McAfee MOVE AntiVirus Multi-Platform 3.5.0


Product Guide

McAfee MOVE AntiVirus Multi-Platform

For use with ePolicy Orchestrator 4.6.7, 4.6.8, Software

Copyright 2014 McAfee, Inc. Do not copy without permission.

Contents

Preface
    About this guide
    Audience
    Conventions
    Find product documentation

Introduction
    Features
    McAfee MOVE AntiVirus Multi-Platform
    How the software works
    Components and what they do
    Before you start

Installation and configuration
    Requirements
    Download McAfee MOVE AV Multi-Platform packages
    Install McAfee MOVE AV
    Install the extension packages
    Install the VirusScan Enterprise for Linux extension
    Deploy the McAfee MOVE AV offload scan server
    Deploy the McAfee MOVE AV client
    Deploy in a XenDesktop or VMware View environment
    Install the McAfee MOVE AV client manually
    Uninstall McAfee MOVE AV Multi-Platform
    Uninstall the client and offload scan server with ePolicy Orchestrator
    Remove the client or offload scan server package from ePolicy Orchestrator
    Uninstall the extensions
    Uninstall the SVA Manager
    Troubleshooting installation issues

Upgrade McAfee MOVE AV Multi-Platform
    Upgrade the extension
    Upgrade the MOVE AV offload scan server with ePolicy Orchestrator
    Upgrade persistent virtual machines
    Upgrade non-persistent virtual machines
    Upgrade the MOVE AV client with ePolicy Orchestrator
    Create a MOVE AV client upgrade task
    Assign the McAfee MOVE AV client upgrade task to virtual systems

McAfee SVA Manager
    OSS assignment made easy
    Set up the SVA Manager
    Configuring SVA Manager
    Configuring the SVA Manager policy
    Add or edit an SVA Manager assignment rule using IP address
    Add or edit an SVA Manager assignment rule using McAfee ePO tag
    Configure an offload scan server policy
    Configure a client policy: Assign OSS to clients using SVA Manager

Monitoring and management
    Integration with ePolicy Orchestrator
    Policy management
    Configuring policies
    Create a policy
    Assign a policy
    Configuring permissions sets
    Configure permission sets
    Queries and reports
    Modify the VirusScan Enterprise compliance query results
    Default queries
    Dashboards and monitors
    MOVE Multi-Platform dashboard
    Report visibility and health of the offload scan server
    Global Threat Intelligence
    Change the Global Threat Intelligence level
    Create a policy specifying offload scan server
    Handling potentially malicious files
    Isolating malicious files in quarantine
    Change threat quarantine behavior
    Restore quarantined items
    Change the primary threat response
    Run the scan diagnostic tool
    Change when files are scanned
    Enable and configure on-demand scans
    Targeted on-demand scan
    Enable and configure RAM disk
    Communication between virtual machines and offload scan servers
    Change the offload scan server settings
    Change the offload scan server port
    McAfee MOVE AV Multi-Platform client alerts
    Triggered events
    Change the client alert behavior
    Change the offload scan server alert behavior
    Self-protection

A Client command-line interface reference
    Access the CLI
    config
    disable
    enable
    ftypes
    help
    loglevel
    pp
    q
    status
    version
    Password protected CLI
    Set password for client CLI

B Server command-line interface reference
    Access the CLI
    cache
    config
    help
    loglevel
    stats
    version

C Install the offload scan server

Index

Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

- Administrators: People who implement and enforce the company's security program.

Conventions

This guide uses these typographical conventions and icons.

- Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
- Bold: Text that is strongly emphasized.
- User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
- Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
- Hypertext blue: A link to a topic or to an external website.
- Note: Additional information, like an alternate method of accessing an option.
- Tip: Suggestions and recommendations.
- Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
- Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

1. Go to the McAfee ServicePortal and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.

1 Introduction

McAfee Management for Optimized Virtual Environments AntiVirus (McAfee MOVE AntiVirus) is an anti-virus solution for virtual environments. It removes the need to install an anti-virus application on every virtual machine (VM), yet provides the protection and performance adequate for your organization's requirements.

MOVE AntiVirus brings advanced malware protection to your virtualized environments, and integrates real-time threat intelligence with security management across your physical and virtual infrastructure.

Features

MOVE AntiVirus features are important for your organization's system security, protection, and performance.

Centralized management
MOVE AntiVirus integrates fully into McAfee ePO, leveraging its infrastructure for automated security reporting, monitoring, deployment, and policy administration.

Optimized scanning
MOVE AntiVirus provides higher operational benefits, and minimizes the performance impact on virtual servers with enhanced scan avoidance and scanning based on overall work load of the hypervisor.

Flexible deployment
McAfee MOVE AntiVirus offers the flexibility to choose your preferred deployment model:

- One option works across multiple virtualization platforms
- An agentless option that leverages the VMware vShield technology

Greater Data Center visibility
McAfee Data Center Connector, which is also part of the Data Center Security suite, provides a complete view into virtual data centers and imports key properties like servers, hypervisors, and virtual machines through the McAfee ePO console.

You can register a cloud account for VMware vSphere, Amazon Web Services (AWS), or OpenStack with McAfee ePO to discover and gain visibility into all VMs, and protect them using MOVE AntiVirus. For details, see the product documentation for your version of Data Center Connector.

McAfee SVA (Security Virtual Appliance) Manager
McAfee SVA Manager integrates fully into McAfee MOVE AV Multi-Platform, and it automatically assigns the MOVE Offload Scan Servers to McAfee MOVE AV Multi-Platform clients based on configurable parameters like Scan Server load, McAfee ePO tags, and IP address ranges. The SVA Manager component:

- Simplifies administrative management by automating the assignment of clients to the offload scan servers.
- Provides visibility of scan server status by monitoring the health of the offload scan servers.
- Performs load-balancing of offload scan servers.

Scan diagnostic tool
You can run the scan diagnostic tool to easily find frequently scanned files, extensions, and VMs, then include these results in the path exclusion policies to exclude them from being scanned. A good set of exclusions improves the performance of the virtual infrastructure.

Restore quarantined items
McAfee MOVE AV deletes any items that are detected as threats, converts a copy of the item to a non-executable format, and saves it in the Quarantine folder. These quarantined items can be restored later. Quarantined items can include files, cookies, and registries.

Targeted on-demand scan
The targeted on-demand scan feature allows the administrator to select a system or a group of systems from the System Tree in McAfee ePO and assign a client task to initiate the on-demand scan immediately. The OSS runs the specified Maximum concurrent targeted scans per Offload Scan Server in addition to the Maximum concurrent scans per Offload Scan Server defined in the policy.

RAM disk for scanning
RAM disk is used by the OSS for file scanning and it significantly reduces the disk I/O on the offload scan server. You can enable the RAM disk option in the ePolicy Orchestrator server. RAM disk is created by the OSS and it improves the OSS performance by enhancing the scan time.

McAfee MOVE AntiVirus Multi-Platform

McAfee MOVE AntiVirus Multi-Platform is an anti-virus solution for virtual environments that removes the need to install an anti-virus application on every virtual machine (VM). This document covers installation, configuration, and product usage information for McAfee MOVE AV Multi-Platform.

How the software works

Traditional security solutions for virtual environments run as an anti-virus application on every VM on the hypervisor. This setup places a heavy burden on disk, CPU, and memory usage and results in reduced VM density per hypervisor.

The Multi-Platform deployment option offloads all scanning to a dedicated VM, an offload scan server, that runs McAfee VirusScan Enterprise software. Guest VMs are no longer required to run anti-virus software locally, which results in improved performance for anti-virus scanning, and increased VM density per hypervisor.

McAfee MOVE AV Multi-Platform 3.5 supports both on-access and on-demand scanning:

- On-access scanning: Examines files on your computer as they are accessed, providing continuous, real-time detection of threats.
- On-demand scanning: Examines all files on virtual machines for potential threats. On-demand scans supplement the continuous protection of on-access scanning. You can also schedule regular scans at times that do not interfere with your work.

Components and what they do

Each component performs specific functions to keep your environment protected.

- ePolicy Orchestrator: Communicates with the McAfee Agent, manages the Multi-Platform configuration, and provides reports on malware discovered within your virtual environment.
- Hypervisor: Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating system.
- McAfee Agent: Communicates with ePolicy Orchestrator, applies policies to each virtual machine, and deploys the McAfee MOVE AV client.
- McAfee MOVE AV client: Allows virtual machines to consult with the offload scan server (OSS) for file scanning and malware detection. Enforces actions on the client when a threat is detected.
- McAfee MOVE AV Offload Scan Server: Provides offloaded scanning support for virtual machines, which minimizes the performance impact on virtual desktops.
- McAfee MOVE AV client extension: Provides policies and controls for configuring and managing the behavior of the McAfee MOVE AV client through ePolicy Orchestrator.
- McAfee MOVE AV Offload Scan Server extension: Provides policies and controls for configuring and managing the behavior of the McAfee MOVE AV offload server through ePolicy Orchestrator.

- VirusScan Enterprise: Provides anti-virus protection for the offload scan server VM and communicates with the GTI servers.
- McAfee SVA Manager: Automatically assigns offload scan servers to MOVE Multi-Platform clients based on configurable parameters like Scan Server load, McAfee ePO tags, and IP address ranges.
- Data Center Connector for vSphere: Integrates the management and automation feature of McAfee ePO to discover and manage your guest VMs.

For information about the other products in the solution, download their documentation from the McAfee Technical Support ServicePortal.

Before you start

Perform the following before starting installation and configuration of McAfee MOVE AV software.

- Remove or disable any anti-virus application installed on target virtual machines, such as VirusScan Enterprise or Windows Defender, before deploying McAfee MOVE AV client software.
- If VirusScan Enterprise is installed, create an ePolicy Orchestrator product deployment client task to uninstall it from each virtual machine that receives the McAfee MOVE AV client.


2 Installation and configuration

To set up your environment for the Multi-Platform deployment option, download the McAfee MOVE AV Multi-Platform components, and deploy the McAfee MOVE AV client and offload scan server to target systems.

Requirements

Make sure that your environment includes these components, and that they meet these requirements.

Software requirements

- ePolicy Orchestrator 4.6.7, 4.6.8, or
- McAfee Agent 4.6 and later
- VirusScan Enterprise 8.8

To prevent multiple DAT updates to VirusScan Enterprise from occurring at the same time, we recommend distributing the policy between primary and secondary offload scan servers.

For details about system requirements and instructions for setting up the ePolicy Orchestrator environment, see the McAfee ePolicy Orchestrator Installation Guide.

System requirements

The offload scan server requires a dedicated virtual machine with VirusScan Enterprise 8.8 installed. The virtual machine must meet these requirements:

- Operating system: Windows 2008 R2 SP1, or Windows 2008 SP2 (64-bit), or Windows 2012 R2
- CPU: 4 vCPU, 2 GHz or higher
- Memory: 6 GB RAM or higher
- Free disk space: 8 GB or higher
- Other requirements: Static IP address. This is required only when configuring the policies using the IP address.

The McAfee MOVE AV client software requires one of these operating systems:

- Windows XP SP3 (32-bit)
- Windows 2003 R2 SP2 (32-bit)
- Windows Vista (32-bit or 64-bit)
- Windows 2008 SP2 (32-bit or 64-bit)
- Windows 7 (32-bit or 64-bit)
- Windows 2008 R2 SP1 (64-bit)
- Windows 8 (32-bit or 64-bit)
- Windows 2012
- Windows 8.1 (32-bit or 64-bit)
- Windows 2012 R2 (64-bit)

Windows XP virtual machines require 512 MB of RAM or more. All other operating systems require 1 GB of RAM or more.

Requirements for SVA Manager

- Hypervisors: VMware ESXi 5.0 or above; Citrix XenServer 6.0 or above
- CPU: 2 vCPU
- Memory: 2 GB RAM or higher

To deploy on Hyper-V, convert the .vmdk file, part of the SVA Manager appliance, into a .vhd file, then attach the .vhd file as a hard disk to a new VM in Hyper-V. To convert .vmdk to .vhd, you can use the Microsoft Virtual Machine Converter standalone tool (v2.0) software.

Download McAfee MOVE AV Multi-Platform packages

You must download the McAfee MOVE AV Multi-Platform package before the components can be deployed to virtual systems or installed on ePolicy Orchestrator.

From the McAfee download site, download the product package MOVE <build number>(enu LICENSED RELEASE MAIN).zip, which has these individual packages.

Package name: Description

- MOVE AV_Offload_Scan_Server_3500.zip: Offload scan server package
- MOVE AV_Client_3500_WIN.zip: Client deployment package
- MOVE AV_Ext_3.5.0_Licensed.zip: License extension; upgrades evaluation extension to a fully licensed extension. This package installs all extensions for OSS, client, MOVE SVA Manager, and license.
- McAfee_MOVE MP_SVA_MANAGER.zip: MOVE SVA Manager package
- vsphere_ext_3.5.0.<bldnumber>.zip: Data Center Connector for vSphere package
- MOVE AV_DOCS_3.5.0.zip: MOVE AV Multi-Platform documentation package
- MOVE AV_HELP_3.5.0.zip: This installs the McAfee ePO Help extension for MOVE AV Multi-Platform. Upgrade is not supported for version Help extension. Make sure that you remove the previous version of the Help extension, then install version extension.

Install McAfee MOVE AV

These installation tasks must be performed and can be completed in the order specified here.

You can use Data Center Connector for vSphere, which discovers and imports both running and stopped machine instances from VMware vCenter to the McAfee ePO server. This product integrates the management feature of McAfee ePO with the VMware vCenter server, displaying the imported virtual machines' security and scan status on McAfee ePO. You can use this report to install the MOVE AV Multi-Platform product to the target virtual systems, which are discovered and imported with the Data Center Connector.

For details about installing and configuring the Data Center Connector for vSphere, see Data Center Connector for vSphere Product Guide.

Tasks

- Install the extension packages
- Install the VirusScan Enterprise for Linux extension
- Deploy the McAfee MOVE AV offload scan server
- Deploy the McAfee MOVE AV client
- Deploy in a XenDesktop or VMware View environment
- Install the McAfee MOVE AV client manually

Install the extension packages

The McAfee MOVE AV client and offload scan server extension packages must be installed in ePolicy Orchestrator before you can manage McAfee MOVE AV on your virtual machines.

Before you begin: Download the extension file MOVE AV_Ext_3.5.0_Licensed.zip from the McAfee download site.

For option definitions, click ? in the interface.

1. From the ePolicy Orchestrator console, click Menu | Software | Extensions | Install Extension.
2. Browse to and select the extension file, then click OK.
3. Verify that the product name appears in the Extensions list.

The license extension turns a trial client extension into a fully licensed extension.

Install the VirusScan Enterprise for Linux extension

Install this extension only to manage the VirusScan Enterprise for Linux policy on the SVA Manager.

VirusScan for Linux is only licensed for use on the SVA Manager, and is not licensed for use on other Linux systems in your environment. For instructions on how to install, configure, and create a product update task, see the McAfee VirusScan Enterprise for Linux Configuration Guide.

For option definitions, click ? in the interface.

1. From the ePolicy Orchestrator console, click Menu | Software | Extensions | Install Extension.
2. Browse to and select each extension file, then click OK.

   Extension: File
   - McAfee Agent: EPOAGENTMETA.ZIP
   - McAfee VirusScan for Linux: LYNXSHLD2000.ZIP
   - McAfee VirusScan for Linux reports: LYNXSHLD2000PARSER.ZIP

3. Verify that the product name appears in the Extensions list.

Deploy the McAfee MOVE AV offload scan server

After the McAfee MOVE AV offload scan server package has been added to McAfee ePO, you can deploy the offload scan server to virtual machines.

Tasks

- Check in the offload scan server package
- Create a product deployment client task
- Assign a client task

Check in the offload scan server package

Check in the McAfee MOVE AV Multi-Platform offload scan server and client packages to the master repository so that ePolicy Orchestrator can deploy them.

For option definitions, click ? in the interface.

1. From the ePolicy Orchestrator console, click Menu | Software | Master Repository, then click Actions | Check In Package.
2. Select the Package type, then browse to and select the package file MOVE AV_Offload_Scan_Server _
3. Click Next to open the Package Options page.
4. Confirm or configure the following:
   - Package info: Confirm this is the correct package.
   - Branch: Select the required branch. If your environment requires testing new packages before deploying them throughout the production environment, we recommend using the Evaluation branch to check in packages. Once you finish testing the packages, you can move them to the Current branch by clicking Menu | Software | Master Repository.

   - Options: Select whether to:
     - Move the existing package to the Previous branch: When selected, moves packages in the master repository from the Current branch to the Previous branch when a newer package of the same type is checked in. Available only when you select Current in Branch.
   - Package signing: Specifies if the package is signed by McAfee or is a third-party package.
5. Click Save to begin checking in the package, then wait while the package is checked in.

The offload scan server package appears in the Packages list on the Master Repository tab.

Create a product deployment client task

Deploying the McAfee MOVE AV offload scan server from ePolicy Orchestrator requires two tasks. You must first create a deployment client task, then assign that task to virtual machines.

Before you begin: You must check in the McAfee MOVE AV Multi-Platform offload scan server package before you can create a client task.

For option definitions, click ? in the interface.

1. From the ePolicy Orchestrator console, click Menu | Policy | Client Catalog.
2. Select Product Deployment in the Client Types menu, then click Actions | New.
3. Select Product Deployment from the list, then click OK to open the Client Builder wizard.
4. Type a name for the task you are creating, and add any descriptive information in the Description field.
5. Make sure that Windows is the only Target platform selected.
6. For Products and components:
   a. For offload scan server, select MOVE AV [Multi-Platform] Offload Scan Server from the drop-down list.
   b. Set the Action to Install, set the Language to Language Neutral, and set the Branch to Current.
   c. Leave the Command line setting blank.
7. Review the task settings, then click Save.

The task is added to the list of client tasks for the selected client task type.

Assign a client task

The McAfee Agent must already be deployed to target virtual systems before running client tasks.

Before you begin: You must check in the McAfee MOVE AV Multi-Platform offload scan server package before you can run a client task.

For option definitions, click ? in the interface.

1. From the ePolicy Orchestrator console, click Menu | Policy | Client Assignments, then click the Assigned Client Tasks tab.
2. Click Actions | New Client Assignment.
3. Select these settings, then click Next.
   - Product: McAfee Agent
   - Type: Product Deployment
   - Name: The name of the task you used when you created the client task
4. On the Schedule tab, enter the information appropriate to this task.
5. Examine the settings on the Summary tab, then click Save to assign the task.

Deploy the McAfee MOVE AV client

After the McAfee MOVE AV client package has been added to McAfee ePO, you can deploy the client to virtual machines.

Tasks

- Check in the client package
- Create a product deployment client task
- Assign a client task

Check in the client package

Check in the McAfee MOVE AV Multi-Platform client package to the master repository so that ePolicy Orchestrator can deploy it.

For option definitions, click ? in the interface.

1. From the ePolicy Orchestrator console, click Menu | Software | Master Repository, then click Actions | Check In Package.
2. Select the Package type, then browse to and select the package file MOVE AV_Client_3500_WIN.
3. Click Next to open the Package Options page.
4. Confirm or configure the following:
   - Package info: Confirm this is the correct package.
   - Branch: Select the required branch. If your environment requires testing new packages before deploying them throughout the production environment, we recommend using the Evaluation branch to check in packages. Once you finish testing the packages, you can move them to the Current branch by clicking Menu | Software | Master Repository.

   - Options: Select whether to:
     - Move the existing package to the Previous branch: When selected, moves packages in the master repository from the Current branch to the Previous branch when a newer package of the same type is checked in. Available only when you select Current in Branch.
   - Package signing: Specifies if the package is signed by McAfee or is a third-party package.
5. Click Save to begin checking in the package, then wait while the package is checked in.

The client package appears in the Packages list on the Master Repository tab.

Create a product deployment client task

Deploying the McAfee MOVE AV client from ePolicy Orchestrator requires two tasks. You must first create a deployment client task, then assign that task to virtual machines.

Before you begin: You must check in the McAfee MOVE AV Multi-Platform client package before you can create a client task.

For option definitions, click ? in the interface.

1. From the ePolicy Orchestrator console, click Menu | Policy | Client Catalog.
2. Select Product Deployment in the Client Types menu, then click Actions | New.
3. Select Product Deployment from the list, then click OK to open the Client Builder wizard.
4. Type a name for the task you are creating, and add any descriptive information in the Description field.
5. Make sure that Windows is the only Target platform selected.
6. For Products and components:
   a. For client, select MOVE AV [Multi-Platform] Client from the drop-down list.
   b. Set the Action to Install, set the Language to Language Neutral, and set the Branch to Current.
   c. Leave the Command line setting blank.
7. Review the task settings, then click Save.

The task is added to the list of client tasks for the selected client task type.

Assign a client task

The McAfee Agent must already be deployed to target virtual systems before running client tasks.

Before you begin: You must check in the McAfee MOVE AV Multi-Platform client package before you can run a client task.

For option definitions, click ? in the interface.

1. From the ePolicy Orchestrator console, click Menu | Policy | Client Assignments, then click the Assigned Client Tasks tab.
2. Click Actions | New Client Assignment.
3. Select these settings, then click Next.
   - Product: McAfee Agent
   - Type: Product Deployment
   - Name: The name of the task you used when you created the client task
4. On the Schedule tab, enter the information appropriate to this task.
5. Examine the settings on the Summary tab, then click Save to assign the task. The McAfee MOVE AV client is deployed to every system in the selected group in the System Tree.
6. Confirm that the McAfee MOVE AV client is successfully installed:
   a. Log on to the McAfee MOVE AV client system as an administrator.
   b. Open the McAfee MOVE AV client command prompt and enter this command:

          mvadm status

      The command line returns protection status details if the client is successfully installed.

Deploy in a XenDesktop or VMware View environment

When operating in a XenDesktop or VMware View environment, follow these steps to avoid creating duplicate systems in ePolicy Orchestrator.

Before you begin: The McAfee Agent must already be installed on the master image, and the McAfee MOVE AV client must already be in the master repository.

1. Deploy the McAfee MOVE AV client to the master image, then verify that it was applied successfully.
2. Configure and apply McAfee MOVE AV policies to the master image, then verify that they were applied successfully.
3. In the master image, delete the registry key AgentGUID from the location determined by your Windows operating system.
   - 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent (32 bit)
   - 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent (64 bit)
4. Shut down the master image and clone all virtual machines from that master image.

When cloned images are turned on, new agent GUID values are automatically restored.

Install the McAfee MOVE AV client manually
It is possible to install the client manually without deploying it from ePolicy Orchestrator.

Before you begin
- Download the McAfee MOVE AV installer and store it in a location accessible from the system where it will be installed.
- The McAfee Agent must be installed on the target system.

This procedure is used only when you don't want to use ePolicy Orchestrator to deploy the client to the target system.

1 From the McAfee MOVE AV client package, extract the appropriate client installer based on your Windows operating system.
   64-bit: setup win amd64.exe
   32-bit: setup win x86.exe
2 Run the installer, then click Next in the Welcome screen.
3 In the License Agreement screen, accept the EULA, then click Next.
4 In the Customer information screen, enter a user name and organization, then click Next.
5 In the Destination folder screen, choose the default location or specify a different location, then click Next.
6 In the Ready to install the program screen, click Install.
7 Click Finish to complete the installation.
8 To configure the manual installation, open the McAfee MOVE AV client command prompt: click Start Programs McAfee MOVE AV client Command Prompt, and run these commands.
   mvadm status
   mvadm config set serveraddress1=<address of offload server 1>
   mvadm config set serveraddress2=<address of offload server 2>
   The offload scan server address can be entered in FQDN or IPv4 format.
   mvadm enable

The McAfee MOVE AV client is now installed and running on the target system.

Uninstall McAfee MOVE AV Multi-Platform
A full uninstall involves removing these components: McAfee MOVE AV client, McAfee MOVE AV offload scan server, and the McAfee MOVE AV Multi-Platform extensions.

Tasks
- Uninstall the client and offload scan server with ePolicy Orchestrator: Uninstalling the McAfee MOVE AV client with ePolicy Orchestrator requires two tasks. First create an uninstallation client task, then assign that task to virtual systems.
- Remove the client or offload scan server package from ePolicy Orchestrator: Remove the client or offload scan server package from the ePolicy Orchestrator console.
- Uninstall the extensions: Uninstall the McAfee MOVE AV Multi-Platform extensions from ePolicy Orchestrator.
- Uninstall the SVA Manager: Uninstalling the SVA Manager involves these steps.

Uninstall the client and offload scan server with ePolicy Orchestrator
Uninstalling the McAfee MOVE AV client with ePolicy Orchestrator requires two tasks. First create an uninstallation client task, then assign that task to virtual systems.

Tasks
- Create an uninstallation task: You must create an uninstallation task before you can apply it to systems and remove the software from the client.
- Assign the uninstallation task to virtual systems: The uninstallation task must be assigned to virtual systems to take effect.

Create an uninstallation task
You must create an uninstallation task before you can apply it to systems and remove the software from the client.

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Policy | Client Catalog.
2 In the left column under McAfee Agent, select Product Deployment.
3 Click Actions | New, select Product Deployment, then click OK.
4 Type the name of the task, like Uninstall MOVE AV client on VM client, and an optional Description.
5 Make sure that Windows is the only Target platform selected.
6 For Products and components, select the following, then click Next.
   a Select MOVE AV [Multi-Platform] client or MOVE AV [Multi-Platform] Offload Scan Server from the first drop-down list.
   b Set the Action to Remove, set the Language to Language Neutral, and set the Branch to Current.
   c Leave the Command Line setting blank.
7 Select the remaining options according to your environment's best practices, then click Save.

The newly created task appears in the Client Catalog.

Assign the uninstallation task to virtual systems
The uninstallation task must be assigned to virtual systems to take effect.

Before you begin
The McAfee MOVE AV client is added to the Master Repository and your virtual systems are added to the System Tree.

For option definitions, click ? in the interface.

1 Select a group in the System Tree.
2 Click Menu | Policy | Client Assignments, then click the Assigned Client Tasks tab.
3 Click Actions | New Client Assignment.
4 Select these settings, then click Next.
   Product: McAfee Agent
   Type: Product Deployment
   Name: The name of the task you created earlier
5 On the Schedule tab next to Schedule type, select Run Immediately from the drop-down list, set the Options as appropriate, then click Next.
6 Examine the settings displayed on the Summary tab, then click Save to assign the task.
   The McAfee MOVE AV client is removed from every system in the selected group in the System Tree.

Remove the client or offload scan server package from ePolicy Orchestrator
Remove the client or offload scan server package from the ePolicy Orchestrator console.

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, select Menu | Software | Master Repository.
2 Select MOVE AV [Multi-Platform] client or MOVE AV [Multi-Platform] Offload Scan Server, then click Delete.
   You can also use the Windows Control Panel to remove the offload scan server.

Uninstall the extensions
Uninstall the McAfee MOVE AV Multi-Platform extensions from ePolicy Orchestrator.

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Software | Extensions.
2 From the Extensions tab under McAfee group, select MOVE-AV.

3 Click Remove next to each extension.
   You must now uninstall both the base and license extensions. The license extension must be removed first.
4 Delete reports and queries manually after uninstalling the extension.

Uninstall the SVA Manager
Uninstalling the SVA Manager involves these steps.

Before you begin
You must have sudo rights to perform these actions.

1 Log on to the SVA Manager appliance (virtual machine).
2 Run the sudo poweroff command, which shuts down the appliance.
3 Log on to the hypervisor that is hosting the SVA Manager appliance, then delete the SVA Manager VM.
4 Remove the SVA Manager entry from the McAfee ePO server.

Troubleshooting installation issues
Common operating issues encountered in a McAfee MOVE AV deployment can be resolved by performing these actions.

- From the offload scan server system, check that the MOVE AV server service is running and listening on the specified port. The default port is
- Check that the McAfee MOVE AV client can communicate through any firewalls with the McAfee MOVE AV offload scan server on the specified port.
- Verify that the McAfee MOVE AV client is enabled. Run the mvadm status command from a McAfee MOVE AV client command-line interface with administrator rights.
- Make sure that the McAfee MOVE AV policy on ePolicy Orchestrator is configured correctly:
  - Protection State is Enabled
  - McAfee MOVE AV offload scan server addresses are configured correctly
- Check that VirusScan Enterprise 8.8 is installed and working properly on the McAfee MOVE AV offload scan server virtual machine, and that a recent DAT is present.
- When configuring SVA Manager, make sure that both client and OSS are able to communicate with SVA Manager.


3 Upgrade McAfee MOVE AV Multi-Platform

Review this list before upgrading your environment.

- Version 3.5 of the MOVE AV client and the offload scan server upgrades over version
- To upgrade McAfee MOVE AV Multi-Platform, you need to upgrade these components in the order specified here:
  1 Product extension
  2 Offload scan server
  3 MOVE AV client
- The combination of offload scan server 3.5 and MOVE AV client is supported, but the combination of offload scan server and MOVE AV client 3.5 is not supported.
- VirusScan Enterprise 8.8 must be installed on the target system before you deploy the offload scan server.

Contents
- Upgrade the extension
- Upgrade the MOVE AV offload scan server with ePolicy Orchestrator
- Upgrade persistent virtual machines
- Upgrade non-persistent virtual machines
- Upgrade the MOVE AV client with ePolicy Orchestrator

Upgrade the extension
Version 3.5 of the McAfee MOVE AV extension upgrades the extension on the McAfee ePO server.

Before you begin
Make sure that the extension file is in an accessible location on the network.

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Software | Extensions.
2 When the Extensions page opens, click Install Extension.
3 Browse to and select the MOVE AV_Ext_3.5.0_Licensed.zip file, then click OK.
4 After a confirmation message, click OK.

All policies created in version exist after you upgrade to version

Upgrade the MOVE AV offload scan server with ePolicy Orchestrator
We recommend staggering the offload scan server upgrades so that protection is maintained on the legacy client virtual machines. In environments that are made up primarily of persistent images, creating additional version 3.5 offload scan servers is preferable to upgrading existing offload scan servers.

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Policy | Client Catalog, select McAfee Agent | Product Deployment, then click Actions | New.
2 Make sure that Product Deployment is selected, then click OK.
3 Type a name for the task you are creating and add any notes.
4 Next to Target platforms, select Windows as the type of platform to use for deployment.
5 Next to Products and components, set the following:
   - Select the product from the first drop-down list. The products listed are those for which you have already checked in a package to the master repository. If you do not see the product you want to deploy, you must first check in that product's package.
   - Set the Action to Install, then select the Language of the package, and the Branch.
   - To specify command-line installation options, type command-line options in the Command line text field. See the product documentation for information on command-line options of the product you are installing.
   You can click + or - to add or remove products and components from the displayed list.
6 (Windows only) Next to Options, select if you want to run this task for every policy enforcement process, then click Save.
7 Click Menu | Systems | System Tree | Assigned Client Tasks, then select the required group in the System Tree.
8 Select the Preset filter as Product Deployment (McAfee Agent).
   Each assigned client task per selected category appears in the details pane.
9 Click Actions | New Client Assignment to open the Client Assignment Builder wizard.
10 On the Select page, select Product as McAfee Agent and Type as Product Deployment, then select the task you created to deploy the product.
11 Next to Tags, select the platforms to which you are deploying the packages, then click Next.
   - Send this task to all computers
   - Send this task to only computers that have the following criteria: Use one of the edit links to configure the criteria.

12 On the Schedule page, select whether the schedule is enabled, and specify the schedule details, then click Next.
13 Review the summary, then click Save.

Upgrade persistent virtual machines
Upgrading persistent virtual machines provides nearly seamless virus protection, but requires the overhead of duplicate offload scan servers during the upgrade process. We recommend this method for environments comprised primarily of persistent virtual machines, where the and 3.5 clients require support from the offload scan server during the client migration process.

1 Install the 3.5 package and upgrade the extension in ePolicy Orchestrator.
2 Create a new virtual server and install VirusScan Enterprise 8.8 on that server.
3 Install the offload scan server version 3.5 on the virtual server.
4 Create a new McAfee MOVE AV Multi-Platform 3.5 policy that references the offload scan server you created in the previous step, and assign it to the virtual machines being upgraded.
   The existing client policy configuration can be used during the upgrade. However, if you use the new settings specified in the client's offload scan server assignment policy, you can no longer use the existing manual policy configuration.
5 Create an ePolicy Orchestrator client task to upgrade the McAfee MOVE AV clients to version 3.5.
   As the upgrade task is executed on virtual machines, the VMs begin to use the 3.5 offload scanner for file scanning.
6 After all clients are upgraded to version 3.5, shut down the version offload scan servers.

Upgrade non-persistent virtual machines
Upgrading non-persistent virtual machines does not require creating additional offload scan servers, although it might result in a window of time when virtual machines are unprotected. McAfee recommends that you perform this upgrade during scheduled downtime.

For option definitions, click ? in the interface.

1 Install the 3.5 Master Repository client and OSS packages and upgrade the extensions in ePolicy Orchestrator.
2 Create a new 3.5 client policy definition that references existing offload scan server systems.
   The existing client policy configuration can be used during the upgrade. However, if you use the new settings specified in the client's offload scan server assignment policy, you can no longer use the existing manual policy configuration.

3 From the ePolicy Orchestrator console, upgrade all offload scan servers to version 3.5.
   Virtual machines serviced by upgraded offload scan servers do not have anti-virus protection until after this task is completed.
4 Modify the master or golden image by deploying version 3.5 of the McAfee MOVE AV client from ePolicy Orchestrator, or by manually upgrading the client directly on the master image.

Upgrade the MOVE AV client with ePolicy Orchestrator
Upgrading MOVE AV clients from ePolicy Orchestrator requires two tasks. You must first create an upgrade client task, then assign that task to virtual machines.

Tasks
- Create a MOVE AV client upgrade task: Before you can upgrade the MOVE AV client, you must create a client upgrade task.
- Assign the McAfee MOVE AV client upgrade task to virtual systems: The upgrade task must be assigned to virtual systems to take effect.

Create a MOVE AV client upgrade task
Before you can upgrade the MOVE AV client, you must create a client upgrade task.

For option definitions, click ? in the interface.

1 Open the Client Catalog: click Menu | Policy | Client Catalog.
2 In the left column under McAfee Agent, select Product Deployment.
3 Click Actions | New, select Product Deployment, then click OK.
4 Type the name of the task, for example, Upgrade MOVE AV client on VM client, and add information in the Description field.
5 Make sure that Windows is the only Target platform selected.
6 For Products and components:
   a Select MOVE AV client from the first drop-down list.
   b Set the Action to Install, set the Language to Language Neutral, and set the Branch to Current.
   c Leave the Command line setting blank.
7 Select the remaining options according to your environment's best practices, then click Save.

The newly created task appears in the Client Catalog.

Assign the McAfee MOVE AV client upgrade task to virtual systems
The upgrade task must be assigned to virtual systems to take effect.

Before you begin
You must have already added the MOVE AV client to the master repository, and added your virtual systems to the System Tree.

For option definitions, click ? in the interface.

1 Select a group in the System Tree.
2 Click Menu | Policy | Client Assignments, then click the Assigned Client Tasks tab.
3 Click Actions | New Client Assignment.
4 Select these settings, then click Next.
   Product: McAfee Agent
   Type: Product Deployment
   Name: The name of the task you created earlier
5 On the Schedule tab next to Schedule type, select Run Immediately from the drop-down list, set the Options as needed, then click Next.
6 Examine the settings on the Summary tab, then click Save to assign the task.
   The McAfee MOVE AV client is upgraded on every system in the selected group in the System Tree.


4 McAfee SVA Manager

McAfee SVA Manager is a pre-packaged virtual appliance, which automatically assigns McAfee MOVE AV Multi-Platform offload scan servers to MOVE Multi-Platform clients. This assignment is based on configurable parameters like Scan Server load, McAfee ePO tags, and IP address ranges.

Contents
- OSS assignment made easy
- Set up the SVA Manager
- Configuring SVA Manager
- Configuring the SVA Manager policy
- Configure an offload scan server policy
- Configure a client policy: Assign OSS to clients using SVA Manager

OSS assignment made easy
An offload scan server can generally be assigned to endpoints, depending on the load of the endpoints. Let us consider that your organization has about 10,000 endpoints. If you assign 200 endpoints per OSS, you need about 50 offload scan servers and 50 policies that specify which offload scan servers a group of virtual machines uses. After you create this policy, you must assign it before it takes effect. It is a time-consuming task to manually assign these policies to the OSS.

The McAfee SVA Manager can create IP address-based assignment rules and tag-based assignment rules where a range of endpoints are automatically assigned to a group of OSS.

Set up the SVA Manager
You must set up and configure the SVA Manager before registering the OSS and assigning it to a group of clients.

Before you begin
You must have administrator rights to perform this task.

1 Create the SVA Manager appliance (virtual machine) by deploying the SVA Manager OVF template and configuring a VM network for communication with the SVA Manager.
2 Turn on the VM.

3 At the prompt, log on with these credentials:
   User name: svaadmin
   Password: svaadmin
4 Configure the VM appliance with these details:
   - IP address and host name of the McAfee ePO server
   - Network: DHCP or Static. We recommend that you select Static IP address for SVA Manager.
   - McAfee ePO credentials. Check for the correct format of the user name, for example: domain\\user name.
   - DNS servers
   - Time zone
5 Verify that these communication ports are open and reachable on the SVA Manager:
   8080: For communication between SVA Manager and the client
   8081: For communication between McAfee Agent and McAfee ePO
   8443: For communication between SVA Manager and the OSS
   By default, these ports are already opened through the firewall installed on the appliance. However, we recommend that you verify that the firewall settings in your environment are configured to allow communication on these ports.

Now, the SVA Manager service can communicate with McAfee ePO through the McAfee Agent. You must now set the required policies in McAfee ePO.

Use this command to manually run the configuration script:
sudo /home/svaadmin/.sva-config

Configuring SVA Manager
The overall SVA Manager configuration and assignment process is made up of these stages. This assumes that the user already installed McAfee ePO and the McAfee Agent is installed on client systems, which successfully communicate with the McAfee ePO server.

1 Install the MOVE AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.
2 Check in the MOVE AV Multi-Platform software packages (MOVE AV_Client_3500_WIN.zip and MOVE AV_Offload_Scan_Server_3500.zip) to the McAfee ePO server.
3 Deploy the MOVE AV offload scan server package to the OSS host.
4 Deploy the MOVE AV client package to the client systems.
5 Set up your SVA Manager.
6 Configure the SVA Manager policy.

7 Configure the offload scan server policy and assignment.
8 Assign the offload scan servers to endpoints.

Configuring High Availability for MOVE SVA Manager
For details on configuring High Availability for MOVE SVA Manager, see corporate/index?page=content&id=pd

Configuring the SVA Manager policy
McAfee SVA Manager automatically assigns offload scan servers to MOVE Multi-Platform clients based on configurable parameters like Scan Server load, McAfee ePO tags, and IP address ranges.

Add or edit an SVA Manager assignment rule using IP address
Using their IP address range, assign a set of endpoints to a selected OSS or a number of offload scan servers, so that those clients are protected by these OSS rules.

Before you begin
- Make sure that you installed the MOVE AV_Ext_3.5.0_Licensed.zip extension on the McAfee ePO server.
- Make sure that you checked in the MOVE AV Multi-Platform software packages (MOVE AV_Client_3500_WIN.zip and MOVE AV_Offload_Scan_Server_3500.zip) to the McAfee ePO server.
- Make sure that you deployed the MOVE AV offload scan server package to the OSS host.
- Make sure that you deployed the MOVE AV client package to the client systems.
- Make sure that you already set up the SVA Manager.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] SVA Manager from the Product drop-down menu, then select General from the Category drop-down list.
3 Click New Policy or click the name of an existing policy to edit it.
4 Type a name for the new policy (for example, MOVE AV SVA Manager Policy), then click OK.

5 In the Assignment Rules tab on the Policy Settings page, click Add to open the Add/Edit OSS Assignment Rule dialog box and configure these settings as needed.

   For this option... / Do this...
   - Rule name: Type a unique user-friendly name that can help you identify the rule.
   - Client IP Addresses: Type the IP address or a range of IP addresses of the endpoints, which must be assigned to the OSS. You can separate IP addresses or ranges with a comma (,) or a new line.
   - Offload Server IP Addresses: Type the IP address of the OSS, which must be assigned to the client.

   The Assign OSS if no rule is defined above for client option is used to assign the OSS to endpoints, which are not defined in any of the rules. By default, this option is enabled.

6 In the MOVE SVA Manager Settings tab, configure these settings as needed, then click Save to commit your changes.

   For this option... / Do this...
   - Threshold for OSS Capacity Warning: Specify the OSS capacity threshold level. A warning appears when the number of connected endpoints is more than this level.
   - OSS assignment rules:
     - Prefer OSS from same subnet: Select if you need to assign the OSS from the same subnet.
   - OSS Lease time: Specify the interval for automatic assignment of OSS to endpoints. The default interval is 240 minutes. The load balancing depends on this value.
   - ePO Credentials: Specify the credentials of the McAfee ePO server that SVA Manager needs to connect. The user password must consist of ASCII characters only.
   - Log Settings:
     - Number of Log Files: Specify a number to limit the number of log files allowed before they are rotated. This is a positive integer value. Defaults to 4.
     - Log File Size: Specify a number to limit the size (in MB) of an individual log file.
     - Log Level: Select a log level from the supported log level types of McAfee MOVE AV offload scan server modules.
   - Communication Ports:
     - OSS Port: Type the port number of the OSS. This is the port where the OSS connects to SVA Manager.
     - Client Port: Type the port number of the client. This is the port where the MOVE AV Multi-Platform clients connect to SVA Manager.

   Make sure that the firewall script present in the SVA Manager appliance at /etc/init.d/sva firewall is also updated for the specified ports. You must restart the firewall with the command sudo service sva-firewall, so that the changes are updated.

Add or edit an SVA Manager assignment rule using McAfee ePO tag
Assign a set of endpoints to a selected OSS using their tag group, so that those clients are protected by these OSS rules.

Before you begin
- Make sure that you installed the MOVE AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.
- Make sure that you checked in the MOVE AV Multi-Platform software packages (MOVE AV_Client_3500_WIN.zip and MOVE AV_Offload_Scan_Server_3500.zip) to the McAfee ePO server.
- Make sure that you deployed the MOVE AV offload scan server package to the OSS host.
- Make sure that you deployed the MOVE AV client package to the client systems.
- Make sure that you already set up the SVA Manager.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] SVA Manager from the Product drop-down menu, then select General from the Category drop-down list.
3 Click New Policy or click the name of an existing policy to edit it.
4 Type a name for the new policy (for example, MOVE AV SVA Manager Policy), then click OK.
5 In the Tag Assignment Rules tab on the Policy Settings page, click Add to open the Add/Edit OSS Tag Assignment Rule dialog box and configure these settings as needed.

   For this option... / Do this...
   - Rule name: Type a unique user-friendly name that can help you identify the rule.
   - Select and add to client tags: Select the tag names of the endpoints, which must be assigned to the OSS.
   - Select and add to offload Server Tags: Select the tag name of the OSS, which must be assigned to the client. You can separate tag names with a comma (,).

   The tag-based assignment rule takes priority over the IP address-based assignment rule.
   The Assign OSS if no rule is defined above for client option assigns the OSS to endpoints, which are not defined in any of the rules. By default, this option is enabled.

6 In the MOVE SVA Manager Settings tab, configure these settings as needed, then click Save to commit your changes.

   For this option... / Do this...
   - Threshold for OSS Capacity Warning: Specify the OSS capacity threshold level. A warning appears when the number of connected endpoints is more than this level.
   - OSS assignment rules:
     - Prefer OSS from same subnet: Select if you need to assign the OSS from the same subnet.
   - OSS Lease time: Specify the interval for automatic assignment of OSS to endpoints. The default interval is 240 minutes. The load balancing depends on this value.
   - ePO Credentials: Specify the credentials of the McAfee ePO server that SVA Manager needs to connect. The user password must consist of ASCII characters only.
   - Log Settings:
     - Number of Log Files: Specify a number to limit the number of log files allowed before they are rotated. This is a positive integer value. Defaults to 4.
     - Log File Size: Specify a number to limit the size (in MB) of an individual log file.
     - Log Level: Select a log level from the supported log level types of McAfee MOVE AV offload scan server modules.
   - Communication Ports:
     - OSS Port: Type the port number of the OSS. This is the port where the OSS connects to SVA Manager.
     - Client Port: Type the port number of the client. This is the port where the MOVE AV Multi-Platform clients connect to SVA Manager.

   Make sure that the firewall script present in the SVA Manager appliance at /etc/init.d/sva firewall is also updated for the specified ports. You must restart the firewall with the command sudo service sva-firewall, so that the changes are updated.

Configure an offload scan server policy
Create and assign a policy that specifies which offload scan servers a group of virtual machines uses.

Before you begin
- Make sure that you installed the MOVE AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.
- Make sure that you checked in the MOVE AV Multi-Platform software packages (MOVE AV_Client_3500_WIN.zip and MOVE AV_Offload_Scan_Server_3500.zip) to the McAfee ePO server.
- Make sure that you deployed the MOVE AV offload scan server package to the OSS host.
- Make sure that you deployed the MOVE AV client package to the client systems.
- Make sure that you already set up the SVA Manager.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] Client from the Product drop-down menu, then select General from the Category drop-down list.
3 Click New Policy or click the name of an existing policy to edit it.
4 Type a name for the new policy (for example, MOVE AV Server Policy), then click OK.
5 In the General tab on the Policy Settings page, configure options as needed, then click Save to commit your changes.
   a Select Register this Offload Scan Server with MOVE SVA Manager to make sure that the selected OSS is registered with the available SVA Manager.
     The SVA manager works only with the offload scan servers assigned with it for assignment and reporting.
   b Type the MOVE SVA Manager IP address, host name, or domain name, and the MOVE SVA Manager Port. Default is
   c Enter the Number of Log Files to limit the number of log files allowed before they are rotated. This is a positive integer value. Defaults to 20.
   d Enter the Log File Size to limit the size (in MB) of an individual log file.
6 Click Click to view Advanced Options and configure options as needed, then click Save to commit your changes.

   To do this... / Do this...
   - Specify the Maximum Cache Items: Enter the appropriate amount to limit the number of items that can exist in the server cache.
   - Configure the Concurrent Scans: Enter the appropriate number to limit the number of available file scan request threads on the server.
   - Provide the Server Port: Type the port number of the server, which is ready for client request. Modifying the port number restarts the offload scan server.
   - Select the Client Load: Select the load type, which specifies the workload and activities on endpoints.
     - Low load: More clients are present to be assigned to the OSS
     - Medium load: Moderate number of clients are present to be assigned to the OSS
     - High load: Fewer clients are present to be assigned to the OSS
     For example:
     - A file server is high load
     - A VDI VM used by a business user is low load
     - A VM used by developer is high load

Configure a client policy: Assign OSS to clients using SVA Manager

Create and assign a policy that specifies which offload scan servers a group of virtual machines uses.

Before you begin
  Make sure that you installed the MOVE AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.
  Make sure that you checked in the MOVE AV Multi-Platform software packages (MOVE AV_Client_3500_WIN.zip and MOVE AV_Offload_Scan_Server_3500.zip) to the McAfee ePO server.
  Make sure that you deployed the MOVE AV offload scan server package to the OSS host.
  Make sure that you deployed the MOVE AV client package to the client systems.
  Make sure that you already set up the SVA Manager.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] Client from the Product drop-down menu, then select Offload Scan Server Assignment from the Category drop-down list.
3 Click New Policy or click the name of an existing policy to edit it.
4 Type a name for the new policy (for example, OSS Assignment), then click OK.
5 Under Offload Scan Server on the Policy Settings page, configure options as needed, then click Save to commit your changes.
  Select Assign Offload Scan Server using SVA Manager to make sure that the given OSS is assigned to a set of virtual machines.
  Enter the SVA Manager IP address, host name, or domain name, and the SVA Manager Port. Default is

The clients now send a request to the SVA Manager when they require an OSS. SVA Manager serves them an OSS based on the filtering rules created in the SVA Manager policy.

5 Monitoring and management

The McAfee MOVE AV deployment option monitors the status of virtual machines to identify problems and modify behavior from the ePolicy Orchestrator console.

Contents
  Integration with ePolicy Orchestrator
  Policy management
  Configuring permissions sets
  Queries and reports
  Dashboards and monitors
  Global Threat Intelligence
  Handling potentially malicious files
  Communication between virtual machines and offload scan servers
  McAfee MOVE AV Multi-Platform client alerts
  Self-protection

Integration with ePolicy Orchestrator

The McAfee MOVE AV deployment option uses the ePolicy Orchestrator framework to deliver and enforce policies. This approach provides a single management solution that allows for mass deployment.

ePolicy Orchestrator communicates policy information to McAfee MOVE AV clients and the offload scan server at regular intervals via the McAfee Agent. The McAfee Agent enforces policies, collects event information, and transmits the information back to ePolicy Orchestrator.

Client-side management of the McAfee MOVE AV client and offload scan server is available through a command-line interface (CLI) on Windows-based clients.

Policy management

Through the ePolicy Orchestrator console, you can configure both client and offload scan server policies from a central location.

How policies are enforced

When you change McAfee MOVE AV Multi-Platform policies in the ePolicy Orchestrator console, the changes take effect on the targeted managed systems at the next agent-server communication. To enforce policies immediately, send an agent wake-up call to the targeted systems from the ePolicy Orchestrator console.

Policies and their categories

Policy information for the McAfee MOVE AV client and offload scan server is grouped into categories: General and Offload Scan Server Assignment. You can create, modify, or delete as many policies as needed under this category. ePolicy Orchestrator provides a preconfigured McAfee Default policy, which can't be edited or deleted, but can be copied. You then modify these copies to suit your needs.

How policies are applied

Policies are applied to any System Tree group or system by inheritance or assignment. Inheritance determines whether the policy settings for any system are taken from its parent. By default, inheritance is enabled throughout the System Tree. You can break inheritance by direct policy assignment. McAfee MOVE AV Multi-Platform, as managed by ePolicy Orchestrator, enables you to create policies and assign them without regard to inheritance. When you break this inheritance by assigning a new policy to a system, all groups and systems that are children of the selected system inherit the new policy.

Policy tracking and tuning

The deployment and management of McAfee MOVE AV Multi-Platform clients and the offload scan server are handled from ePolicy Orchestrator. Since McAfee MOVE AV policies apply only to virtual machines in the System Tree, you can group the virtual machines hierarchically by attributes. We recommend grouping the virtual machines by the McAfee MOVE AV Multi-Platform configuration criteria, including scan settings and use of the offload scan server.

You can also use tags for automatic sorting into groups. Tags identify systems with similar characteristics. For more information on tagging, see the McAfee ePolicy Orchestrator Product Guide.

Deploying McAfee MOVE AV Multi-Platform to thousands of systems is managed easily because most virtual machines fit into a few usage profiles. Managing a large deployment is reduced to maintaining a few policy rules. As a deployment grows, newly added virtual machines fit one or more existing profiles, and can be placed under the correct group in the System Tree.

Configuring policies

You can configure the McAfee MOVE AV Multi-Platform client and offload scan server behavior with policy settings.

Client policies
  Which offload scan server a client uses
  What to do when a threat is found
  When files are scanned
  How to handle quarantined files
  Which files and programs to exclude from scanning
  How the offload scan server operates
  Where to send alerts

Server policies
  Maximum size of the server cache
  The number of concurrent scans that an offload scan server policy can support
  Which port the offload scan server listens to for scan requests from clients
  The number of log files and the size of each log file

  Which types of files to scan
  McAfee GTI sensitivity level
  On-Demand Scan settings

Create a policy

Policies allow you to describe threat scanning behavior for specific virtual machines. By default, policies created in McAfee ePO are not assigned to any groups or systems. When you create a policy, you are adding a custom policy to the Policy Catalog. You can create policies before or after a product is deployed.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu | Policy | Policy Catalog, then select McAfee MOVE AV [Multi-Platform] client or McAfee MOVE AV [Multi-Platform] Offload Scan Server from the drop-down lists.
3 Click Actions | New Policy.
4 On the New Policy page, configure the policy settings, then click OK.
5 In the General tab of the Policy Settings page for the newly created policy, configure the settings to control basic behavior.
6 Click Save.

Assign a policy

You must assign a policy for it to take effect.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 In the System Tree, select the group containing the virtual machines where you want to apply the policy.
3 Click Menu | Systems | System Tree | Assigned Policies.
4 In the Product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server or MOVE AV [Multi-Platform] Client.
5 In the Actions column of the McAfee Default policy, select Edit assignments.
6 In the Inherit from list on the Policy Assignments page, select Break inheritance and assign the policy and settings below.
7 In the Assigned Policy list, select the policy you created earlier.
8 Click Save.
9 To apply the policy immediately, perform an agent wake-up call.

The policies are not modified on client systems until the next agent-server communication that includes a Collect and Send Properties operation. This can be initiated from the agent on the client, or by performing an agent wake-up call from within ePolicy Orchestrator.

Configuring permissions sets

A permission set is a group of permissions (or access rights) granted to a user account for specific features of a product. Permission sets only grant permissions; they never remove a permission.

All permissions to all products and features are assigned automatically to global administrators. Other users must have permissions assigned manually. Global administrators can assign existing permission sets when creating or editing user accounts and when creating or editing permission sets. For more information on permission sets, see the McAfee ePolicy Orchestrator Product Guide.

McAfee MOVE AV Permission set

The McAfee MOVE AV Multi-Platform software adds a MOVE-AV [Multi-Platform] Client Policy Permission and MOVE-AV [Multi-Platform] Offload Scan Server section to the permission sets with one setting. This defines access rights to the software features. The MOVE AV 3.5 [Multi-Platform] SVA Manager adds the MOVE SVA Manager section to the permission sets.

Global administrators must grant permissions to users to use the McAfee MOVE AV deployment option, because no permissions are granted by default.

Other required permissions

The global administrator must give ePolicy Orchestrator permissions to handle other areas that work with McAfee MOVE AV, including queries, dashboards, and the Threat Event Log.

For these features... / These permission sets are required
Dashboards: Dashboards, Queries and Reports
Queries: Queries and Reports
Policies: System Tree access, Policy Assignment Rules
Events on virtual machines: Systems, System Tree access, Threat Event Log

Configure permission sets

Update the read/write permissions assigned to the user roles defined for your ePolicy Orchestrator environment.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu | User Management | Permission Sets.
3 Select a user role from the Permission Sets list.
4 Next to MOVE-AV [Multi-Platform] 3.5 Client Policy Permission or MOVE-AV [Multi-Platform] 3.5 Offload Scan Server Policy Permission, click Edit.
5 Select the permission level.
6 Click Save.

For more information on permission sets, see the McAfee ePolicy Orchestrator Product Guide.

Queries and reports

From the ePolicy Orchestrator console, you can extract information about your McAfee MOVE AV Multi-Platform clients with several queries and reports.

  View events in the threat event log.
  Run default McAfee MOVE AV Multi-Platform queries that show important client information.
  Create reports using data sent by the McAfee MOVE AV clients to the ePolicy Orchestrator database.

Modify the VirusScan Enterprise compliance query results

VirusScan Enterprise queries might report virtual machines that use McAfee MOVE AV Multi-Platform as noncompliant.

We recommend that you use the VirusScan Enterprise Compliance report to determine compliance for systems that use the offload scan server. Use the McAfee MOVE AV client status report to determine if client protection is enabled.

If virtual machines that use the Multi-Platform deployment option are reported incorrectly as noncompliant in the VirusScan Enterprise 8.8 Compliance query, consider excluding those systems from its results.

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Queries and Reports.
2 Click Shared groups | VirusScan Enterprise | VSE version 8.8 Compliance.
3 Click Edit, then click the Filters tab.
4 From Available Properties, select Products Property Installed products.
5 Select does not contain from the comparison, and type MOVE-AV in the text box.
6 Click Save to modify the query.

Default queries

The McAfee MOVE AV deployment option adds several queries to your ePolicy Orchestrator environment.

Table 5-1 MOVE AV Multi-Platform queries (Query: Description)
MOVE-AV [Multi-Platform]: Client Protection Status: Displays the status of all MOVE clients managed by the server.
MOVE-AV [Multi-Platform]: Client connected with a given OSS: Displays the details of the client and OSS it is assigned.
MOVE-AV [Multi-Platform]: DAT version: Displays the DAT version of all MOVE AV clients that are managed by the server.
MOVE-AV [Multi-Platform]: Summary of Threats Detected in the Last 24 Hours: Displays threats detected in the last 24 hours.
MOVE-AV [Multi-Platform]: Threats Detected in the Last 24 Hours: Displays the number of threats detected in the last 24 hours by hour.
MOVE-AV [Multi-Platform]: Top 10 Computers with the Most Detections: Displays the top ten computers with the most threat detections in the last three months.

Table 5-1 MOVE AV Multi-Platform queries (continued) (Query: Description)
MOVE-AV [Multi-Platform]: Top 10 Detected Threats: Displays the top ten detected threats in the last three months.
MOVE-AV [Multi-Platform]: Top 10 Users with the Most Detections: Displays the top ten users with the most threat detections in the last three months.

Table 5-2 MOVE offload scan server queries and events (Query: Description)
OSS Load: Number of Connected Endpoints
  This categorizes the offload scan servers into Capacity full, Capacity Above Threshold, and Capacity Below Threshold based on the number of connected endpoints.
OSS with Higher Average Scan Time in last 7 days
  Specifies the top 10 offload scan servers, which have reached the average scan time threshold and they are in this state for the longest time in the past 7 days.
OSS with MOVE SVA Manager details
  Lists all offload scan servers with MOVE SVA Manager details.
OSS: Average Scan Time Events
  Displays these scan time events of the OSS.
    OSS Average Scan Time
    OSS Average Scan Time Threshold
    OSS Average Scan Time Sampling Interval
OSS Capacity Events
  Specifies the maximum number of endpoints with the number of endpoints connected.
    OSS Capacity Full
    OSS Capacity Restored
    OSS Capacity Threshold hit

Table 5-3 SVA Manager queries and events (Query: Description)
MOVE SVA Manager: OSS Assignment Failed
  Specifies the details and reasons of OSS assignment by the SVA Manager. This event is reported in the ePolicy Orchestrator server.
    SVA_MANAGER_OSS_ASSIGNMENT_FAILED: This event is reported when an OSS assignment request is sent from a client to the SVA Manager and it is unable to complete the client request, because no registered OSS is with full capacity.
MOVE SVA Manager: OSS Capacity Events
  Specifies the maximum number of endpoints with the number of endpoints connected. These events are reported in the ePolicy Orchestrator server.
    SVA_MANAGER_OSS_THRESHOLD_CAPACITY_HIT: This event is reported when an OSS assignment request is sent from a client to the SVA Manager and cumulative capacity of all offload scan servers eligible to serve that client has reached the threshold value, which is set in the advanced options of the SVA Manager policy.
    SVA_MANAGER_OSS_CAPACITY_FULL: This event is reported when an OSS assignment request is sent from a client to the SVA Manager and all offload scan servers eligible to serve that client have reached their full capacity.

Table 5-3 SVA Manager queries and events (continued) (Query: Description)
MOVE SVA Manager: OSS Registration Events
  Displays the OSS registration events raised by the SVA Manager. These events are reported in the ePolicy Orchestrator server.
    SVA_MANAGER_OSS_REGISTER: This event is reported whenever an OSS is registered with SVA Manager.
    SVA_MANAGER_OSS_UNREGISTER: This event is reported whenever an OSS is unregistered from the SVA Manager because of issues like OSS shutdown, network interruptions.
SVA_MANAGER_STARTED
  This event is reported when the SVA Manager starts.
SVA_MANAGER_STOPPED
  This event is reported when the SVA Manager stops.

You can add these queries to dashboards to more efficiently track your environment by displaying several queries at once. The queries are constantly refreshed, or you can run them at a specified frequency. You can add them to reports that are run on specific schedules and export them as PDF files or messages.

The ePolicy Orchestrator Threat Event Log contains information about detections, scan failure, on-demand scan, and targeted on-demand scan events.

OSS information

A shell script, msmclient.sh, is available with SVA Manager and is used to retrieve the OSS details. The script is available at /opt/mcafee/movesvamanager. For these commands to work and retrieve the results, the SVA Manager application must be running.

Run these commands with root rights from the /opt/mcafee/movesvamanager directory:

sudo ./msmclient.sh osscount
  Displays the number of offload scan servers attached to the SVA Manager.
sudo ./msmclient.sh ossinfo
  Displays some basic information about the offload scan servers attached to the SVA Manager.
sudo ./msmclient.sh ossdetails
  Displays some advanced information about the OSS: current OSS load, OSS GUID, and last heartbeat time.

Dashboards and monitors

Dashboards, which are comprised of monitors, help you track key metrics from major components of the MOVE AV Multi-Platform.

  McAfee ePO 4.6: Dashboards are grouped under Private Dashboards.
  McAfee ePO 5.1: Reports are grouped under McAfee Dashboards.

MOVE Multi-Platform dashboard

The MOVE Multi-Platform dashboard is added to your McAfee ePO server when you install the MOVE Multi-Platform software. The dashboard displays a collection of monitors based on the results of the default MOVE Multi-Platform software queries.

The default monitors that appear under the MOVE Multi-Platform dashboard are:

OSS Load: Number of Connected Endpoints
  Displays the number of managed endpoints with load category of the OSS.
    Capacity Full: Indicates that the OSS limit is reached when the number of endpoints is equal to what can be assigned.
    Capacity Above Threshold: Appears when capacity of an OSS is more than its threshold value.
    Capacity Below Threshold: Appears when capacity of an OSS is less than its threshold value.
OSS with Higher Average Scan Time in last 7 days
  Specifies the top 10 offload scan servers, which have reached average scan time threshold and they are in this state for the longest time in the past 7 days.

See the chapter on dashboards in the McAfee ePolicy Orchestrator Product Guide for information about managing dashboards.

Report visibility and health of the offload scan server

You can check the product properties of MOVE AV Multi-Platform and the product component MOVE OSS using the ePolicy Orchestrator server.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu | Systems | System Tree | Systems tab.

3 Click an OSS system to open the System Information page.
4 Click the Product tab and select the product as MOVE AV [Multi-Platform].

You can now see these product properties, which can be used to determine the health details of the OSS.

Table 5-4 General (Property: Description)
Installed Path: Offload scan server installation directory.
Language: Supported language
MOVE SVA Manager IP Address/Hostname: SVA Manager IP address.
MOVE SVA Manager Port: SVA Manager port number.
On Demand Scan Status: OSS triggered on-demand scan of Endpoints.
Plugin Version: Plugin version
Server Port: Port of the OSS to handle endpoint requests.
System Status: Offload scan server service status.

Table 5-5 Endpoint (Property: Description)
Connected Endpoints: Number of endpoints connected to the OSS.
Connected Endpoints Threshold: The offload scan server will raise an event when the number of connected endpoints is more than this value.
Maximum number of endpoints: Maximum number of endpoints that can connect to the OSS.

Table 5-6 Scan requests (Property: Description)
Pending Requests in Queue: Total number of endpoint requests in queue.
Ram Disk Size (MB): Size of RAM disk created at the OSS.
Total AV Scan Failures: Number of failed file scan and smart scan requests at AV scanner.
Total AV Scan Requests: Number of file scan and smart scan requests to AV scanner.
Total File Transfer Requests: Total number of file scan requests from the endpoints.
Total Request Failures: Number of endpoint requests failed.
Total Response Failures: Number of responses failed from the OSS.
Total Scan Requests: Total number of scan requests from the endpoints.
Total Scans on RAM Disk: Total number of file transfer scan requests performed using RAM disk.
Total Smart File Requests: Total number of smart scan requests from the endpoints.

Scan request means all scan requests, including checksum, file, and smart scan requests.
File Scan request means a scan request where file transfer happens.
Smart Scan request means a scan request where the whole file is not transferred; however, some portion of the file is transferred.

The statistical attributes under Scan requests can help you draw useful conclusions about the health of the OSS and its scanning performance. For example, using attributes like Total Scans on RAM Disk and Total File Transfer Requests, you can easily confirm what fraction of total file scan requests is being served through the RAM disk.
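The RAM disk fraction described above, extended to the capacity and scan failure counters in Tables 5-5 and 5-6, as an added example that is not part of the product guide or of McAfee's tooling. The property names come from the tables; the server names, values, and alert limits are constructed assumptions, and treating a connected-endpoint count equal to the threshold as below threshold is also an assumption.

```python
"""Summarize offload scan server (OSS) health from ePO product properties."""

# Constructed sample values, keyed by the property names in Tables 5-5 and 5-6.
SAMPLE_OSS = {
    "oss-01": {  # healthy server
        "Connected Endpoints": 120,
        "Connected Endpoints Threshold": 200,
        "Maximum number of endpoints": 250,
        "Pending Requests in Queue": 3,
        "Total AV Scan Requests": 40000,
        "Total AV Scan Failures": 12,
        "Total File Transfer Requests": 10000,
        "Total Scans on RAM Disk": 9000,
    },
    "oss-02": {  # above threshold, many failed scans, little RAM disk use
        "Connected Endpoints": 230,
        "Connected Endpoints Threshold": 200,
        "Maximum number of endpoints": 250,
        "Pending Requests in Queue": 150,
        "Total AV Scan Requests": 5000,
        "Total AV Scan Failures": 400,
        "Total File Transfer Requests": 2000,
        "Total Scans on RAM Disk": 300,
    },
    "oss-03": {  # full, and no requests counted yet (counters at zero)
        "Connected Endpoints": 250,
        "Connected Endpoints Threshold": 200,
        "Maximum number of endpoints": 250,
        "Pending Requests in Queue": 0,
        "Total AV Scan Requests": 0,
        "Total AV Scan Failures": 0,
        "Total File Transfer Requests": 0,
        "Total Scans on RAM Disk": 0,
    },
}


def ratio(numerator, denominator):
    """Return numerator/denominator, or None when nothing has been counted."""
    if denominator == 0:
        return None
    return numerator / denominator


def capacity_state(props):
    """Map endpoint counts to the dashboard's three capacity categories."""
    connected = props["Connected Endpoints"]
    if connected >= props["Maximum number of endpoints"]:
        return "Capacity Full"
    if connected > props["Connected Endpoints Threshold"]:
        return "Capacity Above Threshold"
    return "Capacity Below Threshold"  # assumption: equal counts as below


def summarize(props):
    """Derive the ratios an operator would watch from the raw counters."""
    return {
        "capacity": capacity_state(props),
        "ram_disk_fraction": ratio(props["Total Scans on RAM Disk"],
                                   props["Total File Transfer Requests"]),
        "av_failure_rate": ratio(props["Total AV Scan Failures"],
                                 props["Total AV Scan Requests"]),
        "pending": props["Pending Requests in Queue"],
    }


def findings(props, max_failure_rate=0.01, min_ram_fraction=0.5, max_pending=100):
    """Return review items for one OSS; the three limits are assumed values."""
    summary = summarize(props)
    issues = []
    if summary["capacity"] != "Capacity Below Threshold":
        issues.append(summary["capacity"])
    rate = summary["av_failure_rate"]
    if rate is not None and rate > max_failure_rate:
        # Failed scans are files that were requested but not checked.
        issues.append(f"AV scan failure rate {rate:.1%}")
    fraction = summary["ram_disk_fraction"]
    if fraction is not None and fraction > 1:
        issues.append("RAM disk counter exceeds file transfer counter")
    elif fraction is not None and fraction < min_ram_fraction:
        issues.append(f"only {fraction:.0%} of file scans served from RAM disk")
    if summary["pending"] > max_pending:
        issues.append(f"{summary['pending']} requests pending in queue")
    return issues


def report(fleet):
    """Findings for every OSS in the fleet, keyed by server name."""
    return {name: findings(props) for name, props in fleet.items()}


if __name__ == "__main__":
    for name, issues in report(SAMPLE_OSS).items():
        print(name, "OK" if not issues else "; ".join(issues))
```
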

Table 5-7 Scan threads (Property: Description)
Scan Thread Count: Number of threads on the OSS to serve scan requests.
Total Idle Threads: Number of idle threads on the OSS waiting to serve scan requests.

Table 5-8 Scan time (Property: Description)
Average Request Process Time (seconds): Average time taken on the OSS to process scan requests.
Average Request Process Time (seconds): Average time taken on the OSS before scan requests are getting served on the OSS.

Table 5-9 Scan Cache (Property: Description)
Checksum Cache Hits: Number of checksum cache hits.
Number of Checksums in Cache: Number of checksums in cache.

Global Threat Intelligence

McAfee Global Threat Intelligence (GTI) File Reputation is a comprehensive, real-time, cloud-based file reputation service that enables McAfee products to protect customers against both known and emerging malware-based threats.

This cloud-based system receives billions of file reputation queries each month, and responds with a score that reflects the likelihood that the file in question is malware. The score is based not only on the collective intelligence from sensors querying the McAfee cloud and the analysis performed by McAfee Labs researchers and automated tools, but also on the correlation of cross-vector intelligence from web, email, and network threat data. The McAfee anti-malware engine, whether deployed as part of an endpoint anti-malware, gateway, or other solution, uses the score to determine action (such as block or quarantine) based on local policy.

These are the key benefits of GTI File Reputation:
  Compresses the threat protection time period from days to milliseconds
  Increases malware detection rates
  Reduces downtime and remediation costs associated with malware attacks

Change the Global Threat Intelligence level

You can change the Global Threat Intelligence (GTI) sensitivity level from ePolicy Orchestrator when required.

Higher sensitivity levels are more secure, but can degrade performance and might cause more false positive results.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu | Policy | Policy Catalog, then from the product list select MOVE AV [Multi-Platform] Offload Scan Server

3 Click the name of an existing policy to edit it, then click the Scan Settings tab.
4 Select the Sensitivity level from the drop-down list. The default and recommended setting is Medium.

The GTI level is changed as specified. If the new GTI level is more sensitive than before, all previously scanned files are flushed from the cache.

Create a policy specifying offload scan server

Create a policy that specifies which offload scan servers a group of virtual machines uses. After you create this policy, you must assign it before it takes effect.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu | Policy | Policy Catalog, then select MOVE AV [Multi-Platform] Client
3 Click New Policy.
4 Type a name for the new policy (for example, MOVE AV Server Policy), then click OK.
5 In the General tab on the Policy Settings page, configure options as needed, then click Save to commit your changes.
  Select Enable malware protection to make sure that the protection state is enabled. The protection state is disabled by default.
  Enter the Offload Scan Server 1 IP address, host name, or domain name, and the Offload Scan Server 1 Port. Default is
    McAfee MOVE AV Multi-Platform 3.5 supports Fully Qualified DNS names, which allow for DNS Round-Robin Load Balancing. This type of load balancing distributes client requests across multiple servers.
  Enter the Offload Scan Server 2 IP address, host name, or domain name, and the Offload Scan Server 2 Port. Default is
    McAfee recommends using two different addresses when setting up the primary and secondary servers. Using the same address for both servers results in delayed coverage, which occurs when recovering from loss of connection to the primary server.
  Modify the Scan Timeout, Scan Result Cache, and Cache Expiration Time settings, as needed.

Handling potentially malicious files

Policy settings determine what happens to a file after a scan determines it to be malicious.

The McAfee MOVE AV Multi-Platform deployment option can take three actions when dealing with a potentially malicious file. These policy settings determine which action is taken.

Primary action / Quarantine setting / Actions taken
Delete files automatically (default) / Enabled (default): Back up the malicious file as a .vir file in the quarantine folder, then delete the original file.
Delete files automatically / Disabled: Delete the file. Nothing appears in the quarantine folder and no backup copy of the file is made. This causes data loss if quarantine is not enabled.
Deny access to files / Enabled or Disabled: Deny access to the file. Nothing appears in the quarantine folder.

Isolating malicious files in quarantine

The McAfee MOVE AV Multi-Platform deployment option deals with malicious files beyond events and notifications.

When an item is detected as a threat, an event is triggered that notifies administrators of the threat. The malicious file can also be isolated in a quarantine folder, allowing you to perform other processes, like remove and restore, on the quarantined items.

Quarantining is enabled by default, and quarantined items are placed in the C:\Quarantine folder on the system where the file was discovered. Quarantined items are sorted in the quarantine folder by threat category, and are automatically deleted after a configurable period of time. Quarantine behavior can be modified through policy changes.

Change threat quarantine behavior

Modify the default quarantine settings to suit your organizational policies.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client
3 Click the name of an existing policy to edit it, then click the Quarantine tab.
4 Change the threat quarantine behavior:
  Disable the quarantine functionality by deselecting Enabled.
  Change where quarantined items are stored by changing the Quarantine Directory setting. Mapped network drives and UNC network path names are not supported.
  If you don't want quarantined items deleted after a period, deselect Automatically delete quarantined data after the specified number of days.
  If you want to change how long quarantined items are stored before they are deleted, change the Number of days to keep backed-up data in the quarantine directory setting.
5 Click Save to modify the policy.

The modified policy is applied after the next agent-server communication interval. If you want the policy applied immediately, perform an agent wake-up call on the systems where the newly modified policy is assigned.

Restore quarantined items

McAfee MOVE AV deletes any items that are detected as threats, converts a copy of the item to a non-executable format, and saves it in the Quarantine folder.

Before you begin
  Make sure that you installed the MOVE AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.

You can perform actions on quarantined items. For example, you might be able to restore an item after downloading a later version of the DAT that contains information that cleans the threat.

Quarantined items can include various types of scanned objects, such as files, cookies, registries, or anything McAfee MOVE AV scans for malware.

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.
2 Select Menu | Policy | Client Catalog.
3 From Client Types, select MOVE AV [Multi Platform] Client Restore From Quarantine.
4 Click the name of an existing client task or click New and confirm the task type.
5 Configure these settings on each tab and click Save.

  Tab / Description
  Name: Specifies a unique user-friendly name for the task.
  Description: Specifies a user-friendly description of the task.
  Detection name: Specifies the exact detection name of the item to restore from quarantine.

6 Click Assign, specify the servers where you want to assign the task, then click OK.
7 Click 2 Schedule to schedule the task.

Change the primary threat response

You can modify how the Multi-Platform deployment option handles potentially malicious files after a threat is detected.

By default, the McAfee MOVE AV Multi-Platform policy backs up a potentially malicious file to a quarantine folder as a .vir file, then deletes the original. These steps change that behavior.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client
3 Click the name of an existing policy to edit it, then click the Actions tab.

4 Change the Perform this action first setting to Delete files automatically or Deny access to files, depending on your requirements.
  The second action is set to Deny access to files if that is not the first action. Otherwise, there is no second action.
  If quarantine is on, a backup of the file is made in the quarantine folder before it is deleted.
5 Click Save.

Systems assigned this policy are updated at the next agent-server communication interval.

Run the scan diagnostic tool

You can run the scan diagnostic tool to calculate and display frequently scanned processes, files, extensions, and VMs, so that you can include these files in the path and process exclusion policies. These specified files are excluded from scans when they are written by a trusted process.

Before you begin
  You must have administrator permissions to perform this task.

Access the offload scan server command-line interface (CLI) on the offload scan server virtual machine to create and display this report.

1 Open the McAfee MOVE AV Offload Scan Server CLI: click Start Programs McAfee MOVE AV Server command prompt.
  This command prompt has administrator rights. At this command prompt, you can type commands that activate the mvadm utility to perform administration tasks on the Offload Scan Server.
2 To calculate the frequently scanned files, run this command: move_diagnose /T: <Time Window> /O: <Output File>
  Where:
    T: The time period, in minutes, set for calculating the frequently scanned files. For example, 3 minutes.
    O: Full path of the output file for storing the results.

At the end of specified minutes, the tool completes the analysis and displays the results. The default allowed time limit is 10 minutes. You can also change the time limit by configuring the registry settings in:

   HKLM\System\CurrentControlSet\services\mvserver\Parameters\diagnostic\FrequentlyScanMaxTimeOutWindow

This diagnostic tool captures these details:
- Top 10 file scan requests
- Top 10 file extensions
- Top 10 processes
- Top 10 virtual machines that are sending maximum scan and checksum requests.

This tool can be used with 2.6 clients as well.

Change when files are scanned

You can modify the client policy to determine which files are scanned for threats and when. By default, all files are scanned when they are read from or written to disk, or when opened for backup. The McAfee Agent program files and the User Profile Manager process are excluded from scans.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu > Policy > Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client.
3 Click the name of an existing policy to edit it, then click the Scan Items tab.
4 Change the file scanning behavior in one of these ways:

   Scan files
      Select any combination of:
      - When writing to disk
      - When reading from disk
      - On network drives
      - Opened for backup
      Depending on your environment, selecting On network drives can degrade network performance.

   File types to scan
      All files: Select to scan all files.
      Default + Additional files: Select to scan the default file types or any additional file types. You can add, edit, and remove any additional file types, which are included for scanning.
      Following only: Select to specify a list of file extensions to scan. You can add, edit, and remove file extensions that are included for scanning.
      Archive and MIME-encoded files are not scanned by default. This behavior is changed by modifying the offload scan server policy.
      Wildcards are not supported, and exact matches are required. Do not include the period when specifying extensions.

   Path Exclusions
      Add them to the Path Exclusions and Process Exclusions lists.
      Excluding scan items
      The MOVE AV Multi-Platform product allows you to fine-tune the list of file types scanned. For example, you can exclude from scanning individual files, folders, and disks. These exclusions might be needed because the scanners could scan and lock a file when that file is being used by a database or server. This could cause the database or server to fail or generate errors.
      For example, path exclusion pattern .ost prevents any file with the .ost extension from being scanned. Wildcards and regular expressions aren't supported.
      Using the Import option, you can browse and select the exclusion rule file and add path exclusions.
      A path exclusion entry *.log is available, so that the log files at the client system are not scanned. This improves the scanning performance of the client system.

   Publisher Exclusions
      You can choose to trust the authenticated and signed files from different publishers. Scanning performance improves because endpoints send fewer files to the OSS for scanning, which optimizes the use of resources at the OSS.

5 Click Save to modify the policy.

Enable and configure on-demand scans

You can modify the offload scan server policy to enable system on-demand scans, and to determine the schedule and frequency of scans.

Before you begin
Make sure that you installed the MOVE AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.

By default, on-demand scans are not enabled. Other scan characteristics (for example, exclusions) are inherited from the client scan policy.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu > Policy > Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Offload Scan Server.
3 Click the name of an existing policy to edit it, then click the On-Demand Scan tab.
4 Configure these settings, then click Save.

   Enable On-Demand Scanning
      Select Enabled.
   Specify the Maximum concurrent scans per Offload Scan Server
      Enter the appropriate amount for your environment. We recommend 2.
   Configure the Maximum On-Demand Scan time (minutes)
      Enter the appropriate amount for your environment. We recommend 150.
   Specify the On-Demand Client Scan interval (days)
      Enter the appropriate amount for your environment. We recommend 7.
   Specify the Maximum concurrent targeted scans per Offload Scan Server
      Enter the appropriate amount for your environment. We recommend that you set the default value 1. A high value can affect scanning performance. The maximum concurrent targeted on-demand scan value is 400.
   Determine the On-Demand Scan time window
      Set or clear the time slots to specify available scan times. Green indicates a time slot when a scan can start and white indicates a time when a scan can't start. Grid cells can be toggled between available (green) and unavailable (white) by clicking the cell, column header, or row header.

Targeted on-demand scan

The targeted on-demand scan feature in MOVE AV Multi-Platform allows the administrator to select a system or a group of systems from the System Tree and assign a client task to initiate the on-demand scan immediately. The OSS runs the specified Maximum concurrent targeted scans per Offload Scan Server in addition to the Maximum concurrent scans per Offload Scan Server defined by the administrator.

Configure targeted on-demand scans

Modify the offload scan server policy to enable on-demand scanning, and to set the concurrent scan value to the default value.

Before you begin
Make sure that you have installed the MOVE AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.

By default, on-demand scans are not enabled. Other scan characteristics (for example, exclusions) are inherited from the client scan policy.

Review these assumptions before configuring targeted on-demand scans:
- If the targeted on-demand scan task is performed on more than one VM, the targeted on-demand scan clients are picked up randomly by the OSS.
- If the administrator has assigned a targeted on-demand scan task to a VM, and if the OSS has reached the maximum number of targeted on-demand scans, the recently initiated on-demand scan is scheduled later when the targeted on-demand scan slot is available.
- The maximum number of targeted on-demand scans cannot be greater than these values:
   - The configured maximum concurrent targeted on-demand scans per OSS
   - The configured maximum concurrent general on-demand scans per OSS

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu > Policy > Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Offload Scan Server.
3 Click the name of an existing policy to edit it, then click the On-Demand Scan tab.
4 Configure these settings, then click Save.

   Enable On-Demand Scanning
      Select Enabled.
   Configure the Maximum On-Demand Scan time (minutes)
      Enter the appropriate amount for your environment. We recommend 150.
   Specify the Maximum concurrent targeted scans per Offload Scan Server
      Enter the appropriate amount for your environment. We recommend that you set the default value 1. A high value can affect scanning performance. The maximum concurrent targeted on-demand scan value is 400.

Create and run a targeted on-demand scan client task

Select a system or a group of systems from the System Tree and assign a client task to initiate the targeted on-demand scan immediately.

Before you begin
Make sure that you installed the MOVE AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.
2 Select Menu > Policy > Client Catalog.
3 From Client Types, select MOVE AV [Multi Platform] Client > Targeted On Demand Scan.
4 Click the name of an existing client task or click New and confirm the task type.
5 Configure these settings on each tab and click Save.
   Name: Specifies a unique user-friendly name for the task.
   Description: Specifies some user-friendly description about the task.
   For this task to run successfully, make sure that the On-Demand Scanning option in the MOVE-AV [Multi-Platform] Offload Scan Server policy is enabled.
6 Click Assign, specify the servers where you want to assign the task, then click OK.
7 Click 2 Schedule to schedule the task.

Enable and configure RAM disk

RAM disk is used by the OSS for file scanning and it significantly reduces the disk I/O on the offload scan server. You can enable the RAM disk option in the ePolicy Orchestrator server. RAM disk is created by the OSS and it improves the OSS performance by enhancing the scan time.

Before you begin
Make sure that you installed the MOVE AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu > Policy > Policy Catalog, select MOVE-AV [Multi-Platform] Offload Scan Server from the Product drop-down menu, then select General from the Category drop-down list.

3 Click New Policy or click the name of an existing policy to edit it.
4 In the Scan Settings tab on the Policy Settings page, enable or disable RAM Disk Support. By default, this option is enabled.

After enabling the RAM disk option on the ePolicy Orchestrator server, the RAM disk is created by the OSS. On enabling the RAM disk support, the RAM disk is created when the service starts. The RAM disk size is calculated based on the total RAM size on the OSS.

   Total RAM Size on OSS          RAM disk size
   Less than (4 GB 100 MB)        0 MB
   Equal to (4 GB+100 MB)         100 MB
   Greater than 4 GB+100 MB       (50% of RAM Size 4 GB) MB

The RAM disk volume name is mvram. The RAM disk is deleted when the service starts. You can view the RAM disk size and total scans on RAM disk from the OSS product properties. For details, see Report visibility and health of the offload scan server.

Communication between virtual machines and offload scan servers

The McAfee MOVE AV client and the offload scan server communicate through a specific port to isolate the communication channel. To allow this communication to occur, the specific network port must be opened up on any firewalls between the systems.

By default, the Multi-Platform deployment option uses port This port is not generally used by other applications. If your network has other requirements, you can change this communication port by modifying the policy.

Secure communication between clients and the offload scan server by placing VMs on VLANs or by using the IPsec protocol suite. Both options impact product performance.

Change the offload scan server settings

You can modify the GTI file reputation and scan archive files, unwanted programs, and MIME files from the Scan Settings tab.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu > Policy > Policy Catalog.

3 From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server.
4 Click the Scan Settings tab, then select these options as needed:

   Scan files with an archive
      Select Scan Archive Files
   Scan for unwanted programs
      Select Scan for Unwanted Programs
      By default archive files aren't saved, so make sure that you scan for potentially unwanted programs (PUPS).
   Scan for MIME files
      Select Scan MIME Files
   Modify the GTI file reputation
      Select McAfee Global Threat Intelligence file reputation

Change the offload scan server port

The port used by the offload scan server can be changed after installation if your network environment requires that the Multi-Platform deployment option use a different port.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu > Policy > Policy Catalog, then from the Product List select MOVE AV [Multi-Platform] Offload Scan Server.
3 Click the name of an existing policy to edit it, then click the General tab.
4 Enter the corresponding server port number. Default is
5 From the ePolicy Orchestrator console, modify the policy assigned to the group of virtual machines using this offload scan server to reflect the new port number. See the McAfee ePolicy Orchestrator Product Guide for details on modifying policies.
6 Perform an agent wake-up call to push the modified policy to appropriate virtual machines.

The offload scan server service restarts after you receive the modified policy port number.

McAfee MOVE AV Multi-Platform client alerts

McAfee MOVE AV Multi-Platform generates alerts when protection is enabled or disabled, when a file scan fails, or when a threat is detected. These alerts can be displayed in any of three locations: the local system's Windows Event Log, the ePolicy Orchestrator threat event log, or on the local system as a McAfee system tray pop-up menu. You can configure these alerts by changing the policy.

Triggered events

McAfee MOVE AV Multi-Platform displays one of these messages when the triggering event occurs.

Client events

   Event ID   Level    Event message
              High     Threat Detected
              Medium   Scan Time Out
              Low      Protection Enabled
              Medium   Protection Disabled

Server events

   Event ID   Level    Event message
              Info     Offload Scan Server stopped
              Info     On-Demand scan started
              Info     On-Demand scan complete
              Info     On-Demand scan terminated. Scan time limit reached
              Info     On-Demand scan terminated. Scan disabled in policy
              Info     On-Demand scan terminated. Exceeded maximum number of concurrent scans
              High     On-Demand scan terminated. Scan failure on client
              High     On-Demand scan terminated. Unexpected termination.

Change the client alert behavior

The default alert locations can be modified to suit your organizational policies. By default, McAfee MOVE AV Multi-Platform displays alerts in the local system's Windows Event Log, and the ePolicy Orchestrator threat event log. Alert notification locations can be changed by modifying the McAfee MOVE AV Multi-Platform policy.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu > Policy > Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client.
3 Click the name of an existing policy to edit it, then click the Alerts tab.
4 Change the threat alert behavior by selecting or deselecting these locations:
   - Malware detections are reported to the client event log
   - Malware detection events are sent to ePolicy Orchestrator
   - Malware detections result in a pop-up on the client
5 Click Save to modify the policy.

The modified policy is applied after the next agent-server communication interval. If you want the policy applied immediately, perform an agent wake-up call on the systems where the newly modified policy is assigned.

Change the offload scan server alert behavior

The default alert locations can be modified to suit your organizational policies. By default, McAfee MOVE AV Multi-Platform displays alerts in the local system's Windows Event Log, and the ePolicy Orchestrator threat event log. Alert notification locations can be changed by modifying the McAfee MOVE AV Multi-Platform policy.

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.
2 Click Menu > Policy > Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Offload Scan Server.
3 Click the name of an existing policy to edit it, then click the Alerts tab.
4 Change the threat alert behavior by selecting or deselecting these options:
   - Offload Scan Server events are reported to the Windows Event Log
   - Offload Scan Server events are sent to ePolicy Orchestrator
5 Click Save to modify the policy.

The modified policy is applied after the next agent-server communication interval. If you want the policy applied immediately, perform an agent wake-up call on the systems where the newly modified policy is assigned.

Self-protection

The self-protection feature defends files, services, and registry keys on virtual machines. Use the VirusScan Enterprise access protection rules for self-protection of the offload scan server.

The self-protection feature prevents malicious attacks on MOVE AV Multi-Platform components. This keeps your virus protection active and stable.

File protection
   These files and all parent folders are protected against deletion and renaming.
      <install_dir>\mvadm.exe
      <install_dir>\mvmctraypl.dll
      <install_dir>\mvagtsvc.exe
      <install_dir>\passwd
      <install_dir>\mvagntpl.dll

Registry protection
   These registry keys, all subkeys, and all values under them are protected.
      services\mvagtdrv
      services\mvagtsvc
      services\eventlog\application\move AV client
   All parent keys starting from services are protected from deletion and rename.

Service stop protection
   The mvagtsvc service cannot be stopped.

The self-protection feature is controlled by the IntegrityEnabled configuration parameter. By default, the parameter is set to 0x7, and all components of the feature are enabled.

The configuration parameter accepts values from 0 to 7, which is a decimal representation of a 3-bit binary value.

   Decimal value   Binary value   Definition
   0               000            Protection disabled
   1               001            File protection
   2               010            Registry protection
   3               011            File and registry protection
   4               100            Service protection
   5               101            Service and file protection
   6               110            Service and registry protection
   7               111            Service, registry, and file protection

For example, to enable file and registry protection, set the parameter to 3 (0b011) with this command:

   mvadm config set IntegrityEnabled=3

To enable file and Service stop protection, but not registry protection, set the parameter to 5 (0b101) with this command:

   mvadm config set IntegrityEnabled=5

To disable the self-protection feature, set the parameter to 0 with this command:

   mvadm config set IntegrityEnabled=0

When Service stop protection is enabled (by setting the highest bit to 1), the mvagtsvc service does not accept stop commands.

File protection and registry protection require the agent driver be loaded, but service stop protection does not. Use these commands to load or unload the driver.

   mvadm enable
   mvadm disable

McAfee MOVE AV Multi-Platform Offload Scan Server

We recommend using the following VirusScan Enterprise access protection rules for self-protection of the offload scan server. These must be configured manually after installation.

File protection (via VirusScan Enterprise access protection)
   Create a File/Folder Access Protection Rule that excludes the mvserver.exe process, and blocks the C:\Program Files (x86)\mcafee\move AV Server\** folder. Set File actions to prevent to Write access to files, New files being created, and Files being deleted. See McAfee VirusScan Enterprise Product Guide for details.

Registry protection (VirusScan Enterprise access protection)
   These registry keys and all keys and values under them must be protected:
      HKCCS/Service/mvserver
      HKCCS/Service/mvserver/Parameters
      HKCCS/Service/mvserver/Parameters/ODS


A Client command-line interface reference

You can access the McAfee MOVE AV Multi-Platform client command-line interface (CLI) on the agent virtual machine to perform basic maintenance tasks. The CLI is a series of commands that you can issue to the mvadm utility. Each command has arguments that can be appended to the command to modify its behavior. This reference lists each command in mvadm, and all argument variations.

Contents
- Access the CLI
- Password protected CLI

Access the CLI

A shortcut to the McAfee MOVE AV Multi-Platform command-line interface (CLI) is added to the Windows Start menu during installation.

Open the McAfee MOVE AV Multi-Platform CLI: click Start > Programs > McAfee > MOVE AV Client Command Prompt. This command prompt has administrator rights. At this command prompt, you can type commands that activate the mvadm utility to perform administration tasks on the virtual machine.

config

Use the config command to display and edit the configuration settings that are applied to the current installation.

   mvadm config set NAME=VALUE
   mvadm config show

Arguments
   set NAME=VALUE: Sets the value of the configuration setting NAME to VALUE.
   show: Lists the configuration settings.

Parameters

AllowNetworkScan
   Value: 0 (off) or 1 (on). Defaults to 0.
   Description: Enables or disables scanning of files residing on a network path.
ConnTimeout
   Value: A positive integer value. Defaults to 0 (no timeout).
   Description: Sets the connection timeout in milliseconds.

EventSink
   Value: An integer between 0 (no notifications) and 14 (all notifications). Defaults to 14.
   Description: Determines where threat events are sent. The total combines the values for Windows Event Viewer log (2), ePolicy Orchestrator Threat Event Log (4), and McAfee system tray pop-up menu (8).
IntegrityEnabled
   Value: An integer between 0 (no self-protection) and 7 representing a binary value. Defaults to 7 (all self-protections).
   Description: Determines the active self-protections. The total combines the values for file (1), registry (2), and services (4).
LogFileNum
   Value: A positive integer value. Defaults to 4.
   Description: Limits the number of log files allowed before they are rotated.
LogFileSize
   Value: An integer greater than Defaults to
   Description: Limits the size (in KB) of an individual log file.
MaxFileSize
   Value: A positive integer value. Defaults to 40.
   Description: Limits the size (in MB) of files where scan results are cached. Files up to this size are transferred completely to the offload scan server for scanning.
QuarantineEnabled
   Value: 0 (off) or 1 (on). Defaults to 1.
   Description: Enables or disables quarantine services.
QuarantineFolder
   Value: A valid file path. Defaults to C:\Quarantine.
   Description: Determines where quarantined files are stored. Cannot be a mapped network drive or UNC file path.
QuarantineDays
   Value: A positive integer. Defaults to 28.
   Description: Determines the number of days quarantined files are stored before being deleted. Submitting a 0 turns off quarantined file deletion.
RTEMode
   Value: 0 (off) or 1 (on). Defaults to 0.
   Description: Indicates protection status on the virtual machine. This value cannot be changed through the config command.
ScanAllFileTypes
   Value: 0 (specific extensions) or 1 (all files). Defaults to 1.
   Description: Determines whether to scan all files or only specific extensions.
ScanFlags
   Value: An integer between 0 (no operations scanned) and 7 representing a binary value. Defaults to 7 (all operations scanned).
   Description: Determines which operations trigger scanning. The total combines the values for Read (1), Write (2), and Backup (4).
ScanTimeout
   Value: A positive integer. Defaults to
   Description: Limits the time (in milliseconds) allowed for file scans after which the file can be accessed.
ServerAddress1
   Value: An IPv4 address or FQDN. No default.
   Description: Specifies the IPv4 address or FQDN of the primary offload scan server used by the virtual machine.
ServerAddress2
   Value: An IPv4 address or FQDN. No default.
   Description: Specifies the IPv4 address or FQDN of the secondary offload scan server used by the virtual machine.
ServerPort1
   Value: Between 1024 and Defaults to
   Description: Specifies the port used to communicate with the primary offload scan server.
ServerPort2
   Value: Between 1024 and Defaults to
   Description: Specifies the port used to communicate with the secondary offload scan server.
ThreatAction1
   Value: 0 (delete) or 1 (deny access). Defaults to 0.
   Description: Determines the primary action taken when a threat is detected.
ThreatAction2
   Value: 0 (delete) or 1 (deny access). Defaults to 1.
   Description: Determines the secondary action taken when a threat is detected.

SVAManagerAddress
   Value: An IPv4 address or FQDN. No default.
   Description: Specifies the IPv4 address or FQDN of the SVA Manager.
SVAManagerPort
   Value: Between 1024 and Defaults to
   Description: Specifies the port used to communicate with SVA Manager.

disable

Use the disable command to disable the McAfee MOVE AV client on the virtual machine.

   mvadm disable

Arguments
   default: Disables the McAfee MOVE AV client on the virtual machine.

This command removes virus protection from the virtual machine.

enable

Use the enable command to enable the McAfee MOVE AV client on the virtual machine.

   mvadm enable

Arguments
   default: Enables the McAfee MOVE AV client. This restores virus protection to the virtual machine.

ftypes

Use the ftypes command to display and edit the list of file extensions to be sent for anti-virus scanning.

   mvadm ftypes add extn
   mvadm ftypes remove extn
   mvadm ftypes list

Wildcards are not supported by the ftypes command, and extensions must be an exact match. Issuing an mvadm ftypes add doc command does not cause .docx files to be scanned.

Arguments
   add extn: Causes the files with extension extn to be included for anti-virus scanning.
   remove extn: Removes the files with extension extn from the list of files to be included for anti-virus scanning.
   list: Lists the file extensions to be included for anti-virus scanning.
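The bitmask parameters described in the Self-protection section and in the config parameter table (IntegrityEnabled, EventSink, ScanFlags) can be decoded and checked against their documented defaults. The following is an added example, not McAfee code. It assumes a configuration dump with one NAME=VALUE pair per line (the syntax documented for mvadm config set); the real mvadm config show layout is not given in this guide and may differ, and the sample dump is constructed.

```python
"""Audit MOVE AV client settings against the defaults documented in this guide."""

# Bit values and defaults are taken from the config parameter table.
BITMASKS = {
    "IntegrityEnabled": {1: "file", 2: "registry", 4: "service stop"},
    "EventSink": {2: "Windows Event Viewer log",
                  4: "ePolicy Orchestrator Threat Event Log",
                  8: "system tray pop-up"},
    "ScanFlags": {1: "read", 2: "write", 4: "backup"},
}
DEFAULTS = {"IntegrityEnabled": 7, "EventSink": 14, "ScanFlags": 7,
            "QuarantineEnabled": 1, "ScanAllFileTypes": 1}

# Constructed sample; NAME=VALUE per line is an assumed dump format.
SAMPLE_DUMP = """\
IntegrityEnabled=5
EventSink=0xA
ScanFlags=3
QuarantineEnabled=0
ScanAllFileTypes=1
AllowNetworkScan=0
"""


def parse_config(text):
    """Return {name: int or None} for the audited parameters in the dump."""
    config = {}
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition("=")
        name, value = name.strip(), value.strip()
        if not sep or name not in DEFAULTS:
            continue  # blank line, malformed line, or a parameter not audited
        try:
            # Base 0 accepts decimal (5), hex (0x7) and binary (0b101).
            config[name] = int(value, 0)
        except ValueError:
            config[name] = None
    return config


def decode(name, value):
    """Split a bitmask value into (enabled, missing) feature names.

    Raises ValueError if the value sets bits the guide does not define.
    """
    bits = BITMASKS[name]
    allowed = sum(bits)  # sum of the documented bit values
    if value < 0 or value & ~allowed:
        raise ValueError(f"{name}={value} sets undocumented bits")
    enabled = [label for bit, label in bits.items() if value & bit]
    missing = [label for bit, label in bits.items() if not value & bit]
    return enabled, missing


def audit(text):
    """Return a list of findings; an empty list means documented defaults."""
    config = {**DEFAULTS, **parse_config(text)}
    findings = []
    for name in BITMASKS:
        value = config[name]
        if value is None:
            findings.append(f"{name}: value is not an integer")
            continue
        try:
            _, missing = decode(name, value)
        except ValueError as err:
            findings.append(str(err))
            continue
        findings.extend(f"{name}={value}: {label} is off" for label in missing)
    for name, meaning in (
        ("QuarantineEnabled", "no quarantine copy is kept"),
        ("ScanAllFileTypes", "only listed extensions are scanned"),
    ):
        value = config[name]
        if value not in (0, 1):
            findings.append(f"{name}: expected 0 or 1, got {value}")
        elif value == 0:
            findings.append(f"{name}=0: {meaning}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

Parameters absent from the dump are treated as being at their documented default, so an empty finding list means only that nothing in the dump weakens the defaults.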


More information

Installation Guide. McAfee epolicy Orchestrator 5.0.0 Software

Installation Guide. McAfee epolicy Orchestrator 5.0.0 Software Installation Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

McAfee Directory Services Connector extension

McAfee Directory Services Connector extension Getting Started Guide Revision A McAfee Directory Services Connector extension For use with epolicy Orchestrator 4.6.1 through 5.0 COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission.

More information

McAfee VirusScan Enterprise for Storage 1.1.0

McAfee VirusScan Enterprise for Storage 1.1.0 Product Guide McAfee VirusScan Enterprise for Storage 1.1.0 For use with epolicy Orchestrator 4.5.7, 4.6.x, 5.0.x Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK

More information

Product Guide Revision A. McAfee Web Reporter 5.2.1

Product Guide Revision A. McAfee Web Reporter 5.2.1 Product Guide Revision A McAfee Web Reporter 5.2.1 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Product Guide. McAfee SaaS Endpoint Protection (October, 2012 release)

Product Guide. McAfee SaaS Endpoint Protection (October, 2012 release) Product Guide McAfee SaaS Endpoint Protection (October, 2012 release) COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

Installation Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software

Installation Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software Installation Guide Revision B McAfee epolicy Orchestrator 5.1.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

McAfee Client Proxy 1.0.0 Software

McAfee Client Proxy 1.0.0 Software Product Guide McAfee Client Proxy 1.0.0 Software For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the

More information

Product Guide. McAfee Endpoint Security 10

Product Guide. McAfee Endpoint Security 10 Product Guide McAfee Endpoint Security 10 COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE,

More information

McAfee Database Activity Monitoring 5.0.0

McAfee Database Activity Monitoring 5.0.0 Product Guide McAfee Database Activity Monitoring 5.0.0 For use with epolicy Orchestrator 4.6.3-5.0.1 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Installation Guide. McAfee Security for Microsoft Exchange 7.6.0 Software

Installation Guide. McAfee Security for Microsoft Exchange 7.6.0 Software Installation Guide McAfee Security for Microsoft Exchange 7.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Best Practices Guide. McAfee epolicy Orchestrator 5.0.0 Software

Best Practices Guide. McAfee epolicy Orchestrator 5.0.0 Software Best Practices Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Setup Guide Revision A. WDS Connector

Setup Guide Revision A. WDS Connector Setup Guide Revision A WDS Connector COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee

More information

McAfee Client Proxy 2.0

McAfee Client Proxy 2.0 Product Guide Revision B McAfee Client Proxy 2.0 For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

Best Practices Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software

Best Practices Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software Best Practices Guide Revision B McAfee epolicy Orchestrator 5.1.0 Software COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

Installation Guide. McAfee epolicy Orchestrator 4.6.0 Software

Installation Guide. McAfee epolicy Orchestrator 4.6.0 Software Installation Guide McAfee epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored

More information

Installation Guide. McAfee epolicy Orchestrator 5.3.0 Software

Installation Guide. McAfee epolicy Orchestrator 5.3.0 Software Installation Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK

More information

Setup Guide. Email Archiving for Microsoft Exchange Server 2007

Setup Guide. Email Archiving for Microsoft Exchange Server 2007 Setup Guide Email Archiving for Microsoft Exchange Server 2007 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Setup Guide. Email Archiving for Microsoft Exchange Server 2010

Setup Guide. Email Archiving for Microsoft Exchange Server 2010 Setup Guide Email Archiving for Microsoft Exchange Server 2010 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Installation Guide. McAfee SaaS Endpoint Protection 6.0

Installation Guide. McAfee SaaS Endpoint Protection 6.0 Installation Guide McAfee SaaS Endpoint Protection 6.0 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Installation Guide. McAfee SaaS Endpoint Protection

Installation Guide. McAfee SaaS Endpoint Protection Installation Guide McAfee SaaS Endpoint Protection COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Core Protection for Virtual Machines 1

Core Protection for Virtual Machines 1 Core Protection for Virtual Machines 1 Comprehensive Threat Protection for Virtual Environments. Installation Guide e Endpoint Security Trend Micro Incorporated reserves the right to make changes to this

More information

Product Guide Revision A. McAfee Data Loss Prevention Endpoint 9.3.0

Product Guide Revision A. McAfee Data Loss Prevention Endpoint 9.3.0 Product Guide Revision A McAfee Data Loss Prevention Endpoint 9.3.0 COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Installation Guide Revision B. McAfee Email Gateway 7.x Virtual Appliances

Installation Guide Revision B. McAfee Email Gateway 7.x Virtual Appliances Installation Guide Revision B McAfee Email Gateway 7.x Virtual Appliances COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

User Guide. FIPS Mode. For use with epolicy Orchestrator 4.6.x Software

User Guide. FIPS Mode. For use with epolicy Orchestrator 4.6.x Software User Guide FIPS Mode For use with epolicy Orchestrator 4.6.x Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

Setup Guide. Email Archiving for Microsoft Exchange Server 2003

Setup Guide. Email Archiving for Microsoft Exchange Server 2003 Setup Guide Email Archiving for Microsoft Exchange Server 2003 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

McAfee Enterprise Mobility Management 11.0 Software

McAfee Enterprise Mobility Management 11.0 Software Product Guide McAfee Enterprise Mobility Management 11.0 Software For use with epolicy Orchestrator 4.6.5-5.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Product Guide. McAfee Security-as-a-Service Partner SecurityDashboard 5.2.0

Product Guide. McAfee Security-as-a-Service Partner SecurityDashboard 5.2.0 Product Guide McAfee Security-as-a-Service Partner SecurityDashboard 5.2.0 COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Best Practices Revision A. McAfee Email Gateway 7.x Appliances

Best Practices Revision A. McAfee Email Gateway 7.x Appliances Best Practices Revision A McAfee Email Gateway 7.x Appliances COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

McAfee Policy Auditor 6.2.0 software Installation Guide

McAfee Policy Auditor 6.2.0 software Installation Guide McAfee Policy Auditor 6.2.0 software Installation Guide COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Protecting Virtual Endpoints with McAfee Server Security Suite Essentials

Protecting Virtual Endpoints with McAfee Server Security Suite Essentials Sponsored by McAfee Protecting Virtual Endpoints with McAfee Server Security Suite Essentials December 2013 A SANS Analyst Whitepaper Written by Dave Shackleford Capability Sets for Virtualization Security

More information

Desktop Release Notes. Desktop Release Notes 5.2.1

Desktop Release Notes. Desktop Release Notes 5.2.1 Desktop Release Notes Desktop Release Notes 5.2.1 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval

More information

Hardware Sizing and Bandwidth Usage Guide. McAfee epolicy Orchestrator 4.6.0 Software

Hardware Sizing and Bandwidth Usage Guide. McAfee epolicy Orchestrator 4.6.0 Software Hardware Sizing and Bandwidth Usage Guide McAfee epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Virtualization Guide. McAfee Vulnerability Manager Virtualization

Virtualization Guide. McAfee Vulnerability Manager Virtualization Virtualization Guide McAfee Vulnerability Manager Virtualization COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARKS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

PHD Virtual Backup for Hyper-V

PHD Virtual Backup for Hyper-V PHD Virtual Backup for Hyper-V version 7.0 Installation & Getting Started Guide Document Release Date: December 18, 2013 www.phdvirtual.com PHDVB v7 for Hyper-V Legal Notices PHD Virtual Backup for Hyper-V

More information

epolicy Orchestrator Log Files

epolicy Orchestrator Log Files Reference Guide epolicy Orchestrator Log Files For use with epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced,

More information

Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures. Goliath Performance Monitor Installation Guide v11.

Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures. Goliath Performance Monitor Installation Guide v11. Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures Goliath Performance Monitor Installation Guide v11.5 (v11.5) Document Date: March 2015 www.goliathtechnologies.com

More information

VirtualXP Users Guide

VirtualXP Users Guide VirtualXP Users Guide Contents Chapter 1: Introduction... 2 Chapter 2: Install and Uninstall VirtualXP... 3 2.1 System Requirement... 3 2.2 Installing VirtualXP... 3 2.3 Uninstalling VirtualXP... 3 Chapter

More information

Administrators Guide Revision A. McAfee Email Gateway 7.5.0 Appliances

Administrators Guide Revision A. McAfee Email Gateway 7.5.0 Appliances Administrators Guide Revision A McAfee Email Gateway 7.5.0 Appliances COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software Product Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Acronis Backup & Recovery 10 Advanced Server Virtual Edition. Quick Start Guide

Acronis Backup & Recovery 10 Advanced Server Virtual Edition. Quick Start Guide Acronis Backup & Recovery 10 Advanced Server Virtual Edition Quick Start Guide Table of contents 1 Main components...3 2 License server...3 3 Supported operating systems...3 3.1 Agents... 3 3.2 License

More information

Product Guide. McAfee VirusScan for Mac 9.8.0

Product Guide. McAfee VirusScan for Mac 9.8.0 Product Guide McAfee VirusScan for Mac 9.8.0 COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK ATTRIBUTIONS Intel

More information

McAfee Security for Microsoft SharePoint 2.5.0 User Guide

McAfee Security for Microsoft SharePoint 2.5.0 User Guide McAfee Security for Microsoft SharePoint 2.5.0 User Guide COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a

More information

McAfee Cloud Single Sign On

McAfee Cloud Single Sign On Setup Guide Revision B McAfee Cloud Single Sign On COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

McAfee EETech for Mac 6.2 User Guide

McAfee EETech for Mac 6.2 User Guide McAfee EETech for Mac 6.2 User Guide COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.0.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started Getting started Corporate Edition Copyright 2005 Corporation. All rights reserved. Printed in the U.S.A. 03/05 PN: 10362873 and the logo are U.S. registered trademarks of Corporation. is a trademark of

More information

Installing and Configuring vcenter Multi-Hypervisor Manager

Installing and Configuring vcenter Multi-Hypervisor Manager Installing and Configuring vcenter Multi-Hypervisor Manager vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.1 This document supports the version of each product listed and supports all subsequent

More information

Pearl Echo Installation Checklist

Pearl Echo Installation Checklist Pearl Echo Installation Checklist Use this checklist to enter critical installation and setup information that will be required to install Pearl Echo in your network. For detailed deployment instructions

More information

Unitrends Virtual Backup Installation Guide Version 8.0

Unitrends Virtual Backup Installation Guide Version 8.0 Unitrends Virtual Backup Installation Guide Version 8.0 Release June 2014 7 Technology Circle, Suite 100 Columbia, SC 29203 Phone: 803.454.0300 Contents Chapter 1 Getting Started... 1 Version 8 Architecture...

More information

Release Notes McAfee Risk Advisor 2.6.2 Software For use with epolicy Orchestrator 4.5.0 and 4.6.0 Software

Release Notes McAfee Risk Advisor 2.6.2 Software For use with epolicy Orchestrator 4.5.0 and 4.6.0 Software Release s McAfee Risk Advisor 2.6.2 Software For use with epolicy Orchestrator 4.5.0 and 4.6.0 Software About this document New features System Requirements Supported Upgrades Installing and verifying

More information

McAfee VirusScan and epolicy Orchestrator Administration Course

McAfee VirusScan and epolicy Orchestrator Administration Course McAfee VirusScan and epolicy Orchestrator Administration Course Intel Security Education Services Administration Course Training The McAfee VirusScan and epolicy Orchestrator Administration course from

More information

McAfee Total Protection Service Installation Guide

McAfee Total Protection Service Installation Guide McAfee Total Protection Service Installation Guide COPYRIGHT Copyright 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval

More information

VMware/Hyper-V Backup Plug-in User Guide

VMware/Hyper-V Backup Plug-in User Guide VMware/Hyper-V Backup Plug-in User Guide COPYRIGHT No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying,

More information

Release Notes for McAfee epolicy Orchestrator 4.5

Release Notes for McAfee epolicy Orchestrator 4.5 Release Notes for McAfee epolicy Orchestrator 4.5 About this document New features Known Issues Installation, upgrade, and migration considerations Considerations when uninstalling epolicy Orchestrator

More information

Technology Blueprint. Secure Your Virtual Desktop Infrastructure. Optimize your virtual desktop infrastructure for performance and protection

Technology Blueprint. Secure Your Virtual Desktop Infrastructure. Optimize your virtual desktop infrastructure for performance and protection Technology Blueprint Secure Your Virtual Desktop Infrastructure Optimize your virtual desktop infrastructure for performance and protection LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL

More information

McAfee epolicy Orchestrator 4.5 Cluster Installation Guide

McAfee epolicy Orchestrator 4.5 Cluster Installation Guide McAfee epolicy Orchestrator 4.5 Cluster Installation Guide COPYRIGHT Copyright 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in

More information

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started Getting Started Symantec Client Security About Security Security provides scalable, cross-platform firewall, intrusion prevention, and antivirus protection for workstations and antivirus protection for

More information

Sophos Anti-Virus for NetApp Storage Systems startup guide. Runs on Windows 2000 and later

Sophos Anti-Virus for NetApp Storage Systems startup guide. Runs on Windows 2000 and later Sophos Anti-Virus for NetApp Storage Systems startup guide Runs on Windows 2000 and later Document date: July 2007 Contents About this guide...4 About Sophos Anti-Virus for NetApp Storage Systems...5

More information

McAfee Data Loss Prevention 9.3.0

McAfee Data Loss Prevention 9.3.0 Product Guide Revision E McAfee Data Loss Prevention 9.3.0 For use with epolicy Orchestrator 4.5, 4.6, 5.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Quick Start Guide for VMware and Windows 7

Quick Start Guide for VMware and Windows 7 PROPALMS VDI Version 2.1 Quick Start Guide for VMware and Windows 7 Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the

More information

Installation Guide. McAfee SaaS Endpoint Protection 5.2.0

Installation Guide. McAfee SaaS Endpoint Protection 5.2.0 Installation Guide McAfee SaaS Endpoint Protection 5.2.0 COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a

More information

System Administration Training Guide. S100 Installation and Site Management

System Administration Training Guide. S100 Installation and Site Management System Administration Training Guide S100 Installation and Site Management Table of contents System Requirements for Acumatica ERP 4.2... 5 Learning Objects:... 5 Web Browser... 5 Server Software... 5

More information

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started Getting started Symantec AntiVirus Corporate Edition Copyright 2004 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/04 10223881 Symantec and the Symantec logo are U.S. registered trademarks

More information

Getting Started with ESXi Embedded

Getting Started with ESXi Embedded ESXi 4.1 Embedded vcenter Server 4.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

simplify monitoring Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures

simplify monitoring Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures simplify monitoring Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures Simplify Monitoring Installation Guide 11.4 (v11.4) Document Date: February 2015 www.tricerat.com

More information

McAfee Endpoint Encryption 7.0

McAfee Endpoint Encryption 7.0 Product Guide McAfee Endpoint Encryption 7.0 For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee

More information

McAfee Application Control / Change Control Administration Intel Security Education Services Administration Course

McAfee Application Control / Change Control Administration Intel Security Education Services Administration Course McAfee Application Control / Change Control Administration Intel Security Education Services Administration Course The McAfee University Application Control / Change Control Administration course enables

More information

Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures. Goliath Performance Monitor Installation Guide v11.

Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures. Goliath Performance Monitor Installation Guide v11. Consolidated Monitoring, Analysis and Automated Remediation For Hybrid IT Infrastructures Goliath Performance Monitor Installation Guide v11.6 (v11.6) Document Date: August 2015 www.goliathtechnologies.com

More information

Release Notes for Websense Email Security v7.2

Release Notes for Websense Email Security v7.2 Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version

More information

Release Notes for McAfee(R) VirusScan(R) Enterprise for Linux Version 1.9.0 Copyright (C) 2014 McAfee, Inc. All Rights Reserved.

Release Notes for McAfee(R) VirusScan(R) Enterprise for Linux Version 1.9.0 Copyright (C) 2014 McAfee, Inc. All Rights Reserved. Release Notes for McAfee(R) VirusScan(R) Enterprise for Linux Version 1.9.0 Copyright (C) 2014 McAfee, Inc. All Rights Reserved. Release date: August 28, 2014 This build was developed and tested on: -

More information

Veeam Backup Enterprise Manager. Version 7.0

Veeam Backup Enterprise Manager. Version 7.0 Veeam Backup Enterprise Manager Version 7.0 User Guide August, 2013 2013 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may

More information

Product Guide. McAfee Application Control 6.1.0

Product Guide. McAfee Application Control 6.1.0 Product Guide McAfee Application Control 6.1.0 COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot,

More information

McAfee Risk Advisor 2.7

McAfee Risk Advisor 2.7 Getting Started Guide McAfee Risk Advisor 2.7 For use with epolicy Orchestrator 4.5 and 4.6 1 McAfee Risk Advisor 2.7 Getting Started Guide About this guide COPYRIGHT Copyright 2012 McAfee, Inc. All Rights

More information

McAfee VirusScan Enterprise 8.8 software Product Guide

McAfee VirusScan Enterprise 8.8 software Product Guide McAfee VirusScan Enterprise 8.8 software Product Guide COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval

More information