Product guide
Configuring on-access scanning of trusted installers
The Microsoft Windows Trusted Installer, or TrustedInstaller service, protects certain system
files from being replaced, changed, or deleted. This protects these files from threats that would
install a rootkit or other malware on the system. These "Trusted installer" files are very difficult
for malware to change and should not require on-access scanning.
The on-access scan trusted installer setting is disabled by default with VirusScan Enterprise 8.8.
This allows the installation of
trusted
software without on-access scanning, which improves
performance. This is specifically true for service pack installations for Microsoft Windows.
For security reasons, you could enable this feature so all files being installed by the trusted
installer are also being scanned, but this increase the installation time and reduces the overall
system performance.
To configure on-access scanning of Trusted Installer files using ePolicy Orchestrator, access
the VirusScan Enterprise 8.8.0, On-Access General Policies, and click General . Next to
Scan, click Trusted installers.
The following ePolicy Orchestrator 4.5 shows on-access scanning of trusted installers enabled.
Filtering 1051 and 1059 events
Filtering 1051 and 1059 events sent by the McAfee Agent can improve your ePolicy Orchestrator
dashboard readability and help you find actual events that occur.
By default, all 1051 and 1059 events are sent to ePolicy Orchestrator from McAfee Agents. A
large number of these events could hide actual events that are a threat to your clients. The
following, relatively non-threatening, event types could add up to 95% of received client events
in the ePolicy Orchestrator database.
• 1051 - Unable to scan password protected (Medium)
• 1059 - Scan Timed Out (Medium)
Other Common Configuration Changes
Configuring on-access scanning of trusted installers
39McAfee VirusScan Enterprise 8.8