Product Guide McAfee Endpoint Security for Mac Threat Prevention 10.2.0


COPYRIGHT

© 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee ActiveProtection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 Introduction
    Why you need security for Mac
    Product features

Protecting your standalone Mac

2 Installing the software on a standalone Mac
    Hardware and software requirements
    Install the software
        Install the software using wizard
        Install the software from the command line (silent installation)
    Supported upgrades on a standalone Mac
        Upgrade the software on a standalone Mac
    Test the installation
        Test the Threat Prevention feature
    Default settings
    Recommended post-installation tasks
    Uninstall the software from a standalone Mac

3 Using the software on a standalone Mac
    Security status
    View your Mac security status
    Recent events summary
    View event log
    Remove event log
    View the quarantined items
    Remove or restore the quarantined item
    Update the DAT and Engine
    Run a system scan
    Configure custom scan tasks
        Create a scan task
        Change settings in an existing scan task
        Remove an existing scan schedule

4 Configuring protection settings on a standalone Mac
    General protection options
        Enable or disable protection features
    Threat Prevention
        How Threat Prevention works
        Types of scan
        Configure on-access scan preferences
        Configure on-demand scan preferences
        Exclude files or directories from scanning
        Best practices for Threat Prevention
    Configure an update schedule
        Configure the repository list
        Configure proxy settings
        Configure the DAT update schedule
    Debug logging
        Enable or disable debug logging

5 Troubleshooting
    Run the repairMSC utility

Protecting your managed Mac

6 Installing the software on a Mac managed with McAfee ePO
    System requirements
    Check in the package to the McAfee ePO server
        Check in the package using Software Manager
        Check in the package manually
    Install the extensions on the McAfee ePO server
        Install the extensions using Software Manager
        Install the extensions manually
    Install the client software on a managed Mac using the installation URL
        Create an installation URL
        Install the software with an installation URL on a managed Mac
    Deploy the software from McAfee ePO
    Test the installation
    Remove the software from a managed Mac
        Remove the software extensions
        Remove the software

7 Installing the software on a Mac managed with McAfee ePO Cloud
    McAfee ePO Cloud components
    System requirements
    Installation overview
    Accessing the McAfee ePO Cloud account
    Install the client software on a managed systems using the installation URL
        Create an installation URL
        Install the software with an installation URL
    Deploy the client software from McAfee ePO Cloud

8 Managing the software with McAfee ePO and McAfee ePO Cloud
    Using Endpoint Security extensions as common extensions
    Manage policies
        Create or modify policies
        Assign policies
        Monitor the McAfee Agent status
    Threat Prevention policy
        Configure On-Access Scan policy
        Configure On-Demand Scan policy (Full Scan)
        Configure an On-Demand Scan policy (Quick Scan)
        Exclude files or directories from scanning
        Schedule a full or quick scan on managed Mac
        Schedule a custom on-demand scan
        Schedule the DAT update
    Queries and reports
        Queries for Threat Prevention
        Other queries

Index

Preface

This guide provides the information you need to work with your McAfee product.

Contents
• About this guide
• Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions
This guide uses these typographical conventions and icons.

Italic Title of a book, chapter, or topic; a new term; emphasis

Bold Text that is emphasized

Monospace Commands and other text that the user types; a code sample; a displayed message

Narrow Bold Words from the product interface like options, menus, buttons, and dialog boxes

Hypertext blue A link to a topic or to an external website

Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method

Tip: Best practice information

Caution: Important advice to protect your computer system, software installation, network, business, or data

Warning: Critical advice to prevent bodily harm when using a hardware product

Find product documentation
On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.


1 Introduction

McAfee® Endpoint Security for Mac Threat Prevention protects your Mac from viruses, spyware, trojan horses, and other malware threats.

You can use the software on standalone and managed Mac systems.

• For a standalone Mac — You or your Mac administrator can install the software and configure settings using the interface.

• For a managed Mac — Your system administrator sets up and configures security policies using these servers.

• McAfee® ePolicy Orchestrator® (McAfee ePO™)

• McAfee® ePolicy Orchestrator® Cloud (McAfee ePO™ Cloud)

Contents
• Why you need security for Mac
• Product features

Why you need security for Mac
Systems without protection might suffer a security breach such as data loss, misuse of personal and business information, and system disorder.

New products and technologies broaden opportunities for new security threats and challenges. The motive behind these threats is to disrupt or spy on your system, or to destroy the data and the system functionality completely.

The targeted security threats devised by cyber criminals and hackers are evolving consistently and steadily increasing the risk. Analyst reports say that the overall number of malware samples has reached more than 450 million, which underlines the importance of securing your Mac from these threats.

The threats and reported vulnerabilities that can harm your Mac are:

Threat category Potential threat

Malware Directs the user to access malicious items that can infect the Mac.

Examples: Flashback Trojan, Fake AV

Spyware Tracks every key you type to access sensitive information, such as user name and password and other personal details.

Example: Keyloggers

Botnet breakdowns Infects your system or network and controls it remotely to spread malware.

Based on the modules that you have installed and enabled, McAfee Endpoint Security for Mac protects your Mac from malware, network threats, and web-based threats.

Product features
These are the main features of McAfee Endpoint Security for Mac Threat Prevention.

Prevention - Avoiding threats

Configure these features to stop intrusions before they gain access to your environment.

• Self Protection — Protects the security software files and folders from malware and from being changed or deleted.

• Password protection for client interface — Configure different access levels for users as needed. You can also prevent users from changing the protection preferences.

• Password protection for uninstallation — Set password protection for the client software to prevent removal of the software from the Mac.

• Product Update client tasks — Update the engine and content files automatically from the McAfee download website.

Detection - Finding threats

• On-Access Scan — Scans files and directories for threats whenever users access them.

• On-Demand Scan — Schedules a scan on files and directories at specific times. Each on-demand scan contains its own policy settings. You can also run Full Scan or Quick Scan on a Mac.

• McAfee® Global Threat Intelligence™ (McAfee GTI) — Supports McAfee GTI, a heuristic network look up for suspicious files.

• Policy-Based On-Demand Scan client tasks — Run a Quick Scan or Full Scan on the Endpoint Security Client from McAfee ePO. Configure the behavior of these scans in the policy settings for an on-demand scan.

• Additional options when scheduling on-demand scans — Allows you to run an on-demand scan when the system is idle or not running on battery power.

• 5800 Engine support — Pre-packaged with the latest 5800 engine that provides enhanced detection capabilities.

Response - Handling threats

Use product log files, automatic actions, and other notification features to determine the best way to handle detections.

• Actions — Configure actions to take when detections occur.

• Alerts — Specify how Threat Prevention notifies you when detections occur, including alerting options and filtering alerts by severity to limit alert traffic.

• Extra.DAT files — Download and install Extra.DAT files to provide protection from a major virus outbreak.


Tuning - Monitoring, analyzing, and fine-tuning your protection

Monitor and analyze your configuration to improve system and network performance, and enhance virus protection, if needed. Use the following tools and features:

• Queries, dashboards, and server tasks (McAfee ePO) — Monitor scanning activity and detections.

• Log files (McAfee Endpoint Security for Mac Client) — View a history of detected items. Analyzing this information might reveal that you must enhance your protection or change the configuration to improve system performance.

• Scheduled tasks — Modify client tasks (such as Product Update) and scan times to improve performance by running them during nonpeak times.

• Content repositories — Reduce network traffic over the enterprise Internet or intranet by moving the content file repository closer to the clients.

• Scan policies — Analyze log files or queries and modify policies to increase performance or virus protection, if necessary. For example, you can improve performance by configuring exclusions.

• Exclusion of files and directories from scanning — Excludes specific files and directories from on-access scanning and on-demand scanning using criteria such as file type, extension, file age, or wildcards.

• Option to scan network volumes, compressed files, and Apple emails — Exclude or include mounted network volumes, compressed files, and Apple emails from scanning.

• Option to retain client-side exclusions — Overwrites or retains the client exclusion list for on-access scanning in a managed environment.

• Common extensions to manage Windows, Macintosh and Linux systems — Use McAfee® Endpoint Security extensions as common extensions to manage policies for your Windows, Macintosh, and Linux systems.

• Common McAfee ePO Dashboard and queries — Use the McAfee ePO dashboard to view the status of managed Mac and Windows systems.

• Turn off protection using the command-line option during product deployment — You can disable Threat Prevention protection using the command-line option from the McAfee ePO server when deploying the software on managed Mac systems. For more information about using the command-line option, see McAfee KnowledgeBase article KB85505.

• Support for McAfee ePO Cloud — Support for McAfee ePO Cloud to manage policies for your Mac.

• Menulet for easy access of the software interface — Easy access to the user interface by clicking the McAfee menulet from the status bar.

• Enable debug logging from client interface — Enable debug logging for the modules that you have installed using the client interface.


Protecting your standalone Mac
Install the software, analyze the default settings, and configure protection preferences for your standalone Mac.

Chapter 2 Installing the software on a standalone Mac
Chapter 3 Using the software on a standalone Mac
Chapter 4 Configuring protection settings on a standalone Mac
Chapter 5 Troubleshooting

2 Installing the software on a standalone Mac

Install the software on a standalone Mac using the wizard or from the command line.

Contents
• Hardware and software requirements
• Install the software
• Supported upgrades on a standalone Mac
• Test the installation
• Default settings
• Recommended post-installation tasks
• Uninstall the software from a standalone Mac

Hardware and software requirements
Make sure that your standalone Mac meets these requirements for successful installation.

Component Requirement

Hardware Mac that can run the supported operating system configuration.

Operating system • El Capitan 10.11.x (client and server)

If you are using McAfee® Agent 5.x on your Mac, you must upgrade it to McAfee Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating system to El Capitan. Otherwise, the communication between the McAfee® ePolicy Orchestrator® (McAfee ePO™) server and the Mac fails, and you would be unable to manage the Mac from the McAfee ePO server. For more information about the McAfee Agent 5.0.2 known issues with El Capitan, see McAfee KnowledgeBase article KB83895.

• Yosemite 10.10.x (client and server)

• Mavericks 10.9.x (client and server)

Browser Safari 7.1.x, 8.0.x, and 9.0.x.

Google Chrome 49 and later.


Install the software
Install the software on a standalone Mac using the wizard or the command line.

Before you begin
McAfee Endpoint Security for Mac doesn't support the co-existence of competitor's software in the Mac. You must uninstall competitor's software from the system before installation.

Tasks
• Install the software using wizard
The wizard guides you through the steps to install the software on your standalone Mac.

• Install the software from the command line (silent installation)
You can use the command line to install the software without user intervention.

Install the software using wizard
The wizard guides you through the steps to install the software on your standalone Mac.

Task
1 Download McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.dmg to a temporary location on your Mac, then double-click it to mount.

2 Double-click McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg to open the wizard.

During the installation, the installer prompts you to select modules for installation. You can select one or multiple modules. To install a module later, you must start the installation wizard. If the modules are grayed out, it indicates that the installer has detected the competitor software on your Mac. You must uninstall it before installing the module. For more information, see McAfee Knowledgebase article KB78192.

3 Follow the prompts to install the software.

To install the module that you have already installed, you must start the installation wizard, then select the module as needed. When you re-install the module, the protection settings that you configured previously are retained.

Install the software from the command line (silent installation)
You can use the command line to install the software without user intervention.

Task
1 Download McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.dmg to a temporary location on your Mac, then double-click it to mount McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg.

2 Copy the McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg file to a temporary location on your Mac.

3 Open a Terminal window and change the working directory to the one where you saved the McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg file.

4 Type the following command, then press return.

sudo installer -pkg McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg -target /

5 Type the administrator password, then press return. The following message appears.

The Install was successful.

To install an individual protection module from the command line, see McAfee KnowledgeBase article KB84772.
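
The silent installation above runs the package as root, so it is worth checking who signed the .pkg before step 4. The script below is an added example, not part of the McAfee guide: it reads the first certificate named in the `pkgutil --check-signature` report and calls `installer` only when that name matches a signer you supply. `EXPECTED_SIGNER` is a placeholder value and the function names are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not from the product guide: check who signed the installer
# package before running it as root.
# EXPECTED_SIGNER is a placeholder. Set it to the signer name your organization
# has confirmed out of band for this vendor.
EXPECTED_SIGNER="${EXPECTED_SIGNER:-Developer ID Installer: EXAMPLE VENDOR (PLACEHOLDER)}"

# Print the first (leaf) certificate name from a `pkgutil --check-signature`
# report read on stdin. Prints nothing when the report has no certificate chain.
leaf_signer() {
    sed -n 's/^[[:space:]]*1\.[[:space:]]*//p' | head -n 1
}

# Return 0 only when the report on stdin is not marked unsigned or untrusted
# and its leaf certificate equals EXPECTED_SIGNER.
signature_ok() {
    local report signer
    report="$(cat)"
    case "$report" in
        *"no signature"*|*"untrusted"*) return 1 ;;
    esac
    signer="$(printf '%s\n' "$report" | leaf_signer)"
    [ -n "$signer" ] && [ "$signer" = "$EXPECTED_SIGNER" ]
}

# Verify the package, then run the silent installation from step 4.
# macOS only: pkgutil and installer ship with the operating system.
verify_and_install() {
    local pkg report
    pkg="$1"
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 2; }
    report="$(pkgutil --check-signature "$pkg" 2>&1)" || {
        echo "pkgutil could not validate $pkg" >&2
        return 1
    }
    if ! printf '%s\n' "$report" | signature_ok; then
        echo "refusing to install, signer is: $(printf '%s\n' "$report" | leaf_signer)" >&2
        return 1
    fi
    sudo installer -pkg "$pkg" -target /
}

# Run only when a package path is given on the command line.
if [ "$#" -ge 1 ]; then
    verify_and_install "$1"
fi
```
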

Supported upgrades on a standalone Mac
McAfee Endpoint Security for Mac supports upgrading the software and migrating the preferences from the previous versions of the software.

You can upgrade the software from:

• McAfee® Endpoint Protection for Mac 2.3.0

• McAfee Endpoint Security for Mac 10.x

• McAfee® VirusScan™ for Mac 9.8.0

Upgrading from McAfee Endpoint Protection for Mac 2.3.0

When you upgrade the software, the respective preferences are migrated according to the modules you select.

When you upgrade the software from the previous version, the existing software is removed completely but the preferences for all modules are saved. When you install a module, the respective preferences are migrated.

For example:

If you select... Migrated preferences...

Threat Prevention Anti-malware

Since Application Protection module is not part of McAfee Endpoint Security for Mac, the Application Protection preferences are migrated only when you install the McAfee® Application Protection 2.3.0 software. For more information, see McAfee Application Protection product guide.

When you migrate the preferences from McAfee Endpoint Protection for Mac or McAfee VirusScan for Mac, the Quarantine scan action is migrated to Delete, and the Notify scan action is migrated to Deny.

Upgrading from McAfee Endpoint Security for Mac 10.x

When you upgrade the software, the respective existing preferences are migrated according to the module you select. For example:

If you select... Migrated preferences...

Threat Prevention Threat Prevention

Upgrading from McAfee VirusScan for Mac 9.8.0

When you upgrade the software, the existing anti-malware preferences are migrated.


Upgrade the software on a standalone Mac
You can upgrade the software and migrate the existing configuration settings.

Before you begin
Before upgrading the software, make sure that your system meets all requirements.

Task
1 Install the software using the wizard.

For more information, see Install the software using wizard.

2 Make sure that all existing preferences are migrated to the new version.

Test the installation
Test the software to make sure that it is installed properly and can protect your Mac.

Tasks
• Test the Threat Prevention feature
Access the EICAR standard anti-virus test file to test the Threat Prevention feature.

Test the Threat Prevention feature
Access the EICAR standard anti-virus test file to test the Threat Prevention feature.

This file is the combined effort by anti-virus vendors to implement one standard that customers can use to validate the anti-virus software.

Task
1 Go to the EICAR website http://www.eicar.org.

2 Click DOWNLOAD ANTI MALWARE TESTFILE, then click DOWNLOAD.

3 From the Download area using the standard protocol http section, click the file eicar.com.txt.

The test is successful when McAfee Endpoint Security for Mac displays the notification 1 detection(s) found on your system. with the relevant details.
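
A Terminal variant of this test that needs no browser, given as an added example that is not part of the McAfee guide: it writes the standard 68-byte EICAR string to a file, which exercises the default on-access setting listed under Default settings (Scan files while: Write), and reports whether the file survives. The function names, the file name and the 10-second wait are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not from the product guide: local on-access scan check.
# The EICAR string is kept in two parts so this script is not itself detected.
EICAR_PART1='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR'
EICAR_PART2='-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Print the 68-byte EICAR test string without a trailing newline.
eicar_string() {
    printf '%s%s' "$EICAR_PART1" "$EICAR_PART2"
}

# Compare a file with the content that was written to it.
# Prints: intact | missing | altered (altered also covers "read denied").
file_state() {
    local path expected
    path="$1"; expected="$2"
    if [ ! -e "$path" ]; then
        echo missing
    elif [ "$(cat "$path" 2>/dev/null)" = "$expected" ]; then
        echo intact
    else
        echo altered
    fi
}

# Write the test file into directory $1 and poll it for up to $2 seconds
# (default 10, an assumption). Prints "detected" and returns 0 when the write
# is refused or the file is removed or changed; prints "not_detected" and
# returns 1 when the file is still intact at the end of the wait.
# Use a directory you can write to, otherwise a plain permission error
# is reported as "detected".
check_on_access() {
    local dir wait_s target i state
    dir="$1"; wait_s="${2:-10}"
    target="$dir/eicar-check-$$.txt"
    if ! eicar_string 2>/dev/null > "$target"; then
        echo detected
        return 0
    fi
    i=0
    while :; do
        state="$(file_state "$target" "$(eicar_string)")"
        if [ "$state" != intact ]; then
            echo detected
            return 0
        fi
        [ "$i" -ge "$wait_s" ] && break
        sleep 1
        i=$((i + 1))
    done
    rm -f "$target"          # clean up when nothing reacted to the file
    echo not_detected
    return 1
}

# Usage: ./eicar_check.sh --run [directory]
if [ "${1:-}" = "--run" ]; then
    check_on_access "${2:-${TMPDIR:-/tmp}}"
fi
```
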

Default settings
Once installed, McAfee Endpoint Security for Mac starts protecting the Mac immediately based on the default configurations defined. Refer to these default settings, and configure them for your environment.

General

Feature Default settings

Threat Prevention Enabled


Threat Prevention

Feature Default settings

Threat Prevention On-Access Scan:

• Scan files while — Write

• Maximum scan time for a file — 45 seconds for a file.

• When a virus is found — Clean

• If clean fails — Delete

• When a spyware is found — Clean

• If clean fails — Delete

• Enable McAfee GTI — Enabled.

• Sensitivity Level — Medium.

Also scan:

• Archives & Compressed Files — Disabled

• Apple Mail messages — Disabled

• Network Volumes — Disabled

On-Demand Scan:

• When a virus is found — Clean

• If clean fails — Delete

• When a spyware is found — Clean

• If clean fails — Delete

• Enable McAfee GTI — Enabled.

• Sensitivity Level — Medium.

• Archives & Compressed Files — Enabled

• Apple Mail messages — Enabled

• Network Volumes — Disabled

• Scheduled Scan Option

• Scan only when the system is idle — Enabled.

• Do not scan when the system is on battery power — Enabled.

Exclusions — None

Update

Feature              Default settings

Update

In Repository List

• Repository Name — McAfeeHttp, McAfeeFtp

In Proxy Settings

• Proxy settings — Configure proxy settings manually

In Schedule

• Schedule — Daily at 4:45 PM (local time)


Logging

Feature              Default settings

Logging

In Enable Debug Logging

• Threat Prevention — Disabled

Recommended post-installation tasks

Perform these tasks to make sure that the protection configuration does not affect the business routines.

Task: Update the content files

Description: After installation, McAfee Endpoint Security for Mac automatically updates the content files to protect the Mac from the latest threats. By default, this update is scheduled at 4.45 pm local time every day. When the files are updated for the first time, it may take longer to download the full content. The subsequent updates will be incremental.

You can view the last update details of the content files in the Console page.

Task: Perform an on-demand scan

Description: After you install the software, run an on-demand scan of the local volumes to clean infected files that reside on the Mac but have not been accessed.

Configure the On-Demand Scan task to define:

• The items to scan (files, folders, and drives)

• The frequency of the scan (daily, weekly, monthly, or immediately)

• The action when malware is found (Delete or Clean)

Task: Threat Prevention

Description: McAfee Endpoint Security for Mac comes with the default settings. Verify that the default settings are consistent with your organization's policies and provide complete protection against malware.

Uninstall the software from a standalone Mac

You can uninstall the software or specific modules from a Mac using the command line.

Before you begin

You must have administrator rights to uninstall the software.


Task

1 Open a Terminal window.

2 Type the following command, then press return.

To remove...                Use this command...

All modules                 sudo /usr/local/McAfee/uninstall EPM

Threat Prevention module    sudo /usr/local/McAfee/uninstall ThreatPrevention

The uninstallation command is case sensitive.

3 Type the administrator password when prompted.

When Uninstallation is enabled in Endpoint Security Common policy, uninstalling the software using the command line prompts you to type the password set by your McAfee ePO server administrator.

When the software is uninstalled, the following message appears:

Product has been uninstalled successfully.

When you uninstall the software, the McAfee Agent is not uninstalled from the system, because it might be used by other products. Refer to the product guide of your McAfee Agent version for more information.


3 Using the software on a standalone Mac

Access the McAfee Endpoint Security for Mac Console page to view your Mac security status and event details.

You can also view the quarantined items, configure scan schedules, and update the DAT and engine.

Contents

• Security status

• View your Mac security status

• Recent events summary

• View event log

• Remove event log

• View the quarantined items

• Remove or restore the quarantined item

• Update the DAT and Engine

• Run a system scan

• Configure custom scan tasks

Security status

View the security status and the protection features that are enabled or disabled on your Mac.

Use the dashboard to know the status of:

• Threat Prevention

• Firewall

• Web Control

View your Mac security status

The Status page displays the security status of your Mac, the protection modules installed, and their status.

You can view recent events summary and the last successful DAT or Engine update time.

The events that appear in the Status page are read-only.

To view your Mac security status and the protection modules installed:

Task

• Click the McAfee menulet on the status bar, then select Console | Status.

The Status page also displays the protection modules that are installed on your Mac and their status.


Recent events summary

You can view a summary of the five most recent events on the Status page.

The events summary includes:

• Details of malware detected from on-access scan.

• Status of scan task with number of malware detected from on-demand scan.

• Threat Prevention update status with DAT version details.

Recent events displays only the summary of events. To view the complete details of events, navigate to the Event Log page, then double-click the particular event.

View event log

View and analyze the event log to understand the software activity information.

The Event Log page displays all events with details for malware detection, scan schedules, and Threat Prevention update.

Task

1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Event Log.

Twenty events are listed per page and you can use arrow keys to navigate through pages.

3 Double-click the event you want to view.

• Threat Prevention Update — Displays the DAT version, engine version, and the status of the update.

• On-Access Scan — Displays the application that accessed the malware, status of detection found, and total number of detections with the details.

• On-Demand Scan — Displays number of files scanned, name and location of infected files, if found, and action taken.

You can sort events based on Event, Type or Date & Time.

Remove event log

Remove event log from the History page.

Task

1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Event Log.

3 Click the lock icon, type the administrator password, then click OK.

4 Select the event, then click Delete.


5 Click OK to remove the events.

You can't restore the events once you remove them from the list.

6 Click the lock icon to prevent further changes.

View the quarantined items

The Quarantine feature isolates dangerous or suspicious malware that could otherwise harm your Mac.

Task

1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Quarantine.

The quarantine page displays the original path of items quarantined with date and time of the event.

Remove or restore the quarantined item

The Quarantine page displays the list of quarantined items with the path, date, and time. You can restore the quarantined items only if you are sure that they are non-malicious; otherwise, you can remove them.

Before you begin

You must have administrator rights to remove or restore the quarantined item from the list.

Before restoring an item, we recommend that you send it to McAfee Labs for testing. To submit a sample to McAfee Labs, see McAfee KnowledgeBase article KB68030.

Task

1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Quarantine.

3 Click the lock icon, type the administrator password, then click OK.

• To restore, select the quarantined item, click Restore, then click OK to confirm.

• To remove, select the quarantined item, click Delete, then click OK to confirm.

You can't restore the items that are deleted from the quarantined list.

4 Click the lock icon to prevent further changes.


Update the DAT and Engine

Always keep the DAT and Engine up to date to protect your Mac from the latest threats.

Task

1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Update Now.

3 Click Start Update to initiate the DAT update task.

Upon completion, the update summary appears with the engine version, DAT version, update status, and DAT creation date in the Threat Prevention Update section. You can view the status and details of Threat Prevention update event in the Event Log page.

Run a system scan

Perform an on-demand scan on specific files, directories, and local or network-mounted volumes immediately.

Task

1 Click the McAfee menulet on the status bar, then select Console.

2 On the console, click Scan Now.

3 From the What to scan drop-down list, select items, then click Start Scan.

You can select multiple items by clicking .

Configure custom scan tasks

Schedule and customize scan tasks based on your requirements, to scan specific files, folders, and volumes periodically. You can also modify or remove the existing schedule.

For example, to scan your download folder and music library folder more frequently, you can define a scan schedule for only these two folders.

Tasks

• Create a scan task
Create scan tasks that automatically run at scheduled periods with the defined parameters.

• Change settings in an existing scan task
Change an existing scan schedule to add or remove locations or change the date and time.

• Remove an existing scan schedule
Remove the scan schedule when you no longer need it.


Create a scan task

Create scan tasks that automatically run at scheduled periods with the defined parameters.

Task

1 Click the McAfee menulet on the status bar, then select Console.

2 Click in the bottom left corner.

3 In the Scan Name field, type a name, then click Create.

4 From the What to scan drop-down list, select the items you want to scan. Click or - to remove the location.

• Documents — Scans the user documents folder.

• Desktop — Scans files and folders in desktop.

• Users — Scans the user directory.

• Applications — Scans the applications folders.

• Localhost — Scans the local host.

• Choose — Allows you to select folder or file location to scan.

5 In the When to scan section, select a schedule for the scan task, then click Schedule Scan.

• Immediately — Starts a scan task immediately. If you select to scan items immediately, click Start Scan.

• Once — Scans the defined locations once at the scheduled date and time.

• Daily — Scans the defined locations every day at the scheduled time. You can define the number of occurrences to run the daily scan task or select No End Date to run the schedule without any limit.

• Weekly — Scans the defined locations on a scheduled day and time of every week. You can define the number of occurrences to run the weekly scan task or select No End Date to run the schedule without any limit.

• Monthly — Scans the defined locations on a scheduled date and time of every month. You can define the duration or select No End Date to continue the schedule without any limit.

6 When you see a message that the scan task is scheduled, click OK.

7 Click Schedule Scan.

Change settings in an existing scan task

Change an existing scan schedule to add or remove locations or change the date and time.

Task

1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard under Activity, click the scheduled task you want to modify. The scheduled task displays the Last Scan Time and Next Scan Time.

3 Click Modify Scan, make the needed changes, then click Schedule Scan.


Remove an existing scan schedule

Remove the scan schedule when you no longer need it.

Task

1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, select an existing scan schedule in the left pane.

3 In the bottom left corner of the console, click to remove the selected item.


4 Configuring protection settings on a standalone Mac

Use Preferences to configure protection settings for the installed modules.

Contents

• General protection options

• Threat Prevention

• Configure an update schedule

• Debug logging

General protection options

Use the General tab options to enable the required protection preferences on your self-managed Mac.

You can enable or disable protection for the modules that you have installed.

• Threat Prevention

• Firewall

• Web Control

Enable or disable protection features

Enable the protection feature as required for your environment.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the General tab, click the lock icon.

3 Type the password when prompted.

4 Enable or disable the protection as required.

5 Click the lock icon to prevent further changes.

Threat Prevention

Threat Prevention protects your Mac from malware threats.

Configure the Threat Prevention settings to define actions for on-access scanning and on-demand scanning, and to exclude files and paths from scanning.


How Threat Prevention works

Threat Prevention protects your Mac from malware threats and unwanted programs by scanning items on your Mac.

When enabled, the software scans files and folders on local volumes, network-mounted volumes, and removable media whenever you access or create an item.

McAfee Endpoint Security for Mac uses the latest engine that:

• Performs complex analysis using the malware definition files (DATs)

• Decodes the contents of the item you access

• Compares them with the known signatures stored in the DAT files to identify malware

In addition, McAfee GTI (heuristic network check for suspicious files) looks for suspicious files and programs running on client systems that Threat Prevention protects.

Use Threat Prevention preferences to configure actions for on-access scan, on-demand scan, or to exclude files or paths from scanning.

Types of scan

The software scans files on Mac in two ways, on-demand and on-access.

On-access scan — Scans files and folders for malware threats and unwanted programs whenever you access them, and takes actions according to the configuration.

On-demand scan — Scans files and folders for malware threats and unwanted programs at any time or at a scheduled time. You can run on-demand scan in two ways.

• Scan all files — Scans files and directories immediately for the locations you have selected in What to Scan.

• Schedule Scan — Scans files and directories configured in What to Scan at the scheduled time.


How on-access scan works

This diagram shows how on-access scan works.

How on-demand scan works

This diagram shows how on-demand scan works.


Configure on-access scan preferences

The on-access scan protects your Mac from threats in real time. It scans for malware whenever an item is read from or written to the hard disk, and takes action according to the configuration.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the Threat Prevention tab, click the lock icon, type the administrator password, then click OK.


3 From the Scan files while drop-down list, select one of these options:

• Read — Scans items when they are read from the hard disk.

• Write — Scans items when they are written to the hard disk.

• Read & Write — Scans items when they are read from or written to the hard disk.

4 In Maximum scan time (in seconds), specify the duration allowed to scan each file.

You can specify a value between 10 and 9999. The default value is 45. When scanning exceeds the defined time, the software stops scanning the file.

5 From the When a virus is found drop-down list, select one of these options:

• Clean — Cleans the item that contains malware. Use the If clean fails drop-down list to select a secondary action (Delete or Deny).

• Delete — Deletes the item that contains malware.

• Deny — Prevents the user from accessing files with detected threats.

Although the software denies access to the file, it still resides in the system.

Whenever you select the primary action as Clean or Delete, the item is quarantined by default.

6 From the When a spyware is found drop-down list, select one of these options:

• Clean — Cleans the item that contains spyware. Use the If clean fails drop-down list to select a secondary action (Deny, Delete, or Allow).

• Delete — Deletes the item that contains spyware.

• Deny — Prevents the user from accessing files with detected threats.

Although the software denies access to the file, it still resides in the system.

• Allow — Allows the user to access files with detected threats.

Whenever you select the primary action as Clean or Delete, the item is quarantined by default.

7 In Also scan, select where you want to enable scanning:

• Archives & Compressed Files

• Apple Mail Messages

• Network Volumes

When these options are selected, McAfee Endpoint Security for Mac detects the threat. But, the primary and secondary actions might vary depending on the options selected.

8 Enable McAfee GTI and define its sensitivity level.

• Very low — The detections and risk of false positives are the same as with regular DAT content files. A detection is made available to Threat Prevention when McAfee Labs publishes it instead of waiting for the next DAT content file update.

• Low — This setting is the minimum recommendation for systems with a strong security footprint.

• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to be malware. However, some detections might result in a false positive. With this setting, McAfee Labs checks that popular applications and operating system files don't result in a false positive.


• High — Use this setting for deployment to systems or areas which are regularly infected.

• Very high — Detections found with this level are presumed malicious, but haven't been fully tested to determine if they are false positives. McAfee recommends using this level for systems that require the highest security.

9 Click the lock icon to prevent further changes.

Configure on-demand scan preferences

Schedule an on-demand scan to run immediately, at a scheduled time, or at regular intervals.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the Threat Prevention tab, click On-Demand Scan.

3 Click the lock icon, type the administrator password, then click OK to open the On-Demand Scan page.

4 From the When a virus is found drop-down list, select one of these options:

• Clean — Cleans the item that contains malware. Use the If clean fails drop-down list to select a secondary action (Delete, Continue scanning).

• Delete — Deletes the item that contains malware.

• Continue Scanning — Continues scanning when a threat is detected.

The detected threat still resides in the Mac.

5 From the When a spyware is found drop-down, select one of these options:

• Clean — Cleans the item that contains spyware. Use the If clean fails drop-down list to select a secondary action (Delete, Continue scanning).

• Delete — Deletes the item that contains spyware.

• Continue scanning — Continues scanning when a threat is detected.

The detected threat still resides in the Mac.

6 Enable McAfee GTI and define its sensitivity level.

• Very low — The detections and risk of false positives are the same as with regular DAT content files. A detection is made available to Threat Prevention when McAfee Labs publishes it instead of waiting for the next DAT content file update.

• Low — This setting is the minimum recommendation for systems with a strong security footprint.

• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to be malware. However, some detections might result in a false positive. With this setting, McAfee Labs checks that popular applications and operating system files don't result in a false positive.

• High — Use this setting for deployment to systems or areas which are regularly infected.

• Very high — Detections found with this level are presumed malicious, but haven't been fully tested to determine if they are false positives. McAfee recommends using this level for systems that require the highest security.


7 In Also scan, select where you want to enable scanning:

• Archives & Compressed Files

• Apple Mail Messages

• Network Volumes

8 In the Scheduled Scan Options, select one of these options:

• Scan only when the system is idle

• Scan anytime

• Do not scan when the system is on battery power

9 Click the lock icon to prevent further changes.

For information about creating a scan task, see Create a scan task.

Exclude files or directories from scanning

Exclude files and folder paths from an on-access scan or on-demand scan.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Threat Prevention, then click Exclusions.

3 Click the lock icon, type the administrator password, then click OK.

4 Click in the bottom left corner.

5 Select the path of the required files and folders, then click Open.

6 Select or deselect the On-Access Scan and On-Demand Scan options as needed.

• Double-click an item to change the name or path that appears in the exclusion list.

• Use regular expressions to exclude items from scanning. For example, to exclude all files on the desktop from scanning, specify the path as /Users/user/Desktop/*

• To remove the item from the exclusions list, select it, then click in the bottom left corner of the page (or press fn+delete).

If you deselect the On-Access Scan and On-Demand Scan options for a path added to the exclusion list, the path is removed from the exclusion list immediately.

7 Click the lock icon to prevent further changes.

Best practices for Threat Prevention

This section describes the best practices to define the preferences for scheduling an on-access scan and an on-demand scan.

On-access scan preferences

• Always enable On-Access Scan because it checks every file the user accesses, and detects malware before it runs.

• Enable the scan option for the Network Volumes when needed, to scan files copied from or written to any network volumes.


On-demand scan preferences

• Always enable the scan for Archives & Compressed Files while performing on-demand scan. This is recommended if you disabled the scanning option for these files.

On-demand scan schedule

• Schedule an on-demand scan during non-peak hours (for example, during weekends or maintenance period).

• When scheduling an on-demand scan for the first time, schedule a full on-demand scan of your entire hard disk.

Exclusions

You can add regular expressions that match required patterns to exclude multiple files and folders from being scanned.

Here are some recommended exclusions:

• Microsoft Outlook database files

• Thunderbird database files

• Encrypted files

• Generic plist files such as Info.plist or version.plist for on-access scanning

Here are some recommended exclusion examples using wildcards:

• To exclude files with the extension mdb, use *.mdb

• To exclude each user's Outlook Database files of different Microsoft Office versions, use /Users/*/Documents/Microsoft\ User\ Data/Office\ *\ Identities/*\ Identity/*

• To exclude all Info.plist under /Applications, use /Applications/*/Contents/Info.plist

• To exclude all version.plist under /Applications, use /Applications/*/Contents/version.plist

• To exclude files with the extensions jar, rar, or war under /private/var/tmp, use /private/var/tmp/*.?ar
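A way to check how far exclusion patterns reach before adding them, as an added example that is not part of this guide or McAfee's code. It assumes shell-glob matching in which * and ? also match /, which may differ from the product's own matcher; the function names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not McAfee code): preview which paths a list of exclusion
# patterns would remove from scanning.
# ASSUMPTION: patterns are matched like shell globs, where "*" and "?" also
# match "/"; the product's own matcher may behave differently.

# Exclusion patterns copied from the guide's wildcard examples, one per line.
EXCLUSIONS='*.mdb
/Users/*/Documents/Microsoft\ User\ Data/Office\ *\ Identities/*\ Identity/*
/Applications/*/Contents/Info.plist
/Applications/*/Contents/version.plist
/private/var/tmp/*.?ar'

# Constructed sample paths (not taken from a real system).
SAMPLE_PATHS='/Users/alice/Documents/inventory.mdb
/Users/alice/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Database
/Applications/Example.app/Contents/Info.plist
/Applications/Example.app/Contents/MacOS/Example
/private/var/tmp/build/app.war
/private/var/tmp/backup.tar
/Users/alice/Downloads/installer.dmg'

# matching_exclusion PATH
# Prints the first pattern that covers PATH and returns 0;
# returns 1 when no pattern matches (the path stays in scope for scanning).
matching_exclusion() {
    path=$1
    result=1
    old_ifs=$IFS
    IFS='
'
    set -f    # keep the patterns from globbing against the real filesystem
    for raw in $EXCLUSIONS; do
        # The guide writes spaces as "\ "; turn them into plain spaces.
        pat=$(printf '%s\n' "$raw" | sed 's/\\ / /g')
        case $path in
            $pat) printf '%s\n' "$raw"; result=0; break ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return "$result"
}

# preview_exclusions: report, for every sample path, whether it is excluded.
preview_exclusions() {
    printf '%s\n' "$SAMPLE_PATHS" | while IFS= read -r p; do
        if hit=$(matching_exclusion "$p"); then
            printf 'EXCLUDED  %s  (by %s)\n' "$p" "$hit"
        else
            printf 'scanned   %s\n' "$p"
        fi
    done
}

preview_exclusions
```

Under these assumptions /private/var/tmp/*.?ar also covers backup.tar, so that pattern reaches beyond the jar, rar, and war extensions it was written for.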

Configure an update schedule

Configure the repository list that needs to be accessed to update the DAT or Engine, the proxy connection settings, and the update schedule.

Tasks

• Configure the repository list
Always keep your DAT file up to date to secure your Mac from the latest threats.

• Configure proxy settings
Configure Proxy settings if you use proxy servers to connect to the Internet for retrieving packages.

• Configure the DAT update schedule
Periodic DAT updates secure your Mac from latest threats.


Configure the repository list

Always keep your DAT file up to date to secure your Mac from the latest threats.

The software is shipped with the configuration that allows access to the McAfee FTP server and HTTP server to download the latest DAT file while your Mac is connected to the Internet.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Update.

3 Click the lock icon, type the administrator password, then click OK.

4 In Repository Name list box, on the Repository List tab:

• — To add a repository.

• — To delete an existing repository.

• — To deprioritize repositories.

• — To prioritize repositories.

5 In Repository Type, select FTP, HTTP, or a Local repository from where the latest DATs can be downloaded.

6 Specify a Repository URL, Port, User Name, and Password for the repository.

7 On the Schedule tab, define the schedule, then click Apply.

8 Click the lock icon to prevent further changes.

Configure proxy settings

Configure Proxy settings if you use proxy servers to connect to the Internet for retrieving packages.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Update, then click the Proxy Settings tab.

3 Click the lock icon, type the administrator password, then click OK.

4 Select whether to use a proxy.

• Do not use a proxy

• Configure proxy settings manually

5 Select Use these settings for all proxy types to specify the same IP address and port number for all proxy types.

6 Select FTP or HTTP server, then type the IP address and port number of the selected server.

7 Select Use authentication, then type the user name and password for the server.


8 To bypass a proxy server for specific domains, select Specify exceptions, then type the domain name.

9 Click the lock icon to prevent further changes.

Configure the DAT update schedule

Periodic DAT updates secure your Mac from latest threats.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the Update tab, click Schedule.

3 Click the lock icon, type the administrator password, then click OK.

4 Click the drop-down list to select the update frequency, then click Apply.

• Never — Never run the update.

We recommend that you do not select this option. Always keep your DAT files and Engine up to date to protect your Mac from the latest threats.

• Hourly — To run the update on the selected hours.

• Daily — To run the update daily at a specific time.

• Weekly — To run the update weekly at a specified time on weekdays.

• Monthly — To run the update once in a month at a specified time.

5 Click to prevent further changes.

Debug loggingDebug logs provide important information that you can use for troubleshooting purposes.

Enabling debug logs for a module logs details for all components of the module.

For example, if you enable logging for Threat Prevention, logs are stored for on-access scanning and on-demand scanning activity.

• You can find the Threat Prevention logs at /var/log/system.log and /var/log/McAfeeSecurity.log. You can identify and filter the Threat Prevention logs by the name MFE_AV.

• You can find the Firewall logs at /var/log/system.log. You can identify and filter the Firewall logs by the name MFE_FW.

• You can find the Web Control logs at /var/log/McAfeeSecurity.log. You can identify and filter the Web Control logs by the name MFE_WC.
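The log locations and module names listed above can be combined into a small per-module filter. The shell functions below are an added example, not part of the McAfee guide or product; the function names, the LOG_ROOT override, and the sample log lines (whose format is constructed and may differ from real entries) are assumptions.

```shell
#!/bin/sh
# Added example: pull one module's entries out of the logs named in the guide.
# From the guide: the log paths and the names MFE_AV, MFE_FW, MFE_WC.
# Assumptions (not from the guide): function names, LOG_ROOT, sample log lines.

# Prefix for log paths; empty means the real /var/log on the Mac.
LOG_ROOT="${LOG_ROOT:-}"

# Map a module keyword to the name the guide says to filter on.
mfe_tag() {
    case "$1" in
        threat-prevention) echo "MFE_AV" ;;
        firewall)          echo "MFE_FW" ;;
        web-control)       echo "MFE_WC" ;;
        *) return 1 ;;
    esac
}

# Map a module keyword to the log files the guide lists for it.
mfe_logs() {
    case "$1" in
        threat-prevention) echo "/var/log/system.log /var/log/McAfeeSecurity.log" ;;
        firewall)          echo "/var/log/system.log" ;;
        web-control)       echo "/var/log/McAfeeSecurity.log" ;;
        *) return 1 ;;
    esac
}

# Print every matching line, prefixed with the log file it came from.
mfe_filter() {
    _tag=$(mfe_tag "$1") || { echo "unknown module: $1" >&2; return 2; }
    for _f in $(mfe_logs "$1"); do
        _path="${LOG_ROOT}${_f}"
        if [ ! -r "$_path" ]; then
            # Reading /var/log may need administrator rights; report and move on.
            echo "skipping unreadable log: $_path" >&2
            continue
        fi
        # -F matches the name as a fixed string; sed keeps the status 0 on no match.
        grep -F -- "$_tag" "$_path" | sed "s|^|${_f}: |"
    done
    return 0
}

# Count matching lines for a module; prints a bare integer.
mfe_count() {
    mfe_tag "$1" >/dev/null || { echo "unknown module: $1" >&2; return 2; }
    mfe_filter "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Write constructed sample logs under directory $1 (for offline testing only).
mfe_make_sample() {
    mkdir -p "$1/var/log"
    cat > "$1/var/log/system.log" <<'EOF'
Jan 10 10:00:01 mac1 MFE_AV[101]: constructed sample: on-access scan started
Jan 10 10:00:02 mac1 MFE_FW[102]: constructed sample: rule set loaded
Jan 10 10:00:03 mac1 kernel[0]: constructed sample: unrelated entry
EOF
    cat > "$1/var/log/McAfeeSecurity.log" <<'EOF'
Jan 10 10:00:04 mac1 MFE_WC[103]: constructed sample: site rating requested
Jan 10 10:00:05 mac1 MFE_AV[101]: constructed sample: on-demand scan finished
EOF
}

# Run with --demo to exercise the filter against the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    LOG_ROOT=$(mktemp -d)
    mfe_make_sample "$LOG_ROOT"
    for _m in threat-prevention firewall web-control; do
        echo "== $_m: $(mfe_count "$_m") line(s)"
        mfe_filter "$_m"
    done
    rm -rf "$LOG_ROOT"
fi
```

On a real Mac, leave LOG_ROOT unset and call, for example, mfe_filter firewall after enabling debug logging for that module.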

Enable or disable debug logging

Configure the debug logging option for the installed modules.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click the Logging tab.

3 Click the lock icon, type the administrator password, then click OK.

4 Select the modules as required.

5 Click the lock icon to prevent further changes.

5 Troubleshooting

Identify and troubleshoot issues when using the standalone version of McAfee Endpoint Security for Mac.

Run the repairMSC utility

Use the repairMSC utility to troubleshoot McAfee Endpoint Security for Mac issues. It generates diagnostic reports, which can be uploaded to the McAfee server for analysis.

Task

1 Open a Terminal window, type the following command, then press return.

/usr/local/McAfee/repairMSC

2 Type the administrator password when prompted, then press return.

3 Type Y to continue, then press return.

A consolidated diagnostic report is generated in your home directory for issue analysis. A list of issues appears, with each category relating to a number from 1 to 8.

4 Type a number that best describes the issue, then press return. The repairMSC runs a repair utility based on the number selected and provides a solution.

5 Type y or n to confirm whether the issue was fixed, then follow the on-screen instructions.

The report file repairMSC.zip is available in your home directory (Users/<user>).

Contact McAfee support for troubleshooting assistance.

Protecting your managed Mac

Install the required extensions and deploy a security strategy to protect your managed Mac systems from threats.

Chapter 6 Installing the software on a Mac managed with McAfee ePO

Chapter 7 Installing the software on a Mac managed with McAfee ePO Cloud

Chapter 8 Managing the software with McAfee ePO and McAfee ePO Cloud

6 Installing the software on a Mac managed with McAfee ePO

Install the software on the McAfee ePO server and deploy it to your managed Mac.

Contents

• System requirements

• Check in the package to the McAfee ePO server

• Install the extensions on the McAfee ePO server

• Install the client software on a managed Mac using the installation URL

• Deploy the software from McAfee ePO

• Test the installation

• Remove the software from a managed Mac

System requirements

Make sure that these requirements are met and that you have administrator permission.

Component: Requirements

Hardware: Mac that can run with the supported operating system configuration.

Operating system:

• El Capitan 10.11.x (client and server)

If you are using McAfee® Agent 5.x on your Mac, you must upgrade it to McAfee Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating system to El Capitan. Otherwise, the communication between the McAfee® ePolicy Orchestrator® (McAfee ePO™) server and the Mac fails, and you would be unable to manage the Mac from the McAfee ePO server. For more information about the McAfee Agent 5.0.2 known issues with El Capitan, see McAfee KnowledgeBase article KB83895.

• Yosemite 10.10.x (client and server)

• Mavericks 10.9.x (client and server)

Browser: Safari 7.1.x, 8.0.x, and 9.0.x; Google Chrome 49 and later.

McAfee Agent: McAfee Agent 5.0.2 with Hotfix HF1085179 and later

McAfee ePolicy Orchestrator: 5.1.1 and later

Check in the package to the McAfee ePO server

You can check in the package using the Software Manager or check in the package manually.

Tasks

• Check in the package using Software Manager
Check in, update, or remove McAfee Endpoint Security for Mac using the Software Manager.

• Check in the package manually
Check in the McAfee Endpoint Security for Mac deployment package to the McAfee ePO Master Repository.

Check in the package using Software Manager

Check in, update, or remove McAfee Endpoint Security for Mac using the Software Manager.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Software Manager.

3 From the Product Categories list under Software (By Label), select Endpoint Security, select the package file, then click Check in All.

4 On the summary page, accept the McAfee End User License Agreement, then click OK.

Check in the package manually

Check in the McAfee Endpoint Security for Mac deployment package to the McAfee ePO Master Repository.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Download the .zip file to a temporary location on the McAfee ePO server.

2 Log on to the McAfee ePO server as an administrator.

3 Select Menu | Software | Master Repository | Check In Package.

a For Package type, select Product or Update (.ZIP).

b Click Choose File, select the file, click Choose, then click Next.

4 Select Current, then click Save.

Install the extensions on the McAfee ePO server

Install the software on the McAfee ePO server to configure and deploy policies for managed Mac.

Tasks

• Install the extensions using Software Manager
Install the extensions using the Software Manager.

• Install the extensions manually
Install Endpoint Security extensions on the McAfee ePO server manually.

Install the extensions using Software Manager

Install the extensions using the Software Manager.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu, Software, then click Software Manager.

3 From the Software Manager | Product Categories | Software (By Label), select Endpoint Security | McAfee Endpoint Security 10.2.0, select from the right pane, then check in the extensions.

Install the extensions manually

Install Endpoint Security extensions on the McAfee ePO server manually.

You must install the extensions to enable the features of the product.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Extensions, then click Install Extension.

3 Click Choose File and select the file that contains the extension, then click OK.

After installing the Endpoint Security extensions, you can use the migration tasks to migrate McAfee Endpoint Protection for Mac 2.3 or McAfee VirusScan for Mac 9.8 policies and tasks. For more information, see Endpoint Security migration help.

Install the client software on a managed Mac using the installation URL

McAfee ePO administrators can create an installation URL to install Endpoint Security for Mac client software on managed Mac.

Tasks

• Create an installation URL
Create an installation URL and send it to the user to install McAfee Agent on a managed Mac.

• Install the software with an installation URL on a managed Mac
The Mac user can access the URL to install the client software on a managed Mac.

Create an installation URL

Create an installation URL and send it to the user to install McAfee Agent on a managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Dashboards, then select Getting Started with ePolicy Orchestrator from the drop-down list.

3 On the Product Deployment page, click Start Deployment, define these settings, then click Deploy.

• System Tree Group

• McAfee Agent

• Software and Policies

• Auto Update

4 On the Initial Product Deployment Summary page, click OK.

On the Dashboard page, the installation URL appears under Product Deployment section.

5 Email the URL with instructions to install the client software on the Mac to the user.

After successful installation, McAfee Agent checks back with the McAfee ePO server for assigned tasks for that system group, then installs the software accordingly.

Install the software with an installation URL on a managed Mac

The Mac user can access the URL to install the client software on a managed Mac.

Before you begin

Make sure that your managed Mac meets the hardware and software requirements.

You must have an installation URL that you created or received from your administrator.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Open a browser window, paste the installation URL in the address bar, then press Enter.

2 Follow the on-screen instructions. If the installation does not start automatically, click Install.

Deploy the software from McAfee ePO

Use McAfee ePO to deploy the client software to systems in your network that are managed.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree, then select a group or systems.

3 On the Assigned Client Tasks tab, click Actions, then click New Client Task Assignment.

4 Complete these options, then click Create New Task:

a For Product, select McAfee Agent.

b For Task Type, select Product Deployment.

5 On the Client Task Catalog page:

a Type a name for the task.

b Select Mac as the target platform.

c In Products and components, select the product, select Install as the action, then click Save.

You can add more products by using .

6 In the Client Task Assignment Builder page:

a Select the task, then click Next.

b Schedule the task to run immediately, click Next to view a summary of the task, then click Save.

7 In the System Tree, select the systems or groups where you assigned the task, then click Wake Up Agents.

8 Select Force complete policy and task update, then click OK.

Test the installation

After deploying the software, verify that the client software is installed and updated correctly on managed Mac systems.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Wait for client systems to report back to the McAfee ePO server (typically after an hour).

2 On the McAfee ePO console, select Menu | Dashboards, then select Endpoint Security: Installation Status for a complete list of managed Mac and their installation status.

Remove the software from a managed Mac

Remove the client software from the managed Mac systems and remove the extensions from the McAfee ePO server.

Tasks

• Remove the software extensions
Remove the McAfee Endpoint Security for Mac extensions from the McAfee ePO server.

• Remove the software
Create a client task on the McAfee ePO server to remove McAfee Endpoint Security for Mac from the managed Mac.

Remove the software extensions

Remove the McAfee Endpoint Security for Mac extensions from the McAfee ePO server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Extensions.

3 In the left pane, select the extension and click Remove.

4 Select Force removal, bypassing any checks or errors, then click OK.

Remove the software

Create a client task on the McAfee ePO server to remove McAfee Endpoint Security for Mac from the managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree, then select a group or systems.

3 Click the Assigned Client Tasks tab, then click New Client Task Assignment.

4 Complete these options, then click Create New Task.

a For Products, select McAfee Agent.

b For Task Type, select Product Deployment.

5 On the Client Task Catalog page:

a Type a name for the task.

b Select Mac as the Target platform.

c In Products and components, select the product, select Remove as the action, then click Save.

6 On the Client Task Assignment Builder page:

a Select the task, then click Next.

b Schedule the task to run immediately. Click Next to view a summary of the task, then click Save.

7 In the System Tree, select the systems or groups for which you assigned the task, then click Wake Up Agents.

8 Select Force complete policy and task update, then click OK.

7 Installing the software on a Mac managed with McAfee ePO Cloud

Install and manage the software on a Mac that is managed with McAfee ePO Cloud.

McAfee ePO Cloud is an extensible management platform that enables centralized policy management and enforcement of your security products and the systems where they are installed.

It also provides comprehensive reporting and product deployment capabilities, all through a single point of control. Using McAfee ePO Cloud, you can deploy security products, patches, and service packs to the managed systems in your network.

Contents

• McAfee ePO Cloud components

• System requirements

• Installation overview

• Accessing the McAfee ePO Cloud account

• Install the client software on managed systems using the installation URL

• Deploy the client software from McAfee ePO Cloud

McAfee ePO Cloud components

These components make up McAfee ePO Cloud software.

• McAfee ePO Cloud — The center of your managed environment. McAfee ePO Cloud delivers security policies and tasks, controls updates, and processes events for all managed Mac.

• McAfee Agent — A vehicle of information and enforcement between the McAfee ePO Cloud and each managed Mac. The agent retrieves updates, ensures task implementation, enforces policies, and forwards events for each managed Mac.

• Master Repository — The central location for all McAfee updates and signatures, residing on McAfee ePO Cloud. The Master Repository retrieves user-specified updates and signatures from McAfee.

System requirements

Make sure that your managed Mac meets these requirements and that you have a valid account with the McAfee ePO Cloud.

Component: Requirements

Hardware: Mac that can run with the supported operating system configuration.

Operating system:

• El Capitan 10.11.x (client and server)

If you are using McAfee® Agent 5.x on your Mac, you must upgrade it to McAfee Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating system to El Capitan. Otherwise, the communication between the McAfee® ePolicy Orchestrator® (McAfee ePO™) server and the Mac fails, and you would be unable to manage the Mac from the McAfee ePO server. For more information about the McAfee Agent 5.0.2 known issues with El Capitan, see McAfee KnowledgeBase article KB83895.

• Yosemite 10.10.x (client and server)

• Mavericks 10.9.x (client and server)

Browser: Safari 7.1.x, 8.0.x, and 9.0.x; Google Chrome 49 and later.

Installation overview

In a McAfee ePO Cloud environment, administrators can deploy the software remotely to managed Mac, or ask users to install it locally.

McAfee sets up each McAfee ePO Cloud account on an offsite management server and notifies the local administrator when products are ready to install on managed Mac systems. Administrators then typically create and send an installation URL to ePolicy Orchestrator administrators for installation of client software on Mac systems.

McAfee sends the credentials to you through registered email. If you have not previously activated and configured an account, see the McAfee ePO Cloud product guide for instructions.

McAfee Endpoint Security for Mac supports both URL installation and deployment tasks. As an administrator, you can choose the method that best suits your needs.

1 Make sure that all managed Mac systems meet the hardware and software requirements.

2 Open the management console. Open a browser and log on to your McAfee ePO Cloud account.

3 Create the installation URL.

4 Send the installation URL to all Mac users to install the McAfee Agent and product software.

5 Deploy the client software with default or custom settings to managed Mac in one of these ways.

• Schedule product deployment tasks — Run product deployment tasks to deploy the software on managed Mac.

• Create an installation URL — Create an installation URL, then email it to users with instructions about installing the product on their Mac.

• Verify that the client software is installed and up to date on all managed Mac.

Accessing the McAfee ePO Cloud account

These are the high-level actions to set up the McAfee ePO Cloud account.

1 The enterprise administrator requests access to use McAfee ePO Cloud.

2 McAfee emails the McAfee ePO Cloud URL and logon information to the enterprise administrator.

3 Log on to the McAfee ePO Cloud server.

Install the client software on managed systems using the installation URL

Create an installation URL and send it to users to install the client software on managed systems.

Tasks

• Create an installation URL
Create an installation URL to install the software on managed Mac.

• Install the software with an installation URL
The managed Mac user can install the software on a local Mac with an installation URL.

Create an installation URL

Create an installation URL to install the software on managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO Cloud as an administrator.

2 Click Menu | Getting Started | Customize.

3 On the Customize Software Installation page, define these settings, then click Done.

• Group Name — Type a name of the group.

• Operating System — Select McAfee Agent for Mac.

• Software and Policies — Select McAfee Endpoint Security software modules as required.

• Auto Update — Select this option to download updates for the software.

The default policies and tasks of the module are selected by default.

4 Click Done.

5 From the Dashboards drop-down list, select Getting Started with ePolicy Orchestrator.

On the right side pane under Getting Started, the URL that you created appears.

6 Email the URL with installation instructions to the Mac users.

After successful installation, McAfee Agent checks back with the McAfee ePO server for assigned tasks for that system group, then installs the software accordingly.

Install the software with an installation URL

The managed Mac user can install the software on a local Mac with an installation URL.

Before you begin

• Make sure that your Mac meets the hardware and software requirements.

• You must have an installation URL that you created or received from your administrator.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Open a browser window, paste the installation URL in the address bar, then press Enter.

2 Follow the on-screen instructions.

Deploy the client software from McAfee ePO Cloud

Deploy the client software to systems in your network that are managed.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Product Deployment.

3 In the Product Deployment page, define these settings, then click Save.

• Name

• Description

• Type

• Auto Update

• Package

• Language

• Branch

• Command line

• Select the systems

• Select a start time

8 Managing the software with McAfee ePO and McAfee ePO Cloud

Integrate and manage McAfee Endpoint Security for Mac using McAfee ePO or McAfee ePO Cloud.

The primary differences in managing policies in the two environments are:

• McAfee ePO — Organizations maintain the McAfee ePO server on their premises, and administrators check in and install the software on the server, create policy settings, and enforce them on multiple managed Mac systems using deployment tasks.

• McAfee ePO Cloud — McAfee or the service provider maintains the McAfee ePO server, including checking in and installing the software. After setting up the cloud account from McAfee or other service providers, local administrators create policies and enforce them on managed Mac systems using deployment tasks.

For instructions about setting up and using McAfee ePO and McAfee Agent, see the product guide for your version of the product.

Contents

• Using Endpoint Security extensions as common extensions

• Manage policies

• Threat Prevention policy

• Queries and reports

Using Endpoint Security extensions as common extensions

Use the latest Endpoint Security extensions as common extensions to manage your Microsoft Windows, Macintosh, and Linux systems.

You can use Endpoint Security extensions to configure and deploy policies for your Macintosh and Windows systems. On each policy page, a tag indicates that the option applies only for specific operating systems. For example:

• Windows only — Applies only to Windows-based systems.

• Linux only — Applies only to Linux-based systems.

• Windows and Mac only — Applies only to Windows and Macintosh-based systems.

• Windows and Linux only — Applies only to Windows and Linux-based systems.

The policy options that don't contain any tag are applicable for Windows, Mac, and Linux systems.

To view the Windows only tag in the policy and task options, you must have installed the licensing extension on your McAfee ePO.

For the list of features supported for Microsoft Windows, Macintosh, and Linux operating systems, see McAfee KnowledgeBase article KB84410.

Manage policies

McAfee Endpoint Security for Mac policies provide options to configure features, feature administration, and to log details on managed systems.

You can find these policies on the Policy Catalog page under Product:

• Endpoint Security Threat Prevention

• Endpoint Security Firewall

• Endpoint Security Web Control

• Endpoint Security Common

Configure these policies with your preferences, then assign them to groups of the managed Mac. For generic information about policies, see the product guide for your version of McAfee ePO.

Create or modify policies

You can create and edit policies for a specific group in the System Tree.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select a Product and Category.

3 Perform these steps to create or modify a policy.

To create a policy:

1 Click New Policy.

2 Type the Policy Name.

3 Click OK.

4 Configure the settings.

To modify a policy:

1 Click the policy you want to modify.

2 Modify the settings.

4 Click Save.

Assign policies

When you have created or modified policies, assign them to the systems that are managed by McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Navigate to System Tree, select a group or systems, then click the Assigned Policies tab.

3 Select a product from the product list, select a policy, then click Edit Assignment.

4 Select the policy to assign, select appropriate inheritance options, then click Save.

Monitor the McAfee Agent status

Monitor the McAfee Agent status for information about the collection and transmission of properties on the managed Mac.

You can also send events, enforce policies, collect and send properties, and check for new policies and tasks.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the managed Mac, click the McAfee menulet on the status bar, then select McAfee Agent Status Monitor.

2 Select one of these options as required:

• Collect and Send Props — Send properties to the McAfee ePO server.

• Send Events — Send events to the McAfee ePO server.

• Check New Policies — Trigger the agent to communicate with the server to update policy and tasks.

• Enforce Policies — Enforce all configured policies on the managed system on demand.

• Save Contents to Desktop — Save the content of the McAfee Agent log to desktop.

• Close — Close the McAfee Agent Status Monitor interface.

Threat Prevention policy

Threat Prevention checks for malware and other threats by scanning items on your managed Mac systems.

Use Endpoint Security Threat Prevention policy to configure scanning settings for your managed Mac.

Product: Endpoint Security Threat Prevention

Category: On-Access Scan

Available options:

• Enable or disable on-access scanning on managed Mac.

• Specify time limit to scan each file.

• Specify when to scan files.

• Scan specific types of files.

• Define actions for detected items and unwanted programs.

• Exclude files and directories.

Category: On-Demand Scan

Available options:

• Run full scan and quick scan on managed Mac.

• Scan specific directories and their subdirectories.

• Scan specific types of files.

• Define actions for detected items and unwanted programs.

• Exclude files and directories from scanning.

For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee KnowledgeBase article KB84410.

Configure On-Access Scan policy

Create an on-access policy to enable or disable on-access scan, define scanning time limit for each file, and to define exclusions.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Access Scan as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 Click the policy that you created, click Show Advanced.

5 In the On-Access Scan section, define these settings.

In... Configure...

On-Access Scan

• Enable On-Access Scan — Enables or disables on-access scanning on managed Mac.

• Specify maximum number of seconds for each file scan — Specify the scan timeout value to scan each item. If you unselect this option, the value is set to 45 seconds.

McAfee GTI

• Enable McAfee GTI — Enables McAfee GTI, a heuristic network look up for suspicious files.

Select the Sensitivity level as required:

• Very low — The detections and risk of false positives are the same as with regular DAT content files. A detection is made available to Threat Prevention when McAfee Labs publishes it instead of waiting for the next DAT content file update.

• Low — This setting is the minimum recommendation for systems with a strong security footprint.

• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to be malware. However, some detections might result in a false positive. With this setting, McAfee Labs checks that popular applications and operating system files don't result in a false positive.

• High — Use this setting for deployment to systems or areas which are regularly infected.

• Very high — Detections found with this level are presumed malicious, but haven't been fully tested to determine if they are false positives. McAfee recommends using this level for systems that require highest security.

Process Settings

Use Standard settings for all processes — Applies standard settings when performing on-access scanning.


In the Standard process type:

• In Specify when to scan:

  • When writing to disk — Scans files when they are written to.

  • When reading from disk — Scans all files when they are read.

  • Let McAfee decide — Scans files when written to or read.

  • On network drives — Scans files in mounted-network volumes.

• In File type to scan:

  • All files — Scans files with any extension.

  • Default and specified file types — Scans files with extensions defined in the software, and the extensions you specify. For the list of the default file types, see McAfee KnowledgeBase article KB 84411.

  • Also scan for macros in all files — Scans macros in the files.

  • Specified file types only — Scans only files with extensions that you specify, and optionally, files with no extension.

• In Specify what to scan:

  • Compressed archive files — Scans the contents of compressed archive files.

    Scanning compressed archive files requires additional time.

  • Compressed MIME-encoded files — Scans Apple email messages.

  • Detect unwanted programs — Enables the scanner to detect potentially unwanted programs.

In Actions | Threat detection first response:

• Deny access to files — Prevents users from accessing any files with potential threats.

• Delete files — Deletes files that contain malware.

• Clean files — Removes threats from the detected file.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

In Unwanted program first response:

• Clean files — Removes the threat from the detected file.

• Delete files — Deletes the file that contains threats.

• Deny access to files — Prevents users from accessing files with potential threats.

• Allow access to files — Allows users to access the detected file.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

In the Exclusions section, click:

• Add — To add files to the exclusion list.

• Edit — To edit the exclusion settings.

• Delete — To remove the selected item from the exclusion list.

• Clear All — To remove all items from the exclusion list.


Enable Overwrite exclusions configured on the client to overwrite the exclusions list created by the managed Mac user.

For more information about configuring exclusions, see Exclude files or directories from scanning.

6 Click Save.

Configure On-Demand Scan policy (Full Scan)

Configure On-Demand Full Scan policy settings for your managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Demand Scan as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 Click the policy that you created, click the Full Scan tab, then define these settings.

In... Configure...

Full Scan

• Detect unwanted programs — Enables the scanner to detect potentially unwanted programs.

• Decode MIME encoded files — Scans Apple mail messages.

• Scan inside archives — Scans the contents of compressed archive files.

Scanning compressed archive files requires additional time.

• Find unknown program threats — Detects files that contain code resembling malware.

• Find unknown macro threats — Detects unknown macro threats.

Scan Locations

• Scan subfolders — Examines all subfolders in the specified volumes when any of these options are selected.

• Home folder

• Temp folder

• User profile folder

• File or folder

• All local drives

• All fixed drives

• All removable drives

• All mapped drives

You can add locations by clicking . Click to remove the locations from scanning.


File Types to Scan

• All files — Scans all files regardless of extension.

McAfee strongly recommends that you enable All files to make sure that no malware threat resides in your managed Mac systems.

• Default and specified file types — Scans files with extensions defined in the software and extensions you specify. For the list of the default file types, see McAfee KnowledgeBase article KB 84411.

• Also scan for macros in all files — Enables scanning for macros in all files.

• Specified file types only — Scans only files with extensions that you specify. Select Include files with no extension to scan files that have no extension.

McAfee GTI

• Enable McAfee GTI — Enables McAfee GTI, a heuristic network look up for suspicious files.

Select the Sensitivity level as required:

• Very low — The detections and risk of false positives are the same as with regular DAT content files. A detection is made available to Threat Prevention when McAfee Labs publishes it instead of waiting for the next DAT content file update.

• Low — This setting is the minimum recommendation for systems with a strong security footprint.

• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to be malware. However, some detections might result in a false positive. With this setting, McAfee Labs checks that popular applications and operating system files don't result in a false positive.

• High — Use this setting for deployment to systems or areas which are regularly infected.

• Very high — Detections found with this level are presumed malicious, but haven't been fully tested to determine if they are false positives. McAfee recommends using this level for systems that require highest security.

Exclusions

In the Exclusions section, click:

• Add — To add files to the exclusion list.

• Edit — To edit the exclusion settings.

• Delete — To remove the selected item from the exclusion list.

• Clear All — To remove all items from the exclusion list.

For more information about configuring exclusions, see Exclude files or directories from scanning.


Actions

In Threat detection first response:

• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.

• Clean files — Removes the threat from the detected file.

• Delete files — Deletes the file that contains malware.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

In Unwanted program first response:

• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.

• Clean files — Removes the threat from the detected file.

• Delete files — Deletes the file that contains malware.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

Scheduled Scan Options

• Scan only when the system is idle — Runs the scan only when the system is idle. The system is considered as idle when there is no keyboard or mouse activity for 5 minutes.

The User can resume paused scans option is not supported for Mac systems.

• Scan anytime — Runs the scan even if the user is active and specifies options for the scan.

The User can defer scans, User can pause and cancel scans, and Do not scan when the system is in presentation mode options are not supported for Mac systems.

• Do not scan when the system is on battery power — Postpones the scan when the system is using battery power.

5 Click Save.

For scheduling the task, see the product guide for your version of McAfee ePO.

Endpoint Security for Mac does not support the Right-Click Scan option.

Configure an On-Demand Scan policy (Quick Scan)

Configure On-Demand Quick Scan policy settings for your managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Demand Scan as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 Click the policy that you created, click the Quick Scan tab, then define these settings.


Quick Scan

• Detect unwanted programs — Enables the scanner to detect potentially unwanted programs.

• Decode MIME encoded files — Scans Apple mail messages.

• Scan inside archives — Scans the contents of compressed archive files.

Scanning compressed archive files requires additional time.

• Find unknown program threats — Detects files that contain code resembling malware.

• Find unknown macro threats — Detects unknown macro threats.

Scan Locations

• Scan subfolders — Examines all subfolders in the specified volumes when any of these options are selected.

• Home folder

• Temp folder

• File or folder

• All removable drives

Select the directory from the Specify locations drop-down list. You can add directories by clicking . Click to remove the directory from scanning.

File Types to Scan

• All files — Scans all files regardless of extension.

Best Practice: Enable All files to make sure that no malware threat resides in your managed Mac.

• Default and specified file types — Scans files with extensions defined in the software and extensions you specify. For the list of the default and specified file types, see McAfee KnowledgeBase article KB 84411.

• Also scan for macros in all files — Enables scanning for macros in all files.

• Specified file types only — Scans only files with extensions that you specify. Select Include files with no extension to scan files that have no extension.

McAfee GTI

• Enable McAfee GTI — Enables McAfee GTI, a heuristic network check for suspicious files.

Exclusions

In the Exclusions section, click:

• Add — To add files to the exclusion list.

• Edit — To edit the exclusion settings.

• Delete — To remove the selected item from the exclusion list.

• Clear All — To remove all items from the exclusion list.

For more information on configuring exclusions, see Exclude files or directories from scanning.


Actions

In Threat detection first response:

• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.

• Clean files — Removes the threat from the detected file.

• Delete files — Deletes the file that contains malware.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

In Unwanted program first response:

• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.

• Clean files — Removes the threat from the detected file.

• Delete files — Deletes the file that contains malware.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

Scheduled Scan Options

• Scan only when the system is idle — Runs the scan only when the system is idle.

The User can resume paused scans option is not supported for Mac.

• Scan anytime — Runs the scan even if the user is active and specifies options for the scan.

The User can defer scans, User can pause and cancel scans, and Do not scan when the system is in presentation mode options are not supported for Mac.

• Do not scan when the system is on battery power — Postpones the scan when the system is using battery power.

5 Click Save.

For scheduling the task, see the product guide of your version of McAfee ePO.

Endpoint Security for Mac does not support the Right-Click Scan option.

Exclude files or directories from scanning

Exclude files or directories from on-access scanning and on-demand scanning.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Access Scan or On-Demand Scan as required.

3 Click the policy, then click Show Advanced.

If you haven't created a policy, click New Policy, type a name for the policy, then click OK.

4 In the Exclusion area under Process Settings, click Add and define these settings as required, then click Save.


What to exclude

• Pattern (can include wildcards * or ?) — Specifies the file pattern to exclude.

For example, to exclude all files in the desktop from scanning, specify the path as /Users/user/Desktop/*

• Also exclude subfolders — Excludes files and directories from the specified location.

• File type (can include wildcard ?) — Excludes files that contain the extension.

• File Age — Excludes files based on their age in terms of creation date and modified date.

• Modified — Excludes files that were edited earlier than the number of days specified in the Minimum age in days field.

• Created — Excludes files that were created earlier than the number of days specified in the Minimum age in days field.

• Accessed — Excludes files that were accessed earlier than the number of days specified in the Minimum age in days field.

The Accessed option is applicable for On-Demand Scan policies only.

Select the option Overwrite exclusions configured on the client to overwrite the client exclusion list.

You can apply this option for On-Access Scan policies only.

When to exclude

• On read — Excludes from scanning when the file is accessed.

• On write — Excludes from scanning when the file is changed.

These two options are applicable for On-Access Scan policies only.
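
The exclusion fields in the table above can be modelled offline to see which files an entry would keep away from the scanner before the policy is deployed. This is an added example, not McAfee code: the field names are hypothetical, the sample files and entries are constructed, and it assumes that * and ? do not match across a / and that each entry uses one of Pattern, File type or File Age.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

DAY = 86400  # seconds per day

@dataclass
class FileInfo:
    """Constructed file metadata in epoch seconds (os.stat() on a real Mac)."""
    path: str
    created: float
    modified: float
    accessed: float

@dataclass
class Exclusion:
    """One exclusion entry; field names are hypothetical, not the product's."""
    policy: str                      # "on-access" or "on-demand"
    pattern: Optional[str] = None    # Pattern, wildcards * and ?
    subfolders: bool = False         # Also exclude subfolders
    file_type: Optional[str] = None  # File type, wildcard ? only
    age_by: Optional[str] = None     # "modified", "created" or "accessed"
    min_age_days: int = 0            # Minimum age in days
    on_read: bool = True             # On read (On-Access Scan only)
    on_write: bool = True            # On write (On-Access Scan only)

    def problems(self) -> List[str]:
        """Constraints from the guide, plus the one-selector assumption."""
        found = []
        selectors = (self.pattern, self.file_type, self.age_by)
        if sum(s is not None for s in selectors) != 1:
            found.append("set exactly one of pattern, file_type, age_by")
        if self.file_type and "*" in self.file_type:
            found.append("File type accepts the ? wildcard only")
        if self.age_by not in (None, "modified", "created", "accessed"):
            found.append("unknown File Age selector")
        if self.age_by == "accessed" and self.policy != "on-demand":
            found.append("Accessed applies to On-Demand Scan policies only")
        return found

def to_regex(text: str, allow_star: bool = True) -> str:
    """Translate * and ? to a regex. Assumption: neither matches a '/'."""
    wild = {"?": "[^/]"}
    if allow_star:
        wild["*"] = "[^/]*"
    return "".join(wild.get(ch, re.escape(ch)) for ch in text)

def is_excluded(ex: Exclusion, f: FileInfo, now: float, event: str) -> bool:
    """event: "read" or "write" for on-access, "scan" for on-demand."""
    if ex.problems():
        return False  # an invalid entry is treated as excluding nothing
    if ex.policy == "on-access":
        if not {"read": ex.on_read, "write": ex.on_write}.get(event, False):
            return False
    elif event != "scan":
        return False
    if ex.pattern is not None:
        regex = to_regex(ex.pattern)
        if ex.subfolders:
            regex += "(/.*)?"  # also match everything below a matched folder
        return re.fullmatch(regex, f.path) is not None
    if ex.file_type is not None:
        name = f.path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        return re.fullmatch(to_regex(ex.file_type, False), ext) is not None
    # File Age: the chosen timestamp is at least min_age_days old.
    return now - getattr(f, ex.age_by) >= ex.min_age_days * DAY

def unscanned(entries, files, now, policy, event) -> List[str]:
    """Paths that at least one valid entry of this policy type excludes."""
    return sorted(f.path for f in files
                  if any(e.policy == policy and is_excluded(e, f, now, event)
                         for e in entries))

NOW = 1_480_000_000.0  # constructed "current time"

def make_file(path: str, age_days: int) -> FileInfo:
    stamp = NOW - age_days * DAY
    return FileInfo(path, created=stamp, modified=stamp, accessed=stamp)

FILES = [  # constructed inventory
    make_file("/Users/user/Desktop/report.pdf", 2),
    make_file("/Users/user/Desktop/tools/installer.dmg", 1),
    make_file("/Users/user/Documents/build.log", 3),
    make_file("/Users/user/Documents/archive/old.zip", 400),
]
ENTRIES = [  # constructed policy entries
    Exclusion("on-access", pattern="/Users/user/Desktop/*"),
    Exclusion("on-access", file_type="lo?", on_write=False),
    Exclusion("on-demand", age_by="modified", min_age_days=365),
    Exclusion("on-access", age_by="accessed", min_age_days=30),  # invalid
]

if __name__ == "__main__":
    print(unscanned(ENTRIES, FILES, NOW, "on-access", "read"))
```

Running the same inventory with subfolders=True on the Desktop pattern shows how one checkbox extends the unscanned set to everything below the folder.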

Schedule a full or quick scan on managed Mac

Schedule an on-demand scan to detect malware threats in the managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Click Menu | Systems | System Tree, then select a group or systems.

3 Click the Assigned Client Tasks tab, then click Actions | New Client Task Assignment.

a For Product, select Endpoint Security Threat Prevention.

b For Task Type, select Policy Based On-Demand Scan, then select the task from the Task Name list.

4 Click Next.

5 Define these parameters, then click Next.

• Schedule status

• Schedule type

• Effective period

• Start time

• Task runs according to

• Options

6 In the Summary page, click Save.


7 In the System Tree, select the systems or groups where you assigned the task.

8 In the right pane, click the Group Details tab, then click Wake Up Agents.

9 In Force policy update, select Force complete policy and task update, then click OK.

Schedule a custom on-demand scan

Schedule a custom on-demand scan for managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Client Task Catalog.

3 In Client Task Types, expand Endpoint Security Threat Prevention, select Custom On-Demand Scan, then click New Task.

4 Select Custom On-Demand Scan from the Task Type drop-down list.

5 Define these settings, then click Save.

• Name

• Description

• Scan Options

• Scan Locations

• File Types to Scan

• McAfee GTI

• Exclusions

• Actions

• Scheduled scan options

6 On the Client Task Catalog page, select the custom scan that you created, click Assign, select a group to assign the task, then click OK.

7 On the Select Task page, define the settings, then click Next.

8 On the Schedule page, define the settings, then click Next.

9 On the Summary page, review the settings, then click Save.

Schedule the DAT update

Schedule an update to keep the content files and engine up to date.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Click Menu | Systems | System Tree, then select a group or systems.

3 On the Assigned Client Tasks tab, click Actions, then select New Client Task Assignment.

a For product, select McAfee Agent.

b For Task Type, select Product Update.

c Click Create New Task to open the Client Task Catalog.


d Type a name for the task, select Mac Engine and DAT in Signatures and engines from Package types, then click Save. The task is listed under Task Name.

e Select the task, then click Next.

4 On the Schedule page, define the schedule for the task.

a In the System Tree, select the systems or groups where you want to assign the task.

b Set these values, then click Next.

• Schedule status

• Schedule type

• Effective period

• Start time

• Task runs according to

• Options

5 On the Summary page, click Save.

6 In the right pane, select Group Details, then click Wake Up Agents.

7 In Force policy update, select Force complete policy and task update, then click OK.

Queries and reports

Run predefined queries to generate reports, or modify them to generate custom reports.

Queries for Threat Prevention

Here is the list of queries that you can view or customize for Threat Prevention.

Query... Displays...

Endpoint Security Threat Prevention: Hotfixes Installed
The hotfixes installed for the software.

Endpoint Security Threat Prevention: On-Access Scan Compliance Status
This is the On-Access Scan compliance status.

Endpoint Security Threat Prevention: Duration of Completed Full Scans in the Last 7 Days
The duration of completed Full Scan in the last seven days.

Endpoint Security Threat Prevention: Systems Not Completed a Full Scan in the Last 7 Days
The number of systems that have not completed a Full Scan in the last seven days but within the last month.

Endpoint Security Threat Prevention: Systems Not Completed a Full Scan in the Last Month
The number of systems that have not completed a Full Scan in the last month.

Endpoint Security Threat Prevention: Duration of Completed Quick Scans in the Last 7 Days
The duration of completed Quick Scan in the last seven days.

Endpoint Security Threat Prevention: Detection Response Summary
The number of threats on which an action was taken (Clean or Delete), versus the number of threats on which no action was taken, in the last three months.

Endpoint Security Threat Prevention: Threats Detected Over the Previous 2 Quarters
The threats detected in the previous two quarters. No cookies.

Endpoint Security Threat Prevention: Threat Count by Severity
Slice count is the number of events. Slices are the different event severities. All in the last three months.

Endpoint Security Threat Prevention: Top 10 Detected Threats
The top 10 detected items in the last three months.

Endpoint Security Threat Prevention: Top 10 Threat Sources
The top 10 computers which are the source for a threat in the last three months.


Endpoint Security Threat Prevention: Top 10 Computers with the Most Detections
The top 10 computers with the most detections in the last three months.

Endpoint Security Threat Prevention: Top 10 Threats Per Threat Category
The top 10 threats per threat category in the last three months, grouped by threat category then by threat name.

Endpoint Security Threat Prevention: Top 10 Users with the Most Detections
The top 10 users with the most detections in the last three months.

Endpoint Security Threat Prevention On-Access Scan McAfee GTI Sensitivity level
This report displays the McAfee GTI sensitivity level for On-Access Scans.

Endpoint Security Threat Prevention On-Demand Scan Full Scan GTI sensitivity level
This report displays the McAfee GTI sensitivity level for On-Demand Full Scans.

Endpoint Security Threat Prevention On-Demand Scan Quick Scan GTI sensitivity level
This report displays the McAfee GTI sensitivity level for On-Demand Quick Scans.

Other queries

Run these queries to generate reports, or modify them to generate custom reports.

Query... Displays...

Endpoint Security: Top Infected Users in the Last 7 Days
The list of top infected users in the last seven days.

Endpoint Security: Primary Vectors of Attack in the Last 7 Days
The list of Primary Vectors of Attack in the last seven days.

Endpoint Security: Top Threats in the Last 48 Hours
The list of top threats in the last forty-eight hours.

Endpoint Security: Threats Detected in the Last 24 Hours
The number of threat events generated in the last twenty-four hours.

Endpoint Security: Threats Detected in the Last 7 Days
The number of threat events generated in the last seven days.

Endpoint Security: Summary of Threats Detected in the Last 24 Hours
The summary of threats detected in the last twenty-four hours.

Endpoint Security: Summary of Threats Detected in the Last 7 Days
The summary of threats detected in the last seven days.

Endpoint Security: Currently Enabled Technology
The list of technologies that are currently enabled on each managed Mac.

Endpoint Security: Policy Compliance by Computer Name
Two lists of computers which do and do not have the latest policy applied.

Endpoint Security: Policy Compliance by Policy Name
A boolean pie chart showing which policies have and have not been updated on the client Mac.

Endpoint Security: Self Protection Compliance Status
The self-protection compliance status report.

Endpoint Security Platform: Hotfixes Installed
The list of hot fixes installed for the software.

Endpoint Security: Installation Status Report
The stacked bar chart of multiple modules and their installation status.
