McAfee VirusScan Enterprise 8.
COPYRIGHT Copyright © 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Preface

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
• Security officers — People who determine sensitive and confidential data, and define the corporate policy that protects the company's intellectual property.
How this guide is organized

This document is meant as a reference to use along with the VirusScan Console and ePolicy Orchestrator user interfaces.
• Getting Started — Describes VirusScan Enterprise 8.8, what it does, and what is new in this release.
• Configuring Minimum Security — Describes the minimum VirusScan Enterprise settings that have protected hundreds of customers from malware attacks.
Getting Started

To properly use VirusScan Enterprise 8.8 you must understand what it does and what is new in this release.

What it is and does

VirusScan Enterprise offers easily scalable protection, fast performance, and mobile design to protect your environment from the following:
• Viruses, worms, and Trojan horses
• Access protection violations and exploited buffer overflows
• Potentially unwanted code and programs
It detects threats, then takes the actions you configured to protect your environment.
Configuring Essential Security

The VirusScan Enterprise settings described in this chapter have protected hundreds of customers from malware attacks. McAfee Sales Engineers and Support staff have tested these settings, and when configured correctly and in the order listed, they are very effective in protecting your systems.
NOTE: If any one of the settings described in the following best practices is not configured, your system is vulnerable to threats.

Contents
1. Configuring self protection
2.
1. Configuring self protection

• Prevent termination of McAfee processes
The following ePolicy Orchestrator 4.5 display shows VirusScan Enterprise self protection configured.

2. Configuring on-access scanning when reading files and for all files settings

On-access scanning is your first line of defense from malware attacks. You must have on-access scanning enabled and configured to scan all files when reading.
3. Setting buffer overflow minimum protection

Buffer overflow attacks make up more than 25% of malware attacks. Without buffer overflow protection enabled, your systems are more vulnerable to attacks that attempt to overwrite adjacent memory in the stack frame.
NOTE: Buffer overflow protection is not installed on 64-bit systems.
By default, buffer overflow protection is enabled on all VirusScan Enterprise protected machines.
4. Confirming VirusScan, DAT file, and engine versions

The importance of an update strategy cannot be overstated. Without the latest VirusScan Enterprise detection definition (DAT) files and scanning engine installed, your system is not protected from the latest viruses.
To schedule automatic DAT and engine updates, refer to 8. Configuring DAT files and Engine updates.

5. Enabling "Artemis"

Artemis, the heuristic network check feature, looks for suspicious programs and DLLs running on VirusScan Enterprise protected client systems. The Artemis feature catches malware before the regular DATs are deployed. It has been deployed successfully to more than 27 million endpoints and should be enabled at all times.
6. Configuring daily memory scans

On-demand scanning of processes and memory is the early warning system for your VirusScan Enterprise protected computers. You must enable this feature, as part of your essential protection, to scan running processes and memory for rootkits at least once per day. This on-demand scan finishes in 30-90 seconds with virtually no impact to the end users.
• Memory for rootkits
• Running processes
The following ePolicy Orchestrator 4.5 display shows the memory rootkits and running processes scan configured.
You must click Schedule and configure when you want the daily memory rootkits and running processes client task scan to occur.

7. Configuring regular on-demand scans
• Cookies
• Registry
Click the following Scan Options:
• Include subfolders
• Scan boot sectors
The following ePolicy Orchestrator 4.5 display shows these on-demand scan location settings and options configured.

Scheduling how often to scan

McAfee strongly recommends you schedule on-demand scans at these intervals:
• Daily — Too often, unless you have a major malware outbreak.
• Weekly — Aggressive and provides good protection.
• Set the specific information depending on how often you configured the on-demand scan to run.
The following ePolicy Orchestrator 4.5 display shows these scheduled scan settings configured.

Configuring frequent active user on-demand scans

McAfee suggests configuring specific active user workstation on-demand scans, as opposed to server on-demand scans.
8. Configuring DAT files and Engine updates

All of the previous sections describing on-demand and on-access scanning require the VirusScan Enterprise DAT files and scan engines to be the most recent versions available. The DAT files are updated daily to identify and take action against the most recent threats. See best practice 4.
You must click Schedule and configure how often and when you want to update these packages.
Refer to the McAfee VirusScan Enterprise 8.8 software Product Guide, Configuring the AutoUpdate task section.
Configuring Performance Improvements

Some of the default settings for VirusScan Enterprise might not be the best settings for optimal performance. These best practices describe some of those settings and their alternate configurations.
CAUTION: Changing some of these settings can affect your system security.
Changing a system registry to improve performance

By default, the McAfee Agent registry setting is configured to run at normal priority. Changing the McAfee Agent registry setting to use LowerWorkingThreadPriority improves VirusScan Enterprise performance.
CAUTION: This best practice contains information about opening or modifying the registry.
• The following information is intended for System Administrators.
8 Restart the McAfee Framework Service using the following steps:
• Click Start | Run, type services.msc.
• From the General tab, scroll up or down and select the McAfee Framework Service, then right-click to open the Properties dialog box.
• Next to Startup Type, in the middle of the dialog box, click Manual from the list.
• From Service Status, click Start, then click OK.
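The same restart, scripted for administrators who apply the registry change to many machines, is given below. This PowerShell script is an added example and is not part of the McAfee guide; it assumes the service is identified by the display name "McAfee Framework Service" shown in services.msc, it performs only step 8 (the registry change itself is made beforehand as described above), and it must be run from an elevated prompt.

```powershell
# Added example (not from the McAfee guide): step 8, restart the McAfee
# Framework Service after the LowerWorkingThreadPriority registry change.
# Assumption: the service is located by its display name as shown in services.msc.
$displayName = 'McAfee Framework Service'

# Stop with a clear error if the agent is not installed on this machine.
$svc = Get-Service -DisplayName $displayName -ErrorAction Stop

# Step 8 sets Startup Type to Manual before starting the service.
Set-Service -Name $svc.Name -StartupType Manual

if ($svc.Status -eq 'Running') {
    Restart-Service -Name $svc.Name -Force
} else {
    Start-Service -Name $svc.Name
}

# Check: wait for the service to report Running (throws on timeout) and
# show the resulting state and startup type so the change can be confirmed.
$svc.Refresh()
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
$startType = (Get-Service -Name $svc.Name).StartType
"{0} ({1}) is {2}; startup type is {3}" -f $displayName, $svc.Name, $svc.Status, $startType
```

WaitForStatus raises a timeout exception if the service does not come back within 30 seconds, which is the condition an administrator wants surfaced rather than silently ignored.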
Defining the default high and low processes during scans

Table 1: Low-risk processes
Application                  Process               Effect
McAfee Agent                 FrameworkService.exe  Improves overall performance
McAfee VirusScan Enterprise  McScanCheck.exe       Improves DAT update performance
                             McScript_InUse.exe    Improves DAT update performance
                             mcupdate.exe          Improves DAT update performance
                             apache.exe            Improves ePO console performance
                             eventparser.
Configuring file exclusions on Windows Domain Controller

To improve VirusScan Enterprise on-access scan performance, configure exclusions for some files used by Windows Domain Controller with Active Directory or File Replication Services.
Active Directory and Active Directory-Related Files

Create exclusions for the following files and folders:

Main NTDS Database Files
• Default path — %windir%\ntds\
• File names:
  • Ntds.dit
  • Ntds.
FRS Database Log files
• Default path — %windir%\ntfrs\
• Path and file name(s):
  • %FRS Working Dir%\jet\log\*.log
    NOTE: If registry key is not set.
  • %DB Log File Directory%\log\*.log
    NOTE: If registry key is not set.
  • %FRS Working Dir%\jet\log\edbres00001.jrs
    NOTE: For Windows Vista, Windows Server 2008, and Windows Server 2008 R2.
  • %FRS Working Dir%\jet\log\edbres00002.
• sysvol — Exclude
NOTE: If any one of these folders or files has been moved or placed in a different location, scan or exclude the equivalent element.
• The location of the files or folder if it is not in the default location: Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

DFS

The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS is used to replicate shares.
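Because the NOTE above requires the exclusions to follow the files when they have been moved, the script below builds the exclusion list from the locations a domain controller actually records instead of from the defaults, and then checks whether each path currently exists. It is an added example, not part of the McAfee guide, and it assumes that the NTDS and NtFrs service parameter values named in the code ("DSA Database file", "Working Directory", "DB Log File Directory") hold those locations, that the guide's %FRS Working Dir% and %DB Log File Directory% placeholders correspond to the last two of these values, and that $replicaRoot is a placeholder to be set to the server's SYSVOL replica root. Only the entries listed above are included (the guide's second NTDS file name and second reserve log entry are truncated and are left out); run it on the domain controller itself.

```powershell
# Added example (not from the McAfee guide): resolve the real NTDS and FRS
# locations on this domain controller and build the exclusion list from them.
# Assumptions: locations are read from the registry values named below; the
# guide's %FRS Working Dir% and %DB Log File Directory% map to the NtFrs
# "Working Directory" and "DB Log File Directory" values.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$frsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

function Get-LocationFromRegistry {
    param([string]$Key, [string]$Name, [string]$Default)
    # The guide's "if registry key is not set" case: fall back to the default path.
    $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ([string]::IsNullOrWhiteSpace($value)) { $value = $Default }
    return [Environment]::ExpandEnvironmentVariables($value).TrimEnd('\')
}

# Default paths are the ones given in the guide.
$ntdsDit    = Get-LocationFromRegistry $ntdsKey 'DSA Database file'     '%windir%\ntds\Ntds.dit'
$frsWorkDir = Get-LocationFromRegistry $frsKey  'Working Directory'     '%windir%\ntfrs'
$frsDbLog   = Get-LocationFromRegistry $frsKey  'DB Log File Directory' "$frsWorkDir\jet"

# Placeholder: set to the SYSVOL replica root ("Replica_root" in the guide).
$replicaRoot = [Environment]::ExpandEnvironmentVariables('%windir%\SYSVOL\domain')

$exclusions = @(
    $ntdsDit                                              # Main NTDS database file
    "$frsWorkDir\jet\log\*.log"                           # FRS database log files
    "$frsDbLog\log\*.log"                                 # FRS logs when DB Log File Directory is set
    "$frsWorkDir\jet\log\edbres00001.jrs"                 # reserve log (Vista / Server 2008 / 2008 R2)
    "$replicaRoot\DO_NOT_REMOVE_NtFrs_PreInstall_Directory"  # FRS pre-install directory
) | Select-Object -Unique   # the two FRS log entries coincide when the DB log value is unset

# Check: report each exclusion and whether anything matches it today, so a
# non-default location or a typo is caught before the policy is pushed out.
$report = $exclusions | ForEach-Object {
    [pscustomobject]@{ Exclusion = $_; Exists = (Test-Path -Path $_) }
}
$report | Format-Table -AutoSize
```

An exclusion that reports Exists = False is worth a second look before it is deployed: either the path is not in use on this server (harmless) or the files live somewhere else and the exclusion as written will not cover them.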
Excluding administration tools from PUPs removal

Configure an exclusion

Perform the following steps to configure an exclusion for your administrator tool:
NOTE: The following process uses the open source remote desktop software, TightVNC, as an example.
Using ePolicy Orchestrator, access the VirusScan Enterprise 8.8.0, Unwanted Programs Policies, and click Scan Items.
each of these files is opened, Windows Explorer decompresses these files looking for icons to add to the icon cache. As each file is opened, the on-access scanner checks it for malware.
To configure the off-hours scans of compressed archives using ePolicy Orchestrator, access the VirusScan Enterprise 8.8.0, On-Access Default Processes Policy, and click Scan Items. Deselect Scan inside archives (e.g. .ZIP).

Configuring system utilization to match system use
The following figure shows the corresponding Windows Set Priority setting for the on-demand scan set priority configured as Normal in Task Manager.
Setting the system utilization for the scan to low provides improved performance for other running applications. The low setting is useful for systems with high end user activity. Conversely, by setting the system utilization to normal the scan completes faster. The normal setting is useful for systems that have large volumes and very little end user activity.
Configuring on-demand scan file scan threads for best performance

If you are running on-demand scans on a system with dual core processors, or very fast hard drives, you can change some registry settings to improve on-demand scan performance.
CAUTION: This best practice contains information about opening or modifying the registry.
• The following information is intended for System Administrators.
2 Start the Windows Registry Editor and navigate to the following local machine key:
HKLM\Software\McAfee\DesktopProtection\Tasks
3 Depending on whether you want to increase or lower the number of absolute file scan threads, create one of the following DWORD registry settings:
• dwMaxThreadsNormal — For Normal system utilization
• dwMaxThreadsBelowNormal — For below normal system utilization
• dwMaxThr
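Steps 2 and 3 can be applied from PowerShell, which also lets the administrator back up the key first and confirm the values were written as REG_DWORD. The script below is an added example and is not part of the McAfee guide; it uses the key and the two value names given above (the third, truncated name is omitted), and the thread counts in $settings are placeholders that must be chosen for the system, since the guide does not prescribe particular numbers. Run it from an elevated prompt.

```powershell
# Added example (not from the McAfee guide): create or update the on-demand scan
# thread-count DWORD values from step 3 and read them back for verification.
$keyPath  = 'HKLM:\Software\McAfee\DesktopProtection\Tasks'
$regPath  = 'HKLM\Software\McAfee\DesktopProtection\Tasks'   # reg.exe form of the same key

# Placeholder thread counts: pick values suited to the CPU and disk of the system.
$settings = @{
    dwMaxThreadsNormal      = 4   # threads used at Normal system utilization
    dwMaxThreadsBelowNormal = 2   # threads used at Below normal system utilization
}

# Back up the existing key before modifying it (matches the CAUTION above).
if (Test-Path -Path $keyPath) {
    $backup = Join-Path $env:TEMP 'VSE-DesktopProtection-Tasks-backup.reg'
    reg.exe export $regPath $backup /y | Out-Null
    "Backup written to $backup"
} else {
    New-Item -Path $keyPath -Force | Out-Null
}

foreach ($name in $settings.Keys) {
    # -PropertyType DWord creates a REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $keyPath -Name $name -Value $settings[$name] -PropertyType DWord -Force | Out-Null
}

# Check: every value must exist, be a REG_DWORD, and carry the intended data.
$item = Get-Item -Path $keyPath
foreach ($name in $settings.Keys) {
    $kind = $item.GetValueKind($name)
    $data = $item.GetValue($name)
    if ($kind -ne 'DWord' -or $data -ne $settings[$name]) {
        throw "Verification failed for $name (type $kind, data $data)"
    }
    "{0} = {1} ({2})" -f $name, $data, $kind
}
```

The backup file produced by reg.exe export can be re-imported with reg.exe import to restore the previous values if the new thread counts make the system less responsive.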
Additional change

If you still experience unresponsiveness, McAfee recommends you change the way the DATs are being consumed by the engine. Before you make this change you should understand that it increases your system:
• Boot time, by at most 10%
• Peak memory consumption of McShield, by four times the current amount
NOTE: This setting is suggested for systems that do not have tight memory requirements and boot time restrictions.
Configuring the scan cache

To configure the scan cache settings using ePolicy Orchestrator, access the VirusScan Enterprise 8.8.0, General Options Policies, and click the Global Scan Settings tab. Enable the following scan cache settings:
• Enable saving scan data across reboots
• Allow On-Demand Scans to utilize the scan cache
The following ePolicy Orchestrator 4.5 display shows the scan cache enabled.
Other Common Configuration Changes

You can make changes to the VirusScan Enterprise 8.8 default configuration to add or improve other performance characteristics.

Contents
Configuring on-access scanning of network drives
Configuring exclusions on Exchange servers with GroupShield
Configuring on-access scanning of trusted installers
Filtering 1051 and 1059 events

Configuring on-access scanning of network drives

Network drives are not, by default, scanned for malware when you access the drive.
Configuring exclusions on Exchange servers with GroupShield

Microsoft Exchange Server 2010 systems running McAfee GroupShield should have VirusScan Enterprise 8.8.0 on-access scanning exclusions configured for the files listed in this best practice. If you don't configure these exclusions, your system performance could be significantly slower.
Add all of the exclusions listed in the following tables:
• Exchange Application-related extension exclusions
• Exchange Database-related extension exclusions
• Exchange Offline Address Book-related extension exclusions
• Exchange Content Index-related extension exclusions
• Exchange Unified Messaging-related extension exclusions
• Exchange file exclusion
• Internet Information Services (IIS) Working folder exclus
Exchange Application-related extension exclusions
Exclusion                                  Applicable to...
**\Microsoft\Exchange Server\**\*.config   Exchange Server 2010
**\Microsoft\Exchange Server\**\*.dia      Exchange Server 2010
**\Microsoft\Exchange Server\**\*.wsb      Exchange Server 2010

Exchange Database-related extension exclusions
Exclusion                                  Applicable to...
**\Microsoft\Exchange Server\**\*.
Exclusion                                  Applicable to...
**\Microsoft\Exchange Server\**\*.002      Exchange Server 2010

Exchange Unified Messaging-related extension exclusions
Exclusion                                  Applicable to...
**\Microsoft\Exchange Server\**\*.cfg      Exchange Server 2010
**\Microsoft\Exchange Server\**\*.grxml    Exchange Server 2010

Exclusion                                  Applicable to...     Security notes...
Configuring on-access scanning of trusted installers

The Microsoft Windows Trusted Installer, or TrustedInstaller service, protects certain system files from being replaced, changed, or deleted. This protects these files from threats that would install a rootkit or other malware on the system. These "Trusted installer" files are very difficult for malware to change and should not require on-access scanning.
Filtering 1051 and 1059 events

These two events are displayed in the VSE: Threats Detected that appear on your ePolicy Orchestrator dashboard.
NOTE: By filtering these events there is a slight chance that ePolicy Orchestrator might not capture an actual threat of this type.
To disable these two events using ePolicy Orchestrator, complete this task.
1 Click Menu | Configuration | Server Settings; the Server Settings page appears.