McAfee MOVE / VMware Collaboration Best Practices



Similar documents
McAfee MOVE AntiVirus Multi-Platform 3.5.0

McAfee VirusScan Enterprise 8.8 Best Practices Guide

McAfee MOVE AntiVirus (Agentless) 3.6.0

Data Center Connector for vsphere 3.0.0

Protecting Virtual Endpoints with McAfee Server Security Suite Essentials

McAfee MOVE AntiVirus 2.6.0

McAfee Optimized Virtual Environments - Antivirus for VDI. Installation Guide

Sophos Anti-Virus for NetApp Storage Systems startup guide. Runs on Windows 2000 and later

McAfee Optimized Virtual Environments for Servers. Installation Guide

Technology Blueprint. Secure Your Virtual Desktop Infrastructure. Optimize your virtual desktop infrastructure for performance and protection

Protecting the un-protectable Addressing Virtualisation Security Challenges

Anti-Spyware Enterprise Module software

McAfee VirusScan Enterprise for Linux Software

Product Guide. McAfee Endpoint Security 10

Data Center Connector for OpenStack

Product Guide. McAfee Endpoint Protection for Mac 2.1.0

Sophos Anti-Virus for NetApp Storage Systems startup guide

In this note, you will learn the basic applications of McAfee VirusScan Enterprise (hereafter McAfee ). Six topics will be covered as below:

Two Great Ways to Protect Your Virtual Machines From Malware

Antivirus Solution Guide for Clustered Data ONTAP 8.2.1: McAfee

McAfee VirusScan Enterprise for Storage 1.1.0

Sophos Anti-Virus for Windows, version 7 user manual. For Windows 2000 and later

Upgrade Guide. McAfee Vulnerability Manager Microsoft Windows Server 2008 R2

VMware/Hyper-V Backup Plug-in User Guide

Sophos Anti-Virus for NetApp Storage Systems user guide. Product version: 3.0

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software

AVG File Server. User Manual. Document revision ( )

VMware vsphere 5 Quick Start Guide

AV Management Dashboard

Product Guide. McAfee Endpoint Security for Mac Threat Prevention

Using McAfee VirusScan Enterprise 8.7i Jocelyn Kasamoto

McAfee VirusScan Enterprise 8.8 software Product Guide

Drobo How-To Guide. Cloud Storage Using Amazon Storage Gateway with Drobo iscsi SAN

In order to upload a VM you need to have a VM image in one of the following formats:

BITDEFENDER ENDPOINT SECURITY TOOLS

Security Practices Essentials. Viruses McAfee Virus Software Critical Windows Updates Network Settings. Spyware Adaware Spybot Windows Defender

McAfee Public Cloud Server Security Suite

Sophos Endpoint Security and Control Help. Product version: 11

GRAVITYZONE UNIFIED SECURITY MANAGEMENT. Use Cases for Beta Testers

Bitdefender GravityZone Sales Presentation

Sophos Endpoint Security and Control Help

McAfee Threat Intelligence Exchange Software

vsphere Replication for Disaster Recovery to Cloud

Basic Setup Guide. Remote Administrator 4 NOD32 Antivirus 4 Business Edition Smart Security 4 Business Edition

Core Protection for Virtual Machines 1

POC Installation Guide for McAfee EEFF v4.1.x using McAfee epo 4.6. New Deployments Only Windows Deployment

Comodo MyDLP Software Version 2.0. Endpoint Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Desktop Release Notes. Desktop Release Notes 5.2.1

ActiveImage Protector 3.5 for Hyper-V with SHR. User Guide - Back up Hyper-V Server 2012 R2 host and

Best Practice Configurations for OfficeScan (OSCE) 10.6

Net Protector Admin Console

Quickstart Guide. First Edition, Published September Remote Administrator / NOD32 Antivirus 4 Business Edition

TECHNICAL PAPER. Veeam Backup & Replication with Nimble Storage

Sophos Anti-Virus for Mac OS X Help

UP L17 Virtualization: Security Without Sacrificing Performance

McAfee Security for Microsoft SharePoint User Guide

If the Domain Controller is running Windows Server 2003, it is strongly advised that the Group Policy Management tool is installed.

Trend Micro OfficeScan Best Practice Guide for Malware

McAfee DAT Reputation Implementation Guide. Version 1.0 for Enterprise

LANDesk Management Suite 9.0. Getting started with Patch Manager

JUNIPER NETWORKS FIREFLY HOST ANTIVIRUS ARCHITECTURE

Symantec Endpoint Protection Datasheet

Bosch Video Management System High availability with VMware

VIRTUALIZATION SECURITY IN THE REAL WORLD

McAfee Deep Safe. Security beyond the OS. Kai-Ping Seidenschnur Senior Security Engineer. October 16, 2012

Sophos Anti-Virus for Mac OS X: Home Edition Help

AVG File Server User Manual. Document revision (11/13/2012)

Acronis Backup & Recovery 10 Advanced Server Virtual Edition. Quick Start Guide

Version Kaspersky Lab FOR INTERNAL USE ONLY

How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform

Symantec Endpoint Protection

GRAVITYZONE HERE. Deployment Guide VLE Environment

Best Practice Configurations for OfficeScan 10.0

McAfee Asset Manager Console

Sophos Anti-Virus for Mac OS X Help

Quick Start Guide for Parallels Virtuozzo

Kaspersky Endpoint Security 8 for Linux INSTALLATION GUIDE

Best Practices for Deploying Behavior Monitoring and Device Control

McAfee VirusScan and epolicy Orchestrator Administration Course

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers

VMware for Bosch VMS. en Software Manual

Using McAfee VirusScan. Professional Edition Version 8.0. Software On a DX8000 DVR

Installing and Configuring vcloud Connector

Total Protection Service

VirtualXP Users Guide

How to Configure Sophos Anti-Virus for Home Systems

Unprecedented Malware Growth

BITDEFENDER GRAVITYZONE

ClearPass Policy Manager 6.3

Microsoft Security Essentials Installation and Configuration Guide

INFUSION BUSINESS SOFTWARE Installation and Upgrade Guide

McAfee(R) Security Virtual Appliance 5.6 Installation Guide

RMM/MDM. Quick Reference Guide

Antivirus Best Practices for VMware Horizon View 5.x BEST PRACTICES

Sophos for Microsoft SharePoint startup guide

Installation Guide. McAfee Security for Microsoft Exchange Software

Make Optimizing Security Protection in Virtualized Environments a Priority

Transcription:

McAfee MOVE / VMware Collaboration Best Practices Christie J. Karrels Sales Engineer Federal DoD January 11, 2013 1 P a g e

Contents Introduction... 3 Traditional Anti-Malware vs. Optimized Anti-Malware... 3 Best Practices... 4 AV Best Practices... 4 Disabling processes on enable on-access scanning... 4 Changing a system registry to improve performance... 5 Defining the default high and low processes during scans... 6 Excluding archive files from on-access scanning... 8 Configuring system utilization to match system use... 9 Configuring the scan cache... 11 McAfee MOVE Antivirus... 12 Components and what they do... 12 MOVE AV Best Practices... 13 HBSS Best Practices... 14 McAfee Agent Best Practices... 14 2 P a g e

Introduction In today s mobile workforce, more companies, and the DoD, are turning to virtualization to support their users. Virtualization has its pros and cons. Without a doubt, the greatest advantage of virtualization is cost. Utilizing only the resources needed while sharing hardware resources is a great advantage and we all want to take advantage of this. While doing this, we know that security is still a major concern. Gartner just published a paper this month discussing why security protection in virtualizations must be a priority. One of the main points from this article that was brought away was that there are a number of security vendors creating security that may work in the virtualized environment, but is it really built for a virtualized environment. Traditional Anti-Malware vs. Optimized Anti-Malware Traditional Anti-malware absolutely has its place, but in the virtualized environment, we need to look at why vendors are coming out with what they consider an optimized product. AV Storms. What are they? When a client is started after some time (more than a day) powered down, depending on the policy configuration, it could kick off a daily quick scan, definition updates, a startup scan and possibly a weekly full scan. When starting a device is the worst time to be doing all these activities as the system is busy starting up other services and apps at the same time. This can all contribute to kill responsiveness. This is a major issue with standard products within a virtualized environment since all virtual desktops (VDI) share the same resources. With an optimized product, this is dealt with by properly handling a system during startup. Large AV Footprint. In a traditional product, the system has the full AV installed on the host, utilizing quite a bit of resources because on a native system, resources are available. When there are shared resources, the main goal is to provide a user experience that meets or exceeds the expectations of native hardware, while reducing the amount of resource on the back end. The harddrive space utilized by some security vendors is 400mb or more of space. McAfee MOVE is 8mb. Lack of DAT updates on offline virtual machines. What happens if a virtual machine is offline for some time, well when it comes back online, the system is out of date with its security software. This will cause a hit on the network and the hypervisor when that system tries to download DATs, which in some cases is over 100mb or more. Overall challenges. Above are just a few challenges that are brought to light when we start discussing Anti-Malware solutions for visualized environments. There are a number more that we could discuss. 3 P a g e

Best Practices Below are the best practices recommended by McAfee for traditional Antivirus, HBSS best practice, as well as MOVE AV best practices. AV Best Practices Traditional AV is what is included with the DISA AV contract. You are able to use McAfee Antivirus on a virtual system, but are susceptible to the overhead associated with traditional antivirus. Some of these being, AV storms, large DAT update files, lack of DAT updates on offline virtual machines. For traditional AV many of the best practices we followed are specific to the full McAfee Antivirus v8.8. I will highlight some of the very important best practices, but please also see the McAfee VSE 8.8 Best Practices Guide. (Another document, provided in another file). Below are the best practices recommended for performance improvements. Some of the default settings for VirusScan Enterprise might not be the best settings for optimal performance. These best practices describe some of those settings and their alternate configurations. CAUTION: Changing some of these setting can affect your system security, so please validate against your own security policy. Disabling processes on enable on-access scanning Changing a system registry to improve performance Defining the default high and low processes during scans Excluding archive files from on-access scanning Configuring system utilization to match system use Configuring the scan cache Disabling processes on enable on-access scanning Disabling processes on enable during system startup reduces your system startup time. If the on-access scanning process on enable feature is configured, all programs or executables are scanned when they are started. When you start your system some programs or executables start automatically. These executables might start prior to starting mcshield.exe. If the process on enable feature is configured and the mcshield.exe starts after these other executables the on-access scanner will scan each of the previously running executables in the order they started. This can slow your system and increase your system start up time. To change the processes on enable setting using epolicy Orchestrator, access the VirusScan Enterprise 8.8.0, On-Access General Policies, and click the General tab. Confirm Processes on enable is not selected. The following epolicy Orchestrator 4.5 shows processes on enable deselected. 4 P a g e

Changing a system registry to improve performance By default the McAfee Agent registry setting is configured to run at normal priority. Changing the McAfee Agent registry setting to use LowerWorkingThreadPriority improves VirusScan Enterprise performance. CAUTION: This best practice contains information about opening or modifying the registry. The following information is intended for System Administrators. Registry modifications are difficult to restore and could cause system failure if done incorrectly. Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986 Do not run a.reg file that is not confirmed to be a genuine registry import file. You must disable McAfee Self Protection to allow a new registry key to be added on the registry path described in the following steps. Use the following steps to edit the McAfee Agent framework registry configuration: 1. Click Start Run, type regedit and the Registry Editor user interface appears. 2. Navigate to the following Registry: 3. [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework] 4. In the right-hand pane, right-click a blank space and select New DWORD Value. 5. For the name, type LowerWorkingThreadPriority and click ENTER. 6. Right-click LowerWorkingThreadPriority and click Modify. 7. In the Value data field type 1, then click OK. 8. Click Registry Exit. 5 P a g e

9. Restart the McAfee Framework Service using the following steps: Click Start Run, type services.msc. From the General tab, scroll up or down and select the McAfee Framework Service, right-click to open Properties dialog box. Next to Startup Type, in the middle of the dialog box, click Manual from the list. From Service Status, click Start and OK. Defining the default high and low processes during scans You can change the default configuration of some high- and low-risk process policies on the onaccess scanner to improve system performance and focus the scanning where it is most likely to detect malware. CAUTION: There is some risk associated with adding exclusions to high-and low-risk process policies. The risk is determined by other policy settings, but generally the risk is minimal and should be assessed on a case-by-case basis. Be careful when you determine the degree of acceptable risk to obtain the desired performance improvement. To change the default low-risk process policies using epolicy Orchestrator, access the VirusScan Enterprise 8.8.0, On-Access Low-Risk Processes Policy, and click the Low-Risk Processes tab. Click Add and refer to the Low-risk processes table for some of the low-risk processes that could be added to the on-access scanner exclusion. Configure the Scan Items, Exclusions, and Actions tab options to change the behavior of the onaccess scanner. NOTE: One or more of these options must be changed for the low-risk processes to have an effect on performance. 6 P a g e

The following epolicy Orchestrator 4.5 display shows some processes added as low-risk. 7 P a g e

Excluding archive files from on-access scanning Including archive files in on-access scanning can significantly impact system performance. Scanning these archive files during a scheduled on-demand scan off-hours avoids impacting users and eliminates any threats from these files. CAUTION: Some malware might be stored in these archive file. But VirusScan Enterprise would usually find and stop any malware attack when these archive files are read or uncompressed. When you open folders with a lot of data, more than 20GB, the on-access scanner starts scanning these files and could take most of your system's processing resources. This can affect your system's performance. If you check the contents of the folder being scanned there are probably large compressed files in the older. For example, ZIPs, CABs, and installation or other self-extracting EXEs files. As each of these files is opened Windows Explorer decompresses these files looking for icons to add to the icon cache. As each file is opened the on-access scanner checks it for malware. To configure the off-hours scans of compressed archive using epolicy Orchestrator, access the VirusScan Enterprise 8.8.0, On-Access Default Processes Policy, and click Scan Items. Deselect Scan inside archives (e.g..zip). The following epolicy Orchestrator 4.5 display shows scanning compressed files deselected. 8 P a g e

Configuring system utilization to match system use Previous versions of VirusScan Enterprise used a proprietary thread priority process. VirusScan Enterprise 8.8 uses the Windows Set Priority setting for the scan process and thread priority. This lets the operating system set the amount of CPU time that the on-demand scanner receives at any point in the scan process. The system utilization setting in the On-Demand Scan Properties maps to the Windows Set Priority control. The following figure shows the corresponding Windows Set Priority setting for the on-demand scan set priority configured as Normal in Task Manager. Setting the system utilization for the scan to low provides improved performance for other running applications. The low setting is useful for systems with high end user activity. Conversely, by setting the system utilization to normal the scan completes faster. The normal setting is useful for systems that have large volumes and very little end user activity. 9 P a g e

You might want to configure the system utilization differently depending what type of activity is performed on your system. For example, use one of the following setting for systems with the listed user activity: Normal For systems with little user activity. For example, servers. Below Normal For systems with typical user activity. For example, individual workstations. Low For systems with above average user activity. For example, workstations used for CPU intensive activities such as computer aided design (CAD). NOTE: Setting the system utilization to low could cause your on-demand scan to take up to twice as long. To configure the system utilization using epolicy Orchestrator, click Menu System System Tree and click Client tasks. Click the Configuration and Performance tabs to specify performance options for the scan. Use the System Utilization slider to configure the setting for the scan process and threads priority best for the type of activity performed on your system 10 P a g e

Configuring the scan cache The VirusScan Enterprise scan cache saves a list of scanned files that are clean. This improves your system performance by saving this clean file scan cache information during a system reboot. This also allows the on-demand scanner to use this clean file cache information to reduce duplicate file scanning. These options should remain enabled for the best boot time and overall system responsiveness during on-demand scans. NOTE: Disable these settings during a malware outbreak or if your security requirements are high. To configure the scan cache settings using the epolicy Orchestrator, access the VirusScan Enterprise 8.8.0, General Options Policies, and click the Global Scan Settings tab. Enable the following scan cache settings: Enable saving scan data across reboots Allow On-Demand Scans to utilize the scan cache The following epolicy Orchestrator 4.5 shows the scan cache enabled. 11 P a g e

McAfee MOVE Antivirus McAfee MOVE AntiVirus Multi Platform is an anti virus solution for virtual environments that removes the need to install an anti virus application on every virtual machine (VM). This document covers installation, configuration, and product usage information for McAfee MOVE AV Multi Platform. For the Federal Validated Solution we utilized the McAfee MOVE AV Agentless. The Agentless deployment option integrates with VMware vshield using VMware vshield Endpoint. This solution addresses the challenges of protecting your virtual environment and keeping it free of malware without an agent from McAfee, resulting in easy deployment and setup. McAfee MOVE AntiVirus Agentless provides virus protection for virtual machines (VMs) and contains a Security Virtual Appliance (SVA) delivered as an Open Virtualization Format (OVF) package. The Agentless deployment option: Uses the VMware vshield Endpoint API to receive scan requests from VMs on the hypervisor Relies on VirusScan Enterprise for Linux for SVA protection and updates Uses epolicy Orchestrator to manage the MOVE configuration on the SVA Leverages the McAfee Agent for policy and event handling Provides reports on viruses that are discovered on the VMs by using epolicy Orchestrator Components and what they do Each component performs specific functions to keep your environment protected. 12 P a g e

epolicy Orchestrator (epo) Allows you to configure policies to manage McAfee MOVE AV Agentless and provides reports on malware discovered within your virtual environment. File Quarantine Remote quarantine system, where quarantined files are stored on an administrator specified network share. GTI (Global Threat Intelligence) Classifies suspicious files that are found on the file system. When the real time malware defense detects a suspicious program, it sends a DNS request for analysis to a central database server hosted by McAfee Labs. Hypervisor (ESXi) Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating systems. ESXi are embedded hypervisors for servers that run directly on server hardware without requiring an additional underlying operating system. Security Virtual Appliance (SVA) Provides anti virus protection for VMs and communicates with the loadable kernel module on the hypervisor, epolicy Orchestrator, and the GTI servers. The SVA is the only system directly managed by epolicy Orchestrator, but you can install the McAfee Agent and other McAfee products on the VMs. McAfee VirusScan Enterprise for Linux, McAfee Agent 4.6, and McAfee MOVE AV Agentless comes pre installed. VMware vcenter Console that manages the ESXi servers, which host the guest VMs that require protection. vshield Manager Manages the vshield components for the SVA and VMware vshield Endpoint, and monitors the health of the SVA. Virtual Machines (VMs) Completely isolated guest operating system installation within a normal host operating system that supports both virtual desktops and virtual servers. MOVE AV Best Practices McAfee MOVE is Antivirus optimized for the virtual environment. The settings out of the box are set so they provide the maximum protection with the minimum overhead. Depending on your environment, you might consider modifying the Virusscan exclusions list: Adding.txt, and.log files. Install the Virusscan for Enterprise Linux (VSEL) extension. Change the VSEL policy to Turn Off Scanning on Network mounted drives, and add /opt/mcafee/move/log/ as an exclusion. Lastly, VMware has developed a best practice guide for Antivirus within the VMware View 5 environment. We recommend following that document as well. Listed here: http://www.vmware.com/files/pdf/vmware-view-antiviruspractices-tn-en.pdf. 13 P a g e

HBSS Best Practices DISA s HBSS should be configured a certain way to maintain a efficient working environment. Below are some best practices for some components within the HBSS collection of software. McAfee Agent Best Practices The McAfee Agent to server communication interval is set correctly. Recommend to use the maximum setting allowed 720 minutes. From the epo server console, select the asset to be checked, then select Policies, followed by McAfee Agent from the product list. From the General category, select the applicable policy. From the General tab, ensure the Agent-to-Server Communication Interval option is set to 720 minutes or less. The McAfee Agent is configured correctly for the policy enforcement interval. Recommend to use the maximum setting allowed 30 minutes. From the epo server console, select the asset to be checked, and then select Policies, followed by McAfee Agent from the product list. From the General category, select the applicable policy. From the General tab, ensure the Policy Enforcement Interval option is set to 30 minutes or less. 14 P a g e

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information