Product Guide McAfee Endpoint Protection for Mac 2.1.
COPYRIGHT Copyright © 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc.
Preface
This guide provides the information you need for all phases of product use, from installation to configuration to troubleshooting.

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
To access... Do this...
1 Introduction
McAfee® Endpoint Protection for Mac offers a scalable security solution that minimizes the risk of exposing your Mac to vulnerabilities. The software provides a securely configured environment that:
• Protects your Mac from viruses, spyware, trojan horses, and other malware threats.
• Prevents unauthorized network access.
• Prevents execution of unwanted applications.
• Restricts applications to run with restricted network access or with no network access.
How McAfee Endpoint Protection for Mac protects your system
Threat category | Potential threat
Botnet breakdowns | Infects your system or network and controls it remotely to spread malware.
Network threat | Slows down network performance and gains unauthorized access to systems.
With McAfee Endpoint Protection for Mac enabled, your Mac is protected from these malware threats without compromising the needs.
Product features
Desktop firewall
• Regular mode — When the network packet adheres to a rule’s condition, the associated action defined in the rule is executed. If no matching rule is found, the network packet is blocked.
• Adaptive mode — When the network packet matches a rule’s conditions, the associated action defined in the rule is executed. If no matching rule is found, the network packet is allowed and a rule is created to allow similar packets later.
General
• Self protection — Allows ePolicy Orchestrator administrators to enable password protection in the client interface to prevent local users from modifying the defined policy preferences and from uninstalling the software on managed Macs.
2 Installation and deployment
Install McAfee Endpoint Protection for Mac on a standalone (unmanaged) Mac, or deploy from ePolicy Orchestrator on a managed Mac.
When you install McAfee Endpoint Protection for Mac on Mac OS X server, only the Anti-malware component is installed. The Application Protection and Desktop Firewall components are not installed.
Package contents
The software package contains these files that are necessary for installation.
Package | Description
EPM‑‑.dmg | Contains files to install the software on standalone Mac.
EPM‑‑ePO‑.zip | Contains files to deploy the software from the ePolicy Orchestrator server.
4 Type the following command, then press return.
sudo installer -pkg EPM‑‑ .pkg -target /
5 Type the administrator password, then press return. The following message appears.
The Install was successful.

Upgrade the software
McAfee Endpoint Protection for Mac supports upgrading the software and migrating the configuration from the previous versions of the software.
• McAfee Security for Mac 1.1 and later to McAfee Endpoint Protection for Mac 2.1
When the software is upgraded, only the Anti-malware and Application Protection policies are migrated and these policies will co-exist with the new policies. The Desktop Firewall policies are not migrated.
• McAfee Endpoint Protection for Mac 2.0 to McAfee Endpoint Protection for Mac 2.
Default settings
Once installed, McAfee Endpoint Protection for Mac starts protecting the Mac immediately based on the default configurations defined. Refer to these default settings, and configure them for your environment.
Desktop Firewall
Feature | Default settings
Desktop firewall:
• Regular Mode — Enabled
• Trust Local Subnet — Selected
For default firewall rules, see Desktop firewall.

Application Protection
Feature | Default settings
Application Protection Rules:
• Allow All Apple signed binaries — Allowed
• Unknown/Modified Applications — Allow
Exclusions — None.

Recommended post-installation tasks
Task | Description
Anti-malware protection | McAfee Endpoint Protection for Mac comes with the default settings for anti-malware protection. Verify that the default settings are consistent with your organization policies and provide complete protection against malware.

Deploy the software on a managed Mac
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator as an administrator.
2 Click Menu, Software, then click Software Manager.
3 In the Software Manager page Product Categories list, select Software (By Label), select McAfee Endpoint Protection for Mac 2.1, select EPM‑‑ePO‑, then click Check in All.
Install the extensions manually
Install McAfee Endpoint Protection for Mac extensions using ePolicy Orchestrator. You must install these extensions to enable the features of the product:
• Endpoint Protection for Mac 2.1.0:Anti-malware
• Endpoint Protection for Mac 2.1.0:General
• Endpoint Protection for Mac 2.1.0:Application Protection
• Host Intrusion Prevention (Desktop firewall features)
• Endpoint Protection for Mac 2.1.
Test the installation
When you have completed the installation, we recommend that you test it to make sure that the software is installed properly and can protect the Mac.
Tasks
• Test the anti-malware protection feature
You can test the anti-malware protection feature by accessing the European Institute of Computer Anti-Virus Research (EICAR) standard anti-virus test file.
4 Click to prevent further changes.
5 From the Dock, click Finder, Go | Applications | then double-click iTunes to display this message.
For more information on application preferences, see Configuring protection preferences on a standalone Mac.

Test the desktop firewall feature
Test the desktop firewall feature by creating a rule. Consider a scenario where you want to create an allow rule for www.abcwebsite.com.
7 In the Transport Protocol section, select All Protocols.
8 Open the browser, type the website name, then press return.
Make sure no McAfee ePO rule allows access to this domain.

Uninstall the software
Remove the software from the standalone Mac and remove the software and its related extensions from the Mac that is managed by ePolicy Orchestrator.
Remove the software from a managed Mac
Remove McAfee Endpoint Protection for Mac from the managed Mac and remove the extensions from the ePolicy Orchestrator server.
Tasks
• Remove the software
Create a client task on the ePolicy Orchestrator to remove McAfee Endpoint Protection for Mac from the managed Mac.
Remove the software extensions
Remove the McAfee Endpoint Protection for Mac extensions from the ePolicy Orchestrator server. Remove only the extensions for McAfee Endpoint Protection for Mac. Do not remove the Host Intrusion Prevention extensions because they are used by other products or systems.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
3 Using the software on a standalone Mac
You can use the McAfee Endpoint Protection for Mac console to view the dashboard, events details, the history of all events, quarantined items, and to configure scan schedules.
• Application Protection
• Desktop Firewall

Recent events summary
You can view a summary of the five most recent events in the Dashboard. The events summary includes:
• Status of the scan task, with the number of malware items detected by on-access scan and on-demand scan.
• Anti-malware update status with DAT version details.
• Prevention of application execution details.
Recent events displays only the summary of events.

History of events
Quarantine malware
The quarantine feature isolates dangerous or suspicious malware that could otherwise harm your Mac. To view the quarantined items, from the status bar, click the McAfee menulet | McAfee Endpoint Protection for Mac Console | Quarantine. The quarantine page displays the original path of each quarantined item with the date and time of the event. You can either remove or restore the quarantined item.
Perform a system scan
Perform an on-demand scan on specific files, folders, and local or network-mounted volumes immediately.
Task
1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Console.
2 On the console dashboard, click Scan Now.
3 From the What to scan drop-down list, select Start Scan.
Configure custom scan tasks
6 In the When to scan section, select a schedule for the scan task, then click Schedule Scan.
• Immediately — Starts a scan task immediately. If you select to scan items immediately, click Start Scan.
• Once — Scans the defined locations once at the scheduled date and time.
• Daily — Scans the defined locations every day at the scheduled time.
4 Configuring protection preferences on a standalone Mac
Use McAfee Endpoint Protection for Mac preferences to enable or disable anti-malware, application protection, desktop firewall, and to configure the protection parameters.

General preferences
Enable or disable the protection features that you want to run on your Mac.
• Application Protection — Define rules for applications, to run with full network access, restricted network access, or deny application execution.
• Desktop Firewall — Define rules that control incoming and outgoing network traffic.
4 Click to prevent further changes.
McAfee Endpoint Protection for Mac is shipped with the default set of policies.

Anti-malware
• Delete — To delete the item that contains spyware.
• Notify — To notify you when spyware is detected. No other action is taken.
4 From the Also scan drop-down list, select where you want to enable scanning:
• Archives & Compressed Files
• Apple Mail Messages
• Network Volumes
When these options are selected, McAfee Endpoint Protection for Mac will detect the threat.
6 From the Also scan drop-down list, select where you want to enable scanning:
• Archives & Compressed Files
• Apple Mail Messages
• Network Volumes
When you run a full scan, by default, all network volumes mounted on your Mac are scanned for threats.
7 Click to prevent further changes.

Define anti-malware exclusions
Exclude files and folder paths from an on-access scan or on-demand scan.
On-demand scan preferences
• Always enable the scan for Archives & Compressed Files while performing an on-demand scan. This is recommended because you may have disabled the scanning option for these files.
• Always select Quarantine as the secondary action for virus and spyware detections so that you can retrieve the files from the product console later.

Application protection
3 On the Rules tab, you can:
• Select or deselect Allow All Apple Signed Binaries.
• Select Allow, Deny, or Prompt from the Unknown/Modified Applications drop-down list to configure application execution and network access settings for unknown and modified applications. If you select Prompt, type seconds (where n is a value between 10 and 300).
Modify an existing application protection rule
You can modify the definition of an existing application protection rule that is in force, according to your requirements.
Task
1 Click the McAfee menulet
2 On the Application Protection tab, click
3 Double-click the rule you want to modify, make the needed changes, then click OK to return to the Rules page.
5 From the list, add the path of the applications you want to exclude, then click Open.
6 Click to prevent further changes.
To delete an exclusion, select the item, then press fn+delete.

Best practices for application protection
We recommend that you follow this strategy to configure application protection rules that match your business needs.
Recommended application protection configuration
• Add basic rules to allow or block certain applications based on the checklist prepared earlier. During this stage, do not add any rules for restricted network access or advanced rules for certain binaries.
• Verify and make sure that no third-party application protection and firewall products are installed on the systems that are being used in the test environment.

Desktop firewall
• FTP inspection — Desktop firewall automatically creates dynamic rules for FTP data connections, by actively monitoring the FTP commands on the control channel.
• Trusted networks — You can define networks that can include subnets, ranges, or a single IP address that can be used while creating firewall rules.
To change the desktop firewall protection from Regular mode to Adaptive mode, click | McAfee Endpoint Protection for Mac Preferences | Desktop Firewall | Adaptive Mode.

How Adaptive mode firewall protection works
In Adaptive mode, the precedence method is followed, but differently than in Regular mode. In Adaptive mode, desktop firewall uses precedence to apply rules. The rule at the top of the rules list is applied first.
To change the desktop firewall protection from Adaptive mode to Regular mode, click | McAfee Endpoint Protection for Mac Preferences | Desktop Firewall | Regular Mode.

How DNS blocking works
You can create a list of domain names for which you want to block access. Specify the domain names that you want to block. You can use ? and * wildcards to define the domain names.
Desktop firewall monitors the PORT, EPRT, PASV, and EPSV commands on the control channel, and determines which dynamic rules must be created for subsequent FTP data connections. The combination of the control connection and one or more data connections is called a session. When the data transfer is complete, the dynamic rules created for data transfer are removed.
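The inspection described above, as an added Python example that is not McAfee's code: it derives the data-connection endpoint from PORT and EPRT commands and from the 227 and 229 replies that answer PASV and EPSV, and drops the rule when the transfer completes. The function names, the rule dictionary layout, the address checks and the constructed session (documentation addresses, the Mac acting as FTP client) are assumptions.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply to PASV (RFC 959).
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")
# (<d><d><d>port<d>) as used by the 229 reply to EPSV (RFC 2428).
_EPSV_REPLY = re.compile(r"\((.)\1\1(\d{1,5})\1\)")

CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.7"   # constructed sample addresses


def parse_hostport(text, strict=False):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if malformed."""
    m = _HOSTPORT.fullmatch(text.strip()) if strict else _HOSTPORT.search(text)
    if not m:
        return None
    n = [int(g) for g in m.groups()]
    port = n[4] * 256 + n[5]
    if max(n) > 255 or port == 0:
        return None
    return ".".join(str(b) for b in n[:4]), port


def parse_eprt(arg):
    """Return (ip, port) from an EPRT argument such as |1|192.0.2.10|5002|."""
    arg = arg.strip()
    parts = arg.split(arg[0]) if arg else []
    if len(parts) != 5 or parts[0] or parts[4]:
        return None
    family, addr, port = parts[1:4]
    if family not in ("1", "2") or not re.fullmatch(r"\d{1,5}", port):
        return None
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version != (4 if family == "1" else 6) or not 0 < int(port) < 65536:
        return None
    return str(ip), int(port)


def dynamic_rule(line, from_client, client_ip, server_ip):
    """Return the data-connection rule implied by one control-channel line, or None."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if from_client and verb in ("PORT", "EPRT"):
        ep = parse_hostport(arg, strict=True) if verb == "PORT" else parse_eprt(arg)
        # Active mode: the server connects back to the client. An address that
        # is not the client's own is refused (FTP bounce, RFC 2577).
        if ep is None or ep[0] != client_ip:
            return None
        return {"direction": "incoming", "remote_ip": server_ip,
                "local_ip": ep[0], "local_port": ep[1]}
    if not from_client and verb == "227":
        ep = parse_hostport(arg)
        # Strict choice: a server behind NAT may legitimately announce another address.
        if ep is None or ep[0] != server_ip:
            return None
        return {"direction": "outgoing", "remote_ip": ep[0], "remote_port": ep[1]}
    if not from_client and verb == "229":
        m = _EPSV_REPLY.search(arg)
        if not m or not 0 < int(m.group(2)) < 65536:
            return None
        # EPSV carries no address: the data connection goes to the control peer.
        return {"direction": "outgoing", "remote_ip": server_ip,
                "remote_port": int(m.group(2))}
    return None


def replay(transcript, client_ip, server_ip):
    """Return (every rule created, rule still open) for (from_client, line) pairs."""
    history, active = [], None
    for from_client, line in transcript:
        rule = dynamic_rule(line, from_client, client_ip, server_ip)
        if rule:
            active = rule
            history.append(rule)
        elif not from_client and line.startswith(("226", "426")):
            active = None   # transfer finished or aborted: remove the dynamic rule
    return history, active


SESSION = [   # constructed control-channel lines: (sent_by_client, text)
    (True, "PASV"),
    (False, "227 Entering Passive Mode (198,51,100,7,195,80)"),
    (False, "226 Transfer complete"),
    (True, "PORT 192,0,2,10,19,137"),
    (True, "PORT 203,0,113,5,0,22"),   # not the client's address: no rule
    (False, "226 Transfer complete"),
]
```

The PASV and EPSV commands themselves carry no endpoint, so the sketch reads it from the server's reply to them.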
How desktop firewall rules are organized
Rules are categorized as ePO Rules, Client Rules, and Adaptive Rules. Rules are displayed in tree view. The ePO Rules group appears at the top with the list of rules, followed by the Client Rules, then the Adaptive Rules. To view desktop firewall rules, click | McAfee Endpoint Protection for Mac Preferences | Desktop Firewall.
These rules allow the Mac to:
• Obtain an IP address using DHCP.
• Perform DNS queries.
• Perform DAT updates.
• Allow communication with ePolicy Orchestrator.
• Client Rules — Created locally to allow or block specific network access.
• Adaptive Rules — Created automatically to allow the packet whenever a non-matching data packet is received.
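An added Python model, not the product's code, of the rule handling this guide describes for Regular and Adaptive mode: rules are tried from the top of the list, Regular mode blocks a packet no rule matches, and Adaptive mode allows it and records an allow rule. Evaluating the groups in their display order (ePO, Client, Adaptive), the meaning of "similar packets", and all rule names and sample traffic are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "incoming" or "outgoing"
    protocol: str             # "udp" or "tcp"
    local_port: int
    remote_port: int


@dataclass
class Rule:
    name: str
    action: str               # "allow" or "block"
    direction: str
    protocol: str
    local_port: Optional[int] = None    # None matches any port
    remote_port: Optional[int] = None
    enabled: bool = True      # a Disabled rule stays listed but never matches

    def matches(self, pkt: Packet) -> bool:
        return (self.enabled
                and self.direction == pkt.direction
                and self.protocol == pkt.protocol
                and self.local_port in (None, pkt.local_port)
                and self.remote_port in (None, pkt.remote_port))


class FirewallModel:
    def __init__(self, mode, epo_rules, client_rules):
        if mode not in ("regular", "adaptive"):
            raise ValueError(mode)
        self.mode = mode
        self.epo_rules = list(epo_rules)
        self.client_rules = list(client_rules)
        self.adaptive_rules = []

    def decide(self, pkt):
        """Return (action, name of the deciding rule, or None for the default)."""
        # Assumption: groups are evaluated in the order they are displayed.
        for group in (self.epo_rules, self.client_rules, self.adaptive_rules):
            for rule in group:                    # top of the list first
                if rule.matches(pkt):
                    return rule.action, rule.name
        if self.mode == "regular":
            return "block", None                  # no matching rule: blocked
        # Adaptive mode: allow the packet and learn a rule for similar ones.
        # Assumption: "similar" means same direction, protocol and service port.
        learned = Rule(
            name=f"adaptive-{len(self.adaptive_rules) + 1}", action="allow",
            direction=pkt.direction, protocol=pkt.protocol,
            local_port=pkt.local_port if pkt.direction == "incoming" else None,
            remote_port=pkt.remote_port if pkt.direction == "outgoing" else None)
        self.adaptive_rules.append(learned)
        return "allow", learned.name


def sample_rules():
    """Constructed rules; DHCP and DNS use the ports given in this guide."""
    epo = [Rule("dhcp", "allow", "outgoing", "udp", local_port=68, remote_port=67),
           Rule("dns", "allow", "outgoing", "udp", remote_port=53)]
    client = [Rule("no-telnet", "block", "outgoing", "tcp", remote_port=23),
              Rule("old-ssh", "allow", "incoming", "tcp", local_port=22,
                   enabled=False)]
    return epo, client


TRAFFIC = [   # constructed sample packets
    Packet("outgoing", "udp", 68, 67),        # DHCP request
    Packet("outgoing", "udp", 51000, 53),     # DNS query
    Packet("outgoing", "tcp", 51001, 443),    # HTTPS, no rule exists
    Packet("outgoing", "tcp", 51002, 443),    # HTTPS again
    Packet("outgoing", "tcp", 51003, 23),     # Telnet, explicit block rule
    Packet("incoming", "tcp", 22, 40000),     # inbound SSH, rule is disabled
]


def run(mode):
    """Replay TRAFFIC in the given mode; return (decisions, learned rules)."""
    fw = FirewallModel(mode, *sample_rules())
    return [fw.decide(p) for p in TRAFFIC], fw.adaptive_rules
```

In the adaptive run the unmatched inbound SSH packet is allowed and produces a learned rule, which is why the list of Adaptive Rules is worth reviewing after a learning period.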
For this field... | Configure these options...
Rule Name: Type a name for the rule.
Status:
• Enabled — To enable the firewall rule.
• Disabled — To disable the firewall rule. A rule appears greyed out in the rules list when its status is set to Disabled.
Action:
• Block — To block the network traffic.
• Allow — To allow the network traffic.
Direction:
• Incoming — To apply the rules for incoming network traffic.
For this field... | Configure these options...
Network Protocol: IPv4
Define the configuration for Local Mac using:
• Single
• Subnet
• Local Subnet
• Range (of IP addresses)
• Fully Qualified Domain Name
• Any Local IP Address
• Any IPv4 Address
Local system is the system on which you are adding rules.
• Action — Allow
• Direction — Outgoing
• Select UDP, Local, then type the Port No as 68
• Select UDP, Remote, then type the Port No as 67

Create a rule to allow DNS queries
• Rule Name — Type a name for the rule
• Status — Enabled
• Action — Allow
• Direction — Outgoing
• Network Protocol (IPv4) — Not applicable
• Transport Protocol — Select Protocol
• Select UDP, Remote, then type the Port No as 53

Create a r
• Allow outgoing for POP3, IMAP, SMTP
• Allow outgoing for RDP
• Allow outgoing for LDAP
• Allow bi-directional for AFP/SMB, if you are using file sharing

Best practices for desktop firewall
We recommend that you configure these firewall rules that protect your system in line with your organizational requirements.
• McAfee Endpoint Protection for Mac is shipped with a set of default firewall rules.
Configure an update schedule
Configure the repository list that needs to be accessed to update the anti-malware, the proxy connection settings, and the anti-malware update schedule.
Tasks
• Configure the repository list
Always keep your DAT files and anti-malware up to date to secure your Mac from the latest threats.
4 Select whether to use a proxy.
• Do not use a proxy
• Configure proxy settings manually
5 Select Use these settings for all proxy types to specify the same IP address and port number for all proxy types.
6 Select FTP or HTTP server, then type the IP address and port number of the selected server.
7 Select Use authentication, then type the user name and password for FTP, HTTP, or a local repository.
5 Managing the software with ePolicy Orchestrator
Integrate and manage McAfee Endpoint Protection for Mac using ePolicy Orchestrator management software. McAfee ePolicy Orchestrator provides a scalable platform for centralized policy management and enforcement on your McAfee security products and the systems where they are installed. It also provides comprehensive reporting and product deployment capabilities through a single point of control.
Manage policies
Configure these policies with your preferences, then assign them to groups of the managed Mac. For generic information about policies, see the product guide for your version of ePolicy Orchestrator.
Tasks
• Create or modify policies
You can create and edit policies for a specific group in the System Tree.
Create a self-protection policy
Self-protection allows ePolicy Orchestrator administrators to enable password protection for preferences in the client interface for managed Macs. Enabling password protection prevents local users from modifying preferences that are defined by the ePolicy Orchestrator administrator, and prevents uninstalling the software on managed Macs.
Create an anti-malware policy
4 On the General tab of the policy page, select these options:
• General policies controlling overall functioning of Anti-malware — To enable or disable the on-access scan and on-demand scan.
• Anti-malware update — To disable the local auto update schedule.
5 Click the On-access Scan tab and define these settings:
In... | Define...
In... | Define...
On-demand Scan policies:
• Scan contents of Archives and compressed files — To scan archived and compressed files.
• Scan Apple Mail Messages — To scan Apple mail messages.
• Scan file on Network Volumes — To scan files on mounted network volumes.
When a virus is found:
• Clean — To clean the item that contains malware.
• Quarantine — To isolate the item that contains malware.

Schedule an anti-malware update
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree, then select a group or systems.
3 On the Assigned Client Tasks tab, click Actions, then select New Client Task Assignment.
4
a For product, select McAfee Agent.
b For Task Type, select Product Update.
c Click Create New Task to open the Client Task Catalog.

Schedule an on-demand scan
5 Define these parameters, then click Next.
• Schedule status
• Start time
• Schedule type
• Task runs according to
• Effective period
• Options
6 In the Summary page, click Save.
7 In the System Tree, select the systems or groups where you assigned the task.
8 In the right pane, click the Group Details tab, then click Wake Up Agents.

Create an application protection policy
10 Type the application name with its path, then click OK.
For example, to exclude the application Calculator, type /Applications/Calculator.app in the Name field, then click OK.
11 Click Save.
If you disable the Application Protection from ePolicy Orchestrator, the security status of the managed Mac still appears as Your Mac is Secured.

Desktop firewall policy
4 Select the options, then click Save.
From... | Set these options...
Firewall status:
Enabled — To enable desktop firewall protection on managed Mac.
• Regular protection — To allow network traffic, only when the network packet adheres to the rule's conditions.
• Adaptive mode — To create an allow rule, when the network packet does not match the existing rule.
From.. | Configure these options..
Network protocol:
1 Select
• Any Protocol — To allow any IP Protocol.
• IP Protocol — To select IPv4 Protocol.
McAfee Endpoint Protection for Mac supports only IPv4 Protocols.
3 Click New Policy, type a name for the policy, then click OK.
4 On the Firewall Rules page, click New Group, type a name for the group, select Direction and Status, then click Next.
5 On the Location tab, define the options according to your requirements, then click Next.
6 On the Network Options tab, define the needed options, then click Next.

Create a DNS blocking policy
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 From the Policy Catalog, select Host Intrusion Prevention 8.0: General as the product, then select Trusted Networks (Windows, Mac) as the category.
3 Click New Policy, type a name for the policy, then click OK to open the policy page.

Create a location awareness policy
Queries and reports
Run predefined queries to generate reports, or modify them to generate custom reports.
Query | Displays
EPM: Anti-malware Compliance | The current Endpoint Protection for Mac: Anti-malware version compliance.
EPM: Anti-malware Threats | A line chart of the number of internal virus detections.
EPM: Anti-malware Version | Client versions for Endpoint Protection for Mac: Anti-malware.
6 Troubleshooting
Identify and troubleshoot issues when using McAfee Endpoint Protection for Mac.

Run the repairMSC utility
Use the repairMSC utility to troubleshoot McAfee Endpoint Protection for Mac issues. It generates diagnostic reports, which can be uploaded to the McAfee server for analysis.
Task
1 Open a Terminal window, type the following command, then press return.
/usr/local/McAfee/repairMSC
2 Type the administrator password when prompted, then press return.