.

VM Name
  Specify the VM name of the instance.

Memory Size
  Set the memory size of the VM.

Network Interface
  Specify the details about the network interface associated with the instance.

b

Select Use an existing virtual hard disk, specify the path to the .vhdx or .vhd file, then click Next.

c

Click Finish, then turn on the SVM Manager.

The McAfee MOVE AntiVirus detection pop-up message does not appear on the Windows desktop. How do I fix this?

Method 1:

You need to enable the McAfee Agent policy option Show the McAfee system tray icon (Windows only) to display the McAfee MOVE AntiVirus detection pop-up message on the Windows desktop.

1

Log on to McAfee ePO as an administrator.

2

Select Menu | Policy | Policy Catalog.

3

From the Product drop-down list, select McAfee Agent.

4

From the Category drop-down list, select General.

5

Click New Policy.


6

On the New Policy page, configure the policy settings, then click OK.

7

Open the newly created policy.

8

Enable Show the McAfee system tray icon (Windows only) from General Options under General tab.

9

Click Save to save the changes, then apply the policy to the clients.

Method 2 (Multi-Platform only):

If you require the Multi-Platform Threat Event pop-up alerts through a Remote Desktop Protocol (RDP) session, you can run UPDATERUI.EXE manually.

Perform these steps inside your remote session.

1

Click Start | Run.

2

Run this command: "C:\Program Files\McAfee\Common Framework\CmdAgent.exe" /s

The McAfee Agent icon now appears in the toolbar, and the OAS Statistics can be viewed in the remote session.

How can I create an on-demand scan task for a Cloud Workload Discovery VM with Agentless?

Perform these steps to create an on-demand scan task for the Cloud Workload Discovery VM with Agentless systems.

1

Check in the Cloud Workload Discovery extension to McAfee ePO and create a Registered Cloud Account for vSphere.

2

Click System Tree. You see the vSphere group that was previously added and all the client computers under that vSphere group entry.

3

Select an unmanaged computer where you want to trigger the on-demand scan:

a

Click Actions | Agent | Modify Policies on a Single System.

b

From the Product drop-down list, select MOVE AntiVirus 4.5.1.

c

From the Category drop-down list, select On Demand Scan.

d

Click New Policy.

e

On the New Policy page, configure the policy settings, then click OK.

f

Open the newly created policy, select Enable on-demand scan, then click Save.

4

Select the SVM that is managing that client VM and do an agent wake-up call.

The on-demand scan starts at the next available slot.

The Policy Collector task collects the unmanaged system policies and adds them to the SVM policy for the next policy enforcement.

What can I do if I see the warning message "Failed to get process info of (system)", which is recorded in the Multi-Platform client mvagent.log?

This is an expected behavior. This informational message can be ignored.

In some environments, you might see these warning messages in mvagent.log, which is the scan log generated by the McAfee MOVE AntiVirus (Multi-Platform) client on protected systems:


WARNING: utl_rt.c : 109: Process info is NULL for proc handle 0x4

WARNING: fsh_winnt.c : 216: Failed to get for process info of (System)

The message does not upload as an event to McAfee ePO.

How can I manually check the DAT version installed on the McAfee MOVE AntiVirus SVM in an Agentless environment?

You can check which DAT version is installed on the McAfee MOVE AntiVirus SVM using the Linux Command Line Interface (CLI).

Method 1:

1

Log on to the McAfee MOVE AntiVirus SVM.

2

At the command prompt, run this command: sudo

3

When prompted, provide the valid credentials.

4

Run this command to display the SVM details: /opt/isec/ens/threatprevention/bin/isecav -v

For example:

McAfee Endpoint Security for Linux Threat Prevention Version : 10.2.0.717

HF Version : 1177340

License : Full

DAT Version : 8479.0

Engine Version : 5900.7806

Method 2:

1

Log on to the McAfee MOVE AntiVirus SVM.

2

At the command prompt, run this command: sudo /opt/McAfee/move/bin/sva-config -v

3

When prompted, provide the valid credentials.

The required details appear in the command window.

Why is the DNS suffix missing on the SVM after successful deployment using a Static IP Pool configured with a DNS suffix?

If you are using a Static IP Pool address, make sure that the NSX Manager has the McAfee ePO IP address or FQDN details.

1

Log on to vCenter as an administrator.

2

Click Networking and security | Service definition.

3

Double-click McAfee MOVE AV.

4

On the Manage tab, click Deployment.

Under OVF URL, make sure that the ePO IP or FQDN have been provided and not just the McAfee ePO server hostname.


What do I do if an upgrade attempt to McAfee MOVE AntiVirus 4.5.1 fails?

Perform these steps to successfully upgrade from McAfee MOVE AntiVirus (Agentless) 4.5.0 to McAfee MOVE AntiVirus 4.5.1.

1

Install the McAfee MOVE AntiVirus 4.5.1 extension on the McAfee ePO server.

2

Check in the SVM 4.5.1.

3

Use the Migration Assistant utility and run the data migration. For information, see the McAfee MOVE AntiVirus Migration Guide.

4

Upgrade the McAfee MOVE AntiVirus Service.

How can I fix any filesystem error that appears after deploying Agentless?

1

Download a new copy of the Agentless OVF template from the product download site: http://www.mcafee.com/us/downloads/downloads.aspx

2

Deploy the Agentless OVF template. For details, see Agentless installation and configuration in the McAfee MOVE AntiVirus 4.5.1 Installation Guide.

What do I do if the Agentless SVM shows as unmanaged when registering with the McAfee ePO server?

Make sure that the copy of the Agentless OVF package is from a known good source, preferably the Intel Security download site, then do a fresh deployment.

Perform these steps only if the SVM shows as Unmanaged in McAfee ePO System Tree:

1

Delete the system from McAfee ePO.

When prompted, do not choose to remove the McAfee Agent.

2

For the existing SVM, from the local command line interface, run the registration script with this command: sudo /opt/McAfee/move/bin/svm-config

3

When prompted, click Yes to unregister with the vShield Manager.

4

Complete the procedure to unregister the product.

5

Turn off the SVM and delete it from the disk.

6

Proceed with the new deployment.

Agentless configuration fails and displays failed status on the McAfee ePO for the vCenter account. How do I fix this?

There are two causes for the status to show Configuration Failed:

• If the vShield Manager is not registered with vCenter under the Registered Cloud Accounts, the vCenter appears as Not Configured on the McAfee ePO console under McAfee MOVE AntiVirus (Agentless).

• If the vShield Manager was first successfully registered with vCenter, but later removed from the Registered Cloud Accounts, it may not synchronize the vCenter account successfully, resulting in Not Configured being displayed on the McAfee ePO console under McAfee MOVE AntiVirus (Agentless).

Register or reregister the vCenter account under the Registered Cloud Accounts.

1

Log on to McAfee ePO as an administrator.

2

Select Menu | Configuration | Registered Cloud Accounts to open the Registered Cloud Accounts page.


3

Select the vCenter Account and click Delete.

4

Restart the ePO Event Parser Service.

5

Select Menu | Registered Cloud Accounts, and confirm that the specific vCenter account is now deleted.

6

On the Registered Cloud Account page, click Actions, then select Add Cloud Account.

7

Type the vCenter Account Details on the Registered Cloud Accounts page, then click Test Connection.

8

If Test Connection is successful, click Next, then accept the certificate.

9

Click Finish, then click OK.

10

Check the configuration status of the vCenter account; it now shows as Configured.

The McAfee ePO server will now create a task that will synchronize the vCenter according to the above configuration.

How do I keep Windows Defender disabled after installing Multi-Platform?

Method 1:

Perform these steps to disable and re-enable the MOVE driver.

1

Log on to the system as an administrator.

2

Click Start | Run.

3

Run these commands one by one:

• mvadm disable

• mvadm enable

4

Close the command prompt window.

Method 2:

Perform these steps to restart Multi-Platform client service.

1

Log on to the system as an administrator.

2

Click Start | Run.

3

Run these commands one by one:

• sc stop mvagtdrv

• sc start mvagtdrv

4

Close the command prompt window.

How do I avoid loss of network connectivity on virtual machines that use VMXNet3 NICs when deploying Agentless through McAfee ePO?

Method 1:

Make sure that the version of VMware Tools installed on the virtual machine is the exact same build as the VMware Tools version supplied by the host. When the script is invoked and the builds match, only the needed Guest Introspect (vShield components) are installed.

Method 2:

Make sure that the virtual machines also have their e1000 NICs installed, to maintain network functionality when the script is invoked remotely.


How do I delete the IP pool when an IP address is already in use?

Run this SQL query to remove the IP Pool details from the McAfee ePO database. Back up the McAfee ePO database first, and confirm the pool name with a SELECT on the same table before deleting:

DELETE FROM [DC_AL_CONFIG_IPPOOL] WHERE IPPOOL_NAME='<POOL_NAME>'

What do I do when error "Critical error. Downloading ePO init files failed" appears when deploying SVM through McAfee ePO using an IP Pool?

When you deploy the SVM through McAfee ePO using an IP Pool on the VMWare ESX host, you may see these errors in the SVM console session:

• ERROR [MOVEAL:pool-1-thread-1] svm.SvmEpoRegistrationTaskImpl - ePO Registration failed for SVM with vm name: and for the Hypervisor: HyperVisor_Name

• ERROR [MOVEAL:pool-1-thread-1] svm.SvmEpoRegistrationTaskImpl - Reason being: Critical error. Downloading ePO init files failed.

When you see these errors make sure that the prefix length is correct for the IP Pool according to the characteristics of the destination network.

What is the error return code description for McAfee MOVE AntiVirus (Agentless)

SVM registration with the vShield Manager?

When McAfee MOVE AntiVirus (Agentless) SVM registration fails, vShield Manager provides a Return Code error.

Return Code  Definition

200  OK: operation successful.
201  Created: Entity successfully altered.
400  Bad Request: Internal error codes. Refer to the Error Schema for more details.
401  Unauthorized: Incorrect user name or password.
600  Unrecognized vendor ID.
601  Vendor is already registered.
602  Unrecognized altitude.
603  Solution is already registered.
604  Invalid IPv4 address.
605  Invalid port.
606  Port out of range.
607  Unrecognized moid.
608  Location information is already set.
609  Location not set.
610  Insufficient rights.
612  Solutions still registered.
613  Solution location information still set.
614  Solution still activated.
615  Solution not activated.
616  Solution is already activated.
617  IP:Port already in use.
618  Bad solution ID.
619  vShield Endpoint is not licensed.
620  Internal error.

I am using McAfee MOVE AntiVirus (Agentless) in an NSX environment. Where do I find the original hostname of the system where the infection occurred, instead of the IP address of the McAfee MOVE AntiVirus SVM?

The Threat Event Log displays the hostname of the system where infection has occurred.

Make sure that you configured SVM Configuration details and tested connection settings under SVM Settings policy on the McAfee ePO server.

1

Log on to McAfee ePO as an administrator.

2

Select Menu | Reporting | Threat Event Log.

I am using McAfee MOVE AntiVirus (Agentless) in NSX environment. I found that, for some reason, McAfee MOVE AntiVirus SVM is doing nothing. How do I redeploy the McAfee MOVE AntiVirus SVM?

1

Power off the McAfee MOVE AntiVirus SVM.

2

Delete the McAfee MOVE AntiVirus SVM.

The NSX Manager now redeploys the McAfee MOVE AntiVirus SVM.


Index

A
about
  McAfee MOVE AntiVirus 9
about this guide 7
Agentless
  components 12
  features 10

C
client command-line reference
  accessing client 69
  config command 69
  disable command 71
  enable command 71
  ftypes command 72
  help command 72
  loglevel command 72
  pp command 73
  q command 74
  status command 75
  version command 75
client notification
  deferred scan 44
client task 18
  quarantine 53
  scan diagnosis 44, 47
  targeted ODS 43
command line
  password protected 76
common settings
  configuring 24
components
  defined 11, 12
  overview 11, 12
config command
  client 69
  SVM 78
configuration
  deferred scan 43
  exclusions 25
  on-access scan 33
  on-demand 36
  permission sets 23
  quarantine manager 52
  quarantine settings 54
  targeted on-demand scan 41
conventions and icons used in this guide 7

D
dashboard
  McAfee MOVE AntiVirus 63
  MOVE AntiVirus queries 64
default queries, displaying 64
deferred scan
  client notification 44
  configuring 43
deployment
  agentless 10, 13
  method 13
  methods 9, 10, 13
  multi-platform 9, 13
details
  protection 59
detection
  finding threats 15
  on-access scan 52
  on-demand scan 52
  responding 51
  unwanted program 51
diagnostic tool
  running 45
disable command 71
documentation
  audience for this guide 7
  product-specific, finding 8
  typographical conventions and icons 7

E
enable command 71
events
  MOVE AntiVirus 59
exclusions
  configuring 25
  scan items 30

F
features
  McAfee MOVE AntiVirus (Agentless) 10
  McAfee MOVE AntiVirus (Multi-Platform) 10
file protection 57

H
help command
  client 72
  SVM 79

I
installation
  automated 19
  wizard 19
integration
  TIE 60
introduction
  McAfee MOVE AntiVirus 9

L
logging
  McAfee MOVE AntiVirus 24
logging and events
  on-demand scan 40
loglevel command
  client 72
  SVM 79

M
management
  diagnostic tool 45
  quarantine 54
managing
  McAfee MOVE AntiVirus 51
McAfee GTI
  about 29
McAfee MOVE AntiVirus
  about 9
  client tasks 18
  configuring 15, 24
  features 10
  managing 51
  self-protection 57
McAfee ServicePortal, accessing 8
Multi-Platform
  components 11
  features 10
mvadm
  cache command 77
  config command 69, 78
  disable command 71
  enable command 71
  ftypes command 72
  help command 72, 79
  loglevel command 72, 79
  pp command 73
  q command 74
  stats command 79
  status command 75
  version command 75, 80

O
on-access scan
  configuring 33
  scan type 29
  scanning 13, 15, 29, 31, 33, 52
on-demand scan
  configuring 36
  logging and events 40
  scan type 29, 36
  scanning 13, 15, 29, 52
  targeted 41
  working 36

P
permission sets 23
  configuring 23
policies
  applying 20
  create new 20
  options summary 20
  using 19
  VM-based scan 21
protection
  analyzing 59

Q
quarantine
  command-line access 74
  configuring quarantine manager 52
  folder, configuring 55
  overview 54
  restore a file 56
  restore tool 55
  restoring 53
queries
  default, viewing 64
  list 64
  MOVE AntiVirus queries 64
  pie charts 64
  viewing default queries 64
queries, MOVE AntiVirus Agentless
  predefined 67

R
registry protection 57
reports
  supplied queries 64
response
  handling threats 15
  MOVE AntiVirus 59

S
scan diagnosis 44
  configuring 44, 47
scan items
  excluding 25, 30
scan type
  on-access 31
scanning
  on-access 15, 29, 31, 33, 52
  on-demand 15, 29, 52
scanning option
  configuring 30
  on-access 13
  on-demand 13
scanning, deferred 43
security, strategy 15
self-protection
  McAfee MOVE AntiVirus 24
server command-line reference
  accessing SVM 77
  cache command 77
  config command 78
  help command 79
  loglevel command 79
  stats command 79
  version command 80
service protection 57
ServicePortal, finding product documentation 8
status, displaying 64
SVM
  configuring 13
  self-protection 57
  view details 64
SVM CLI
  cache command 77
  config command 78
  help command 79
  loglevel command 79
  stats command 79
  version command 80
SVM Manager
  about 13

T
targeted on-demand scan
  Agentless 42
  configuring 41
  Multi-Platform 43
technical support, finding product information 8
threat prevention
  scanning 15
TIE
  integrating 60

V
virtual machines
  protecting 13
VM-based scan policies 21

W
wizard
  installation 19
