VirusScan® Enterprise version 8.0i Product Guide Revision 1.0

VirusScan Enterprise 7.0 Product Guide - McAfeedownloadcenter.mcafee.com/products/japan/virusscan/... · 2004-07-16 · No part of this publication may be reproduced, transmitted,


COPYRIGHT

Copyright © 2004 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972-963-8000.

TRADEMARK ATTRIBUTIONS

Active Firewall, Active Security, ActiveSecurity (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Bomb Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert, Design (Stylized E), Design (Stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy Orchestrator, EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HomeGuard, Hunter, IntruShield, Intrusion Prevention Through Innovation, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and Design, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, McAfee VirusScan, NA Network Associates, Net Tools, Net Tools (in Katakana), NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Associates Coliseum, NetXray, NotesGuard, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PrimeSupport, Recoverkey, Recoverkey - International, Registry Wizard, RingFence, Router PM, SecureCast, SecureSelect, Sniffer, Sniffer (in Hangul), SpamKiller, Stalker, TIS, TMEG, Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Virus Defense, Trusted Mail, UnInstaller, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, What’s The State Of Your IDS?, Who’s Watching Your Network, WinGauge, Your E-Business Defender, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer® brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions

This product includes or may include:

Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.

Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier. Software written by Douglas W. Sauder. Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. International Components for Unicode (“ICU”) Copyright © 1995-2002 International Business Machines Corporation and others. Software developed by CrystalClear Software, Inc., Copyright © 2000 CrystalClear Software, Inc. FEAD® Optimizer® technology, Copyright Netopsystems AG, Berlin, Germany.

Outside In® Viewer Technology © 1992-2001 Stellent Chicago, Inc. and/or Outside In® HTML Export, © 2001 Stellent Chicago, Inc. Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, © 1998, 1999, 2000. Software copyrighted by Expat maintainers. Software copyrighted by The Regents of the University of California, © 1989. Software copyrighted by Gunnar Ritter. Software copyrighted by Sun Microsystems®, Inc. © 2003. Software copyrighted by Gisle Aas. © 1995-2003. Software copyrighted by Michael A. Chase, © 1999-2000. Software copyrighted by Neil Winton, © 1995-1996.

Software copyrighted by RSA Data Security, Inc., © 1990-1992. Software copyrighted by Sean M. Burke, © 1999, 2000. Software copyrighted by Martijn Koster, © 1995. Software copyrighted by Brad Appleton, © 1996-1999. Software copyrighted by Michael G. Schwern, © 2001. Software copyrighted by Graham Barr, © 1998. Software copyrighted by Larry Wall and Clark Cooper, © 1998-2000. Software copyrighted by Frodo Looijaard, © 1997. Software copyrighted by the Python Software Foundation, Copyright © 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.

Software copyrighted by Beman Dawes, © 1994-1999, 2002. Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek © 1997-2000 University of Notre Dame. Software copyrighted by Simone Bordet & Marco Cravero, © 2002. Software copyrighted by Stephen Purcell, © 2001. Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). Software copyrighted by International Business Machines Corporation and others, © 1995-2003. Software developed by the University of California, Berkeley and its contributors. Software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/). Software copyrighted by Kevlin Henney, © 2000-2002. Software copyrighted by Peter Dimov and Multi Media Ltd. © 2001, 2002. Software copyrighted by David Abrahams, © 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, © 2000. Software copyrighted by Boost.org, © 1999-2002. Software copyrighted by Nicolai M. Josuttis, © 1999. Software copyrighted by Jeremy Siek, © 1999-2001. Software copyrighted by Daryle Walker, © 2001. Software copyrighted by Chuck Allison and Jeremy Siek, © 2001, 2002. Software copyrighted by Samuel Krempp, © 2001. See http://www.boost.org for updates, documentation, and revision history. Software copyrighted by Doug Gregor ([email protected]), © 2001, 2002. Software copyrighted by Cadenza New Zealand Ltd., © 2000. Software copyrighted by Jens Maurer, © 2000, 2001. Software copyrighted by Jaakko Järvi ([email protected]), © 1999, 2000. Software copyrighted by Ronald Garcia, © 2002. Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, © 1999-2001. Software copyrighted by Stephen Cleary ([email protected]), © 2000. Software copyrighted by Housemarque Oy <http://www.housemarque.com>, © 2001. Software copyrighted by Paul Moore, © 1999. Software copyrighted by Dr. John Maddock, © 1998-2002. Software copyrighted by Greg Colvin and Beman Dawes, © 1998, 1999. Software copyrighted by Peter Dimov, © 2001, 2002. Software copyrighted by Jeremy Siek and John R. Bandela, © 2001. Software copyrighted by Joerg Walter and Mathias Koch, © 2000-2002.

PATENT INFORMATION

Protected by US Patents 6,006,035; 6,029,256; 6,035,423; 6,151,643; 6,230,288; 6,266,811; 6,269,456; 6,457,076; 6,496,875; 6,542,943; 6,594,686; 6,611,925; 6,622,150.

Issued JULY 2004 / VirusScan® Enterprise software version 8.0i

DOCUMENT BUILD 007-EN


Contents

Section 1: Getting Started

1 Introducing VirusScan Enterprise

What’s new in this release

Product components

Prevention and detection strategies

Using this guide

Audience

Conventions

Resources

Getting product information

Contacting McAfee Security & Network Associates

Links from the VirusScan Console

Help Topics

Virus Information

Submit a Sample

Technical Support

About

2 Setting Up The User Interface

Introducing the user interface

Start menu

VirusScan Console

Menu bar

Toolbar

Task list

Status bar

Right-click menus and scanning

System tray

Command line


Setting user interface options

Display options

Password options

Unlocking and locking the user interface

Setting up remote administration

Section 2: Preventing Intrusions

3 Access Protection

Port blocking properties

Configuring port blocking properties

Port blocking sample rules

File, share, and folder protection properties

Configuring file, share, and folder protection properties

File and folder blocking sample rules

Reports properties

4 Buffer Overflow Protection

Buffer overflow protection properties

Configuring buffer overflow protection properties

Creating an exclusion from a buffer overflow detection

Reports properties

5 Unwanted Programs Policy

Detection properties

Specifying unwanted programs

Excluding unwanted programs

User-defined detection properties

Section 3: Detecting Intrusions

6 On-Access Scanning

Overview of on-access scan properties

Overview of per process configuration


Configuring process settings differently

Defining processes

Assigning risk to a process

Configuring the on-access scanner

General Settings

General properties

ScriptScan properties

Blocking properties

Message properties

Reports properties

Process Settings

Processes properties

All processes properties

Default processes properties

Low-risk processes

High-risk processes

Detection properties

Advanced properties

Actions properties

Unwanted programs properties

Viewing scan results

Scan statistics

Activity log

Responding to virus detections

What happens when a virus is detected?

Taking action on detections

Messenger service notification

On-access scan messages

Submit a virus sample to AVERT

7 On-Demand Scanning

Creating on-demand scan tasks

From the Start menu or system tray

From the console

Configuring on-demand scan tasks

Where properties

Detection properties

Advanced properties


Actions properties

Unwanted programs properties

Reports properties

Adding, removing, and editing items

Adding items

Removing items

Editing items

Resetting or saving default settings

Scheduling on-demand scan tasks

Scanning operations

Running on-demand scan tasks

Pausing and restarting on-demand scan tasks

Stopping on-demand scan tasks

Resumable scanning

Viewing scan results

Scan statistics

Activity log

Responding to virus detections

What happens when a virus is detected?

Taking action on virus detections

Messenger service notification

VirusScan Alert dialog box

On-Demand Scan Progress dialog box

Submit a virus sample to AVERT

8 E-mail Scanning

Configuring the e-mail scanner

Detection properties

On-delivery e-mail scan detection properties

On-demand e-mail scan detection properties

Advanced properties

Actions properties

Alerts properties

Unwanted programs properties

Reports properties

Running the on-demand e-mail task

Viewing e-mail scan results

On-delivery e-mail scan results


Scan statistics

Activity log

On-demand e-mail scan results

Viewing results from the On-Demand Scan dialog box

Viewing results in the activity log

9 Virus Alerting

Configuring Alert Manager

Alert properties

Alert filtering properties

Configuring recipients and methods

Adding alert methods

Sending a test message

Setting the alert priority level for recipients

Viewing the Summary page

Forwarding alert messages to another computer

Sending an alert as a network message

Sending alert messages to e-mail addresses

Sending alert messages to a printer

Sending alert messages via SNMP

Launching a program as an alert

Logging alert notifications in an event log

Sending a network message to a terminal server

Using centralized alerting

Customizing alert messages

Enabling and disabling alert messages

Editing alert messages

Changing alert priority

Editing alert message text

Using Alert Manager system variables

10 Updating

Update strategies

AutoUpdate tasks

AutoUpdate task overview

Creating an AutoUpdate task

Configuring an AutoUpdate task

Running AutoUpdate tasks


Running the update task

Activities that occur during an update task

Viewing the activity log

AutoUpdate repository list

AutoUpdate repositories

Configuring the AutoUpdate repository list

Importing the AutoUpdate repository list

Editing the AutoUpdate repository list

Mirror tasks

Creating a mirror task

Configuring a mirror task

Running mirror tasks

Viewing the mirror task activity log

Roll back DAT files

Manual updates

Updating from DAT file archives

11 Adding, Specifying, & Excluding Scanning Items

Adding file type extensions

Specifying user-defined file types

Excluding files, folders and drives

12 Scheduling Tasks

Tasks that can be scheduled

Task properties

Log on privileges

Schedule properties

Schedule task frequencies

Advanced schedule options

Scheduling tasks by frequency

Daily

Weekly

Monthly

Once

At System Startup

At Logon

When Idle

Run Immediately . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Run On Dialup (p. 284)

Section 4: Appendices, Glossary, & Index

A Command-Line Scanner Program (p. 287)

General command-line options (p. 287)

On-demand scanning command-line options (p. 294)

Update command-line options (p. 297)

B Secure Registry (p. 299)

Alert Manager (p. 300)

McUpdate (p. 300)

On-Access Scanner (p. 301)

On-Demand Scanner (p. 301)

Task Manager (p. 302)

VirusScan Console (p. 302)

C Troubleshooting (p. 303)

Troubleshooting utilities (p. 303)

Minimum Escalation Requirements Tool (p. 304)

Repair Installation (p. 304)

Error Reporting Service (p. 305)

Frequently asked questions (p. 306)

Installation (p. 307)

Scanning (p. 308)

Virus (p. 308)

General (p. 310)

Updating error codes (p. 313)

Glossary (p. 315)

Index (p. 321)

Section 1: Getting Started

Chapter 1, Introducing VirusScan Enterprise

Chapter 2, Setting Up The User Interface

1 Introducing VirusScan Enterprise

McAfee VirusScan Enterprise offers easily scalable protection, fast performance, and mobile design to protect you from viruses, worms, and Trojan horses, as well as potentially unwanted code and programs. It can be configured to scan local and network drives, as well as Microsoft Outlook and Lotus Notes e-mail messages and attachments. You can also configure the application to respond to any infections the scanners find and to generate reports on its actions.

These topics are included in this section:

What’s new in this release

Product components

Prevention and detection strategies

Using this guide

Resources

What’s new in this release

This release of VirusScan Enterprise provides several new features that help to prevent and more effectively detect intrusions:

Access Protection — This feature protects ports, files, shares, and folders from intrusions by restricting access to them. You can create rules to block either inbound or outbound ports, restrict access to shares, and create rules to block access to files and folders. If an outbreak occurs, the administrator can restrict access to the infected areas to prevent further infection until a DAT is released. See Access Protection on page 41.

Source IP (On-access scanning) — When the on-access scanner detects a virus, the detected Source IP displays in the on-access scan messages dialog box.

Blocking (On-access scanning) — This feature blocks connections from remote computers which have infected files in a shared folder. You can specify how long to block these connections. You also have the option to unblock all connections before the specified time limit from the on-access scanning statistics dialog box. See Blocking properties on page 92.

Script Scanning (On-access scanning) — This feature scans JavaScript and VBScript scripts before they are executed. The script scanner operates as a proxy component to the real Windows scripting host component. It intercepts the execution of these scripts and scans them. If they are clean, they are passed on to the real scripting host. If the script is infected, it is not executed. See ScriptScan properties on page 91.

Buffer Overflow Protection — This feature blocks exploited buffer overflows from executing code on your computer. To avoid false positives, VirusScan Enterprise protects approximately 20 applications. These applications are defined in a separate DAT file. See Buffer Overflow Protection on page 63.

Unwanted Programs Policy — This feature detects undesirable programs, such as Spyware and Adware, and takes the actions that you specify. You can select categories of programs from the categories included in the current DAT file, exclude specific categories or files, or add your own programs to detect. Configuration is a two-step process. First, you configure what programs you want to detect in the Unwanted Programs Policy, then you independently enable the policy for each scanner and specify what actions you want the scanner to take when an unwanted program is detected. See Unwanted Programs Policy on page 71.

Lotus Notes (E-mail scanning) — This feature allows you to scan Lotus Notes messages and databases in addition to MAPI-based e-mail, such as Microsoft Outlook. You configure one set of properties that apply to the e-mail client(s) you have installed. See E-mail Scanning on page 153.

Selective Updating (AutoUpdate) — This feature allows you to selectively update just the DAT, scanning engine, product upgrades, HotFixes, Patches, Service Packs, etc. using the AutoUpdate task in the VirusScan Console. See Configuring an AutoUpdate task on page 226.

Repair Installation — This feature allows the administrator to restore the product to the original installation settings or reinstall the program files from the VirusScan Console. This feature is available from the Help menu in the Console.

The user must have administrative rights to perform these functions. The administrator can protect this feature by setting a password for it from the User Interface Options, Password Options dialog box.

Error Reporting Service — When enabled, the Error Reporting Service provides constant background monitoring of Network Associates applications and prompts the user when it detects a problem. When an error is detected, the user can choose either to submit data to Network Associates to be used in future releases or to ignore the error. This feature is available from the Tools menu in the Console.

Alert Manager (Local Alerting) — This feature allows you to generate SNMP traps and local event log entries without installing Alert Manager Server locally. See Configuring Alert Manager on page 182.

Product components

The VirusScan Enterprise software consists of several components that are installed as features. Each feature plays a part in defending your computer against viruses and potentially unwanted software.

VirusScan Console. The console is the control point that allows you to create, configure, and run VirusScan Enterprise tasks. See VirusScan Console on page 27.

AutoUpdate. The AutoUpdate feature allows you to selectively update virus definition (DAT) files, the scanning engine, service packs, and other updates from the McAfee Security download site. See Updating on page 221.

Access Protection. Restrict access to specified ports, files, shares, and folders to block intrusions from accessing the computer until a DAT file is released. See Access Protection on page 41.

Buffer Overflow Protection. Buffer overflow protection prevents exploited applications from executing arbitrary code on your computer. See Buffer Overflow Protection on page 63.

Unwanted Programs Policy. The unwanted programs policy blocks undesirable programs from accessing your computer. See Unwanted Programs Policy on page 71.

Script scanner. The script scanner allows you to scan JavaScript and VBScript scripts before they are executed by the Windows Scripting Host. This feature is configured in the on-access scanning property pages. See ScriptScan properties on page 91.

On-access scanner. The on-access scanner provides continuous anti-virus protection from viruses that arrive on disks, from your network, or from various sources on the Internet. The scanner can be configured to allow scanning policies to be linked to applications that are defined as either low-risk or high-risk. See On-Access Scanning on page 81.

On-demand scanner. The on-demand scanner allows you to initiate a scan at any time; specify scan targets and exclusions; determine how you want the scanner to respond when it detects a virus; and see virus incident reports and alerts. See On-Demand Scanning on page 123.

E-mail scanner. Scan your Microsoft Outlook or Lotus Notes messages, attachments, or public folders to which you have access, directly on the computer. See E-mail Scanning on page 153.

Scheduler. This feature allows you to schedule on-demand, update, and mirror tasks at specific times or intervals. See Scheduling Tasks on page 267.

Command-line scanner. The command-line scanner can be used to initiate targeted scan operations from the Command Prompt dialog box. SCAN.EXE, a scanner for Windows NT environments only, is the primary command-line interface. See Command-Line Scanner Program on page 287.

Alert Manager. This product gives you the ability to receive or send virus-related alert messages. See Virus Alerting on page 181.

Prevention and detection strategies

Developing an effective strategy is the best way to protect your environment from intrusion. Your strategy should include all of these elements:

1 Define your security needs. Viruses are unexpected. Ensure that scanners are configured to scan all of your data sources.

For example, if you do not have the scanner configured to scan floppy disks during shutdown, leaving a disk in your drive as you start your computer could load a virus into memory before the on-access scanner service starts.

2 Update regularly. Ensure that you are using the most current version of the DAT file, scanning engine, and the product. The AutoUpdate feature allows you to selectively update each of these.

3 Prevent intrusions before they can infect your environment. Use these features to prevent intrusions:

Access protection.

Buffer overflow protection.

Unwanted programs policy.

Script scanner.

4 Detect intrusions and stop them before they do damage. Use these features to detect intrusions:

On-access scanning.

On-demand scanning.

E-mail scanning.

Using this guide

This guide includes the following information:

Overview of the product.

Descriptions of all new features in this release of the product.

Descriptions of product features.

Detailed instructions for configuring the product.

Procedures for performing tasks.

Troubleshooting information.

Glossary of terms.

When using this guide, consider the following:

Audience

Conventions

Audience

This information is intended primarily for two audiences:

Network administrators who are responsible for their company’s anti-virus and security program.

Users who are responsible for updating virus definition (DAT) files on their workstation, or configuring the software’s detection options.

Conventions

This guide uses these conventions:

Bold: All words from the user interface, including options, menus, buttons, and dialog box names.

Example: Type the User name and Password of the desired account.

Courier: The path of a folder or program; a web address (URL); text that represents something the user types exactly (for example, a command at the system prompt).

Examples:

The default location for the program is: C:\Program Files\Network Associates\VirusScan

Visit the Network Associates web site at: http://www.networkassociates.com

Run this command on the client computer: C:\SETUP.EXE

Italic: For emphasis or when introducing a new term; for names of product manuals and topics (headings) within the manuals.

Example: Refer to the VirusScan Enterprise Product Guide for more information.

<TERM>: Angle brackets enclose a generic term.

Example: In the console tree under ePolicy Orchestrator, right-click <SERVER>.

NOTE: Supplemental information; for example, an alternate method of executing the same command.

WARNING: Important advice to protect a user, computer system, enterprise, software installation, or data.

Resources

Refer to these sections for additional resources:

Getting product information

Contacting McAfee Security & Network Associates

Links from the VirusScan Console

Getting product information

Installation Guide *†: System requirements and instructions for installing and starting the software.

Product Guide *: Product introduction and features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures.

VirusScan Enterprise Product Guide

Alert Manager™ Product Guide

ePolicy Orchestrator® Product Guide

Help §: High-level and detailed information on configuring and using the software.

What’s This? field-level help.

Configuration Guide *: For use with ePolicy Orchestrator. Procedures for configuring, deploying, and managing your McAfee Security product through ePolicy Orchestrator management software.

Implementation Guide *: Supplemental information for product features, tools, and components.

Release Notes ‡: ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.

Contacts ‡: Contact information for McAfee Security and Network Associates services and resources: technical support, customer service, AVERT (Anti-Virus Emergency Response Team), beta program, and training. This file also includes phone numbers, street addresses, web addresses, and fax numbers for Network Associates offices in the United States and around the world.

* An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site.

† A printed manual that accompanies the product CD. Note: Some language manuals may be available only as a .PDF file.

‡ Text files included with the software application and on the product CD.

§ Help accessed from the software application: Help menu and/or Help button for page-level help; right-click option for What’s This? help.

Contacting McAfee Security & Network Associates

Technical Support

Home Page http://www.networkassociates.com/us/support/

KnowledgeBase Search https://knowledgemap.nai.com/phpclient/homepage.aspx

PrimeSupport Service Portal * http://mysupport.nai.com

McAfee Security Beta Program http://www.networkassociates.com/us/downloads/beta/

Security Headquarters — AVERT (Anti-Virus Emergency Response Team)

Home Page http://www.networkassociates.com/us/security/home.asp

Virus Information Library http://vil.nai.com

Submit a Sample — AVERT WebImmune http://vil.nai.com/vil/submit-sample.asp

AVERT DAT Notification Service http://vil.nai.com/vil/join-DAT-list.asp

Download Site

Home Page http://www.networkassociates.com/us/downloads/

DAT File and Engine Updates http://www.networkassociates.com/us/downloads/updates/

ftp://ftp.nai.com/pub/antivirus/datfiles/4.x

Product Upgrades * https://secure.nai.com/us/forms/downloads/upgrades/login.asp

Training

McAfee Security University http://www.networkassociates.com/us/services/education/mcafee/university.htm

Network Associates Customer Service

E-mail [email protected]

Web http://www.nai.com/us/index.asp

http://www.networkassociates.com/us/support/default.asp

US, Canada, and Latin America toll-free:

Phone +1-888-VIRUS NO or +1-888-847-8766

Monday – Friday, 8 a.m. – 8 p.m., Central Time

For additional information on contacting Network Associates and McAfee Security, including toll-free numbers for other geographic areas, see the Contact file that accompanies this product release.

* Logon credentials required.

Links from the VirusScan Console

The Help menu in the VirusScan Console provides links to some useful resources.

These topics are included in this section:

Help Topics

Virus Information

Submit a Sample

Technical Support

About

Help Topics

Use this link to access the VirusScan Enterprise online Help topics.

Virus Information

Use this link to access the McAfee Security Anti-Virus Emergency Response Team (AVERT) Virus Information Library. This web site has detailed information on where viruses come from, how they infect your system, and how to remove them.

In addition to genuine viruses, the Virus Information Library contains useful information on virus hoaxes, such as virus warnings you receive via e-mail. A Virtual Card For You and SULFNBK are two of the best-known hoaxes but there are many others. Next time you receive a well-meaning virus warning, view our hoax page before you pass the message on to your friends.

To access the Virus Information Library:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Select Virus Information from the Help menu.

Submit a Sample

Use this link to access the McAfee Security AVERT WebImmune web site. If you have a suspicious file that you believe contains a virus, or experience a system condition that might result from an infection, McAfee Security recommends that you send a sample to its anti-virus research team for analysis. Submission initiates not only an analysis but also a real-time fix, if warranted.

To submit a sample virus to AVERT:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Select Submit a Sample from the Help menu.

3 Follow the directions on the web site.

Technical Support

Use this link to access the McAfee Security PrimeSupport KnowledgeCenter Service Portal web site. Browse this site to view frequently asked questions (FAQs) and documentation, and to perform a guided knowledge search.

To access the Technical Support web site:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Select Technical Support from the Help menu.

3 Follow the directions on the web site.

About

The About dialog box provides important information about the product, license, Buffer Overflow Protection Definitions DAT file version, Virus Definitions DAT file version and date, version of the scanning engine, and extra driver information.

Figure 1-1. About dialog box

2 Setting Up The User Interface

This section provides an overview of the user interface and describes how to configure it.

These topics are included in this section:

Introducing the user interface

Setting user interface options

Setting up remote administration

Introducing the user interface

The VirusScan Enterprise software gives you the flexibility to perform an action using several different methods. Although the specific details may vary, many of the actions can be performed from the console, the toolbar, or a menu. Each method is detailed in the following sections.

These interfaces are addressed in this section:

Start menu

VirusScan Console

Right-click menus and scanning

System tray

Command line

Start menu

Click Start, then select Programs|Network Associates to access these items:

VirusScan Console.

VirusScan On-Access Scan property pages.

VirusScan On-Demand Scan property pages. This is a one-time unsaved on-demand scan.

Other McAfee Security products if installed.

VirusScan Console

The VirusScan Console is the control point for all of the program’s activities.

Use either of these methods to open the VirusScan Console:

Click Start, then select Programs|Network Associates|VirusScan Console.

Right-click the VShield icon in the system tray, then select VirusScan Console.

These topics are included in this section:

Menu bar

Toolbar

Task list

Status bar

Figure 2-1. The VirusScan Console

Menu bar

The VirusScan Console includes menus with commands that allow you to create, delete, configure, run, start, stop, and copy scan tasks to suit your most demanding security needs. You can also connect to a remote VirusScan Enterprise computer. All of the commands are available from the menus. Some commands are also available when you right-click a task in the VirusScan Console.

NOTE: Each menu and item on the menu has an associated shortcut key. The shortcut key is underlined for each item. These shortcut keys may not be available on some operating systems unless you use the keyboard (F10 or ALT) to access the menus.

These menus are available from the VirusScan Console:

Task menu — Create and configure tasks, and view statistics and activity logs.

Edit menu — Perform editing functions on selected tasks.

View menu — Specify whether to show the toolbar and status bar, and to refresh the console.

Tools menu — Specify user interface options, lock or unlock user interface security, enable the error reporting service, configure alerts, access the event viewer, open a remote computer when configuring a remote console, import or edit the repository list, and roll back DAT files to a previous version.

Help menu — Access these items:

Help Topics displays VirusScan Enterprise Online Help topics.

Virus Information links to the Virus Information Library.

Submit a Sample links to the Anti-Virus Emergency Response Team (AVERT) web site.

Technical Support links to the McAfee Security Support web site.

Repair Installation allows the administrator to restore settings to the installation defaults and reinstall all of the VirusScan Enterprise program files. The administrator can protect this feature by adding password protection via the User Interface Options.

About displays product version, copyright information, license type and expiration date, Buffer Overflow Protection Definitions DAT file version, virus definitions DAT file version and date, scanning engine version, and extra driver information.

Toolbar

The toolbar gives you quick access to many commands by clicking an icon. The icons are:

Connect to a computer.

Create a new on-demand scan task.

Display properties of the selected task.

Copy the selected task.

Paste the selected task.

Delete the selected task.

Start the selected task.

Stop the selected task.

Access the Virus Information Library.

Open the event viewer.

Configure alerting options.

Task list

When installed, VirusScan Enterprise provides a pre-defined set of tasks that can be configured. These tasks are shown in the VirusScan Console task list.

New tasks can be created from the Task menu and are added to the task list in the VirusScan Console as you create them. For example:

New on-demand scan task. See Creating on-demand scan tasks on page 124.

New update task. See AutoUpdate tasks on page 223.

New mirror task. See Mirror tasks on page 246.

To configure a task, select the task in the Console, then click , or double-click the task to open its property pages.

In addition, you can view tasks created via ePolicy Orchestrator if you choose to do so.

ePO Task. If you are using ePolicy Orchestrator 3.0 or later to manage the VirusScan Enterprise software, you can choose to view ePolicy Orchestrator tasks in the VirusScan Console. This applies to on-demand, update, and mirror tasks. See the VirusScan Enterprise Configuration Guide for use with ePolicy Orchestrator for information about enabling ePolicy Orchestrator task visibility.

Status bar

The status bar shows the status of the current activity.


Right-click menus and scanning

Use right-click menus for quick access to commonly used actions such as creating new tasks, viewing task statistics and logs, opening task property pages, or scanning a specific file or folder for viruses.

Right-click menus from the console

These menus vary, depending on whether you have selected a task in the task list, and on which task you select. You can access two types of right-click menus from the console:

When a task is selected, right-click to access its properties. Depending on which task you select, you may also be able to start or stop the task, enable or disable the task, view statistics, or view the activity log. In some cases, you can also rename or delete a task.

When no task is selected, right-click a blank area in the console to configure user interface options or create a new scan, update, or mirror task.

Right-click scan of selected files or folders

You can perform an immediate on-demand scan of a selected file or folder by right-clicking on the file or folder in Windows Explorer, then selecting Scan for viruses. This type of scanning is useful if you are concerned that a specific folder or file may be infected and you want to scan it immediately.

You cannot customize scan options when performing this type of right-click scan. The on-demand scanner is invoked directly with all scan settings, such as archive scanning and heuristic scanning, enabled. Once invoked, the scanner continues until it completes scanning of the selected file or folder. If a file or folder is found to be infected, it is displayed in a list view with the details of the infected item at the bottom of the scanning dialog box. You can take action on the infected item by right-clicking it in the list view and selecting the clean, delete, or move action.

To customize the scan options or create a new on-demand scan task, see Creating on-demand scan tasks on page 124 for more information.

Right-click scan from the system tray

Use this feature to create a one-time, unsaved on-demand scan or update task. This is useful when you want to quickly scan a drive, folder, or file at a time other than your regularly scheduled on-demand scan or perform an immediate update. You can configure this type of right-click scan.

Right-click the Vshield icon in the system tray to display the menu.


System tray

With a typical installation, the on-access scanner installs and activates itself by default. See the VirusScan Enterprise Installation Guide for more information.

Once active, the scanner displays the Vshield icon in the Windows system tray:

Double-click the Vshield icon in the system tray to view On-Access Scan Statistics.

Right-click the Vshield icon in the system tray to display the menu.

The system tray menu includes these options:

VirusScan Console. Displays the VirusScan Console.

Disable On-Access Scan. Deactivates the on-access scanner. This function toggles between disable and enable.

On-Access Scan Properties. Opens the on-access scanner property pages.

On-Access Scan Statistics. View on-access scanner statistics from which you can enable or disable the on-access scanner and open the on-access scanner property pages.

On-Access Scan Messages. View the on-access scanner messages from which you can take action on messages or files in the list.

On-Demand Scan. Opens the on-demand scanner property pages and allows you to run an on-demand scan.

Update Now. Performs an immediate default update task.

NOTE: Update Now only works with the default update task, which was created when you installed the product. You can rename and reconfigure the default update task, but if you delete the default task, Update Now is disabled.

About VirusScan Enterprise. Displays product version, copyright information, license type and expiration date, buffer overflow DAT file version, virus DAT file version and date, scanning engine version, and extra driver information.

Command line

Use the command line feature to perform activities from the Command Prompt. See Command-Line Scanner Program on page 287 for more information.


Setting user interface options

Use these options to configure display and password settings.

These topics are included in this section:

Display options

Password options

Unlocking and locking the user interface


Display options

Determine which system tray options users can access and whether to allow connections to remote consoles.

To set display options from the VirusScan Console:

1 Select Tools|User Interface Options, then select the Display Options tab.

2 Under System tray icon, select which system tray options you want users to see:

Show the system tray icon with all menu options (Default). Allow users to see all options on the system tray menu.

Show the system tray icon with minimal menu options. Limit the options on the system tray menu to About VirusScan Enterprise and On-Access Scan Statistics. All other menu items are hidden.

Do not show the system tray icon. Prevent users from seeing the system tray icon.

3 Select Allow this system to make remote console connections to other systems to let users connect to remote computers.

4 Click Apply, then OK to save these settings and close the dialog box.

Figure 2-2. Display Options


Password options

Set password security for either the entire system or the items you select.

Setting a password has the following impact for users:

Non-administrators — Users who do not have administrator rights. Non-administrators always run VirusScan Enterprise applications in read-only mode. They can view some configuration parameters, run saved scan tasks, and run immediate scans and updates. They cannot change any configuration parameters or create, delete, or modify saved scan and update tasks.

Administrators — Users who have administrator rights. Permissions vary depending on whether a password has been set.

If a password is not set, administrators run all VirusScan Enterprise applications in read/write mode. They can view and change all configuration parameters, run tasks, and create, delete, and modify saved scan and update tasks.

If a password is set, administrators see the protected tabs and controls in read-only mode if they have not entered the security password. Administrators can lock or unlock the user interface through the console. See Unlocking and locking the user interface on page 37 for more information.

NOTE: A red locked padlock indicates that a password is required for the item. A green unlocked padlock indicates that the item is read/write accessible.


To set password protection from the VirusScan Console:

1 Select Tools|User Interface Options, then select the Password Options tab.

2 Choose one of these options:

No password (Default).

Password protection for all items listed. Specify one password for all items listed. Users must type the specified password before they can access any locked tabs or controls in the software.

a Select Password protection for all items listed.

b Type and confirm the password.

Password protection for the selected items below. Specify one password for selected items in the list. Items not locked do not require a password.

a Select Password protection for the selected items below.

b Type and confirm the password.

c Select all of the items for which this password applies.

3 Click Apply to save these settings, then click OK to close the dialog box.

Figure 2-3. Password Options


Unlocking and locking the user interface

Administrators can unlock and lock protected tabs and controls through the console.

NOTE: If password protection is selected for any item, the User Interface Options dialog box is automatically protected as well. If password protection has been set for any item and the user logs out, the user interface is automatically locked again.

To unlock the user interface

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Select Tools|Unlock User Interface.

3 Type the password.

4 Click OK.

To lock the user interface

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Select Tools|Lock User Interface.


Setting up remote administration

You can connect to remote computers to perform operations such as modifying or scheduling scanning or update tasks, or enabling and disabling the on-access scanner on a remote computer. To do so, you must have administrator rights and the Remote Registry Service must be running.

NOTE: If you do not have administrator rights to connect to the remote computer, you receive an "Insufficient user rights, access denied" error message.

When you start the VirusScan Console, the name of the computer you are connected to appears in the console title bar, and in the menu at the left of the console toolbar. If you have not connected to a computer elsewhere on the network, the title bar shows the name of your local computer.

To administer a remote computer on which the VirusScan Enterprise program is installed:

1 From the Tools menu, select Open Remote Console or click the toolbar icon for connecting to a computer.

The Connect to Remote Computer dialog box appears.

2 Under Connect to computer, type the name of the computer that you want to administer, click to select a computer from the list, or click Browse to locate the computer on the network.

WARNING: If environment variables are used while configuring the path name of the file or folder for a remote task, be sure that the environment variable exists on the remote computer. The VirusScan Console cannot validate environment variables on the remote computer.

3 Click OK to make a connection attempt to the destination computer.

When you connect to the remote computer, the title bar changes to reflect that computer’s name, and the tasks in the task list are those for the remote computer. You can add, delete, or reconfigure tasks for the remote computer.

The console reads the remote computer’s registry and displays the tasks of the remote computer.

You can open multiple remote consoles. When you close the Connect to Remote Computer dialog box, the connection to the remote computer closes as well.


SECTION 2: PREVENTING INTRUSIONS

Chapter 3, Access Protection

Chapter 4, Buffer Overflow Protection

Chapter 5, Unwanted Programs Policy


Chapter 3: Access Protection

Prevent intrusions by restricting access to specified ports, files, folders, and shares. This can be critical both before and during virus outbreaks. You can block access to ports and port ranges, lock down shares, files, and directories to read-only, block the execution of a specific file, and generate log entries and/or Alert Manager and ePolicy Orchestrator events when attempts are made to access blocked items. If an outbreak occurs, you can block destructive code from accessing the computer until a DAT file is released.

These topics are included in this section:

Port blocking properties

File, share, and folder protection properties

Reports properties


Port blocking properties

Block incoming or outgoing traffic on specified ports and choose whether to log entries when attempts are made to access blocked ports. When you block a port, both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) access is blocked.

These topics are included in this section:

Configuring port blocking properties

Port blocking sample rules

Configuring port blocking properties

1 Open the VirusScan Console, then open the Access Protection Properties dialog box using one of these methods:

Right-click Access Protection in the console, then select Properties.

Double-click Access Protection in the console.

Highlight Access Protection in the console, then click the properties icon in the console toolbar.


2 Select the Port Blocking tab.

3 To report attempts to access blocked items, select Report access attempts in the log file and/or by generating Alert Manager and ePO events (Default).

In Minimum time interval between reports specify the number of minutes (between 1 and 999) that you want to wait between reports.

4 Under Ports to block, add, edit, or remove port blocking rules.

NOTE: Some sample rules may be provided with the software. Select a rule in the list to enable it or deselect a rule to disable it. See Port blocking sample rules on page 45 for more information.

Figure 3-1. Access Protection — Port Blocking tab


a To create a new rule, click Add.

Under Rule Name, type the name of the new rule.

In the First Port text box, type the port number.

In the Ending Port text box, type the ending port number. This field is only required if you are entering a range of ports.

Under Direction, select whether to block Inbound or Outbound accesses for the port(s) you specified.

NOTE: If you want to block both inbound and outbound accesses for the specified ports, you must create two separate rules.

Under Excluded Processes, type the name of one or more processes to exclude from this rule. Use commas to separate multiple process names. The processes you list here can access the port(s) you blocked.

Click OK to return to the Port Blocking tab.

WARNING: If you block a port that is used by the ePolicy Orchestrator agent or the Entercept agent, the agent's processes are trusted and are allowed to communicate with the blocked port. All other traffic not related to these agent processes is blocked.

Figure 3-2. Add or edit port blocking range


b To edit an existing rule, select it in the Ports to block list, then click Edit. Make changes, then click OK to return to the Port Blocking tab.

c To delete a rule, select it in the Ports to block list, then click Remove.

5 Click Apply to save these settings.

Port blocking sample rules

These are examples of rules that can be used to restrict access to ports:

Mass Mailing Worms

Inbound IRC Connections

Outbound IRC Connections

Internet Downloads

WARNING: These sample rules are not intended to provide complete protection for your environment. The restrictions that you need depend on your environment. The sample rules that we provide here are intended to provide examples of what port blocking does and how it can be used to prevent some specific threats.


Mass Mailing Worms

Use this rule to prevent mass-mailing worms from sending mail.

1 On the Port Blocking tab, click Add.

2 Under Rule Name, type the name for this rule.

3 Under Ports to block, type 25 in the First port text box.

4 Under Direction, select Outbound.

5 Under Excluded Processes, type the processes that you want to exclude from this rule. For this example, type these processes:

amgrsrvc.exe, tomcat.exe, outlook.exe, msimn.exe, agent.exe, eudora.exe, nlnotes.exe, mozilla.exe, netscp.exe, opera.exe, winpm-32.exe, pine.exe, poco.exe, thebat.exe, thunderbird.exe

6 Click OK to return to the Port Blocking tab, then click Apply to save these settings.

Figure 3-3. Mass-mailing worms — Sample rule


Inbound IRC Connections

Use this rule to prevent inbound IRC connections:

1 On the Port Blocking tab, click Add.

2 Under Rule Name, type the name for this rule.

3 Under Ports to block:

a Type the first port number that you want to block in the First port text box.

b Type the ending port number for the range of ports in the Ending port text box.

4 Under Direction, select Inbound.

5 Click OK to return to the Port Blocking tab, then click Apply to save these settings.

Figure 3-4. Inbound IRC Connections — Sample rule


Outbound IRC Connections

Use this rule to prevent outbound IRC connections:

1 On the Port Blocking tab, click Add.

2 Under Rule Name, type the name for this rule.

3 Under Ports to block:

a Type the first port number that you want to block in the First port text box.

b Type the ending port number for the range of ports in the Ending port text box.

4 Under Direction, select Outbound.

5 Click OK to return to the Port Blocking tab, then click Apply to save these settings.

Figure 3-5. Outbound IRC connections — Sample rule


Internet Downloads

Use this rule to prevent downloads from the internet:

1 On the Port Blocking tab, click Add.

2 Under Rule Name, type the name for this rule.

3 Under Ports to block, type 80 in the First port text box.

4 Under Direction, select Outbound.

5 Under Excluded Processes, type the processes that you want to exclude from this rule. For this example, type these processes:

outlook.exe, msimn.exe, iexplore.exe, mozilla.exe, netscp.exe, opera.exe, thunderbird.exe, msn6.exe, neo20.exe, mobsync.exe, waol.exe

6 Click OK to return to the Port Blocking tab, then click Apply to save these settings.

Figure 3-6. Internet Downloads — Sample rule
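The four sample port blocking rules above, modelled as an added example (not McAfee's code) so that a rule set can be checked before it is deployed: decide returns the rule that would block an access, and one_way_ports lists ports blocked in only one direction. Assumptions: process names compare case-insensitively, the IRC range 6666-6669 is a constructed sample because the guide gives no port numbers for those rules, and the rule names are taken from the section headings; PortRule, make_rule, decide and one_way_ports are hypothetical names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    name: str
    first_port: int
    end_port: int
    direction: str        # "inbound" or "outbound"; one direction per rule
    excluded: frozenset   # lower-cased process names allowed through


def make_rule(name, first_port, direction, end_port=None, excluded=""):
    """Build a rule from the dialog fields; Ending Port is optional."""
    end_port = first_port if end_port is None else end_port
    if not 0 <= first_port <= end_port <= 65535:
        raise ValueError(f"{name}: bad port range {first_port}-{end_port}")
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"{name}: direction must be inbound or outbound")
    # Excluded Processes is one comma-separated string; spacing may vary.
    names = frozenset(p.strip().lower() for p in excluded.split(",") if p.strip())
    return PortRule(name, first_port, end_port, direction, names)


def decide(rules, process, port, direction):
    """Return the name of the first rule that blocks this access, else None."""
    for rule in rules:
        if (rule.direction == direction
                and rule.first_port <= port <= rule.end_port
                and process.lower() not in rule.excluded):
            return rule.name
    return None


def _ranges(ports):
    """Collapse a set of ports into sorted (first, last) tuples."""
    out = []
    for p in sorted(ports):
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out


def one_way_ports(rules):
    """Ports blocked in exactly one direction (both needs a second rule)."""
    covered = {"inbound": set(), "outbound": set()}
    for rule in rules:
        covered[rule.direction].update(range(rule.first_port, rule.end_port + 1))
    return {
        "inbound_only": _ranges(covered["inbound"] - covered["outbound"]),
        "outbound_only": _ranges(covered["outbound"] - covered["inbound"]),
    }


# Rule names and the IRC port range are constructed (assumptions);
# the excluded-process lists are the ones printed in the guide.
SAMPLE_RULES = [
    make_rule("Mass Mailing Worms", 25, "outbound", excluded=(
        "amgrsrvc.exe, tomcat.exe, outlook.exe, msimn.exe, agent.exe, "
        "eudora.exe, nlnotes.exe, mozilla.exe, netscp.exe, opera.exe, "
        "winpm-32.exe, pine.exe, poco.exe, thebat.exe, thunderbird.exe")),
    make_rule("Inbound IRC Connections", 6666, "inbound", end_port=6669),
    make_rule("Outbound IRC Connections", 6666, "outbound", end_port=6669),
    make_rule("Internet Downloads", 80, "outbound", excluded=(
        "outlook.exe, msimn.exe, iexplore.exe,mozilla.exe, netscp.exe, "
        "opera.exe, thunderbird.exe, msn6.exe, neo20.exe, mobsync.exe, "
        "waol.exe")),
]

if __name__ == "__main__":
    # Constructed accesses: (process, port, direction)
    for proc, port, direction in [("outlook.exe", 25, "outbound"),
                                  ("unknown.exe", 25, "outbound"),
                                  ("unknown.exe", 25, "inbound"),
                                  ("unknown.exe", 6667, "inbound")]:
        verdict = decide(SAMPLE_RULES, proc, port, direction) or "allowed"
        print(f"{proc:12} {direction:8} {port:5} -> {verdict}")
    print(one_way_ports(SAMPLE_RULES))
```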


File, share, and folder protection properties

Prevent read or write access to files, shares, and folders. This feature can be very powerful in preventing intrusions as well as stopping intrusions from spreading during virus outbreaks. Once you restrict access to a file, share, or folder, the restriction remains in place until the administrator removes it.

These topics are included in this section:

Configuring file, share, and folder protection properties

File and folder blocking sample rules

Configuring file, share, and folder protection properties

1 Open the Access Protection Properties dialog box, then select the File, Share, and Folder Protection tab.

Figure 3-7. Access Protection — File, Share, and Folder Protection tab


2 Under Shares, select the restriction option that applies and choose whether to log attempts to access blocked items:

Leave shares with their existing access rights. (Default).

Make all shares read only.

Block read and write access to all shares.

WARNING: Keep in mind that selecting either the read-only option or the option to block read and write access enforces these restrictions on all users, including administrators. Setting either of these options may result in users contacting the Help Desk for an explanation.

If you selected Make all shares read only or Block read and write access to all shares, specify what action to take when an attempt is made to access a blocked item:

Warning mode (Report access attempts, but do not block). Records attempts to access blocked items in the log file, but does not block the item.

NOTE: Warning mode is useful when the full impact of a new rule is unknown. Use the rule in Warning mode for a short time, then review the log file to help determine whether to change to one of the blocking modes.

Block access attempts, but do not report. Blocks the restricted item but does not record the attempt to access the blocked item in the log file.

Block and report access attempts. Blocks the restricted item and records the attempt to access it in the log file.

3 Under Files and folders to block, add, edit, or remove file and folder blocking rules.

NOTE: Some sample rules may be provided with the software. Select a rule in the list to enable it or deselect a rule to disable it. See File and folder blocking sample rules on page 53 for more information.


a To create a new rule, click Add.

Under Rule Name, type the name for this rule.

Under What to block, type the process that you want to block.

Under File or folder name to block, type the file or folder name.

NOTE: Wildcards are allowed when specifying files or folders. Be careful when using wildcards to ensure that you do not accidentally restrict access to the wrong file or folder.

Under File actions to prevent, select the actions that you want to restrict for this rule.

Under How to react, select the action that you want to take when an attempt is made to access the blocked item.

Click OK to save the rule and return to the File, Share, and Folder Protection tab.

b To change an existing rule, select it in the list, then click Edit or double-click it in the list. Change the rule, then click OK to save the rule and return to the File, Share, and Folder Protection tab.

c To delete a rule, select it in the Files and folders to block list, then click Remove.

4 Click Apply to save these settings.


File and folder blocking sample rules

These are examples of rules that can be used to restrict access to files and folders:

Internet Explorer

Microsoft Outlook

Outlook Express

Packager

TFTP.EXE

Share-hopping worms

WARNING: These sample rules are not intended to provide complete protection for your environment. The restrictions that you need depend on your environment. The sample rules that we provide here are intended to provide examples of what file and folder blocking does and how it can be used to prevent some specific threats.


Internet Explorer

Use this rule to prevent Internet Explorer from launching anything from any temporary directory:

1 On the File, Share, and Folder Protection tab, click Add.

2 Under Rule Name, type the name for this rule.

3 Under What to block, type iexplore.exe.

4 Under File or folder name to block, type **\temp*\**. For this example, a double asterisk (**) indicates any number of directories that the asterisk matches, up to a back slash (\) character.

5 Under File actions to prevent, select Files being executed.

6 Under How to react, select Block and report access attempts.

7 Click OK to save the rule and return to the Files, Shares, and Folders Protection tab, then click Apply to save these settings.

Figure 3-8. Internet Explorer — Sample rule


Microsoft Outlook

Use this rule to prevent Microsoft Outlook from launching anything from any temporary directory:

1 On the File, Share, and Folder Protection tab, click Add.

2 Under Rule Name, type the name for this rule.

3 Under What to block, type OUTLOOK.EXE.

4 Under File or folder name to block, type **\temp*\**. For this example, a double asterisk (**) indicates any number of directories that the asterisk matches, up to a back slash (\) character.

5 Under File actions to prevent, select Files being executed.

6 Under How to react, select Block and report access attempts.

7 Click OK to save the rule and return to the Files, Shares, and Folders Protection tab, then click Apply to save these settings.

Figure 3-9. Microsoft Outlook — Sample rule


Outlook Express

Use this rule to prevent Outlook Express from launching anything from any temporary directory:

1 On the File, Share, and Folder Protection tab, click Add.

2 Under Rule Name, type the name for this rule.

3 Under What to block, type msimn.exe.

4 Under File or folder name to block, type **\temp*\**. For this example, a double asterisk (**) indicates any number of directories that the asterisk matches, up to a back slash (\) character.

5 Under File actions to prevent, select Files being executed.

6 Under How to react, select Block and report access attempts.

7 Click OK to save the rule and return to the Files, Shares, and Folders Protection tab, then click Apply to save these settings.

Figure 3-10. Outlook Express — Sample rule


Packager

Use this rule to prevent Packager from launching anything from any temporary directory:

1 On the File, Share, and Folder Protection tab, click Add.

2 Under Rule Name, type the name for this rule.

3 Under What to block, type packager.exe.

4 Under File or folder name to block, type **\temp*\**. For this example, a double asterisk (**) indicates any number of directories that the asterisk matches, up to a back slash (\) character.

5 Under File actions to prevent, select Files being executed.

6 Under How to react, select Block and report access attempts.

7 Click OK to save the rule and return to the Files, Shares, and Folders Protection tab, then click Apply to save these settings.

Figure 3-11. Packager — Sample rule


TFTP.EXE

Use this rule to prevent all access to TFTP.EXE because some worms use it to download the remainder of themselves after initial infection.

1 On the File, Share, and Folder Protection tab, click Add.

2 Under Rule Name, type the name for this rule.

3 Under What to block, type *.

4 Under File or folder name to block, type **\tftp.exe.

5 Under File actions to prevent, select all options.

6 Under How to react, select Block and report access attempts.

7 Click OK to save the rule and return to the Files, Shares, and Folders Protection tab, then click Apply to save these settings.

Figure 3-12. TFTP.EXE — Sample rule


Share-hopping worms

Use this rule to prevent worms that hop from share to share by infecting executable files on the network or by copying themselves to other computers.

1 On the File, Share, and Folder Protection tab, click Add.

2 Under Rule Name, type the name for this rule.

3 Under What to block, type System:Remote. System:Remote is a special case process name and refers to all file outcomes made from a different computer.

4 Under File or folder name to block, type **\*.exe.

5 Under File actions to prevent, select Write access to files, New files being created, and Files being deleted.

6 Under How to react, select Block and report access attempts.

7 Click OK to save the rule and return to the Files, Shares, and Folders Protection tab, then click Apply to save these settings.

Figure 3-13. Share hopping worms — Sample rule


Reports properties

To specify whether to record activity in a log file and configure the location, size limit, and format of the log file:

1 Open the Access Protection Properties dialog box, then select the Reports tab.

2 Under Log file, select from these options:

Log to file (Default). Record attempts to access blocked items in a log file.

In the text box, accept the default log file name and location, type a different name and location, or click Browse to locate a file elsewhere on your computer or network.

By default, the scanner writes log information to the ACCESSPROTECTIONLOG.TXT file in this folder:

<drive>:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\

NOTE: This location may vary depending on what operating system you are using.

Figure 3-14. Access Protection — Reports tab


Limit size of log file (Default). Select this option then specify the maximum size for the log file.

Maximum log file size. Accept the default size (1MB) or set a different size for the log between 1MB and 999MB.

NOTE: If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.

Format. Select the format of the log file: Unicode (UTF8) (Default), Unicode (UTF16), or ANSI.

NOTE: The format you choose depends on how important file size and data integrity are to you. ANSI format is usually the smallest file, which may work well if you are storing western text (every character is one byte) but may not work well with eastern text (every character is one or two bytes). If you are sharing information within a multi-national organization, we recommend using one of the Unicode formats, either UTF8 or UTF16.

View Log. View the existing log file.

3 Click Apply to save these settings.


4

Buffer Overflow Protection

A buffer overflow exploit is an attack technique that exploits a software design defect in an application or process to force it to execute code on the computer. Applications have fixed-size buffers that hold data. If an attacker sends too much data or code into one of these buffers, the buffer overflows. The computer then executes the code that overflowed as a program. Since the code execution occurs in the security context of the application, which is often at a highly-privileged or administrative level, intruders gain access to execute commands not usually accessible to them. An attacker can use this vulnerability to execute custom hacking code on the computer and compromise its security and data integrity.

Buffer overflow protection prevents exploited buffer overflows from executing arbitrary code on your computer. It monitors user-mode API calls and recognizes when they are called as a result of a buffer overflow.

VirusScan Enterprise protects approximately 20 applications, including Internet Explorer, Microsoft Outlook, Outlook Express, Microsoft Word, and MSN Messenger. These applications are defined in a separate Buffer Overflow Protection Definitions DAT file. The version number for this DAT file can be viewed in the About dialog box from the Help menu and in the activity log. This DAT file can be updated using the AutoUpdate task.

These topics are included in this section:

Buffer overflow protection properties

Reports properties


Buffer overflow protection properties

Configure how to protect your computer from buffer overflow exploits and whether to log entries when attempts are made to access blocked items.

These topics are included in this section:

Configuring buffer overflow protection properties

Creating an exclusion from a buffer overflow detection

Configuring buffer overflow protection properties

1 Open the VirusScan Console, then open the Buffer Overflow Protection Properties dialog box using one of these methods:

Right-click Buffer Overflow Protection in the console, then select Properties.

Double-click Buffer Overflow Protection in the console.

Highlight Buffer Overflow Protection in the console, then click in the console toolbar.


2 On the Buffer Overflow Protection tab, configure these options:

3 Select Enable buffer overflow protection, then choose the protection mode:

Warning mode. Provides a warning when a buffer overflow is detected. No other action is taken.

NOTE: Warning mode is useful when the full impact of a new rule is unknown. Use the rule in Warning mode for a short time, then review the log file to help determine whether to change to Protection mode.

Protection mode. Blocks a buffer overflow when it is detected and the detected thread is terminated. This may result in the application terminating as well.

4 Select Show the messages dialog box when a buffer overflow is detected to display the VirusScan On-Access Scan Messages dialog box when a detection occurs.

Figure 4-1. Buffer Overflow Protection tab


5 Under Buffer Overflow exclusions, add, edit, or remove exclusions for processes that you do not want to detect. These may be processes that generate a false positive.

a To configure a new exclusion, click Add.

In the Process name text box, type the name of the process that you want to exclude from detection. You can type just the process name or the process name including the path to the process. If you type just the process name, such as OUTLOOK.EXE, that process is excluded whenever it is executed no matter where it is located. If you type the process name including the path, such as C:\Program files\OUTLOOK.EXE, that process is only excluded when it is executed from the specified path.

In the Module name text box, type the name of the module that you want to exclude from detection. The Module name is not always used, consequently this field may be blank.

In the API name text box, type the name of the API that you want to exclude from detection.

When finished, click OK to return to the Buffer Overflow Protection tab.

NOTE: If you are adding an exclusion as a result of a buffer overflow detection, see Creating an exclusion from a buffer overflow detection on page 67.

b To change an exclusion, select it in the list, then click Edit, or double-click it in the list. Change the exclusion, then click OK.

Figure 4-2. Add buffer overflow exclusion


c To delete an exclusion, select it in the list, then click Remove.

6 Click Apply to save these settings.

Creating an exclusion from a buffer overflow detection

When a buffer overflow is detected, you can use the information in the log file, event, or the VirusScan On-Access Scan Messages dialog box to create an exclusion. This example uses the information in the VirusScan On-Access Scan Messages dialog box.

1 View the VirusScan On-Access Scan Messages dialog box.

NOTE: The VirusScan On-Access Scan Messages dialog box displays an alert notification when a buffer overflow is detected, if you configured it to do so, or you can access the VirusScan On-Access Scan Messages dialog box from the Vshield icon in the Windows system tray.

The Name column provides the information that you need to create the exclusion. It includes the Process name, the Module name, and the API name, in this format:

Process name:Module name:API name

Figure 4-3. Sample buffer overflow detection


This example displays this information:

The Process name is services.exe.

The Module name is not provided.

NOTE: The Module name is not always used and is not required to create a buffer overflow exclusion. If the information displays a double colon (::) where the Module name would be, then there is no Module name for the buffer overflow exclusion.

The API name is LoadLibraryA.

2 Open the Buffer Overflow Protection Properties dialog box, select the Buffer Overflow Protection tab, then click Add.

Enter the information for this exclusion, then click OK to return to the Buffer Overflow Protection tab.

3 Click Apply to save these settings.

Figure 4-4. Sample buffer overflow exclusion
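The Name format and the process-name rule described above, as an added example that is not part of the product guide or the product's own code: it parses names of the form Process name:Module name:API name and lists which detections a proposed exclusion would cover, which helps when reviewing Warning mode results before adding exclusions. Only the services.exe / LoadLibraryA name comes from the guide; the other sample names are constructed, and the comparison details (case-insensitive process and module, exact API name) are assumptions.

```python
import ntpath
from typing import NamedTuple


class Entry(NamedTuple):
    """One (process, module, API) triple: a detection or an exclusion."""
    process: str  # bare name (OUTLOOK.EXE) or name including its path
    module: str   # "" when the Name field shows a double colon (::)
    api: str


def parse_detection_name(name: str) -> Entry:
    """Split 'Process name:Module name:API name' into its three fields.

    Splitting from the right keeps a drive-letter colon (C:\\...) inside the
    process field instead of treating it as a field separator.
    """
    parts = [p.strip() for p in name.strip().rsplit(":", 2)]
    if len(parts) != 3 or not parts[0] or not parts[2]:
        raise ValueError(f"not a Process:Module:API name: {name!r}")
    process, module, api = parts
    # 'C:\a.exe:Api' has only two fields; the drive colon must not count.
    if len(process) == 1 and module.startswith("\\"):
        raise ValueError(f"not a Process:Module:API name: {name!r}")
    return Entry(process, module, api)


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (works on any OS)."""
    return ntpath.normcase(ntpath.normpath(path))


def exclusion_covers(excl: Entry, det: Entry) -> bool:
    """True if the exclusion would apply to the detection.

    Process rule from the guide: a bare process name is excluded wherever it
    is located; a name with a path is excluded only from that path.
    Assumption: module compares case-insensitively, API name exactly.
    """
    if ntpath.dirname(excl.process):
        # A detection name without a path cannot be confirmed, so no match.
        process_ok = _norm(excl.process) == _norm(det.process)
    else:
        process_ok = _norm(excl.process) == _norm(ntpath.basename(det.process))
    return (process_ok
            and excl.module.lower() == det.module.lower()
            and excl.api == det.api)


def review_exclusions(names, exclusions):
    """Per exclusion: the detections it covers and whether it ignores location."""
    detections = [parse_detection_name(n) for n in names]
    return [
        {
            "exclusion": excl,
            "any_path": not ntpath.dirname(excl.process),
            "covered": [d for d in detections if exclusion_covers(excl, d)],
        }
        for excl in exclusions
    ]


# Sample input. The first name is the guide's example; the rest are constructed.
SAMPLE_NAMES = [
    "services.exe::LoadLibraryA",
    r"C:\Program files\OUTLOOK.EXE:example.dll:ExampleApi",
    r"D:\Temp\OUTLOOK.EXE:example.dll:ExampleApi",
]

# Proposed exclusions (constructed): bare names versus a name with a path.
SAMPLE_EXCLUSIONS = [
    Entry("services.exe", "", "LoadLibraryA"),
    Entry("OUTLOOK.EXE", "example.dll", "ExampleApi"),
    Entry(r"C:\Program files\OUTLOOK.EXE", "example.dll", "ExampleApi"),
]

if __name__ == "__main__":
    for row in review_exclusions(SAMPLE_NAMES, SAMPLE_EXCLUSIONS):
        scope = "any location" if row["any_path"] else "one path only"
        print(f"{row['exclusion'].process} ({scope}):")
        for det in row["covered"]:
            print(f"  covers {det.process} [{det.module or '-'}] {det.api}")
```

The bare OUTLOOK.EXE exclusion also covers the copy running from D:\Temp, while the exclusion typed with a path covers only the expected install location.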


Reports properties

To specify whether to record activity in a log file and configure the location, size limit, and format of the log file:

1 Open the Buffer Overflow Protection Properties dialog box.

2 Select the Reports tab.

3 Under Log file, select from these options:

Log to file (Default). Record buffer overflow detections in a log file.

In the text box, accept the default log file name and location, type a different name and location, or click Browse to locate a file elsewhere on your computer or network.

By default, the scanner writes log information to the BUFFEROVERFLOWPROTECTIONLOG.TXT file in this folder:

<drive>:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\

NOTE: This location may vary depending on what operating system you are using.

Figure 4-5. Buffer Overflow Protection — Reports tab


Limit size of log file (Default). Select this option then specify the maximum size for the log file.

Maximum log file size. Accept the default size (1MB) or set a different size for the log between 1MB and 999MB.

NOTE: If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.

Format. Select the format of the log file: Unicode (UTF8) (Default), Unicode (UTF16), or ANSI.

NOTE: The format you choose depends on how important file size and data integrity are. ANSI format is usually the smallest file, which may work well if you are storing western text (every character is one byte) but may not work well with eastern text (every character is one or two bytes). If you are sharing information within a multi-national organization, we recommend using one of the Unicode formats, either UTF8 or UTF16.

View Log. View the existing log file.

4 Click Apply to save these settings.


5

Unwanted Programs Policy

Unwanted programs, such as spyware and adware, can be both a nuisance and a security risk. VirusScan Enterprise allows you to define programs as unwanted, then take the actions that you specify on the detected programs. You can select whole categories of programs, or specific programs within those categories, from a pre-defined list which comes from the current DAT file. You can also add your own programs to detect.

The actual detection and subsequent cleaning of unwanted programs is determined by the DAT file, just as it is for a virus. If you detect a program and the primary action is set to Clean, the DAT file tries to clean the program using the information in the DAT file. If the detected program cannot be cleaned, or is not in the DAT file, for example a user-defined program, the clean action fails and the secondary action is taken.

Configuration is a two-step process:

1 You configure what programs to detect in the Unwanted Programs Policy. This section provides information about how to do this.

2 You independently configure each of the scanners to enable the policy and specify what actions you want the scanner to take when an unwanted program is detected. See these sections for more information about configuring these options:

Configuring the on-access scanner on page 87.

Configuring on-demand scan tasks on page 127.

Configuring the e-mail scanner on page 154.

These topics are included in this section:

Detection properties

User-defined detection properties


Detection properties

Use the options on the Detection tab to specify categories of programs or specific files to detect or to exclude from detection.

These topics are included in this section:

Specifying unwanted programs

Excluding unwanted programs

Specifying unwanted programs

1 Open the VirusScan Console, then open the Unwanted Programs Policy dialog box using one of these methods:

Right-click Unwanted Programs Policy in the console, then select Properties.

Double-click Unwanted Programs Policy in the console.

Highlight Unwanted Programs Policy in the console, then click in the console toolbar.

2 Select the Detection tab.

Figure 5-1. Unwanted Programs Policy — Detection tab


3 Under Detection From DATS, select the program categories that you want to detect.

4 Click Apply to save these settings.

Excluding unwanted programs

Even though you selected a category for detection, there may be specific files within that category that you want to exclude from detection.

1 On the Detection tab, under Unwanted program exclusions, click Exclusions.

2 Click Add to include a program in the list of exclusions.

Figure 5-2. Unwanted Programs Policy — Set exclusions

Figure 5-3. Unwanted Program Policy — Add exclusion


3 Choose from these options:

Type the name of a specific program, then click OK to return to the Detection tab.

Click Browse to view the list of unwanted programs that are included in the current DAT file.

Figure 5-4. Unwanted Program Policy — Select program


Select a specific program using one of these methods:

Under Potentially unwanted programs that DAT version XXXX can detect, select one or more programs.

Under Filter List, select only the categories for which you want to view programs in the Potentially unwanted programs that DAT version XXXX can detect list.

Under Search by substring, type a string or file name to locate it in the Potentially unwanted programs that DAT version XXXX can detect list.

Click OK three times to return to the Detection tab.

4 To edit an exclusion, select it in the list, then click Edit. Make the changes as required, then click OK to return to the Detection tab.

5 To delete an exclusion, select it in the list, then click Remove.

6 To remove all items from the list, click Clear.

7 Click Apply to save these settings.


User-defined detection properties

Use these options to add individual files to be treated as unwanted programs.

1 Open the Unwanted Programs Policy dialog box, then select the User-Defined Detection tab.

2 To add, edit, or remove a file:

a Click Add to include a specific file in the list of unwanted programs.

Figure 5-5. Unwanted Programs Policy — User-Defined Detection tab

Figure 5-6. Unwanted Programs Policy — Add user-defined file


Under Filename, type the name of the file or program that you want to detect.

Under Description, type the description that you want to display in the notification when the specified file is detected.

Click OK to return to the User-Defined Detection tab.

b To change a user-defined unwanted program, select it in the list, then click Edit.

Make the necessary changes, then click OK to return to the User-Defined Detection tab.

c To delete a user-defined unwanted program, select it in the list, then click Remove.

3 Click Apply to save these settings.


SECTION 3: DETECTING INTRUSIONS

Chapter 6, On-Access Scanning

Chapter 7, On-Demand Scanning

Chapter 8, E-mail Scanning

Chapter 9, Virus Alerting

Chapter 10, Updating

Chapter 11, Adding, Specifying, & Excluding Scanning Items

Chapter 12, Scheduling Tasks


6

On-Access Scanning

The on-access scanner provides your computer with continuous, real-time virus detection and response based on the settings you configure. You can configure the same settings for all processes or differently based on whether you classify processes as having a low-risk or a high-risk of infection. Scanning takes place when files are read from or written to your computer.

When an infection is detected, the on-access scanner records a message with details about the infected file if you have configured it to do so, then allows you to quickly access the message, and take immediate action on the infected file.

These topics are included in this section:

Overview of on-access scan properties

Overview of per process configuration

Configuring the on-access scanner

Viewing scan results

Responding to virus detections


Overview of on-access scan properties

The On-Access Scan Properties dialog box allows you to configure general settings and three classes of processes: default, low-risk, and high-risk. The icons in the left pane of the dialog box give you access to the configurable options. When you select an icon in the left pane, the tabs for that selection display in the right pane.

When the On-Access Properties dialog box first opens, the default view provides access to properties for General Settings and All Processes.

General Settings. When you select this icon, you can configure the general, script scanning, blocking, messages, and reports options that apply to all processes. See General Settings on page 88 for more information about setting these options.

Figure 6-1. On-Access Scan Properties — General Settings


All Processes. When you select this icon, you can specify whether to use the settings on the detection, advanced, actions, and unwanted programs tabs for all processes, or whether to configure them differently for default, low-risk and/or high-risk processes. See Process Settings on page 97 for more information.

NOTE: If you choose to configure settings differently for default, low-risk and/or high-risk processes, this is called per process scanning. See Overview of per process configuration for information about defining processes and assigning risk to processes.

Overview of per process configuration

You can configure on-access scanning properties by process. Properties can be configured to be the same for all processes, or differently for default processes, low-risk processes, and/or high-risk processes, depending on your security needs.

Configuring process settings differently

Defining processes

Assigning risk to a process

Figure 6-2. On-Access Scan Properties — All Processes


Configuring process settings differently

If you choose to configure settings differently for default, low-risk, and/or high-risk processes, you must first specify that by selecting the All Processes icon in the left pane, then selecting Use different settings for high-risk and low-risk processes in the right pane.

Figure 6-3. On-Access Scan Properties — Use the same settings


When you select Use different settings for high-risk and low-risk processes, the All Processes icon is replaced by the Default Processes icon, and the Low-Risk Processes and High-Risk Processes icons appear in the left pane.

Now you are ready to define which processes are configured as low-risk and high-risk. Any process that is not defined as either of these is considered to be a default process. See Defining processes on page 86.

Figure 6-4. On-Access Scan Properties — Use different settings


Defining processes

A process is a program in execution. A program may initiate one or more processes. When deciding which risk or scanning policy to assign to a process, remember that only the child processes of the defined parent process adhere to the scanning policy. For example, if you define the Microsoft Word executable file, WINWORD.EXE, as a high-risk scanning process, any Microsoft Word documents that are accessed would be scanned according to the high-risk scanning policy. However, when the parent process Microsoft Word is launched, the WINWORD.EXE file would be scanned according to the policy of the process that launched it.

You can assign two types of risks to processes:

Low-risk processes are defined as those processes with a lower possibility of spreading or introducing a virus. These can be processes that access a lot of files, but do so in a way that has a lower risk of spreading viruses. Some examples are:

Backup software.

Compiling processes.

High-risk processes are defined as those processes with a higher possibility of spreading or introducing a virus. Some examples are:

Processes that launch other processes; for example, Microsoft Windows Explorer, or the command prompt.

Processes that execute scripts or macros; for example, WINWORD or CSCRIPT.

Processes used for downloading from the Internet; for example, browsers, instant messengers, and mail clients.

NOTE: When you install VirusScan Enterprise with default settings, the Use the settings on these tabs for all processes option is selected. If you select Use different settings for high-risk and low-risk processes, some processes are predefined as high-risk. You can change this list to meet your needs.

Any process that is not defined as either low-risk or high-risk is considered to be a default process and is scanned with the properties that you set for default processes.

See Assigning risk to a process on page 87 for more information.


Assigning risk to a process

To determine which risk to assign to which processes, complete these steps:

1 Decide why you want to have different scanning policies. When balancing performance against risk, the two most common reasons are:

To scan some processes more thoroughly than is accomplished by the default scanning policy.

To scan some processes less thoroughly than the default scanning policy, based on the risk and impact on performance. For example, backup applications.

2 Decide which processes are low-risk and which are high-risk. First determine which program is responsible for each process, then determine the risk. Use the Windows Task Manager or Windows Performance Monitor to help you understand which processes are using the most CPU time and memory. Once you have this information you can associate each process with a scanning policy based on the processes’ performance and risk.

3 Configure the scanning policies for each of the three levels: default, low-risk and high-risk.

NOTE: We do not recommend reducing the default level of scanning for high-risk processes. The high-risk scanning policy is initially set the same as default processes to ensure that high-risk processes maintain an in-depth level of scanning.

Configuring the on-access scanner

To ensure optimal performance on your computer or in your network environment, you need to configure the scanner to determine what you want it to scan, what you want it to do if it finds a virus, and how it should notify you when it does.

The on-access scanner comes configured with most response properties enabled. By default, the scanner is set to clean a virus when it finds one. If the virus is not cleanable, the default secondary action is to deny access to the virus. The scanner also records the incident in the log file.

These topics are included in this section:

General Settings

Process Settings


General Settings

Use the options on these tabs to configure the on-access scanning settings that apply to all processes.

These topics are included in this section:

General properties

ScriptScan properties

Blocking properties

Message properties

Reports properties


General properties

Use the options on the General tab to configure basic properties for on-access scanning.

1 Open the VirusScan Console, then open the On-Access Scan Properties using one of these methods:

Select On-Access Scanner Properties from the console’s Task menu.

Right-click On-Access Scanner in the console, then select Properties.

Highlight On-Access Scanner in the console, then click in the console toolbar.

2 Select General Settings in the left pane, then select the General tab.

Figure 6-5. General Settings — General tab


3 Under Scan, choose which parts of the computer you want the scanner to examine. Select from these options:

Boot sectors (Default). Include the disk boot sector during scanning activities. The scanner scans the disk boot sector when a disk is mounted. In some situations it may be appropriate to disable boot sector analysis when a disk contains a unique or abnormal boot sector that cannot be subjected to virus scanning.

Floppy during shutdown (Default). Scan the boot sector of any floppy disk left in your drive as you shut down your computer. If the disk is infected, the computer does not shut down until the disk is removed.

4 Under General, select from these options:

Enable on-access scanning at system startup (Default). Start the on-access scanner service when you start your computer.

Quarantine Folder. Accept the default location and name for the quarantine folder, type a different location and name, or click Browse to locate a folder on your local drive.

The default location and name for the quarantine folder is:

<drive>:\quarantine

NOTE: The quarantine folder cannot be located on a floppy drive or CD drive. It must be located on a hard drive.

5 Under Scan time, specify the maximum archive and scanning time, in seconds, for all files. If a file takes longer than the specified time to scan, the scan stops cleanly and a message is logged. If the scan cannot be stopped cleanly, it terminates and restarts, and a different message is logged. Select from these options:

Maximum archive scan time (seconds) (Default = 15 seconds). Accept the default or select the maximum number of seconds the scanner should spend scanning an archive file. The time you select for the archive scan must be less than the time you select for scanning all files.

Enforce a maximum scanning time for all files (Default). Define a maximum scanning time and enforce it for all files.

Maximum scan time (seconds) (Default = 45 seconds). Accept the default or select the maximum number of seconds the scanner should spend scanning a file.

6 Click Apply to save these settings.


ScriptScan properties

Use the options on the ScriptScan tab to configure script scanning properties. This feature scans JavaScript and VBScript scripts before they are executed. The script scanner operates as a proxy component to the real Windows scripting host component. It intercepts these scripts, then scans them. If the script is clean, it is passed on to the real scripting host component. If the script is infected, it is not executed. In addition, an alert is generated based on the settings you configured on the Messages tab, and information is recorded in the activity log based on the settings you configured on the Reports tab.

1 Open the On-Access Scan Properties dialog box, then select General Settings in the left pane.

2 Select the ScriptScan tab.

3 Select Enable ScriptScan.

4 Click Apply to save these settings.

Figure 6-6. General Settings — ScriptScan tab


Blocking properties

Use the options on the Blocking tab to configure blocking properties for connections from remote computers. This feature blocks connections from remote computers which have infected files in a shared folder. Specify whether to send a message to the user, whether to block the connection from a remote computer and for how long. You can also block the connection from a remote computer if an unwanted program is detected.

1 Open the On-Access Scan Properties dialog box, then select General Settings in the left pane.

2 Select the Blocking tab.

3 Under Message, select Send a message to notify the network user on the remote computer, then type a custom message in the text box.

WARNING: The Windows Messenger service must be running on the remote computer to receive this message.

4 Under Block, specify the blocking options for the network user on the remote computer. This blocks the connection for the number of minutes you specify.

Block the connection (Default). Blocks the connection to any network user on a remote computer who attempts to read from, or write to, an infected file in the shared folder.

Figure 6-7. General Settings — Blocking tab


Unblock connections after (minutes) (Default = 10 minutes). Unblocks the connection after the specified number of minutes. Enter a number between 1 and 9999.

Block if an unwanted program is detected. Blocks the connection to any user on a remote computer who attempts to write an unwanted program to the computer. For information about defining unwanted programs, see Unwanted Programs Policy on page 71.

NOTE: The On-Access Scan Statistics dialog box displays a list of computers that have been blocked.

5 Click Apply to save these settings.

Message properties

Use the options on the Messages tab to configure user message properties for on-access scanning.

1 Open the On-Access Scan Properties dialog box, then select General Settings in the left pane.

2 Select the Messages tab.

Figure 6-8. General Settings — Messages tab


3 Under Messages for local users, select message options. Some options apply to all users and some apply only to users without administrator rights.

These options apply to all users:

Show the messages dialog when a virus is detected (Default). Display the On-Access Scan Messages dialog box when a virus is detected. See Responding to virus detections on page 119 for more information.

Text to display in message. Accept the default message or type a custom message that displays when an infection is detected. The default message is VirusScan Alert!

These options apply to the actions that users without administrator rights are allowed to take on messages listed in the On-Access Scan Messages dialog box. Select any combination of these options:

Remove messages from the list (Default). Allow users without administrator rights to remove messages from the list.

Clean files (Default). Allow users without administrator rights to clean infected files referenced by the messages in the list.

Delete files. Allow users without administrator rights to delete infected files referenced by the messages in the list.

Move files to the quarantine folder (Default). Allow users without administrator rights to move infected files referenced by the messages in the list, to the quarantine folder.

4 Click Apply to save these settings.


Reports properties

Use the options on the Reports tab to specify whether to record activity in a log file and configure the location, size limit, and format of the log file.

NOTE: The log file can serve as an important management tool for tracking virus activity on your network and for noting which settings you used to detect and respond to any virus that the scanner found. The incident reports recorded in the file can help determine which files you need to either replace from backup copies or delete from your computer. See Activity log on page 118 for information on viewing the log.

To configure Reports properties:

1 Open the On-Access Scan Properties dialog box, then select General Settings in the left pane.

2 Select the Reports tab.

Figure 6-9. General Settings — Reports tab


3 Under Log file, select from these options:

Log to file (Default). Record on-access scanning activity in a log file.

In the text box, accept the default log file name and location, type a different name and location, or click Browse to locate a file elsewhere on your computer or network.

By default, the scanner writes log information to the ONACCESSSCANLOG.TXT file in this folder:

<drive>:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\

NOTE: This location may vary depending on what operating system you are using.

Limit size of log file (Default). Select this option then specify the maximum size for the log file.

Maximum log file size. Accept the default size (1MB) or set a different size for the log between 1MB and 999MB.

NOTE: If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.

Format. Select the format of the log file: Unicode (UTF8) (Default), Unicode (UTF16), or ANSI.

NOTE: The format you choose depends on how important file size and data integrity are. ANSI format usually produces the smallest file, which may work well if you are storing western text (every character is one byte) but may not work well with eastern text (every character is one or two bytes). If you are sharing information within a multi-national organization, we recommend using one of the Unicode formats, either UTF8 or UTF16.

View Log. View the existing log file.


4 Under What to log in addition to virus activity, select the additional information that you want to record in the log file:

Session settings. Record the properties that you chose for each scanning session in the log file.

Session summary (Default). Summarize the scanner’s actions during each scanning session and add the information to the log file. Summary information includes the number of files scanned, the number and type of viruses detected, the number of files moved, cleaned, or deleted, and other information.

Failure to scan encrypted files (Default). Record the name of encrypted files that the scanner failed to scan.

User name (Default). Record the name of the user logged on to the computer at the time the scanner records each log entry.

5 Click Apply to save these settings.
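The size limit, the 20 percent trimming rule and the format choice on the Reports tab together decide how far back the activity log reaches when you later investigate a detection. The following is an added example, not part of the product guide and not vendor code, that models the rule; the entry text, the byte accounting, the scaled-down cap and the use of cp1252 for ANSI are assumptions.

```python
"""Model of the size-capped activity log described on the Reports tab.

Assumptions (not from the product guide): one entry per line, size counted as
encoded bytes including CRLF, and "the oldest 20 percent of the log file
entries" taken by entry count, rounded up.
"""

# Reports-tab formats mapped to Python codecs. "ANSI" depends on the Windows
# code page; the western code page cp1252 is assumed here.
CODECS = {"UTF8": "utf-8", "UTF16": "utf-16-le", "ANSI": "cp1252"}


def entry_size(entry, fmt):
    """Bytes one entry occupies on disk in the chosen format."""
    return len((entry + "\r\n").encode(CODECS[fmt], errors="replace"))


def survives(entry, fmt):
    """True if the entry text can be read back unchanged from this format."""
    codec = CODECS[fmt]
    return entry.encode(codec, errors="replace").decode(codec) == entry


class CappedLog:
    """Append-only log that drops its oldest 20% of entries when over the cap."""

    def __init__(self, max_bytes, fmt):
        self.max_bytes = max_bytes
        self.fmt = fmt
        self.entries = []      # list of (sequence number, text), oldest first
        self.size = 0          # current encoded size in bytes
        self.dropped = 0       # entries discarded so far
        self._next_seq = 0

    def append(self, text):
        self.entries.append((self._next_seq, text))
        self._next_seq += 1
        self.size += entry_size(text, self.fmt)
        # Trim until the log fits again; always keep the newest entry.
        while self.size > self.max_bytes and len(self.entries) > 1:
            cut = (len(self.entries) + 4) // 5      # ceil(20% of entries)
            cut = min(cut, len(self.entries) - 1)
            for _, old in self.entries[:cut]:
                self.size -= entry_size(old, self.fmt)
            del self.entries[:cut]
            self.dropped += cut

    def oldest_seq(self):
        """Sequence number of the earliest entry still in the log."""
        return self.entries[0][0]


def simulate(count, max_bytes, fmt):
    """Write `count` constructed entries; return (retained, oldest_seq, dropped)."""
    log = CappedLog(max_bytes, fmt)
    for i in range(count):
        # Constructed sample line, 30 characters; not the product's log format.
        log.append(f"entry {i:04d} C:\\share\\report.doc")
    return len(log.entries), log.oldest_seq(), log.dropped


if __name__ == "__main__":
    # The 3200-byte cap is a scaled-down stand-in for the 1MB minimum.
    for fmt in CODECS:
        print(fmt, simulate(250, 3200, fmt))
    name = "C:\\share\\\u5831\u544a\u66f8.doc"   # constructed Japanese file name
    for fmt in CODECS:
        print(fmt, entry_size(name, fmt), survives(name, fmt))
```

With the same cap, UTF16 keeps roughly half as many entries as UTF8 or ANSI, while the ANSI code page assumed here cannot round-trip the Japanese file name.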

Process Settings

Configure the on-access scanning process options to be the same for all processes or differently for a specific process class (default, low-risk, and/or high-risk).

These topics are included in this section:

Processes properties

Detection properties

Advanced properties

Actions properties

Unwanted programs properties


Processes properties

Use the options on the Processes tab to choose whether to configure the same settings for all processes, or whether to configure them differently for default, low-risk and/or high-risk processes.

The procedure for setting options on the Processes tab is different according to what options you select.

To configure options to be the same for all processes, see All processes properties on page 99.

To configure options for default processes, see Default processes properties on page 100.

To configure options for low-risk processes, see Low-risk processes on page 101.

To configure options for high-risk processes, see High-risk processes on page 103.


All processes properties

Configure the detection, advanced, actions, and unwanted programs properties to be the same for all processes.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select the Processes tab, if it is not already selected, then select Use the settings on these tabs for all processes (Default). Set the same on-access scanning properties for all processes.

3 Click Apply to save these settings.

4 Go to Detection properties on page 105.

Figure 6-10. All Processes — Processes tab


Default processes properties

Configure detection, advanced, actions, and unwanted programs properties for default processes. A default process is any process that is not defined as either low-risk or high-risk.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select the Processes tab, if it is not already selected, then select Use different settings for high-risk and low-risk processes.

NOTE: When you select this option, the All Processes icon is replaced by the Default Processes icon, and the Low-Risk Processes and High-Risk Processes icons become visible in the left pane.

3 Select the Default Processes icon in the left pane.

4 Click Apply to save these settings.

5 Go to Detection properties on page 105.

Figure 6-11. Default Processes — Processes tab


Low-risk processes

Configure detection, advanced, actions, and unwanted programs properties for processes that you define as having a low risk of spreading or introducing a virus. For information about defining processes and assigning risk to a process, see Overview of per process configuration on page 83.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select the Processes tab, if it is not already selected, then select Use different settings for high-risk and low-risk processes.

NOTE: When you select this option, the All Processes icon is replaced by the Default Processes icon, and the Low-Risk Processes and High-Risk Processes icons become visible in the left pane.

3 Select the Low-Risk Processes icon in the left pane.

Figure 6-12. Low-risk processes


Some processes have been defined as low-risk by default.

4 To add new processes to the list, click Add.

a Select the processes you want to add or click Browse to locate them.

b When you have finished selecting processes, click OK to return to the Processes tab. The processes you selected appear in the list.

5 To delete a process, select it in the list, then click Remove.

6 Click Apply to save these settings.

7 Go to Detection properties on page 105.

Figure 6-13. Select application


High-risk processes

Configure detection, advanced, actions, and unwanted programs properties for processes that you define as having a high risk of spreading or introducing a virus. For information about defining processes and assigning risk to a process, see Overview of per process configuration on page 83.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select the Processes tab, if it is not already selected, then select Use different settings for high-risk and low-risk processes.

NOTE: When you select this option, the All Processes icon is replaced by the Default Processes icon, and the Low-Risk Processes and High-Risk Processes icons become visible in the left pane.

3 Select the High-Risk Processes icon in the left pane.

Figure 6-14. High-risk processes


Some processes have been defined as high-risk by default.

4 To add new processes to the list, click Add.

a Select the processes you want to add or click Browse to locate them.

b When you have finished selecting processes, click OK to return to the Processes tab. The processes you selected appear in the list.

5 To delete a process, select it in the list, then click Remove.

6 Click Apply to save these settings.

7 Go to Detection properties on page 105.

Figure 6-15. Select application


Detection properties

Use the options on the Detection tab to specify what types of files you want the on-access scanner to examine and when you want to scan them. You can configure the detection properties to be the same for all processes or differently for each process class.

NOTE: If you are configuring properties differently for default processes, low-risk processes, and high-risk processes, you will repeat this procedure for each process class.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Choose from these options:

Select Use the settings on these tabs for all processes (Default) to set the same properties for all processes.

Select Use different settings for high-risk and low-risk processes, then select one of these icons in the left pane: Default Processes, Low-Risk Processes, or High-Risk Processes.

3 Select the Detection tab.

Figure 6-16. On-Access Scan — Detection tab


4 Under Scan Files, select any combination of these scanning options:

WARNING: If you are copying or moving files from one computer to another, it is important that all computers be configured identically. Configuring computers differently may allow an infected file to be copied from or written to a computer.

When writing to disk (Default). Scan all files as they are written to or modified on the computer or other data storage device.

When reading from disk (Default). Scan all files as they are read from the computer or other data storage device.

On network drives. Include resources on mapped network drives during on-access scans.

NOTE: Scanning network resources could affect performance.

5 Under What to scan, choose from these options:

All files. Scan all files regardless of extension.

Default + additional file types (Default). Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file.

Select the Default + additional file types option, then click Additions to open the Additional File Types dialog box.

Figure 6-17. Additional File Types


Add the file type extensions that you want to scan in addition to the extensions that are scanned by default. For more information, see Adding file type extensions on page 258.

NOTE: You cannot delete file types from the Scanned by default list. If you want to exclude file types from this list, use the Exclusions feature. For more information, see Excluding files, folders and drives on page 262.

Click OK to return to the Detection tab.

Also scan for macro viruses in all files. Scan all files, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.

NOTE: Scanning for macro viruses in all files could affect performance.

Specified file types. Create a list of user-specified file type extensions to be scanned during scanning operations. You can also use this feature to remove any of the user-specified file type extensions you added previously.

Select the Specified file types option, then click Specified to open the Specified File Types dialog box.

Specify the file type extensions that you want to scan. For more information, see Specifying user-defined file types on page 260.

Click OK to return to the Detection tab.

Figure 6-18. Specified File Types


6 Under What not to scan, add files, folders, and drives to exclude from scanning operations, or remove exclusions that you previously specified.

a Click Exclusions to open the Set Exclusions dialog box.

b Add files, folders, or drives and edit or remove an item in the list. For more information about setting exclusions, see Excluding files, folders and drives on page 262.

c Click OK to save these settings and return to the Detection tab.

7 Click Apply to save these settings.

Advanced properties

Use the options on the Advanced tab to specify advanced scan options for heuristics and compressed files. You can configure the advanced properties to be the same for all processes or differently for each process class.

NOTE: If you are configuring properties differently for default processes, low-risk processes, and high-risk processes, you will repeat this procedure for each process class.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Choose from these options:

Select Use the settings on these tabs for all processes (Default) to set the same properties for all processes.

Select Use different settings for high-risk and low-risk processes, then select one of these icons in the left pane: Default Processes, Low-Risk Processes, or High-Risk Processes.

Figure 6-19. Set Exclusions


3 Select the Advanced tab.

4 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that the code is a variant of a known virus. Select any combination of these options:

Find unknown program viruses (Default). When the scanner finds executable files that have code resembling a virus, it treats them as if they were infected. The scanner applies the action you choose on the Actions tab.

Find unknown macro viruses (Default). When the scanner finds embedded macros that have code resembling a virus, it treats them as if they were infected. The scanner applies the action you choose on the Actions tab.

NOTE: This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.

Figure 6-20. Per process scanning — Advanced tab


5 Under Compressed files, specify which types of compressed files you want the scanner to examine. Select any combination of these options:

Scan inside archives. Examine archive files and their contents. An archive file is a compressed file and the files within it must be extracted before they can be accessed. Files contained inside archives are scanned when they are written to disk.

Decode MIME encoded files. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.

NOTE: Although it provides better protection, scanning compressed files can increase the amount of time required to perform a scanning activity.

6 Click Apply to save these settings.

Actions properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus. You can configure the actions properties to be the same for all processes or differently for each process class.

NOTE: If you are configuring properties differently for default processes, low-risk processes, and high-risk processes, you will repeat this procedure for each process class.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Choose from these options:

Select Use the settings on these tabs for all processes (Default) to set the same properties for all processes.

Select Use different settings for high-risk and low-risk processes, then select one of these icons in the left pane: Default Processes, Low-Risk Processes, or High-Risk Processes.


3 Select the Actions tab.

4 Under Primary Action, select the first action that you want the scanner to take when a virus is detected.

Click to select one of these actions:

Clean files automatically (Default). The scanner tries to remove the virus from the infected file. If the scanner cannot, or if the virus has damaged the file beyond repair, the scanner performs the secondary action. See Step 5 for more information.

Deny access to files. Deny all users access to any infected files the scanner finds. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which files are infected.

NOTE: When the scanner denies access to infected files, it also renames files that cannot be cleaned and new infected files by appending a .VIR extension to the file name when the file is saved.

Move files to a folder. The scanner moves infected files to a folder that is named quarantine by default. You can change the name of the folder in the Quarantine Folder text box on the General Settings, General tab.

Figure 6-21. All or Default Processes — Actions tab


Delete files automatically. The scanner deletes infected files as soon as it detects them. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which files were infected.

If you select this option, you are required to confirm your selection.

WARNING: If you selected Find unknown macro viruses on the Advanced tab, the action you select here applies to any macro that has code resembling a virus. If you select Delete files automatically, any file that has code resembling a macro virus is deleted, and any archive that contains an infected file is deleted. If that is not your intention, be certain that your choice of action corresponds with your choice of action for macros.

5 Under Secondary Action, select the next action that you want the scanner to take if the first action fails. The available options depend on the primary action you selected.

Click to select the secondary action:

Move files to a folder (Default). The scanner moves infected files to a folder that is named quarantine by default. You can change the name of the folder in the Quarantine Folder text box on the General Settings, General tab.

Deny access to files.

Delete files automatically.

If you select this option, you are required to confirm your selection.

6 Click Apply to save these settings.


Unwanted programs properties

Use the options on the Unwanted Programs tab to enable the Unwanted Programs Policy you configured in the Console, and specify the primary and secondary actions you want the scanner to take when it detects an unwanted program. You can configure the advanced properties to be the same for all processes or differently for each process class.

The actual detection and subsequent cleaning of unwanted programs is determined by the DAT file, just as it is for a virus. If you detect a program and the primary action is set to Clean, the DAT file tries to clean the program using the information in the DAT file. If the detected program cannot be cleaned, or is not in the DAT file, for example a user-defined program, the clean action fails and the secondary action is taken.

NOTE: If you are configuring properties differently for default processes, low-risk processes, and high-risk processes, you will repeat this procedure for each process class.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Choose from these options:

Select Use the settings on these tabs for all processes (Default) to set the same properties for all processes.

Select Use different settings for high-risk and low-risk processes, then select one of these icons in the left pane: Default Processes, Low-Risk Processes, or High-Risk Processes.


3 Select the Unwanted Programs tab.

4 Under Detection, select Detect unwanted programs.

WARNING: This option must be selected to enable the Unwanted Programs Policy you configured in the Console, or the on-access scanner will not detect unwanted programs.

5 Under Primary Action, select the first action that you want the scanner to take when an unwanted program is detected.

Click to select one of these actions:

Allow access to files. The scanner allows the detected program to run and the program information is logged in the activity log. This action is useful when you want to discover what programs are present before deciding what actions to take. Some programs may not be considered unwanted. You can use the information in the activity log to determine if any of the detected programs should be excluded from the Unwanted Programs Policy so they are not detected again.

No secondary action is allowed for this action.

Figure 6-22. All or Default Processes — Unwanted Programs tab


Clean files automatically (Default). The scanner tries to remove the virus from the unwanted program. If the scanner cannot, or if the virus has damaged the unwanted program beyond repair, the scanner performs the secondary action. See Step 6 for more information.

Deny access to files. Denies all users access to any unwanted program the scanner finds. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which unwanted programs are detected.

Move files to a folder. The scanner moves unwanted programs to a folder that is named quarantine by default. You can change the name of the folder in the Quarantine Folder text box on the General Settings, General tab.

Delete files automatically. The scanner deletes unwanted programs as soon as it detects them. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which unwanted programs were detected.

If you select this option, you are required to confirm your selection.

6 Under Secondary Action, select the next action that you want the scanner to take if the first action fails. The available options depend on the primary action you selected.

Click to select the secondary action:

Allow access to files. The scanner allows the detected program to run and the program information is logged in the activity log.

Deny access to files.

Move files to a folder (Default). The scanner moves unwanted programs to a folder that is named quarantine by default. You can change the name of the folder in the Quarantine Folder text box on the General Settings, General tab.

Delete files automatically.

If you select this option, you are required to confirm your selection.

7 Click Apply to save these settings.

Viewing scan results

You can view the results from your on-access scanning operation in the statistics summary and the activity log.

These topics are included in this section:

Scan statistics

Activity log

Scan statistics

The On-Access Scan Statistics summary shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response. It also displays blocked connections and allows you to unblock all connections.

1 Open the VirusScan Console, then use either of these methods to open the On-Access Scan Statistics dialog box:

Double-click in the system tray.

Right-click the on-access scan task in the task list and select Statistics.

Under Last file scanned, view the location and name of the file.

Figure 6-23. On-Access Scan Statistics

Under Statistics, view the information about scanned files.

Under Connections that are now blocked, view the Source IP and time remaining until the connection is unblocked. All connections remain blocked for the time you specified on the Blocking tab or until you click Unblock All Connections here.

2 If you have administrator rights, you can disable or enable the on-access scanner and configure on-access scanning properties from this dialog box. Type the password if it is required.

Click Disable to deactivate the on-access scanner. This function toggles between Disable and Enable.

Click Properties to open the On-Access Scan Properties dialog box, change the scan properties you want to modify, then click Apply to save these settings. If you change the properties, the scan runs with your new settings immediately.

NOTE: The Disable and Properties buttons are hidden if the user interface is configured to show minimal menu options on the Tools|User Interface Options|Display Options tab.

3 Click Close when finished.

Activity log

The on-access scan activity log shows specific details about the scanning operation. For example, it shows the engine and DAT version numbers that were in effect when the scanning activity took place, the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console, then open the activity log file using any of these methods:

Highlight the task, then select View Log from the Task menu.

Right-click the task in the task list and select View Log.

From the On-Access Scan Properties, Reports tab, click View Log.

The activity log provides the date, time, statistics, and the engine and DAT version that were used for the scanning activity.

2 To close the activity log, select Exit from the File menu.

Figure 6-24. On-access scanner — Activity log

Responding to virus detections

The on-access scanner looks for viruses based on the configuration settings you selected in the On-Access Scan Properties dialog box. See Configuring the on-access scanner on page 87 for more information.

These topics are included in this section:

What happens when a virus is detected?

Taking action on detections

What happens when a virus is detected?

When a virus is detected, these actions occur:

The scanner takes action on the detection according to the configuration you specified on the Actions tab.

The on-access scanner records a message in the On-Access Scan Messages dialog box.

A Messenger Service notification displays if you configured Alert Manager to do so. See Configuring Alert Manager on page 182 for more information.

The On-Access Scan Messages dialog box displays if you configured it to do so on the Messages tab.

If you have not configured the on-access scanner or Alert Manager to send notification, you do not receive a network message or a VirusScan Alert. However, you can always see detected viruses in the On-Access Scan Messages dialog box.

Taking action on detections

This section describes the actions that you can take when a virus is detected:

Messenger service notification

On-access scan messages

Submit a virus sample to AVERT

Messenger service notification

If you configured Alert Manager to do so, a Messenger Service notification displays when a detection occurs. The message provides details about the infected file, such as the name and location of the file, type of virus detected, and the scanning engine and the DAT file versions used to detect the virus.

View the message details, then click OK to close it.

On-access scan messages

When a detection occurs, a message is recorded in the On-Access Scan Messages dialog box and, if you configured it to do so, the On-Access Scan Messages dialog box displays when the virus is detected.

If the On-Access Scan Messages dialog box displays when a virus is detected, you can take action on the detection immediately or close the dialog box and take action at a later time.

1 Open the On-Access Scan Messages dialog box, if it is not already open. Right-click in the system tray and select On-Access Scan Messages.

Figure 6-25. Messenger Service

Figure 6-26. On-Access Scan Messages

2 Highlight one or more messages in the list, then select any one of the following actions. Actions can be accessed from the File menu, by right-clicking the highlighted message(s), or by using the buttons.

Clean File — Attempts to clean the file referenced by the selected message.

In some cases, a file cannot be cleaned, either because it has no cleaner or because the virus has damaged the file beyond repair. If the file cannot be cleaned, the scanner appends a .VIR extension to the file name and denies access to it. An entry is recorded in the log file.

NOTE: If a file cannot be cleaned, we recommend that you delete the file and restore it from an uninfected backup copy.

Delete File — Deletes the file referenced by the selected message. The file name is recorded in the log, so that you can restore it from a backup copy.

Remove Message from List (CTRL+D) — Removes the selected message from the list. Messages that have been removed from the list are still visible in the log file.

Remove All Messages — Removes all messages from the list. Messages that have been removed from the list are still visible in the log file.

NOTE: If an action is not available for the current message, the corresponding icon, button, and menu items are disabled. For example, Clean File is not available if the file has already been deleted, or Delete File is not available if the administrator has suppressed the action.

Open Log File — Opens the activity log file. This option is available only from the File menu.

3 Close — Closes the On-Access Scan Messages dialog box.

Submit a virus sample to AVERT

When a virus is detected, you can send a virus sample to AVERT for analysis. See Submit a Sample on page 23 for more information.

7

On-Demand Scanning

The on-demand scanner provides you with a method for scanning all parts of your computer for viruses, at convenient times or at regular intervals. Use it to supplement the continuous protection that the on-access scanner offers, or to schedule regular scan operations when they do not interfere with your work.

In-memory process scanning and incremental scanning make virus detection more efficient than ever.

In-memory process scanning examines all active processes prior to running the on-demand scan. Where infected processes are found, the infection is highlighted and the process is stopped. This means that only a single pass with the on-demand scanner is required to remove all instances of a virus.

Incremental, or resumable, scanning allows the scanner to start where it last left off. You can define a start and stop time for scheduled scans. The on-demand scanner logically works through each folder and related files. When the time limit is reached, the scan is stopped. With incremental scanning, the next scheduled scan continues from the point in the file and folder structure where the previous scan stopped.
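The stop-and-resume behaviour described above can be illustrated with a short sketch. This is an added example, not code from the guide or the product's implementation: the function names, the JSON checkpoint file, and the file-count budget (standing in for the scheduled stop time) are assumptions, and the folder tree is constructed sample data.

```python
import json
import os
import tempfile
from pathlib import Path


def walk_sorted(root, rel=(), resume_after=None):
    """Yield files under root as tuples of path components, in a fixed order.

    Each folder's entries are visited in name order and subfolders are
    descended in place, so visiting order equals tuple ordering of the
    components. A checkpoint can therefore be compared against, and the walk
    still resumes correctly if the checkpointed file has since been deleted.
    """
    try:
        names = sorted(os.listdir(os.path.join(root, *rel)))
    except OSError:
        return  # folder vanished or is unreadable: nothing to scan here
    for name in names:
        parts = rel + (name,)
        full = os.path.join(root, *parts)
        if os.path.isdir(full) and not os.path.islink(full):
            # Skip a subtree that lies wholly before the checkpoint.
            if resume_after is not None and parts < resume_after[:len(parts)]:
                continue
            yield from walk_sorted(root, parts, resume_after)
        elif os.path.isfile(full):
            if resume_after is None or parts > resume_after:
                yield parts


def run_scan(root, state_file, budget, scan_file):
    """Scan at most `budget` files, then stop and record where to resume.

    Returns (scanned, finished). The budget is an assumption standing in for
    the stop time of a scheduled scan; a count keeps the example deterministic.
    """
    state = Path(state_file)
    resume_after = None
    if state.exists():
        resume_after = tuple(json.loads(state.read_text()))
    last = resume_after
    scanned = []
    for parts in walk_sorted(root, (), resume_after):
        if len(scanned) >= budget:
            # Limit reached with files left: save the last file completed.
            if last is not None:
                state.write_text(json.dumps(list(last)))
            return scanned, False
        scan_file(os.path.join(root, *parts))
        scanned.append("/".join(parts))
        last = parts
    # Whole tree covered: drop the checkpoint so the next run starts over.
    if state.exists():
        state.unlink()
    return scanned, True


def demo():
    """Three scheduled passes over a constructed tree; returns their results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "tree")
        for rel in ("a.txt", "archive/old.txt", "docs/b.txt", "docs/c.txt",
                    "docs/sub/d.txt", "z.txt"):
            path = Path(root, *rel.split("/"))
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("constructed sample file")
        state = os.path.join(tmp, "checkpoint.json")

        def inspect(path):  # stand-in for a real scan engine
            Path(path).read_bytes()

        results = [run_scan(root, state, 3, inspect)]
        # The file named in the checkpoint disappears between passes.
        os.remove(os.path.join(root, "docs", "b.txt"))
        results.append(run_scan(root, state, 2, inspect))
        results.append(run_scan(root, state, 2, inspect))
        return results


if __name__ == "__main__":
    for scanned, finished in demo():
        print(scanned, "finished" if finished else "stopped at limit")
```

Because the checkpoint is compared by position in the traversal order rather than looked up, files added before the checkpoint after a pass has moved on are not examined until the next full cycle.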

These topics are included in this section:

Creating on-demand scan tasks

Configuring on-demand scan tasks

Resetting or saving default settings

Scheduling on-demand scan tasks

Scanning operations

Viewing scan results

Responding to virus detections

Creating on-demand scan tasks

You can create on-demand scan tasks using three methods. The type of scan you create, saved or unsaved, depends on the method you use. Choose from these options:

From the Start menu — Tasks created from the Start menu are one-time, unsaved tasks, unless you choose to save the task for future use.

From the icon in the system tray — Tasks created from the system tray are one-time, unsaved tasks, unless you choose to save the task for future use.

From the VirusScan Console — Tasks created from the console are automatically saved in the task list for future use.

These topics are included in this section:

From the Start menu or system tray

From the console

From the Start menu or system tray

The on-demand scan task you create from either the Start menu or the system tray is a one-time, unsaved task that you can use for those times when you need to quickly configure and perform a one-time scan. You can configure and run it, but unless you choose to save it, the task is discarded when you close the On-Demand Scan Properties dialog box. If you do save the task, then you can schedule it.

1 Open the On-Demand Scan Properties dialog box using one of these methods:

Click Start, then select Programs|Network Associates|VirusScan On-Demand Scan.

Right-click in the system tray and select On-Demand Scan.

The On-Demand Scan Properties (Unsaved Task) dialog box appears.

NOTE: You can identify this as an unsaved on-demand scan task because the title bar shows (Unsaved Task). Click Save As to save the task to the console for use again. When you save the task, the On-Demand Scan Properties title bar changes from (Unsaved Task) to the task name you specify.

Figure 7-1. On-Demand Scan Properties — (Unsaved Task)

2 Configure the one-time, unsaved on-demand scan task. See Configuring on-demand scan tasks on page 127 for detailed instructions.

3 Click Apply to save these settings.

4 To schedule the task, you must first save the task, then click Schedule. You cannot schedule an unsaved task. See Scheduling Tasks on page 267 for detailed instructions.

5 To run the task, click Start. See Running on-demand scan tasks on page 145 for more information.

From the console

VirusScan Enterprise provides a default on-demand scan task: Scan All Fixed Disks. You can rename this task and/or create an unlimited number of on-demand scan tasks.

To create a new on-demand scan task from the console:

1 Open the VirusScan Console, then create a new scan task using one of these methods:

Right-click a blank area in the console, without selecting an item in the task list, then select New Scan Task.

Select New Scan Task from the Task menu.

Click in the console toolbar.

A new on-demand scan task appears, highlighted, in the VirusScan Console task list.

2 Type a new name for your task, then press ENTER to open the On-Demand Scan Properties dialog box.

Configuring on-demand scan tasks

You can configure the on-demand scanner to determine where and what you want to scan, what you want it to do if it finds a virus, and how it should notify you when it has.

These topics are included in this section:

Where properties

Detection properties

Advanced properties

Actions properties

Unwanted programs properties

Reports properties

Adding items

Removing items

Editing items

Figure 7-2. On-Demand Scan Properties

Where properties

Use the options on the Where tab to specify the locations you want to scan for viruses.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring, then select the Where tab.

NOTE: By default, the dialog box lists all of the drives on your computer and all of the subfolders they contain. A scan operation this inclusive can take a long time. You may want to narrow this scan for regular use later.

2 Under Item name, specify where you want scanning to take place.

NOTE: If you are configuring the existing on-demand scan task, All fixed drives and Running processes are listed by default.

If you are creating a new scan task, All local drives and Running processes are listed by default.

Use the Add, Remove, and/or Edit buttons to specify the items to scan. See Adding, removing, and editing items on page 141 for detailed instructions.

Figure 7-3. On-Demand Scan Properties — Where tab

3 Under Scan options, specify additional scanning criteria. Select from these options:

Include subfolders (Default). The scanner examines all subfolders in the volumes you target for scanning. To scan only the root level of your chosen volumes, deselect Include subfolders.

Scan boot sectors (Default). The scanner examines the disk boot sector. It may be appropriate to disable boot sector analysis when a disk contains a unique or abnormal boot sector that cannot be subjected to virus scanning.

4 Click Apply to save these settings.

Detection properties

Use the options on the Detection tab to specify which types of files you want the on-demand scanner to examine, and when you want to scan them.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring, then select the Detection tab.

Figure 7-4. On-Demand Scan Properties — Detection tab

2 Under What to scan, choose from these options:

All files. Scan all files regardless of extension.

Default + additional file types (Default). Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file.

Select the Default + additional file types option, then click Additions to open the Additional File Types dialog box.

Add the file type extensions that you want to scan in addition to the extensions that are scanned by default. For more information, see Adding file type extensions on page 258.

NOTE: You cannot delete file types from the Scanned by default list. If you want to exclude file types from this list, use the Exclusions feature. For more information, see Excluding files, folders and drives on page 262.

Click OK to return to the Detection tab.

Also scan for macro viruses in all files. Scan all files, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.

NOTE: Scanning for macro viruses in all files could affect performance.

Figure 7-5. Additional File Types

Specified file types. Create a list of user-specified file type extensions to be scanned during scanning operations. You can also use this feature to remove any of the user-specified file type extensions you added previously.

Select the Specified file types option, then click Specified to open the Specified File Types dialog box.

Specify the file type extensions that you want to scan. For more information, see Specifying user-defined file types on page 260.

Click OK to return to the Detection tab.

Figure 7-6. Specified File Types

3 Under What not to scan, add files, folders, and drives to exclude from scanning operations, or remove exclusions that you previously specified.

a Click Exclusions to open the Set Exclusions dialog box.

b Add files, folders, or drives and edit or remove an item in the list. For more information about setting exclusions, see Excluding files, folders and drives on page 262.

c Click OK to save these settings and return to the Detection tab.

4 Under Compressed files, specify which types of compressed files you want the scanner to examine:

Scan inside archives. Examine archive files and their contents. An archive file is a compressed file and the files within it must be extracted before they can be accessed. Files contained inside archives are scanned when they are written to disk.

Decode MIME encoded files. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.

NOTE: Although it provides better protection, scanning compressed files can increase the amount of time required to perform a scanning activity.

5 Click Apply to save these settings.

Figure 7-7. Set Exclusions

Advanced properties

Use the options on the Advanced tab to specify advanced scanning properties, such as scanning for unknown viruses and files that have been moved to storage, as well as setting the system utilization level.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring, then select the Advanced tab.

2 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that the code is a variant of a known virus. Select any combination of these options:

Find unknown program viruses (Default). When the scanner finds executable files that have code resembling a virus, it treats them as if they were infected. The scanner applies the action you choose on the Actions tab.

Find unknown macro viruses (Default). When the scanner finds embedded macros that have code resembling a virus, it treats them as if they were infected. The scanner applies the action you choose on the Actions tab.

NOTE: This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.

Figure 7-8. On-Demand Scan Properties — Advanced tab

3 Under Miscellaneous, select Scan files that have been migrated to storage to scan files that have been moved to offline storage.

NOTE: If you are using Remote Storage to extend disk space on your server, the on-demand scanner can scan the cached files.

Remote Storage data storage is hierarchical, with two defined levels. The upper level, called local storage, includes the NTFS disk volumes of the computer running Remote Storage on Windows 2000 Server. The lower level, called remote storage, is located on the robotic tape library or stand-alone tape drive that is connected to the server computer.

Remote Storage automatically copies eligible files on your local volumes to a tape library, then monitors space available on the local volumes. File data is cached locally so that it can be accessed quickly as needed. When necessary, Remote Storage moves data from the local storage to remote storage. When you need to access a file on a volume managed by Remote Storage, open the file as usual. If the data for the file is no longer cached on your local volume, Remote Storage recalls the data from a tape library.

4 Under System utilization, use the slider to set the utilization level for the scan task. Each scan task runs independently, unaware of the limits for other tasks. 100% is selected by default.

When an on-demand scan starts, CPU and IO samples are taken over the first 30 seconds, then the scan is performed based on the utilization level you set here.

NOTE: The system utilization you specify does not apply when scanning encrypted files. The decryption is done by LSASS.EXE, not by the SCAN32 process. Scanning encrypted files is CPU intensive; therefore, even if the system limit on the scanning thread is low, it is still scanning files fast enough that LSASS.EXE must keep busy to supply the decrypted data.

5 Click Apply to save these settings.

Actions properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 Select the Actions tab.

3 Under Primary Action, select the first action you want the scanner to take when a virus is detected.

Click to select one of these actions:

Clean files (Default). The scanner tries to remove the virus from the infected file. If the scanner cannot, or if the virus has damaged the file beyond repair, the scanner performs the secondary action. See Step 4 for more information.

Prompt for action. Prompt the user for action when a virus is detected. If you select this option, you can also select which actions are allowed under Allowed action in Prompt dialog box.

No secondary action is allowed for this option.

Continue scanning. Continue scanning when an infected file is found.

No secondary action is allowed for this option.

Figure 7-9. On-Demand Scan Properties — Actions tab

Move files to a folder. The scanner moves infected files to the quarantine folder you specified under Move To Folder.

Delete files. The scanner deletes infected files as soon as it detects them. Be sure to enable Log to file on the Reports tab, so that you have a record of which files are infected.

If you select this option, you are required to confirm your selection.

WARNING: If you selected Find unknown macro viruses on the Advanced tab, the action you select here applies to any macro that has code resembling a virus. If you select Delete infected files, any file that has code resembling a macro virus is deleted, and any archive that contains an infected file is deleted. If that is not your intention, be certain that your choice of action corresponds with your choice of action for macros.

4 Under Secondary Action, select the next action you want the scanner to take if the first action fails.

Click to select one of these actions:

Move files to a folder (Default). The scanner moves infected files to the quarantine folder you specified under Move To Folder.

Prompt for action. If you select this option, you can also select which actions are allowed under Allowed action in Prompt dialog box.

Continue scanning. Continue scanning when an infected file is found.

Clean files. The scanner tries to remove the virus from the infected file. If the scanner cannot, or if the virus has damaged the file beyond repair, the scanner performs the secondary action. See Step 4 for more information.

Delete files. The scanner deletes infected files as soon as it detects them. Be sure to enable Log to file on the Reports tab, so that you have a record of which files are infected.

5 Under Move To Folder, accept the default location and name for the quarantine folder, type a path to a different location, or click Browse to locate a suitable folder on your local drive.

The default location and name for the quarantine folder is:

<drive>:\quarantine

NOTE: The quarantine folder must not be located on a floppy drive or CD drive. It must be located on a hard drive.

6 Under Allowed actions in Prompt dialog box, select from these options:

Clean file. Allow the infected file to be cleaned.

Delete file. Allow the infected file to be deleted.

Move file. Allow the infected file to be moved.

7 Click Apply to save these settings.

Unwanted programs properties

Use the options on the Unwanted Programs tab to enable the Unwanted Programs Policy you configured in the Console, and specify the primary and secondary actions you want the scanner to take when it detects an unwanted program.

The actual detection and subsequent cleaning of unwanted programs is determined by the DAT file, just as it is for a virus. If you detect a program and the primary action is set to Clean, the DAT file tries to clean the program using the information in the DAT file. If the detected program cannot be cleaned, or is not in the DAT file, for example a user-defined program, the clean action fails and the secondary action is taken.

1 Open the On-Demand Scan Properties dialog box, then select the Unwanted Programs tab.

Figure 7-10. On-Demand Scan Properties — Unwanted Programs tab

2 Under Detection, select Detect unwanted programs.

WARNING: This option must be selected to enable the Unwanted Programs Policy you configured in the Console, or the on-demand scanner will not detect unwanted programs.

3 Under Primary Action, select the first action that you want the scanner to take when an unwanted program is detected.

Click to select one of these actions:

Prompt for action (Default). If you select this option, the options you selected under Allowed actions in Prompt dialog box on the Actions tab apply here as well.

Continue scanning. Continue scanning when an infected file is found.

No secondary action is allowed for this option.

Clean files. The scanner tries to remove the virus from the unwanted program. If the scanner cannot, or if the virus has damaged the unwanted program beyond repair, the scanner performs the secondary action. See Step 4 for more information.

Move files to a folder. The scanner moves unwanted programs to a folder that is named quarantine by default. You can change the name of the folder on the Actions tab under Move To Folder.

Delete files. The scanner deletes unwanted programs as soon as it detects them. Be sure to enable the Log to file property on the Reports tab, so that you have a record of which unwanted programs were detected.

If you select this option, you are required to confirm your selection.

4 Under Secondary Action, select the next action that you want the scanner to take if the first action fails. The available options depend on the primary action you selected.

Click to select the secondary action:

Prompt for action (Default). If you select this option, you can also select what actions are allowed in addition to Stop and Continue on the Actions tab.

Continue scanning. Continue scanning when an infected file is found.

Move files to a folder. The scanner moves unwanted programs to a folder that is named quarantine by default. You can change the name of the folder in the Quarantine Folder text box on the General Settings, General tab.

Delete files.

If you select this option, you are required to confirm your selection.

5 Click Apply to save these settings.

Reports properties

Use the options on the Reports tab to specify whether to record activity in a log file and configure the location, size limit, and format of the log file:

NOTE: The log file can serve as an important management tool for tracking virus activity on your network and for noting which settings you used to detect and respond to any virus that the scanner found. The incident reports recorded in the file can help you determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer. See Activity log on page 148.

1 Open the On-Demand Scan Properties dialog box.

2 Select the Reports tab.

Figure 7-11. On-Demand Scan Properties — Reports tab

3 Under Log file, select from these options:

Log to file (Default). Record on-demand scanning virus activity in a log file.

In the text box, accept the default log file name and location, type a different name and location, or click Browse to locate a file elsewhere on your computer or network.

By default, the scanner writes log information to the ONDEMANDSCANLOG.TXT file in this folder:

<drive>:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\

NOTE: This location may vary depending on what operating system you are using.

Limit size of log file (Default). Select this option, then specify the maximum size for the log file.

Maximum log file size. Accept the default size (1MB) or set a different size for the log between 1MB and 999MB.

NOTE: If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.

Format. Select the format of the log file: Unicode (UTF8) (Default), Unicode (UTF16), or ANSI.

NOTE: The format you choose depends on how important file size and data integrity are. ANSI format is usually the smallest file, which may work well if you are storing western text (every character is one byte) but may not work well with eastern text (every character is one or two bytes). If you are sharing information within a multi-national organization, we recommend using one of the Unicode formats, either UTF8 or UTF16.

View Log. View the existing log file.

4 Under What to log in addition to virus activity, select the additional information that you want to record in the log file:

Session settings. Record the properties that you chose for each scanning session in the log file.

Session summary (Default). Summarize the scanner’s actions during each scanning session and add the information to the log file. Summary information includes the number of files scanned, the number and type of viruses detected, the number of files moved, cleaned, or deleted, and other information.

Failure to scan encrypted files (Default). Record the name of encrypted files that the scanner failed to scan.

User name (Default). Record the name of the user logged on to the computer at the time the scanner records each log entry.

5 Click Apply to save these settings.
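The interaction between the Format setting and the log size limit described above can be modelled in a few lines. This is an added example, not McAfee code: the codec names (cp1252 standing in for a western ANSI code page), the scaled-down cap, and the constructed log lines are assumptions, and the trimming rule follows the note on the size limit.

```python
"""Added illustration, not McAfee code: log format versus the size cap."""

TRIM_FRACTION = 0.20  # the guide: the oldest 20 percent of entries are deleted

# Codec names are assumptions: cp1252 stands in for a western ANSI code page.
FORMATS = {
    "Unicode (UTF8)": "utf-8",
    "Unicode (UTF16)": "utf-16-le",
    "ANSI": "cp1252",
}


def encoded_size(entry, codec):
    """Bytes one entry occupies on disk in the given codec."""
    return len(entry.encode(codec, errors="replace"))


def is_lossless(entry, codec):
    """True if the entry survives an encode/decode round trip unchanged."""
    return entry.encode(codec, errors="replace").decode(codec) == entry


def simulate(entries, cap_bytes, codec):
    """Append entries in order and trim as the guide describes.

    Returns the entries still present in the log after the last append.
    """
    log, size = [], 0
    for entry in entries:
        log.append(entry)
        size += encoded_size(entry, codec)
        while size > cap_bytes and len(log) > 1:
            drop = max(1, int(len(log) * TRIM_FRACTION))
            size -= sum(encoded_size(old, codec) for old in log[:drop])
            del log[:drop]
    return log


def make_entries(count):
    """Constructed fixed-width lines; this is not the product's log layout."""
    return [f"{i:06d} C:\\scan\\file{i:06d}.doc constructed-entry\n"
            for i in range(count)]


def retention_report(entries, cap_bytes):
    """Map each format name to (entries kept, index of oldest entry kept)."""
    report = {}
    for name, codec in FORMATS.items():
        kept = simulate(entries, cap_bytes, codec)
        report[name] = (len(kept), entries.index(kept[0]))
    return report


if __name__ == "__main__":
    sample = make_entries(250)
    cap = 100 * encoded_size(sample[0], "utf-8")  # scaled-down cap for the demo
    for fmt, (kept, oldest) in retention_report(sample, cap).items():
        print(f"{fmt:16} keeps {kept:3} entries, oldest is #{oldest}")
    # A constructed non-western file name does not survive a western code page.
    print(is_lossless("C:\\共有\\請求書.doc", "cp1252"))
```

Because UTF16 doubles the bytes per western-text entry, the same cap holds roughly half as many entries before the oldest are trimmed, so copy the log elsewhere if older detections must be retained.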

Adding, removing, and editing items

Follow these procedures to Add, Remove, or Edit items in the Item name list of the On-Demand Scan Properties.

Adding items

Removing items

Editing items

Adding items

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 On the Where tab, click Add to open the Add Scan Item dialog box.

Figure 7-12. Add Scan Item

3 Click to select a scan item from the list. Choose from these options:

My computer (Default). Scans all local and mapped drives.

All local drives. Scans all of the drives on your computer and all of the subfolders they contain.

All fixed drives. Scans hard drives physically connected to your computer.

All removable drives. Scans only floppy disks, CD-ROM discs, Iomega ZIP disks, or similar storage devices physically attached to your computer.

All mapped network drives. Scans network drives logically mapped to a drive letter on your computer.

Running processes. Scans the memory of all running processes. This scan occurs before all other scans.

Home folder. Scans the home folder of the user who starts the scan.

User profile folder. Scans the profile folder of the user who starts the scan. This includes the My Documents folder.

Recycle bin. Scans the contents of the recycle bin.

Drive or folder. Scans a specific drive or folder. Type the path to the drive or folder in the Location text box, or click Browse to locate and select a drive or folder.

When you have finished browsing, click OK to return to the Add Scan Item dialog box.

File. Scan a specific file. Type the path to the file in the Location text box, or click Browse to open the Select Item To Scan dialog box where you can locate and select a file.

When you have selected an item, click Open to return to the Add Scan Item dialog box.

4 Click OK to save these settings and return to the On-Demand Scan Properties dialog box.

5 Click Apply to save these settings.

Removing items

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 On the Where tab, select one or more items that you want to delete in the Item name list, then click Remove.

3 Click Yes to confirm that you want to remove the item.

4 Click Apply to save these settings.

Editing items

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 On the Where tab, select an item in the Item name list, then click Edit to open the Edit Scan Item dialog box.

3 Click to select a scan item from the Item to scan list.

NOTE: The options you have here are the same as the options in Adding items. See Step 3 on page 142 for a complete list and description of available options.

4 Click OK to return to the On-Demand Scan Properties dialog box.

5 Click Apply to save these settings.

Resetting or saving default settings

After you have configured the on-demand scan task, you have the option of resetting the configuration settings to the default settings or saving the current configuration settings as the default.

If you do not want to reset the defaults or save the current settings as the default, skip these steps.

1 Select from these options:

Reset to Default. Restores the default scan settings.

Save as Default. Saves the current scanning configuration as the default configuration. If you Save as Default, all new tasks are created with this configuration.

2 Click Apply to save these settings.

Figure 7-13. Edit Scan Item

Scheduling on-demand scan tasks

After you have configured an on-demand scan task, you can schedule it to run at specific dates and times, or intervals.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 Click Schedule. See Scheduling Tasks on page 267 for detailed instructions about how to schedule a task.

Figure 7-14. On-Demand Scan Properties — Schedule

Scanning operations

You can run scheduled on-demand scan tasks unattended, start immediate scan tasks, and pause, stop, and restart tasks during the scanning operation.

These topics are included in this section:

Running on-demand scan tasks

Pausing and restarting on-demand scan tasks

Stopping on-demand scan tasks

Resumable scanning

Running on-demand scan tasks

Once you have configured your task with the scan properties you want, you can allow the task to run as scheduled or start the scan immediately. A progress bar has been added to the On-Demand Scan Progress dialog box.

NOTE: For the scanner to run your task, your computer must be active. If your computer is down when the task is scheduled to start, the task starts at the next scheduled time if the computer is active, or when the computer starts if you selected the Run missed task option on the Schedule Settings, Schedule tab.

Scan as scheduled. If you scheduled the scan, it automatically runs according to the schedule you specified. A scheduled scan is not visible while it is running unless you choose to view its progress.

To view the progress of the scheduled scan when it is running, right-click the task in the Console and select Show Progress or open the On-Demand Scan Properties dialog box and click Progress.

Scan immediately. You can start on-demand scan tasks immediately using several methods:

Create an on-demand scan task from the system tray or by selecting Start | Program Files | Network Associates | VirusScan On-Demand Scan. From the On-Demand Scan Properties dialog box, configure the scan, then click Start. This type of immediate scan is not saved unless you choose to save it from the On-Demand Scan Properties dialog box.

From the VirusScan Console, right-click an on-demand scan task and select Start. This type of scan uses the configuration settings you previously specified in the On-Demand Scan Properties dialog box.

From Windows Explorer, right-click a file, folder, drive, or other item, then select Scan for viruses. This type of scan cannot be configured or saved.

The On-Demand Scan Progress dialog box appears.

Before the scan actually starts, an estimate is calculated on which the progress is based. To stop the calculation, click Stop calculating estimate. To restart the calculation, click Calculate estimate. If you choose to calculate an estimate, the scan starts automatically upon completion of the estimate. If you choose not to calculate an estimate, the scan starts immediately.

During the scan, you can use the items in the Scan and Detection menus to take action on the ongoing scan. The Scan menu allows you to pause, continue, stop, start, open the properties dialog box, calculate an estimate, or stop calculating an estimate for the ongoing scan. The Detection menu allows you to take action on detections.

Figure 7-15. On-Demand Scan - Calculate estimate

Figure 7-16. On-Demand Scan - Progress

You can also click Properties to open the On-Demand Scan Properties dialog box, change the scan properties you want to modify, then click Apply to save these settings.

The scan runs with your new settings when the next on-demand scan starts. If an on-demand scan is in process when you change the scan properties, the new settings do not take effect until the next on-demand scan starts.

To exit the statistics dialog box, select Exit from the Scan menu.

Pausing and restarting on-demand scan tasks

You can pause and restart an on-demand scan task during the scanning operation.

To pause an on-demand scan task, click Pause in the On-Demand Scan Progress dialog box.

To restart an on-demand scan task, click Continue in the On-Demand Scan Progress dialog box.

Stopping on-demand scan tasks

You can stop an on-demand scan task during the scanning operation using one of these methods:

Click Stop in the On-Demand Scan Progress dialog box.

Right-click the on-demand scan in the Console and select Stop.

Resumable scanning

The on-demand scanner automatically resumes scanning where it left off if the scan is interrupted before it completes. The incremental scan feature of the on-demand scanner recognizes the last file it scanned, so the next time the scan starts, it resumes from where it left off.

Viewing scan results

You can view the results from your on-demand scanning operation in the statistics summary and the activity log.

These topics are included in this section:

Scan statistics

Activity log

Scan statistics

The On-Demand Scan Statistics summary shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

To see statistics and results for your task:

1 Open the VirusScan Console, then right-click the on-demand scan task in the task list, and select Statistics.

The On-Demand Scan Statistics dialog box shows the status of the last completed scan. The upper pane shows the start time, run time and result of the scan. The lower pane shows a statistical summary of the scan results.

2 When you have finished reviewing scan statistics, click Close.

Activity log

The on-demand scan activity log shows specific details about the scanning operation. For example, it shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console, then use either of these methods to open the activity log file:

Highlight the task, then select Activity Log from the Task menu.

Right-click the task in the task list and select View Log.

2 To close the activity log, select Exit from the File menu.

Figure 7-17. On-Demand Scan Statistics

Responding to virus detections

The on-demand scanner looks for viruses based on the configuration settings you selected in the On-Demand Scan Properties dialog box. See Configuring on-demand scan tasks on page 127 for more information.

These topics are included in this section:

What happens when a virus is detected?

Taking action on virus detections

What happens when a virus is detected?

When a virus is detected, these actions occur:

The scanner takes action on the detection according to the configuration you specified on the Actions tab.

An alert dialog box displays when a virus is detected, if you configured the on-demand scanner to Prompt for action as either the primary or secondary action on the Actions tab. See Actions properties on page 135 for more information.

A Messenger Service notification displays, if you configured Alert Manager to do so. See Configuring Alert Manager on page 182 for more information.

The On-Demand Scan Progress dialog box displays while the on-demand scanner is performing a task. If any infections are found, they appear in the lower pane of the dialog box.

You may receive more than one notification depending on how you have configured Alert Manager and the on-demand scanner.

If you have not configured the on-demand scanner or Alert Manager to send notification, you do not receive a network message or a VirusScan Alert. However, you can always see detected viruses in the On-Demand Scan Progress dialog box, during the scan operation.

Taking action on virus detections

This section describes the actions that you can take when a virus is detected.

Messenger service notification

VirusScan Alert dialog box

On-Demand Scan Progress dialog box

Submit a virus sample to AVERT

Messenger service notification

If you configured Alert Manager to do so, a Messenger Service notification displays when a detection occurs. The message provides details about the infected file, such as the name and location of the file, type of virus detected, and the scanning engine and the DAT file versions used to detect the virus.

View the message details, then click OK to close it.

The scanner displays a notification when a detection occurs. This message displays the scanning engine and DAT versions used to detect the infected file(s).

Figure 7-18. Alert Manager Messenger Service

Figure 7-19. Detection Messenger Service

VirusScan Alert dialog box

The VirusScan Alert dialog box appears to notify you of a virus detection if you have configured the on-demand scanner to Prompt for action. It provides information about where the detected file is located and what type of virus it detected in the file.

Select an action to perform on the infected file:

Continue — Continues the scanning operation, records each detection in the activity log, and lists each detected file in the On-Demand Scan dialog box.

Stop — Stops the scanning operation immediately.

Clean — Attempts to clean the file referenced by the selected message.

If the file cannot be cleaned, either because it has no cleaner or because the virus has damaged the file beyond repair, an entry is recorded in the log file. Alternative responses may be suggested. For example, if a file cannot be cleaned, you should delete the file and restore it from a backup copy.

Delete — Deletes the file referenced by the selected message. The file name is recorded in the log, so that you can restore it from a backup copy.

Move File to — Moves the file referenced by the selected message, to the folder you select from the dialog box.

Figure 7-20. VirusScan Alert

On-Demand Scan Progress dialog box

The On-Demand Scan Progress dialog box displays when the on-demand scanner is performing tasks. The lower pane shows viruses detected during the on-demand scan operation.

1 Take action on the detected virus using one of these methods:

Right-click the name of the file in the lower pane and select an action that you want to take from the Detection menu.

Highlight the name of the file in the lower pane and select an action to take from the Scan menu.

2 When you have finished taking actions on all the virus detections in the list, select Exit from the Scan menu to close the dialog box.

Submit a virus sample to AVERT

When a virus is detected, you can send a virus sample to AVERT for analysis. See Submit a Sample on page 23 for more information.

Figure 7-21. On-Demand Scan Progress — Virus detected

8

E-mail Scanning

The e-mail scanner consists of two separate functional components. The first works with MAPI based e-mail, such as Microsoft Outlook. The second works with Lotus Notes. The two client scanners have some behavior differences that are described in this document.

E-mail scan provides two methods of scanning e-mail folders, attachments, and message bodies for either Microsoft Outlook or Lotus Notes:

The on-delivery e-mail scanner, when activated, automatically examines e-mail messages and attachments. The on-delivery e-mail scanner scans mail differently depending on whether you are using Microsoft Outlook or Lotus Notes. When using Microsoft Outlook, e-mail is scanned on delivery; when using Lotus Notes, e-mail is scanned when accessed. The settings you configure apply to both Microsoft Outlook and Lotus Notes.

The on-demand e-mail scanner is activated by the user. It examines e-mail messages and attachments that are already in the user’s mailbox, personal folders, or Lotus Notes databases. You can configure and start the on-demand e-mail scanner from either Microsoft Outlook or Lotus Notes.

Use the on-demand e-mail scanner to supplement the protection that the on-delivery e-mail scanner provides. For example, if you have had Microsoft Outlook or Lotus Notes closed or you are installing the VirusScan Enterprise product for the first time, we recommend running an on-demand e-mail scan first.

These topics are included in this section:

Configuring the e-mail scanner

Running the on-demand e-mail task

Viewing e-mail scan results

Configuring the e-mail scanner

The configuration settings you specify here apply to Microsoft Outlook and Lotus Notes.

These topics are included in this section:

Detection properties

Advanced properties

Actions properties

Alerts properties

Unwanted programs properties

Reports properties

Detection properties

Use the options on the Detection tab to specify which attachments and file type extensions you want to scan.

The Detection Properties for on-delivery scanning are different from the on-demand e-mail scanning properties.

For on-delivery e-mail, see On-delivery e-mail scan detection properties on page 155.

For on-demand e-mail, see On-demand e-mail scan detection properties on page 158.

On-delivery e-mail scan detection properties

1 Open the VirusScan Console, then open the On-Delivery Scan Properties dialog box using one of these methods:

Highlight On-Delivery E-mail Scanner in the task list, then click .

Right-click On-Delivery E-mail Scanner in the task list and select Properties.

Double-click On-Delivery E-mail Scanner in the task list.

2 Select the Detection tab.

Figure 8-1. On-Delivery Scan Properties — Detection tab

3 Under Attachments to scan, choose from these options:

All file types (Default). Scan all files regardless of extension.

Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file.

Select the Default + additional file types option, then click Additions to open the Additional File Types dialog box.

Add the file type extensions that you want to scan in addition to the extensions that are scanned by default. For more information, see Adding file type extensions on page 258.

NOTE: You cannot delete file types from the Scanned by default list. If you want to exclude file types from this list, use the Exclusions feature. For more information, see Excluding files, folders and drives on page 262.

Click OK to return to the Detection tab.

Also scan for macro viruses in all attachments. Scan all attachments, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.

NOTE: Scanning for macro viruses in all attachments could affect performance.

Figure 8-2. Additional File Types

Specified file types. Create a list of user-specified file type extensions to be scanned during scanning operations. You can also use this feature to remove any of the user-specified file type extensions you added previously.

Select the Specified file types option, then click Specified to open the Specified File Types dialog box.

Specify the file type extensions that you want to scan. For more information, see Specifying user-defined file types on page 260.

Click OK to return to the Detection tab.

NOTE: Excluding file types is not supported for e-mail scanning.

4 Click Apply to save these settings.

Figure 8-3. Specified File Types

On-demand e-mail scan detection properties

Use the options on the Detection tab to specify which attachments and file type extensions you want to scan.

1 Start Microsoft Outlook or Lotus Notes, then open the On-Demand E-mail Scan Properties dialog box using the method that applies to the e-mail client that you are using:

When using Microsoft Outlook, use one of these methods:

Select E-mail Scan Properties from the Tools menu.

Click in the Outlook or Lotus Notes toolbar.

NOTE: If the icon is not visible in the Outlook or Lotus Notes toolbar, click on the right side of the standard toolbar, then select the icon.

When using Lotus Notes, select On-Demand Scan Properties from the Actions menu.

2 Select the Detection tab.

Figure 8-4. On-Demand E-mail Scan Properties — Detection tab

3 Under Messages to scan, specify what messages you want to scan. You have these options:

All highlighted item(s). This option is selected by default. Scan selected e-mail messages or folders.

All messages in the Inbox folder. Scan all messages currently in the Inbox folder and its subfolders.

Scan unread messages only. Scan only unread messages in the Inbox folder and its subfolders. If you did not select All messages in the Inbox folder, this option is disabled.

4 Under Attachments to scan, choose from these options:

All file types (Default). Scan all files regardless of extension.

Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file.

Select the Default + additional file types option, then click Additions to open the Additional File Types dialog box.

Figure 8-5. Additional File Types

Add the file type extensions that you want to scan in addition to the extensions that are scanned by default. For more information, see Adding file type extensions on page 258.

NOTE: You cannot delete file types from the Scanned by default list. If you want to exclude file types from this list, use the Exclusions feature. For more information, see Excluding files, folders and drives on page 262.

Click OK to return to the Detection tab.

Also scan for macro viruses in all attachments. Scan all attachments, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.

NOTE: Scanning for macro viruses in all attachments could affect performance.

Specified file types. Create a list of user-specified file type extensions to be scanned during scanning operations. You can also use this feature to remove any of the user-specified file type extensions you added previously.

Select the Specified file types option, then click Specified to open the Specified File Types dialog box.

Figure 8-6. Specified File Types

Specify the file type extensions that you want to scan. For more information, see Specifying user-defined file types on page 260.

Click OK to return to the Detection tab.

NOTE: Excluding file types is not supported for e-mail scanning.

5 Click Apply to save these settings.

Advanced properties

Use the options on the Advanced tab to specify advanced scanning properties, such as scanning for unknown program viruses, compressed files, and e-mail message bodies.

1 Open either the On-Delivery Scan Properties dialog box from the VirusScan Console or open the On-Demand E-mail Scan Properties dialog box using the method that applies to the e-mail client that you are using:

When using Microsoft Outlook, use one of these methods:

Select E-mail Scan Properties from the Tools menu.

Click in the Outlook or Lotus Notes toolbar.

NOTE: If the icon is not visible in the Outlook or Lotus Notes toolbar, click on the right side of the standard toolbar, then select the icon.

When using Lotus Notes, select On-Demand Scan Properties from the Actions menu.

NOTE: If you are configuring properties differently for on-delivery e-mail scanning and on-demand e-mail scanning, you will repeat this process for each type of e-mail scanning.

2 Select the Advanced tab.

3 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that the code is a variant of a known virus. Select any combination of these options:

Find unknown program viruses (Default). When the scanner finds executable files that have code resembling a virus, treat as if they were infected. The scanner applies the action you choose on the Actions tab.

Find unknown macro viruses (Default). When the scanner finds embedded macros that have code resembling a virus, treat as if they were infected. The scanner applies the action you choose on the Actions tab.

NOTE: This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.

Figure 8-7. E-mail Scan Properties — Advanced tab


Find attachments with multiple extensions. When the scanner finds attachments that have multiple extensions, treat as if they were infected. The scanner applies the action you choose on the Actions tab to those files.

When you select this option, the E-mail Scan Warning dialog box appears.

E-mail Scan Warning. Read the warning carefully. Click OK to continue and accept the selection to treat attachments that have multiple extensions as if they were infected, or click Cancel to deselect the option.

4 Under Compressed files, specify which types of compressed files you want the scanner to examine. You have these options:

Scan inside archives (Default). Examine archive files and their contents. An archive file is a compressed file and the files within it must be extracted before they can be accessed. Files contained inside archives are scanned when they are written to disk.

Decode MIME encoded files (Default). Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.

NOTE: Although it provides better protection, scanning compressed files can increase the amount of time required to perform a scanning activity.

5 Under E-mail message body, select Scan e-mail message body (Default). If you deselect this option, e-mail message bodies are not scanned.

NOTE: This option is not supported for Lotus Notes.

6 Click Apply to save these settings.

Figure 8-8. E-mail Scan Warning
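The two Advanced-tab checks described above (decoding MIME parts, then testing attachment names for multiple extensions), as an added Python illustration that is not VirusScan Enterprise code. The definition of an extension, the function names and the sample message are assumptions constructed for this example.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Assumption: an "extension" is a dot-separated suffix of 1-5 letters or digits.
EXT_RE = re.compile(r"[A-Za-z0-9]{1,5}")


def extension_chain(filename):
    """Return the trailing run of extension-like suffixes, lowercased."""
    pieces = filename.strip().rstrip(". ").split(".")
    chain = []
    for piece in reversed(pieces[1:]):   # pieces[0] is the base name
        piece = piece.strip()            # tolerate padding around the dots
        if not EXT_RE.fullmatch(piece):
            break
        chain.append(piece.lower())
    chain.reverse()
    return chain


def scan_message(raw):
    """Decode every MIME part that carries a filename and report on it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()   # RFC 2231 encoded names are decoded here
        if filename is None:
            continue
        data = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
        chain = extension_chain(filename)
        findings.append({
            "filename": filename,
            "extensions": chain,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "multiple_extensions": len(chain) > 1,
        })
    return findings


def build_sample():
    """Constructed sample message; every address, name and payload is made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Body text.")
    msg.add_attachment(b"MZ constructed bytes", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    msg.add_attachment(b"\x1f\x8b constructed", maintype="application",
                       subtype="gzip", filename="archive.tar.gz")
    # A non-ASCII name is RFC 2231 encoded on the wire, so it must be
    # decoded before the extension test can see it.
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename="r\u00e9sum\u00e9.doc.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample()):
        verdict = "FLAG" if f["multiple_extensions"] else "ok  "
        print(verdict, f["filename"], f["extensions"], f["size"], "bytes")
```

Under this definition the legitimate name archive.tar.gz is flagged along with invoice.pdf.exe, which is the kind of false positive to weigh before treating every such attachment as infected.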


Actions properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.

1 Open either the On-Delivery Scan Properties dialog box from the VirusScan Console or open the On-Demand E-mail Scan Properties dialog box using the method that applies to the e-mail client that you are using:

When using Microsoft Outlook, use one of these methods:

Select E-mail Scan Properties from the Tools menu.

Click in the Outlook or Lotus Notes toolbar.

NOTE: If the icon is not visible in the Outlook or Lotus Notes toolbar, click on the right side of the standard toolbar, then select the icon.

When using Lotus Notes, select On-Demand Scan Properties from the Actions menu.

NOTE: If you are configuring properties differently for on-delivery e-mail scanning and on-demand e-mail scanning, you will repeat this process for each type of e-mail scanning.


2 Select the Actions tab.

3 Under Primary Action, select the first action you want the scanner to take when a virus is detected.

Click to select one of these actions:

Clean attachments (Default). The scanner tries to remove the virus from the infected attachment. If the scanner cannot, or if the virus has damaged the attachment beyond repair, the scanner performs the secondary action. See Step 4 for more information.

Prompt for action. Prompt the user for action when a virus is detected. If you select this option, you can also select which actions are allowed under Allowed action in Prompt dialog box.

No secondary action is allowed for this option.

Continue scanning. Continue scanning when an infected attachment is found.

No secondary action is allowed for this option.

Move attachments to a folder. The scanner moves infected attachments to the quarantine folder you specified under Move To Folder.

Figure 8-9. E-mail Scan Properties — Actions tab


Delete attachments. The scanner deletes infected attachments as soon as it detects them. Be sure to enable Log to file on the Reports tab, so that you have a record of which attachments are infected.

If you select this option, you are required to confirm your selection.

4 Under Secondary Action, select the next action you want the scanner to take if the first action fails.

Click to select one of these actions:

Move attachments to a folder (Default). The scanner moves infected attachments to the quarantine folder you specified under Move To Folder.

Prompt for action. If you select this option, you can also select which actions are allowed under Allowed action in Prompt dialog box.

Continue scanning. Continue scanning when an infected attachment is found.

Clean attachments. The scanner tries to remove the virus from the infected attachment.

Delete attachments. The scanner deletes infected attachments as soon as it detects them. Be sure to enable Log to file on the Reports tab, so that you have a record of which attachments are infected.

5 Under Move To Folder, accept the default location and name for the quarantine folder, type a path to a different location, or click Browse to locate a suitable folder on your local drive.

The default location for the quarantine folder varies depending on whether you are using Microsoft Outlook or Lotus Notes. When using Microsoft Outlook, the quarantine folder is located in the Microsoft Outlook mailbox. When using Lotus Notes, the quarantine folder is in the file system.

NOTE: The quarantine folder must not be located on a floppy drive or CD drive. It must be located on a hard drive.

6 Under Allowed actions in Prompt dialog box, select from these options:

Clean file. Allow the infected file to be cleaned.

Delete file. Allow the infected file to be deleted.

Move file. Allow the infected file to be moved.

7 Click Apply to save these settings.


Alerts properties

Use the options on the Alerts tab to configure how to warn users that an infected e-mail message or attachment has been detected.

1 Open either the On-Delivery Scan Properties dialog box from the VirusScan Console or open the On-Demand E-mail Scan Properties dialog box using the method that applies to the e-mail client that you are using:

When using Microsoft Outlook, use one of these methods:

Select E-mail Scan Properties from the Tools menu.

Click in the Outlook or Lotus Notes toolbar.

NOTE: If the icon is not visible in the Outlook or Lotus Notes toolbar, click on the right side of the standard toolbar, then select the icon.

When using Lotus Notes, select On-Demand Scan Properties from the Actions menu.

NOTE: If you are configuring properties differently for on-delivery e-mail scanning and on-demand e-mail scanning, you will repeat this process for each type of e-mail scanning.


2 Select the Alerts tab.

3 Under E-mail alert, select Send alert mail to user to notify the mail sender and another user when an infected mail message is detected, then click Configure to open the Send Mail Configuration dialog box.

Type the required information in the To, Cc, Subject, and Virus Information sections, then click OK.

Figure 8-10. E-mail Scan Properties — Alerts tab

Figure 8-11. E-mail Scan — Send Mail Configuration


4 Click Apply to save these settings.

5 Under If Prompt for Action is selected, specify how you want to notify users when an infected e-mail is detected. You have these options:

Display custom message (Default). Notify the user with a custom message. If you select this option, you can accept the default message or type the custom message in the text box.

The default message is McAfee VirusScan Enterprise E-mail Scanner Alert!

NOTE: If you do not select this option, VirusScan Enterprise displays action suggestions based on detection types.

6 Click Apply to save these settings.

Unwanted programs properties

Use the options on the Unwanted Programs tab to enable the Unwanted Programs Policy you configured in the Console, and specify the primary and secondary actions you want the scanner to take when it detects an unwanted attachment.

The actual detection and subsequent cleaning of unwanted attachments is determined by the DAT file, just as it is for a virus. If you detect an attachment and the primary action is set to Clean, the DAT file tries to clean the attachment using the information in the DAT file. If the detected attachment cannot be cleaned, or is not in the DAT file, for example a user-defined program, the clean action fails and the secondary action is taken.

1 Open either the On-Delivery Scan Properties dialog box from the VirusScan Console or open the On-Demand E-mail Scan Properties dialog box using the method that applies to the e-mail client that you are using:

When using Microsoft Outlook, use one of these methods:

Select E-mail Scan Properties from the Tools menu.

Click in the Outlook or Lotus Notes toolbar.

NOTE: If the icon is not visible in the Outlook or Lotus Notes toolbar, click on the right side of the standard toolbar, then select the icon.

When using Lotus Notes, select On-Demand Scan Properties from the Actions menu.

NOTE: If you are configuring properties differently for on-delivery e-mail scanning and on-demand e-mail scanning, you will repeat this process for each type of e-mail scanning.


2 Select the Unwanted Programs tab.

3 Under Detection, select Detect unwanted programs.

WARNING: This option must be selected to enable the Unwanted Programs Policy you configured in the Console, or the e-mail scanner will not detect unwanted attachments.

4 Under Primary Action, select the first action that you want the scanner to take when an unwanted attachment is detected.

Click to select one of these actions:

Prompt for action (Default). If you select this option, the options you selected under Allowed actions in Prompt dialog box on the Actions tab apply here as well.

Continue scanning. Continue scanning when an unwanted attachment is found.

No secondary action is allowed for this option.

Figure 8-12. E-mail Scan — Unwanted Programs tab


Clean attachments. The scanner tries to remove the virus from the unwanted attachment. If the scanner cannot, or if the virus has damaged the unwanted attachment beyond repair, the scanner performs the secondary action. See Step 5 for more information.

Move attachments to a folder. The scanner moves unwanted attachments to a folder that is named quarantine by default. You can change the name of the folder on the Actions tab under Move To Folder.

Delete attachments. The scanner deletes unwanted attachments as soon as it detects them. Be sure to enable the Log to file property on the Reports tab, so that you have a record of which unwanted attachments were detected.

If you select this option, you are required to confirm your selection.

5 Under Secondary Action, select the next action that you want the scanner to take if the first action fails. The available options depend on the primary action you selected.

Click to select the secondary action:

Prompt for action (Default). If you select this option, you can also select what actions are allowed in addition to Stop and Continue on the Actions tab.

Continue scanning. Continue scanning when an unwanted attachment is found.

Move files to a folder. The scanner moves unwanted attachments to a folder that is named quarantine by default. You can change the name of the folder in the Quarantine Folder text box on the General Settings, General tab.

Delete files.

If you select this option, you are required to confirm your selection.

6 Click Apply to save these settings.


Reports properties

Use the options on the Reports tab to specify whether to record activity in a log file and configure the location, size limit, and format of the log file.

NOTE: The log file can serve as an important management tool for tracking virus activity on your network and for noting which settings you used to detect and respond to any virus that the scanner found. The incident reports recorded in the file can help you determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer. See Viewing e-mail scan results on page 176 for more information.

1 Open either the On-Delivery Scan Properties dialog box from the VirusScan Console or open the On-Demand E-mail Scan Properties dialog box using the method that applies to the e-mail client that you are using:

When using Microsoft Outlook, use one of these methods:

Select E-mail Scan Properties from the Tools menu.

Click in the Outlook or Lotus Notes toolbar. If the icon is not visible in the Outlook or Lotus Notes toolbar, click on the right side of the standard toolbar, then select the icon.

When using Lotus Notes, select On-Demand Scan Properties from the Actions menu.

NOTE: If you are configuring properties differently for on-delivery e-mail scanning and on-demand e-mail scanning, you will repeat this process for each type of e-mail scanning.


2 Select the Reports tab.

3 Under Log file, select from these options:

Log to file (Default). Record e-mail scanning virus activity in a log file.

In the text box, accept the default log file name and location, type a different name and location, or click Browse to locate a file elsewhere on your computer or network.

By default, the scanner writes log information to either the EMAILONDELIVERYLOG.TXT or the EMAILONDEMANDLOG.TXT file in this folder:

<drive>:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\

This location may vary depending on what operating system you are using.

Figure 8-13. E-mail Scan Properties — Reports tab


Limit size of log file (Default). Select this option, then specify the maximum size for the log file.

Maximum log file size. Accept the default size (1MB) or set a different size for the log between 1MB and 999MB.

NOTE: If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.

Format. Select the format of the log file: Unicode (UTF8) (Default), Unicode (UTF16), or ANSI.

NOTE: The format you choose depends on how important file size and data integrity are. ANSI format is usually the smallest file, which may work well if you are storing western text (every character is one byte) but may not work well with eastern text (every character is one or two bytes). If you are sharing information within a multi-national organization, we recommend using one of the Unicode formats, either UTF8 or UTF16.

View Log. View the existing log file.

4 Under What to log in addition to virus activity, select the additional information to record in the log file:

Session settings. Record the properties that you chose for each scanning session in the log file.

Session summary (Default). Summarize the scanner’s actions during each scanning session and add the information to the log file. Summary information includes the number of files scanned, the number and type of viruses detected, the number of files moved, cleaned, or deleted, and other information.

Failure to scan encrypted files (Default). Record the name of encrypted files that the scanner failed to scan in the log file.

User name (Default). Record the name of the user logged on to the computer at the time the scanner records each log entry in the log file.

5 Click Apply to save these settings.
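A model of the size limit and format settings above, added here to show how many entries survive once the log starts trimming; it is not VirusScan Enterprise code. Assumptions: one entry is one CRLF-terminated line, one trim removes the oldest 20 percent of entries when the next entry would exceed the limit, ANSI is modeled as Windows-1252, and the sample entry is constructed.

```python
from collections import deque

# Log formats named on the Reports tab, mapped to Python codecs.
# Assumption: "ANSI" is modeled as Windows-1252; the real code page depends on the system.
CODECS = {"ANSI": "cp1252", "UTF8": "utf-8", "UTF16": "utf-16-le"}

DEFAULT_MAX_BYTES = 1024 * 1024          # the guide's default limit of 1MB

# Constructed entry: 98 ASCII characters, 100 bytes with CRLF in UTF8 or ANSI.
SAMPLE_ENTRY = "constructed log entry".ljust(98, ".")


def entry_bytes(entry, fmt):
    """Size on disk of one entry plus its line ending, in the chosen format."""
    return len((entry + "\r\n").encode(CODECS[fmt], errors="replace"))


def lost_characters(entry, fmt):
    """Count characters that do not survive a round trip through the format."""
    codec = CODECS[fmt]
    back = entry.encode(codec, errors="replace").decode(codec, errors="replace")
    return sum(1 for a, b in zip(entry, back) if a != b)


class TrimmedLog:
    """Size-limited log that drops its oldest 20 percent of entries on overflow."""

    def __init__(self, max_bytes=DEFAULT_MAX_BYTES, fmt="UTF8"):
        self.max_bytes = max_bytes
        self.fmt = fmt
        self.entries = deque()           # (sequence number, size in bytes)
        self.size = 0
        self.next_seq = 0
        self.trims = 0

    def append(self, entry):
        n = entry_bytes(entry, self.fmt)
        if self.entries and self.size + n > self.max_bytes:
            drop = max(1, len(self.entries) // 5)    # oldest 20 percent
            for _ in range(drop):
                _, old = self.entries.popleft()
                self.size -= old
            self.trims += 1
        self.entries.append((self.next_seq, n))
        self.size += n
        self.next_seq += 1


def simulate(entry, count, max_bytes=DEFAULT_MAX_BYTES, fmt="UTF8"):
    """Write `count` copies of `entry`; report what is still in the log."""
    log = TrimmedLog(max_bytes, fmt)
    for _ in range(count):
        log.append(entry)
    return {
        "retained": len(log.entries),
        "oldest_seq": log.entries[0][0],   # first entry still available for review
        "trims": log.trims,
    }


if __name__ == "__main__":
    for fmt in ("ANSI", "UTF8", "UTF16"):
        print(fmt, entry_bytes(SAMPLE_ENTRY, fmt), "bytes/entry",
              simulate(SAMPLE_ENTRY, 10486, fmt=fmt))
    name = "\u8acb\u6c42\u66f8.pdf"        # constructed non-Western file name
    print("characters lost in ANSI:", lost_characters(name, "ANSI"))
```

In this model the same 10,486 entries leave 8,389 in a 1MB UTF8 log but only 4,198 in a UTF16 log, so the format choice also decides how far back the log reaches.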


Running the on-demand e-mail task

To run an on-demand e-mail task:

1 Start Microsoft Outlook or Lotus Notes, then select the method for the e-mail client that you are using:

When using Microsoft Outlook, use one of these methods:

Select Scan for viruses from the Tools menu.

Click in the Outlook toolbar.

NOTE: If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.

When using Lotus Notes, select Scan open database(s) from the Actions menu. All open local Notes databases are scanned.

The On-Demand E-mail Scan dialog box appears when the scan starts.

2 You can stop, pause, and start the scan.

3 Close the dialog box when the on-demand e-mail scan completes.

Figure 8-14. On-Demand E-mail Scan


Viewing e-mail scan results

You can view the results from your scanning operation in the statistics summary and the activity log.

These topics are included in this section:

On-delivery e-mail scan results

On-demand e-mail scan results

On-delivery e-mail scan results

View on-delivery e-mail scanning results in these dialog boxes:

Scan statistics

Activity log

Scan statistics

The On-Delivery E-mail Scan Statistics summary shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console, then use either of these methods to open the On-Delivery E-mail Scan Statistics dialog box:

Highlight the e-mail scan task in the task list, then select Statistics from the Task menu.

Right-click the e-mail scan task in the task list and select Statistics.

The On-Delivery E-mail Scan Statistics dialog box shows the Last attachment scanned in the upper pane, and a statistical summary in the lower pane.

If your scan is still in progress, it shows the file that the scanner is currently examining, and the status of the scan operation.

Figure 8-15. On-Delivery E-mail Scan Statistics


2 If you have administrator rights, you can disable or enable the on-access scanner and configure e-mail scanning properties from this dialog box. Type the password if it is required.

Click Disable to deactivate the e-mail scanner. This function toggles between Disable and Enable.

Click Properties to open the On-Delivery E-mail Scan Properties dialog box, change the scan properties you want to modify, then click Apply to save these settings. If you change the properties, the scan runs with your new settings immediately.

NOTE: The Disable and Properties buttons are hidden if the user interface is configured to show minimal menu options on the Tools|User Interface Options|Display Options tab.


3 When you have finished viewing scan statistics, click Close.

Activity log

The on-delivery scan activity log shows specific details about the scanning operation. For example, it shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Use either of these methods to open the activity log file:

Highlight the e-mail scan task, then select Activity Log from the Task menu.

Right-click the e-mail scan task in the task list and select View Log.

From the On-delivery Scan Properties Reports tab, click View Log.

3 To close the activity log, select Exit from the File menu.


On-demand e-mail scan results

View the results from your scanning operation in the On-Demand E-Mail Scan dialog box while the scan is running, or in the activity log after the scan completes.

These topics are included in this section:

Viewing results from the On-Demand Scan dialog box

Viewing results in the activity log

Viewing results from the On-Demand Scan dialog box

View the results from your scanning operation in the On-Demand E-Mail Scan dialog box while the scan is running or upon completion. The information varies depending on whether you are using Microsoft Outlook or Lotus Notes.

When using Microsoft Outlook, the On-Demand E-Mail Scan dialog box displays Name, In Folder, Subject, From, Detected As, and Status.

When using Lotus Notes, the On-Demand E-Mail Scan dialog box displays Name, In Database, Note Id, Detected As, Detection Type, and Status.

Figure 8-16. Lotus Notes scan


Viewing results in the activity log

View the results of the on-demand e-mail scan activity in the log file.

1 Open the on-demand e-mail scan activity log using one of these methods:

From the On-Demand E-mail Scan Properties dialog box, on the Reports tab, click View Log.

Navigate to the EMAILONDEMANDLOG.TXT file in this location:

<drive>:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\

NOTE: This location may vary depending on what operating system you are using.

2 To close the activity log, select Exit from the File menu.


9

Virus Alerting

VirusScan Enterprise software provides several methods for informing you of the progress and outcome of scanning activities. For example, you can review the results of any scan after it has concluded by examining the activity log. You can also see the results of all scans on the VirusScan Console. But neither of these methods notifies you immediately when the scanner detects a virus on the computer. Although the console also includes a real-time display of scanning activities, it is not practical to be watching the screen at all times. Providing you with immediate notification that a virus has been detected is the function of Alert Manager, a discrete component that is incorporated into VirusScan Enterprise software and other Network Associates client/server security and management solutions.

Alert Manager handles alerts and events generated by your anti-virus software in real time. In a typical configuration, Alert Manager resides on a central server and listens for alerts sent to it by client or server anti-virus software applications on the network. This client software can be workstation or server applications. Alert Manager allows you to configure two basic aspects of alerting:

Where and how alerts are sent.

What the alert message is.

See the Alert Manager Product Guide for more detailed information.

These topics are included in this section:

Configuring Alert Manager

Configuring recipients and methods

Customizing alert messages


Configuring Alert Manager

Use the options on the Alert Properties dialog box to determine when and how you are notified when the scanner detects a virus.

These topics are included in this section:

Alert properties

Alert filtering properties

Alert properties

To open the Alert Properties dialog box:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Select Alerts from the Tools menu.

3 Select the Alert Manager Alerts tab.

Figure 9-1. Alert Manager Alerts


4 Under Which components will generate alerts, select the components that you want to communicate with Alert Manager. Choose any combination of these options:

On-Access Scan (Default).

On-Demand Scan and scheduled scans (Default).

AutoUpdate (Default).

5 Under Alert Manager destination selection, click Destination to open the Alert Manager Client Configuration dialog box.

You can disable or enable the alerting feature, determine which method of alerting to use when an event occurs, and specify which server receives alerts.

Figure 9-2. Alert Manager Client Configuration


a Under Alerting Options, specify the alerting method that meets your needs:

Disable Alerting. Do not send an alert when an event occurs.

Enable Alert Manager alerting (Default). Activates the Alert Manager alerting method.

Configure. If you selected Enable Alert Manager alerting, click Configure to open the Select Alert Manager Server dialog box.

Under Destination for Alerts, type the location for the Alert Manager Server to receive alerts, or click Browse to navigate to the location.

Click OK to save these settings and return to the Alert Manager Client Configuration dialog box.

Enable Centralized alerting. Activates the Centralized alerting method. Centralized alerting provides an alternative to using regular Alert Manager messages. See Using centralized alerting on page 212 for more information.

Due to security issues with shared folders, McAfee Security recommends that you do not use centralized alerting.

Figure 9-3. Select Alert Manager Server


Configure. If you selected the option to Enable Centralized alerting, click Configure to open the Central Alerting Configuration dialog box.

Under Destination for Alerts, type the location for the Central Alerting Shared Directory, or click Browse to navigate to the location.

Click OK to save these settings and return to the Alert Manager Client Configuration dialog box.

b Click OK to save these settings and return to the Alert Properties dialog box.

6 Under Configure the selected Alert Manager:

a Click Alert Messages to configure the Alert Manager Messages. See Customizing alert messages on page 214 for detailed instructions.

b Click Recipients to configure the Alert Manager Properties. See Configuring recipients and methods on page 187 for detailed instructions.

c Click Alert Messages to configure the Alert Manager Messages. See Customizing alert messages on page 214 for detailed instructions.

d When you have finished configuring Alert Manager Properties and Alert Manager Messages, click OK to close the Alert Properties dialog box.

NOTE: The buttons are disabled if Alert Manager is not installed.

Figure 9-4. Centralized Alerting Configuration


Alert filtering properties

Use the options on the Additional Alerting Options tab to limit alert traffic and configure filters for locally generated alerts. This allows you to configure local alerting without installing Alert Manager on all computers.

1 Select Alerts from the Tools menu.

2 Select the Additional Alerting Options tab.

3 Under Alert Filters, choose from these options:

Don’t filter alerts. Send all alerts.

Suppress informational alerts. Suppresses informational alerts with a severity of less than one.

Suppress informational and warning alerts. Suppresses informational and warning alerts with a severity of less than two.

Suppress informational, warning, and low. Suppresses informational, warning, and low severity alerts with a severity of less than three.

Suppress all except severe alerts. Suppresses all alerts except those with a severity of more than four.

Suppress all alerts. Do not send any alerts.

Figure 9-5. Additional Alerting Options


4 Under Local Alerting, specify which alerts to send locally.

Log to local application event log.

Send SNMP trap using SNMP service. If you are using SNMP, you can send SNMP trap alerts.

5 Click Apply to save these settings.

Configuring recipients and methods

The Alert Manager component allows you to configure the recipients of alert messages sent out by Alert Manager, and the method by which recipients receive alert messages. Recipients can be e-mail addresses or computers on your network. The notification methods can include e-mail messages or network messages.

To configure the recipients for an alert method:

1 Click Start on the Windows desktop, then select Programs | Network Associates | Alert Manager Configuration to open the Alert Manager Properties dialog box.

2 Select the appropriate tab for a given alert method, such as Logging.

3 Configure the recipients that you want to receive alert notifications using that alert method.

Figure 9-6. Alert Manager Properties


4 Click other tabs to configure recipients for any additional alert methods as required.

5 When finished, click OK to save the configurations and close the Alert Manager Properties dialog box.

These topics are included in this section:

Adding alert methods on page 188.

Viewing the Summary page on page 191.

Forwarding alert messages to another computer on page 192.

Sending an alert as a network message on page 196.

Sending alert messages to e-mail addresses on page 198.

Sending alert messages to a printer on page 202.

Sending alert messages via SNMP on page 204.

Launching a program as an alert on page 205.

Logging alert notifications in an event log on page 208.

Sending a network message to a terminal server on page 210.

Using centralized alerting on page 212.

Adding alert methods

The tabs of the Alert Manager Properties dialog box allow you to configure alerting methods. As you add each new method to your configuration, you have two options:

Sending a test message.

Setting the alert priority level for recipients.


Sending a test message

When adding new alert notification recipients, such as a network computer or an e-mail address, you can test whether the destination can receive the message.

To send the selected destination a test message when configuring that method, click Test. The message should appear at the configured destination if all is configured correctly.

NOTE: An e-mail alert may take some time to reach its destination, depending on both your SMTP server and the receiving e-mail server.

Test messages that do not reach the target

If the target does not receive the message, review and confirm these items:

Any communication service required to implement the selected alerting method, such as e-mail or SNMP, is enabled.

Any device required to transmit or receive the message, for example a modem or pager, exists and is operational.

Any program that is to be executed in response to virus detection is located at the path specified and is installed properly.

Any destination printer or computer that you have targeted exists on your network.

Your network is functioning properly.

The configuration information you have provided is accurate and complete. Some property pages include secondary pages. For example, the E-Mail Properties page links to a Mail Settings page. Be certain to review the information on these secondary pages as well.

If you installed Alert Manager using an account and password, make sure that the specified account has sufficient rights for the action you are trying to perform.

Setting the alert priority level for recipients

You can specify a priority level for each recipient that you add to your Alert Manager configuration. Alert Manager only sends alert notifications of that priority level or higher to the specified recipient.


Setting a priority level is useful for filtering alert notifications. For example, you may want to record alert messages of all priority levels to a computer’s event log using the Logging tab of the Alert Manager Properties dialog box (see Logging alert notifications in an event log on page 208). However, you may want Alert Manager to send only serious alert notifications to a network administrator’s pager via e-mail. To do this, set separate priority thresholds for your logging and e-mail recipients.

To set the alert priority level for a specific recipient:

1 On the Properties dialog box for an alert method, click the Priority Level button.

2 In the Priority Level dialog box, drag the slider right or left to set the priority level.

Drag to the right to send the recipient fewer, higher priority messages. Drag the slider to the left to send the recipient more alert messages, including lower priority messages.

3 Click OK to save the priority settings.

NOTE: On the Priority Level dialog box, you can specify the priority level for specific recipients, such as a computer on a network or an e-mail address. However, you cannot set the priority of individual alert messages here. For information on setting the priority levels of individual alert messages, see Customizing alert messages on page 214.

Figure 9-7. Priority Level


Viewing the Summary page

The Summary tab of the Alert Manager Properties dialog box lists the recipients to which Alert Manager sends any alert notifications it receives. Recipients are grouped by alert method, such as E-mail, Logging, and Network Message.

Click next to each alert method to display the recipient computers, printers, or e-mail addresses. To remove an alert notification recipient, select it, then click Remove. To change the configuration options for a listed recipient, select it, then click Properties to open the Properties dialog box for that alert method.

When you install Alert Manager, it is by default configured to send network messages to the computer on which it is installed and to log alert notifications in that computer’s event log. If you have not yet configured Alert Manager to send alert notifications to any recipients, the Summary tab displays only these two methods. Alert Manager sets priority levels for these two default methods to send alert notifications of all priorities except for the lowest, Informational. See Setting the alert priority level for recipients on page 189 for details on priority.

The following sections describe the options available for each method.

Figure 9-8. Alert Manager Properties — Summary tab


Forwarding alert messages to another computer

Alert Manager can forward the alert messages received from McAfee Security anti-virus products to another computer on your network that has Alert Manager installed. Typically, you would forward messages to another Alert Manager server for further distribution.

NOTE: Alert Manager can only forward alert notifications to, and receive alerts forwarded from, servers running the same version of Alert Manager. Forwarding alert notifications between servers running older versions of Alert Manager is not supported.

Forwarding alerts in a large organization

In a large organization you can use the forwarding feature to send alert notifications to a central notification system or to an MIS (Management Information System) department for tracking virus statistics and problem areas. Also, large organizations tend to be spread out geographically, often with offices in several countries. In this case, you may want to use a single Alert Manager installed on a local server to handle alerting for that local subnetwork. You can then configure that local Alert Manager server to forward high priority alert notifications to another server in another part of your network for further distribution.


This diagram shows what happens when alerts are forwarded to another Alert Manager server:

Configure the local Alert Manager to forward alerts to the computer on which the second Alert Manager is installed, then configure the second Alert Manager to distribute alert notifications as desired. See Configuring alert forwarding options on page 194 for instructions.

Figure 9-9. Forward alerts to another Alert Manager


Forwarding alerts in a small organization

In a small organization, forwarding can also be useful. For example, suppose you want to send all high priority alert notifications to a specific pager via e-mail, but only one server on your network has direct Internet access.

To satisfy this requirement:

1 Configure Alert Manager on each Alert Manager server to forward high priority alert messages to the modem-equipped computer.

2 Configure Alert Manager on the modem-equipped computer to send high priority messages to the target pager’s e-mail address.

Configuring alert forwarding options

To configure forwarding options:

1 From the Alert Manager Properties dialog box, select the Forward tab.

The Forward page appears with a list of all of the computers you have chosen to receive forwarded messages. If you have not yet chosen a destination computer, this list is blank.

Figure 9-10. Alert Manager Properties — Forward tab


2 To update this list, you can do any of the following:

To add a computer, click Add to open the Forward Properties dialog box, then type the name of the computer that receives forwarded messages. You can type the computer name in Universal Naming Convention (UNC) notation, or click Browse to locate the computer on the network.

To remove a listed computer, select one of the destination computers listed, then click Remove.

To change configuration options, select one of the destination computers listed, then click Properties. Alert Manager opens the Forward Properties dialog box. Type the name of the computer to which you want Alert Manager to forward messages, or click Browse to locate the computer on the network.

3 Click Priority Level to specify which types of alert messages the destination computer receives. See Setting the alert priority level for recipients on page 189.

4 Click Test to send the destination computer a test message. See Sending a test message on page 189.

5 Click OK to return to the Alert Manager Properties dialog box.

Figure 9-11. Forward Properties


Sending an alert as a network message

Alert Manager can send alert messages to other computers. A standard message appears as a pop-up message on the recipient’s computer screen and requires the recipient to acknowledge it.

It is not necessary for the recipient computers to have Alert Manager installed. However, you might need to have the appropriate messaging client software for your operating system running on the recipient computer. This messaging software is always pre-installed on newer versions of the Windows operating system, such as Windows NT, Windows 2000, and Windows XP. It is usually running by default.

To configure Alert Manager to send alert notifications as network messages:

1 Open the Alert Manager Properties dialog box.

2 Select the Network Message tab. The Network Message page appears with a list of the computers that you have configured to receive a network message. If you have not yet chosen a recipient computer, this list is blank.

Figure 9-12. Alert Manager Properties — Network Message tab


3 To update this list, you can do any of the following:

To add a computer, click Add to open the Network Message Properties dialog box. Specify a recipient computer by either typing the name of the computer directly into the Computer text box in UNC format, or by selecting Browse to locate the computer on the network.

To remove a listed computer, select one of the recipient names listed, then click Remove.

To change configuration options, select one of the recipient names listed, then click Properties to open the Network Message Properties dialog box. Change the information in the Computer text box as necessary.

4 Click Priority Level to specify which types of alert messages the recipient receives. See Setting the alert priority level for recipients on page 189.

5 Click Test to send the recipient a test message. See Sending a test message on page 189.

6 Click OK to return to the Alert Manager Properties dialog box.

Figure 9-13. Network Message Properties


Sending alert messages to e-mail addresses

Alert Manager can send alert messages to a recipient’s e-mail address via Simple Mail Transfer Protocol (SMTP). Alert messages appear in the recipient’s mailbox. If your message is urgent, you can supplement an e-mail message with other methods, such as network messages, to ensure that your recipient sees the alert in time to take appropriate action.

NOTE: An e-mail alert may take some time to reach its destination, depending on both your SMTP server and the receiving e-mail server.

To configure Alert Manager to send e-mail alert notifications to recipients:

1 Open the Alert Manager Properties dialog box.

2 Select the E-Mail tab.

The E-Mail page appears with a list of the e-mail addresses that you have chosen to receive alert messages. If you have not yet chosen an e-mail address, this list is blank.

Figure 9-14. Alert Manager Properties — E-Mail tab


3 To update this list, you can do any of the following:

To add an e-mail address to the list, click Add to open the E-Mail Properties dialog box. Type the e-mail address for your alert notification recipient in the Address text box, type a subject in the Subject text box, then type your e-mail address in the From text box. Use the standard Internet address format <username>@<domain>, such as [email protected].

To control the truncation of longer messages, for example, a message containing a long file and path name, append the address with a “*”, like this: [email protected]*. For more information, see Forcing truncation of messages sent to specific e-mail addresses on page 201.

To remove a listed address, select one of the e-mail addresses listed, then click Remove.

To change configuration options, select one of the e-mail addresses listed, then click Properties to open the E-Mail Properties dialog box. Change the information in the text boxes as necessary.

Figure 9-15. E-Mail Properties


4 Click Mail Settings to specify the network server you use to send Internet mail via SMTP.

WARNING: Do not skip this step. You must click Mail Settings and specify an SMTP server to be able to send e-mail alert notifications. After configuring your SMTP mail settings the first time, you are not required to configure them again unless your SMTP mail server information changes.

a In the dialog box that appears, type the mail Server. You can type the server name as an Internet Protocol (IP) address, as a name your local domain name server can recognize, or in Universal Naming Convention (UNC) notation.

b If your SMTP server requires it, type a Login name to use for the mail server.

NOTE: Only type a login name in the Login field if your SMTP mail server is configured to use a login. Review your SMTP configuration to determine if this is required. Typing a login name here when your mail server is not configured to use it may cause problems with e-mail alerting.

c Click OK to return to the E-Mail Properties dialog box.

5 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 189.

Figure 9-16. SMTP Mail Settings


6 Click Test to send the recipient computer a test message. See Sending a test message on page 189.

7 If the test message is successful, click OK to return to the Alert Manager Properties dialog box.

Forcing truncation of messages sent to specific e-mail addresses

Alert notification messages can become long, particularly when containing %FILENAME% system variables populated with file names containing long path information. Alert messages containing long file names and path information can be confusing and inconvenient. For example, when e-mail messages are sent to a pager, some pager services truncate long messages abruptly, potentially removing important information from the message. On the other hand, if a pager does receive a long message, the recipient might be required to scroll through lines of path information in a file name to get to the critical information contained in the alert.

You have two options for managing long messages in e-mail alert notifications:

Append e-mail addresses with an asterisk (*), such as [email protected]*. Alert Manager truncates alerts sent to e-mail addresses that are appended with an asterisk according to the current system SMTP message length settings. The default SMTP length is 240 characters.

This is valuable if Alert Manager sends alerts to pagers via e-mail. Some pager services have a short message length limit, for example 200 characters. If a message is intended to be delivered to a pager via an e-mail address, appending the address with an asterisk (*) lets you, rather than a pager company, control where the message is truncated.

You can also edit the message text in the Alert Manager Messages dialog box to ensure important message content is preserved in truncated messages. To do this, you could either abbreviate some parts of the message or move critical information to the beginning of the message, perhaps leaving long file names for the end of the message.
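The effect of both options can be checked before a template goes into production. The following Python model is an added example, not Alert Manager code: it applies the asterisk rule and the 240 and 200 character limits mentioned above to two constructed templates and reports whether the virus name survives the cut. The address, path and template text are constructed, and truncating the message body as a plain character count is an assumption.

```python
# Added example: a model of the truncation rule described in this section.
# It is not Alert Manager code; addresses, paths and templates are constructed.

SMTP_LIMIT = 240   # default SMTP message length given in the guide
PAGER_LIMIT = 200  # the guide's example of a pager service limit


def expand(template, values):
    """Replace %NAME% system variables with the values of one detection."""
    message = template
    for name, value in values.items():
        message = message.replace("%" + name + "%", value)
    return message


def deliver(address, message, limit=SMTP_LIMIT):
    """Apply the asterisk rule: an address ending in '*' gets a message
    cut to `limit` characters; any other address gets the full text."""
    if address.endswith("*"):
        return address[:-1], message[:limit]
    return address, message


def surviving_fields(template, values, limit, critical):
    """Report, per critical variable, whether its full value is still
    present once the expanded message is cut to `limit` characters."""
    body = expand(template, values)[:limit]
    return {name: values[name] in body for name in critical}


def lint_template(template, values, limits, critical=("VIRUSNAME",)):
    """Check one template against several cut-off points at once."""
    return {
        limit: all(surviving_fields(template, values, limit, critical).values())
        for limit in limits
    }


# Constructed worst case: a deeply nested path, 265 characters long.
LONG_PATH = ("C:\\Users\\example\\"
             + "\\".join("nested_folder_%02d" % i for i in range(14))
             + "\\sample.doc")
DETECTION = {"VIRUSNAME": "EICAR test file", "FILENAME": LONG_PATH}

# Two constructed templates: long path first, and critical field first.
PATH_FIRST = "The file %FILENAME% is infected with %VIRUSNAME%."
NAME_FIRST = "%VIRUSNAME% detected. File: %FILENAME%"

if __name__ == "__main__":
    for label, template in (("path first", PATH_FIRST), ("name first", NAME_FIRST)):
        print(label, lint_template(template, DETECTION, (PAGER_LIMIT, SMTP_LIMIT)))
    to, body = deliver("oncall-pager@example.invalid*", expand(NAME_FIRST, DETECTION))
    print(to, len(body), body[:40])
```

With the path-first template the virus name is lost at both limits; with the name-first template only the tail of the file path is cut.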


Sending alert messages to a printer

Alert Manager can send alert notifications to a printer to print hardcopy messages.

To configure Alert Manager to send alert notifications to a print queue:

1 Open the Alert Manager Properties dialog box.

2 Select the Printer tab.

The Printer page appears with a list of all of the printer queues that you have chosen to receive alert messages. If you have not yet chosen a printer queue, this list is blank.

Figure 9-17. Alert Manager Properties — Printer tab


3 To update this list, you can do any of the following:

To add a print queue to the list, click Add to open the Printer Properties dialog box, then type the name of the print queue to which you want to send messages. You can type the print queue name or click Browse to locate the printer on the network.

To remove a listed print queue, select one of the printers listed, then click Remove.

To change configuration options, select one of the printers listed, then click Properties. Alert Manager opens the Printer Properties dialog box. Change the information in the Printer text box as necessary.

4 Click Priority Level to specify which types of alert notifications the recipient printer receives. See Setting the alert priority level for recipients on page 189.

5 Click Test to send the recipient printer a test message. See Sending a test message on page 189.

6 Click OK to return to the Alert Manager Properties dialog box.

Figure 9-18. Printer Properties


Sending alert messages via SNMP

Alert Manager can send alert messages to other computers via the Simple Network Management Protocol (SNMP). To use this option, you must install and activate the Microsoft SNMP service on your computer; see your operating system documentation for details. To view the alert messages that the client anti-virus software sends, you must also have an SNMP management system configured properly with an SNMP viewer. For more information about setting up and configuring your SNMP management system, see the documentation for your SNMP management product.

To configure the scanner to send alert messages via SNMP:

1 Open the Alert Manager Properties dialog box.

2 Select the SNMP tab.

3 Select Enable SNMP traps.

4 If Alert Manager is installed on a computer running the Windows NT 4 operating system, you can click Configure SNMP to display your Windows Network dialog box and configure the Microsoft SNMP service. See your operating system documentation for details.

Figure 9-19. Enable SNMP alerting


5 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 189.

6 Click Test to send the recipient computer a test message via SNMP. See Sending a test message on page 189.

7 Click OK to save these settings and return to the Alert Manager Properties dialog box.

Launching a program as an alert

Whenever Alert Manager receives an alert that a virus has been detected, it can automatically start any executable program on your computer or anywhere on your network. By default, Alert Manager runs VIRNOTFY.EXE, which is installed in your Alert Manager installation folder. VIRNOTFY.EXE displays names of infected files in a scrolling dialog box on the screen of the computer where Alert Manager is installed.

NOTE: Alert Manager only launches a program when it receives alerts specifically pertaining to viruses. The %VIRUSNAME% and %FILENAME% system variables must be present in the alert message. See Using Alert Manager system variables on page 218. Alert Manager does not start a program unless these fields are present in the alert, regardless of the priority level set for the Program method. See Setting the alert priority level for recipients on page 189 for more information about priority levels.


To configure Alert Manager to execute a program when it finds a virus:

1 Open the Alert Manager Properties dialog box.

2 Select the Program tab to open the Program dialog box.

3 Select Execute program.

4 Type the path and file name of the executable program that you want to run when your anti-virus software finds a virus, or click Browse to locate the program file on your computer or network.

Figure 9-20. Alert Manager Properties — Program tab


5 Select one of the following:

To start the program only when your anti-virus software first finds a virus, click First Time.

To start the program every time the scanner finds a virus, click Every Time.

NOTE: If you select First Time, the program you designate starts as soon as the scanner initially encounters a virus. For example, if you designate VirusOne and the scanner finds more than one occurrence of VirusOne in the same folder, it does not start the program again. However, if, after encountering VirusOne, the scanner then encounters a different virus (VirusTwo), then encounters VirusOne again, the program starts in response to each encounter; in this example, three times in a row. Starting multiple instances of the same program might cause your server to run out of memory.

6 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 189.

Remember that the Program method does not run a program unless the alert pertains specifically to viruses. In other words, the alert must contain the %VIRUSNAME% and %FILENAME% system variables. All other alerts, regardless of priority level, are ignored.

7 Click Test to send the recipient computer a test message. See Sending a test message on page 189.
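The launch rules in steps 5 and 6 decide how many copies of the program a burst of detections can start. The following Python model is an added example, not Alert Manager code: it counts launches for the VirusOne/VirusTwo sequence from the note and for an alternating worst case. The alert records are constructed, and reading First Time as "start when the virus name differs from the previous virus alert" is an assumption drawn from the note.

```python
# Added example: a model of the Program method's launch rule as this section
# describes it. It is not Alert Manager code; alert records are constructed.

REQUIRED = ("VIRUSNAME", "FILENAME")  # both must be present for any launch


def is_virus_alert(alert):
    """The Program method ignores alerts that lack either variable."""
    return all(alert.get(name) for name in REQUIRED)


def launches(alerts, mode):
    """Return the alerts that would start the configured program.

    mode "every_time": each virus alert starts the program.
    mode "first_time": a virus alert starts the program only when its virus
    name differs from the previous virus alert (assumed reading of the note).
    """
    if mode not in ("first_time", "every_time"):
        raise ValueError("mode must be 'first_time' or 'every_time'")
    started = []
    previous = None
    for alert in alerts:
        if not is_virus_alert(alert):
            continue  # non-virus alerts never start the program
        name = alert["VIRUSNAME"]
        if mode == "every_time" or name != previous:
            started.append(alert)
        previous = name
    return started


def detection(virus, path):
    """Build one constructed virus alert record."""
    return {"VIRUSNAME": virus, "FILENAME": path}


# The sequence from the note: VirusOne twice, then VirusTwo, then VirusOne.
NOTE_SEQUENCE = [
    detection("VirusOne", r"C:\share\a.doc"),
    detection("VirusOne", r"C:\share\b.doc"),
    detection("VirusTwo", r"C:\share\c.doc"),
    detection("VirusOne", r"C:\share\d.doc"),
]

# A constructed status alert that carries neither variable.
STATUS_ALERT = {"MESSAGE": "Scan completed"}

# Worst case for First Time: two viruses alternating across 100 files.
ALTERNATING = [
    detection("VirusOne" if i % 2 == 0 else "VirusTwo",
              r"C:\share\file%03d.doc" % i)
    for i in range(100)
]

if __name__ == "__main__":
    for mode in ("first_time", "every_time"):
        print(mode,
              len(launches(NOTE_SEQUENCE, mode)),
              len(launches(ALTERNATING, mode)),
              len(launches([STATUS_ALERT], mode)))
```

When two viruses alternate, First Time starts the program as often as Every Time does, so a program configured here should exit quickly rather than wait for user input.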


Logging alert notifications in an event log

Alert Manager can log alert messages to the local event log on your computer or the event log of another computer on your network.

To configure logging options:

1 Open the Alert Manager Properties dialog box.

2 Select the Logging tab.

The Logging dialog box appears with a list of all of the computers you have chosen to receive messages for logging. If you have not yet chosen a recipient computer, this list is blank.

Figure 9-21. Alert Manager Properties — Logging tab


3 To update this list, you can do any of the following:

To add a computer, click Add to open the Logging Properties dialog box, then type the name of the computer that receives forwarded messages in the text box. You can type the computer name in Universal Naming Convention (UNC) notation, or click Browse to locate the computer on the network.

To remove a listed computer, select the computer in the list, then click Remove.

To change configuration options, select one of the recipient computers listed, then click Properties. Alert Manager opens the Logging Properties dialog box. Type the name of the computer to which you want Alert Manager to forward messages for logging. Click Browse to locate the destination computer.

4 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 189.

5 Click Test to send the recipient computer a test message. See Sending a test message on page 189.

6 Click OK to return to the Alert Manager Properties dialog box.

Figure 9-22. Logging Properties


Sending a network message to a terminal server

Alert Manager can send alert messages to a terminal server. Pop-up network messages display to the user whose session originated the alert.

The Alert Manager Properties dialog box only displays the Terminal Server tab if the computer on which Alert Manager is installed is a terminal server.

To configure Alert Manager to send a message to a terminal server:

1 Open the Alert Manager Properties dialog box.

2 Select the Terminal Server tab.

3 To enable terminal server alerting, select Enable alerting to client.

Figure 9-23. Alert Manager Properties — Terminal Server tab


4 Click Test to send the recipient computer a test message. The Select client for test message dialog box appears, listing the current terminal server user sessions for that computer.

5 Select a user from the list and click OK to send that user a test message and return to the Alert Manager Properties dialog box.

6 Click Priority Level to specify which types of alert messages the terminal server users should receive. See Setting the alert priority level for recipients on page 189.

7 Click OK to save the terminal server settings and return to the Alert Manager Properties dialog box.

Figure 9-24. Send a terminal server user a test message


Using centralized alerting

Centralized alerting provides an alternative to using regular Alert Manager messaging. With centralized alerting, alert messages generated by anti-virus software, such as VirusScan, are saved to a shared folder on a server. Then, Alert Manager is configured to read alert notifications from that same folder. When the contents of the shared folder change, Alert Manager sends new alert notifications using whatever alerting methods Alert Manager is already configured to use, such as sending e-mail messages to a pager.

WARNINGDue to security issues with shared folders, McAfee Security recommends that you do not use centralized alerting. Instead, you should configure your client anti-virus software to use the regular Alert Manager alert notification methods.

To configure centralized alerting:

1 Configure the anti-virus software on client computers to send alert messages to the appropriate alert folder. See your anti-virus software documentation for instructions on how to do this.

NOTE: To allow other workstations on your network to send messages to this folder, you must give scan, write, create and modify permissions for this folder to all users and computers. See your operating system documentation for details.

2 Make sure that all your users and computers are able to read and write to this shared alert folder. If the folder is located on a computer running Windows NT, you must properly configure a null session share. See your operating system documentation for details.

3 Configure Alert Manager to monitor the centralized alerting folder for activity. To do this:

a From the Alert Manager Properties dialog box, select the Centralized Alert tab.

b Select Enable centralized alerts.

c Type the location of the alert folder or click Browse to locate a folder elsewhere on your server or on the network. This must be the same folder that your anti-virus software on client computers is using for centralized alerts (see Step 1). The default location of the alert folder is:

C:\Program Files\Network Associates\Alert Manager\Queue\

4 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 189.

5 Click Test to send the recipient computer a test message. See Sending a test message on page 189.

6 Click OK to save your centralized alerting settings and return to the Alert Manager Properties dialog box.

Figure 9-25. Alert Manager Properties — Centralized Alert tab
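The warning about centralized alerting rests on the alert folder being writable by all users and computers. As an added example (not part of the product guide or any McAfee tool), this Python script parses the text printed by the Windows `icacls` command for an alert folder and reports access entries that give broad principals write-capable rights. The sample output is constructed, the list of broad principals is an assumption, and share-level permissions are not covered.

```python
import re

# Principals that effectively mean "all users and computers" (assumption).
# Matched on the account name after any DOMAIN\ prefix, case-insensitively.
BROAD_PRINCIPALS = {"everyone", "anonymous logon", "authenticated users",
                    "users", "domain users", "domain computers", "guests"}
# icacls inheritance annotations; these are not access rights.
NON_RIGHTS = {"OI", "CI", "IO", "NP", "I"}
# icacls rights that let the holder create, change or delete content.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "DE", "GW", "GA"}

# One access entry as icacls prints it: principal:(flag)(flag)(rights)
ACE = re.compile(r"^(?P<who>[^:()]+):(?P<groups>(?:\([^()]*\))+)$")


def parse_icacls(folder, output):
    """Yield (principal, rights, is_deny) for each entry printed for folder."""
    for raw in output.splitlines():
        line = raw.strip()
        # The first entry shares its line with the folder path.
        if line.lower().startswith(folder.lower()):
            line = line[len(folder):].strip()
        match = ACE.match(line)
        if not match:
            continue  # blank lines and the "Successfully processed" summary
        tokens = set()
        for group in re.findall(r"\(([^()]*)\)", match.group("groups")):
            tokens.update(t.strip().upper() for t in group.split(","))
        rights = tokens - NON_RIGHTS - {"DENY"}
        yield match.group("who").strip(), rights, "DENY" in tokens


def risky_aces(folder, output):
    """Return sorted (principal, write_rights) pairs for broad principals."""
    hits = []
    for who, rights, is_deny in parse_icacls(folder, output):
        account = who.split("\\")[-1].lower()
        granted = sorted(rights & WRITE_RIGHTS)
        if account in BROAD_PRINCIPALS and granted and not is_deny:
            hits.append((who, granted))
    return sorted(hits)


# The guide's default alert folder, written without the trailing backslash.
FOLDER = r"C:\Program Files\Network Associates\Alert Manager\Queue"

# Constructed icacls output for a folder opened up for centralized alerting.
SAMPLE = r"""C:\Program Files\Network Associates\Alert Manager\Queue BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    Everyone:(OI)(CI)(M)
    NT AUTHORITY\ANONYMOUS LOGON:(OI)(CI)(RX,W)
    BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, granted in risky_aces(FOLDER, SAMPLE):
        print(f"{who} can write to the alert folder: {', '.join(granted)}")
```

Any entry it reports means that principal can drop or alter files in the folder Alert Manager reads alerts from.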

Customizing alert messages

The Alert Manager Messages Config component allows you to configure the alert messages themselves. You can edit message text and set priority levels for specific alerts.

Alert Manager comes with a wide range of alert messages suited to nearly all of the situations you may encounter when a virus is detected on a computer in your network. The alert messages include a preset priority level and incorporate system variables that identify the infected file and system, the infecting virus, and other information that you can use to get a quick but thorough overview of the situation.

You can enable or disable individual alert messages or change the contents and priority level for any message to meet your individual needs. Because Alert Manager still activates the alert message in response to specific trigger events, you should try to retain the overall sense of any alert messages you choose to edit.

From here, you can do either of the following:

Enabling and disabling alert messages.

Editing alert messages.

Figure 9-26. Alert Manager Messages

Enabling and disabling alert messages

Although Alert Manager can alert you whenever your anti-virus software finds a virus or whenever nearly any aspect of its normal operation changes significantly, you might not want to receive alert messages in each of these circumstances. Use the options in the Alert Manager Messages dialog box to disable specific alert messages that you do not want to receive.

By default, all of the available alert messages are enabled. To enable or disable alert messages:

1 Click Start on the Windows desktop, then select Programs | Network Associates | Alert Manager Messages Config to open the Alert Manager Messages dialog box.

2 Select or deselect the option for any alert messages that you want to enable or disable.

3 Click OK to save these settings and close the Alert Manager Messages dialog box.

Editing alert messages

You can edit alert messages in the following two ways:

Changing alert priority.

Editing alert message text.

Changing alert priority

Some of the alerts that Alert Manager receives from your client anti-virus software require more immediate attention than others. A default priority level is set for each alert message, corresponding to the urgency most system administrators would assign them. You can reassign these priority levels to suit your own needs. Use them to filter the messages that Alert Manager sends to your recipients so your recipients can concentrate on the most important ones first.

To change the priority level assigned to an alert message:

1 On the Alert Manager Messages dialog box (see Customizing alert messages on page 214), click a message in the list to select it.

2 Click Edit to open the Edit Alert Manager Message dialog box.

Figure 9-27. Edit the priority and text of an alert message

3 Choose a priority level from the Priority list. You can assign each alert message a Critical, Major, Minor, Warning, or Informational priority.

The icons shown beside each message listed in the Alert Manager Messages dialog box identify the priority level currently assigned to a message. Each icon corresponds to a choice in the Priority drop-down list. The priority levels are:

Critical

Indicates your anti-virus software detected viruses in files that could not be cleaned, quarantined or deleted.

Major

Indicates either that successful virus detection and cleaning has occurred or that serious errors and problems have occurred that might cause your anti-virus software to stop working. Examples include “Infected file deleted,” “No licenses are installed for the specified product,” or “Out of memory!”

Minor

Indicates lesser detection or status messages.

Warning

Indicates status messages that are more serious than informational messages. These often relate to non-critical problems encountered during scanning.

Informational

Indicates standard status and informational messages. For example, “On-Access scan started” or “Scan completed. No viruses found.”

NOTE: When you reassign the priority for a message, the icon beside it changes to show its new priority status.

4 Click OK.

Filtering messages by priority level

To filter your messages, configure each alert method you have set up in Alert Manager to accept only messages of a certain priority. For example, suppose you want to have Alert Manager page you whenever your client anti-virus software finds a virus on your network, but do not want it to send routine operational messages. To do this, you would assign a Critical or Major priority to virus alerts, and a Minor, Warning, or Informational priority to the routine informational messages. Then, configure Alert Manager to send only high priority messages to the e-mail address that goes to your pager.

See Setting the alert priority level for recipients on page 189 for information about applying priority level filters for specific recipients.

Editing alert message text

To help you respond to a situation that requires your attention, Alert Manager includes enough information in its messages to identify the source of whatever problem it has found and some information about the circumstances in which it found the problem. You can edit the message text as desired. For example, you can add comments to the alert message that describe more about the problem or list support contact information.

NOTE: Although you can edit the alert message text to state what you want, you should try to keep its essence intact because Alert Manager sends each message only when it encounters certain conditions. For example, Alert Manager sends the “task has started” alert message only when it starts a task.

To edit the alert message text:

1 From the Alert Manager Messages dialog box, select the alert message in the list.

2 Click Edit to open the Edit Alert Manager Message dialog box.

3 Edit the message text as desired. Text enclosed in percentage signs, such as %COMPUTERNAME%, represents a variable that Alert Manager replaces with text at the time it generates the alert message. See Using Alert Manager system variables on page 218.

4 Click OK to save these settings and return to the Alert Properties dialog box.

Using Alert Manager system variables

Alert Manager includes system variables that you can use in alert message text. These variables refer to system features such as system date and time, file names, or computer names. When sending alert notifications, Alert Manager dynamically replaces the variable with a specific value.

For example, the major alert Infected file successfully cleaned (1025) listed in the Alert Manager Messages dialog is by default set to the following:

The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. The file was successfully cleaned with Scan engine version %ENGINEVERSION% and DAT version %DATVERSION%.

When this alert is sent to Alert Manager from an anti-virus application, Alert Manager dynamically populates the system variables with real values, for example substituting MYDOCUMENT.DOC for the %FILENAME% variable.

Some of the most commonly-used system variables are:

%DATVERSION% The version of the current DAT files used by the anti-virus software that generated the alert.

%ENGINEVERSION% The version of the current anti-virus engine used by the anti-virus software to detect an infection or other problem.

%FILENAME% The name of a file. This could include the name of an infected file it found, or the name of a file it excluded from a scan operation.

%TASKNAME% The name of an active task, such as an on-access scan or AutoUpdate task in VirusScan. Alert Manager might use this to report the name of the task that found a virus, or the name of a task that reported an error during a scan operation.

%VIRUSNAME% The name of an infecting virus.

%DATE% The system date of the Alert Manager computer.

%TIME% The system time of the Alert Manager computer.

%COMPUTERNAME% The name of a computer as it appears on the network. This could include an infected computer, a computer that reported a device driver error, or any other computer with which the program interacted.

%SOFTWARENAME% The file name of an executable file. This could include the application that detected a virus, an application that reported an error, or any other application with which the program interacted.

%SOFTWAREVERSION% The version number taken from an active software package. This could include the application that detected a virus, an application that reported an error, or any other application with which the program interacted.

%USERNAME% The login name of the user currently logged on to the server. For example, you can use this to identify the user name of the person that cancelled a scan.

WARNING: Be careful when editing message text to include system variables that might not be used by the event generating that alert message. Using system variables in alerts that do not use that system variable field could cause unexpected results, including garbled message text or even a system failure.

Following is a complete list of the Alert Manager system variables that can be used in Alert Manager messages:

%ACCESSPROCESSNAME%

%CLIENTCOMPUTER%

%COMPUTERNAME%

%DATVERSION%

%DOMAIN%

%ENGINESTATUS%

%ENGINEVERSION%

%EVENTNAME%

%FILENAME%

%GMTDAY%

%GMTHOUR%

%GMTMIN%

%GMTMONTH%

%GMTSEC%

%GMTTIME%

%GMTYEAR%

%INFO%

%MAILIDENTIFIERINFO%

%MAILSUBJECTLINE%

%MAILTONAME%

%NOTEID%

%NOTESDBNAME%

%NOTESSERVERNAME%

%LANGUAGECODE%

%LOCALDAY%

%LOCALHOUR%

%LOCALMIN%

%LOCALMONTH%

%LOCALSEC%

%LOCALTIME%

%LOCALYEAR%

%LONGDESCRIPT%

%MAILCCNAME%

%MAILFROMNAME%

%NUMCLEANED%

%NUMDELETED%

%NUMQUARANTINED%

%NUMVIRS%

%OBRULENAME%

%OS%

%PROCESSORSERIA%

%RESOLUTION%

%SCANRETURNCODE%

%SEVERITY%

%SHORTDESCRIPT%

%SOFTWARENAME%

%SOFTWAREVERSION%

%SOURCEIP%

%SOURCEMAC%

%SOURCESEG%

%TARGETCOMPUTERNAME%

%TARGETIP%

%TARGETMAC%

%TASKID%

%TASKNAME%

%TRAPID%

%TSCLIENTID%

%URL%

%USERNAME%

%VIRUSNAME%

%VIRUSTYPE%
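The caution about variables that an event does not populate can be checked before an edited message is saved. The following is an added example (not from the product guide or from McAfee): a Python linter that compares an edited message with that message's default text. It assumes that an event populates exactly the variables its default text uses; `lint_message`, `render_preview` and the edited sample text are hypothetical names and data.

```python
import re

# System variables documented in the guide: the complete list plus %DATE% and
# %TIME%, which appear only in the table of commonly-used variables.
KNOWN_VARIABLES = frozenset("""
ACCESSPROCESSNAME CLIENTCOMPUTER COMPUTERNAME DATVERSION DOMAIN ENGINESTATUS
ENGINEVERSION EVENTNAME FILENAME GMTDAY GMTHOUR GMTMIN GMTMONTH GMTSEC GMTTIME
GMTYEAR INFO MAILIDENTIFIERINFO MAILSUBJECTLINE MAILTONAME NOTEID NOTESDBNAME
NOTESSERVERNAME LANGUAGECODE LOCALDAY LOCALHOUR LOCALMIN LOCALMONTH LOCALSEC
LOCALTIME LOCALYEAR LONGDESCRIPT MAILCCNAME MAILFROMNAME NUMCLEANED NUMDELETED
NUMQUARANTINED NUMVIRS OBRULENAME OS PROCESSORSERIA RESOLUTION SCANRETURNCODE
SEVERITY SHORTDESCRIPT SOFTWARENAME SOFTWAREVERSION SOURCEIP SOURCEMAC
SOURCESEG TARGETCOMPUTERNAME TARGETIP TARGETMAC TASKID TASKNAME TRAPID
TSCLIENTID URL USERNAME VIRUSNAME VIRUSTYPE DATE TIME
""".split())

# Assumption: a variable is a name of letters, digits or underscores between
# two percent signs, spelled exactly as the guide lists it.
TOKEN = re.compile(r"%([A-Za-z0-9_]+)%")

# Default text of alert 1025, quoted from the guide.
DEFAULT_1025 = ("The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. "
                "The file was successfully cleaned with Scan engine version "
                "%ENGINEVERSION% and DAT version %DATVERSION%.")

# Constructed edit: adds a computer name, misspells %USERNAME%, drops %VIRUSTYPE%.
EDITED_1025 = ("Cleaned %FILENAME% (%VIRUSNAME%) on %COMPUTERNAME% for %USRNAME%. "
               "Engine %ENGINEVERSION%, DAT %DATVERSION%. Contact the help desk.")


def variables_in(text):
    """Return the variable names used in text, in order of appearance."""
    return TOKEN.findall(text)


def lint_message(default_text, edited_text):
    """Return (severity, message) findings for an edited alert message."""
    default_vars = set(variables_in(default_text))
    edited_vars = set(variables_in(edited_text))
    findings = []
    for name in sorted(edited_vars - KNOWN_VARIABLES):
        findings.append(("error", f"%{name}% is not a documented system variable"))
    for name in sorted((edited_vars & KNOWN_VARIABLES) - default_vars):
        findings.append(("warning", f"%{name}% is not in the default text; "
                                    "the event may not populate it"))
    for name in sorted(default_vars - edited_vars):
        findings.append(("info", f"%{name}% was dropped; the alert loses that detail"))
    # Anything still carrying a percent sign after removing complete
    # variables is an unclosed or malformed variable.
    if "%" in TOKEN.sub("", edited_text):
        findings.append(("error", "stray % sign: a variable is not closed"))
    return findings


def render_preview(text, values):
    """Substitute sample values; unpopulated variables show as <unset:NAME>."""
    return TOKEN.sub(
        lambda m: str(values.get(m.group(1), f"<unset:{m.group(1)}>")), text)


if __name__ == "__main__":
    for severity, message in lint_message(DEFAULT_1025, EDITED_1025):
        print(f"{severity}: {message}")
    sample = {"FILENAME": "MYDOCUMENT.DOC", "VIRUSNAME": "SAMPLE-VIRUS",
              "ENGINEVERSION": "0.0", "DATVERSION": "0000"}  # constructed values
    print(render_preview(EDITED_1025, sample))
```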

10

Updating

The VirusScan Enterprise software depends on information in the virus definition (DAT) files to identify viruses. Without updated DAT files, the product software might not detect new virus strains or respond to them effectively. Software that is not using current DAT files can compromise your virus-protection program.

New viruses appear at the rate of more than 500 per month. To meet this challenge, McAfee Security releases new DAT files every week, incorporating the results of its ongoing research into the characteristics of new or mutated viruses. The AutoUpdate feature makes it easy to take advantage of this service. It allows you to download the latest DAT files, scanning engine, product updates, Service Packs, Patches, and EXTRA.DAT simultaneously, using an immediate or scheduled update.

These topics are included in this section:

Update strategies

AutoUpdate tasks

AutoUpdate repository list

Mirror tasks

Roll back DAT files

Manual updates

Update strategies

Updates can be performed using many methods. You can use update tasks, manual updates, login scripts, or you can schedule updates with management tools. This section describes using the AutoUpdate task and updating manually. Any other implementations are beyond the scope of this guide.

An efficient updating strategy generally requires that at least one client or server in your organization retrieve updates from the Network Associates download site. From there, the files can be replicated throughout your organization, providing access for all other computers. Ideally, you should minimize the amount of data transferred across your network by automating the process of copying the updated files to your share sites.

For efficient updating, the main factors to consider are the number of clients and the number of sites. Additional considerations may affect your update schema, for example, the number of systems at each remote site and how remote sites access the Internet. However, the basic concepts of populating your share sites and scheduling updates apply to any size organization.

Using an update task to perform updates allows you to:

Schedule network-wide DAT file rollouts at convenient times and with minimal intervention from either administrators or network users. You might, for example, stagger your update tasks, or set a schedule that phases in, or rotates, DAT file updates to different parts of the network.

Split rollout administration duties among different servers or domain controllers, among different regions of wide-area networks, or across other network divisions. Keeping update traffic primarily internal can also reduce the potential for network security breaches.

Reduce the likelihood that you need to wait to download new DAT or upgraded engine files. Traffic on McAfee computers increases dramatically on regular DAT file publishing dates and whenever new product versions appear. Avoiding the competition for network bandwidth enables you to deploy your new software with minimal interruptions.

AutoUpdate tasks

The AutoUpdate task is used to perform scheduled or immediate updates. You can update DAT files, the scanning engine, and the EXTRA.DAT file.

The VirusScan Enterprise product provides a default update task that is scheduled to update every day at 5:00 p.m. with one-hour randomization. The default update task is named AutoUpdate. You can rename and reconfigure the default AutoUpdate task. You can also create additional update tasks to meet your updating requirements.

These topics are included in this section:

AutoUpdate task overview

Creating an AutoUpdate task

Configuring an AutoUpdate task

Running AutoUpdate tasks

Viewing the activity log

AutoUpdate task overview

This diagram shows an overview of an AutoUpdate task:

Figure 10-1. AutoUpdate task overview

Creating an AutoUpdate task

To create a new AutoUpdate task:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Create a new update task using one of these methods:

Right-click a blank area in the console without selecting an item in the task list, then select New Update Task.

Select New Update task from the Task menu.

A new update task appears, highlighted, in the VirusScan Console task list.

3 Accept the default task name or type a new name for your task, then press ENTER to open the AutoUpdate Properties dialog box. See Configuring an AutoUpdate task on page 226 for detailed configuration information.

NOTE: If you create update tasks via ePolicy Orchestrator 3.0 or later, and enable task visibility, these update tasks are visible in the VirusScan Console. These ePolicy Orchestrator tasks are read-only and cannot be configured from the VirusScan Console. See the VirusScan Enterprise Configuration Guide for use with ePolicy Orchestrator for more information.

Configuring an AutoUpdate task

You can configure and schedule an AutoUpdate task to meet your requirements.

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Open the AutoUpdate Properties dialog box using one of these methods:

Highlight the task in the console task list, then select Properties from the Task menu.

Double-click the task in the task list.

Right-click the task in the task list, then select Properties.

Highlight the task in the task list, then click .

NOTE: Configure the update task before you click either Schedule or Update Now.

Figure 10-2. AutoUpdate Properties — New Update Task

3 Under Log file, choose from these options:

In the text box, accept the default log file name and location, type a different name and location, or click Browse to locate a file elsewhere on your computer or network. System variables are supported.

NOTE: By default, log information is written to the UPDATELOG.TXT file in this folder:

<drive>:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\

Format. Select the format of the log file: Unicode (UTF8) (Default), Unicode (UTF16), or ANSI.

NOTE: The format you choose depends on how important file size and data integrity are. ANSI format usually produces the smallest file, which may work well if you are storing western text (every character is one byte) but may not work well with eastern text (every character is one or two bytes). If you are sharing information within a multi-national organization, we recommend using one of the Unicode formats, either UTF8 or UTF16.

View Log. View the existing log file.

4 Under Update options, specify which updates you want to check for:

Get newer detection definition files if available.

Get newer detection engines if available.

Get other available updates (service packs, upgrade, etc.).

5 Under Run options, you can specify an executable file to start after the AutoUpdate task finishes running. For example, you might use this option to start a network message utility that notifies the administrator that the update operation completed successfully.

Enter the executable to be run after the Update has completed. Type the path of the executable you want to run, or click Browse to locate it.

Only run after successful update. Run the executable program only after a successful update. If the update is not successful, the program you specified does not run.

NOTE: The program file that you specify must be executable by the currently logged on user. If the currently logged on user does not have access to the folder containing the program files, or if there is no currently logged on user, the program does not run.

6 Click Schedule to schedule the update task. See Updating on page 221 for more information.

NOTE: We do not recommend that you schedule an update task and a mirror task to run at the same time. Since both tasks use the McAfee Common Framework service, running both tasks at the same time may result in a conflict.

7 Click Apply to save these settings.

8 To run the update task immediately, click Update Now.

9 Click OK to close the AutoUpdate Properties dialog box.

NOTE: The update task uses the configuration settings in the AutoUpdate repository list to perform the update. See AutoUpdate repository list on page 233 for more information.

Running AutoUpdate tasks

Once you have configured your task with the update properties you want, you can run the update task.

These topics are included in this section:

Running the update task

Activities that occur during an update task

Running the update task

Updates can be executed immediately as needed or scheduled for a convenient time. If the update task is interrupted during execution, it automatically resumes.

Tasks that are updating from an HTTP, UNC, or local site. If the update task is interrupted for any reason during the update, the task resumes where it left off the next time the update task starts.

Tasks that are updating from an FTP site. The task does not resume if interrupted during a single file download. However, if a task is downloading several files and is interrupted, the task resumes before the file that was being downloaded at the time of the interruption.

To run an update task:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Run the update task using one of these methods:

Update as scheduled. If you scheduled the update, allow the task to run unattended.

NOTE: Your computer must be active to run an update task. If your computer is not operating when the task is scheduled to start, the task starts at the next scheduled time if the computer is active, or when the computer starts if you selected the Run missed task option on the Schedule Settings, Schedule tab.

Update immediately. You can start update tasks immediately using any of these methods:

Update Now command for the default update task.

Start command for all update tasks.

Update Now command for all update tasks.

Update Now command for the default update task

You can use Update Now to immediately start the default update task.

NOTE: Update Now only works with the default update task which was created when you installed the product. You can rename and reconfigure the default update task, but if you delete the default task, Update Now becomes disabled.

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Use one of these methods to perform an immediate update using Update Now:

From the VirusScan Console, select Update Now from the Task menu.

Right-click in the system tray, then select Update Now.

3 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Start command for all update tasks

You can use Start from the VirusScan Console to immediately begin any update task.

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Use one of these methods to start an immediate update from the VirusScan Console:

Highlight the task in the console task list, then select Start from the Task menu.

Right-click the task in the task list, then select Start.

Highlight the task in the task list, then click .

3 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Update Now command for all update tasks

You can use Update Now in the AutoUpdate Properties dialog box to immediately begin any update task.

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Open the AutoUpdate Properties dialog box for the selected update task. For instructions, see Configuring an AutoUpdate task on page 226.

3 Click Update Now in the AutoUpdate Properties dialog box.

4 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Activities that occur during an update task

These activities occur when you run an AutoUpdate task:

A connection is made to the first enabled repository (update site) in the repository list. If this repository is not available, the next repository is contacted, and so on until a connection is made, or until the end of the list is reached.

An encrypted CATALOG.Z file downloads from the repository. The CATALOG.Z file contains the fundamental data required to complete updating. This data is used to determine what files and/or updates are available.

The software versions in the CATALOG.Z are checked against the versions on the computer. If new software updates are available, they are downloaded.

Once the update is checked into the repository, the update is verified to confirm that it is applicable to VirusScan Enterprise and that the version is newer than the current version. Once this is verified, VirusScan Enterprise downloads the update when the next update task runs.

An EXTRA.DAT file can be used in an emergency to detect a new threat until the new virus is added to the weekly DAT file. The EXTRA.DAT file is downloaded from the repository on each update. This ensures that if you modify and re-check the EXTRA.DAT in as a package, all VirusScan Enterprise clients download and use the same updated EXTRA.DAT package. For example, you may use the EXTRA.DAT as an improved detector for the same virus or additional detection for other new viruses. VirusScan Enterprise supports using only one EXTRA.DAT file.

NOTE: When you have finished using the EXTRA.DAT file, you should remove it from the master repository and run a replication task to ensure it is removed from all distributed repository sites. This stops VirusScan Enterprise clients from attempting to download the EXTRA.DAT file during an update.

By default, detection for the new virus in the EXTRA.DAT is ignored once the new virus definition is added to the weekly DAT files.

See AutoUpdate task overview on page 224 for a diagram of the updating process.

Viewing the activity log

The update task activity log shows specific details about the updating operation. For example, it shows the updated DAT file and engine version numbers.

To view the activity log:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Use either of these methods to open the activity log file:

Highlight the task, then select Activity Log from the Task menu.

Right-click the task in the task list and select View Log.

3 To close the activity log, select Exit from the File menu.

AutoUpdate repository list

The AutoUpdate repository list (SITELIST.XML) specifies repositories and configuration information necessary to perform an update task.

For example:

Repository information and location.

Repository order preference.

Proxy settings, where required.

Credentials required to access each repository.

NOTE: These credentials are encrypted.

The location of the AutoUpdate repository list (SITELIST.XML) depends on your operating system.

For example, for Windows NT:

C:\Program Files\Network Associates\Common Framework\Data

For example, for Windows 2000:

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework

These topics are included in this section:

AutoUpdate repositories

Configuring the AutoUpdate repository list

AutoUpdate repositories

A repository is a location from which you receive updates.

The VirusScan Enterprise software comes pre-configured with two repositories:

http://update.nai.com/Products/CommonUpdater

ftp://ftp.nai.com/CommonUpdater

The HTTP repository is the default site. If you plan to use the HTTP repository to perform updates, you are automatically configured to do so after the VirusScan Enterprise installation process completes.

You can use either of these sites to download the latest updates if you are using VirusScan Enterprise exclusively, or if you are using VirusScan Enterprise in a mixed environment with VirusScan 4.5.1 or NetShield 4.5.

You can reorganize the repositories in the list or create new repositories to meet your requirements. The number of repositories that you need depends on your updating requirements. See Editing the AutoUpdate repository list on page 236 for more information.

Configuring the AutoUpdate repository list

You can configure the AutoUpdate repository list (SITELIST.XML) before installation, during installation, or after installation.

This guide addresses post-installation options.

These topics are included in this section:

Importing the AutoUpdate repository list

Editing the AutoUpdate repository list

Importing the AutoUpdate repository list

To import an AutoUpdate repository list from another location:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Select Tools|Import AutoUpdate Repository List.

3 In the Look in box, type the location for the .XML file, or click to navigate to the location, then select a file.

4 Click Open to import the AutoUpdate repository list.

NOTE: To import a customized AutoUpdate repository list, to specify source repositories from which to obtain software, or to use multiple update locations that can replicate from a master repository, you must use the McAfee AutoUpdate Architect™ utility with VirusScan Enterprise. Refer to the McAfee AutoUpdate Architect Product Guide for more information.

Figure 10-3. Import AutoUpdate Repository List

Editing the AutoUpdate repository list

Use the Edit AutoUpdate Repository List dialog box to add new AutoUpdate repositories to the list, configure them, edit and remove existing repositories, and organize the repositories in the list.

These topics are included in this section:

Adding and editing repositories

Removing and reorganizing repositories

Specifying proxy settings

Adding and editing repositories

AutoUpdate repositories can be added or edited from the Edit AutoUpdate Repository List dialog box.

NOTE: You can also create repositories using McAfee AutoUpdate Architect and export them to VirusScan Enterprise. See the McAfee AutoUpdate Architect Product Guide for more information about using it to create and export AutoUpdate repositories.

AutoUpdate repositories can have a state of Enabled or Disabled.

Enabled — A defined repository that may be used during the AutoUpdate process.

Disabled — A defined repository that you do not want to access during the AutoUpdate process.

To add or edit a repository in the AutoUpdate repository list:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Select Tools|Edit AutoUpdate Repository List.

3 Select the Repositories tab. The HTTP repository is the default download site.

Figure 10-4. Edit AutoUpdate Repository List — Repositories tab

4 Choose from these actions:

To add a repository, click Add to open the Repository Settings dialog box.

To edit a repository, highlight it in the Repository Description list, then click Edit to open the Repository Settings dialog box.

5 In the Repository description text box, type the name or description for this repository.

6 Under Retrieve files from, select the repository type or path from these choices:

HTTP repository (Default). Use the HTTP repository location that you designate as the repository from which you retrieve the update files.

NOTE: An HTTP site, like FTP, offers updating independent of network security, but supports higher levels of concurrent connections than FTP.

Figure 10-5. Repository Settings

FTP repository. Use the FTP repository location that you designate as the repository from which you retrieve the update files.

NOTE: An FTP site offers flexibility of updating without having to adhere to network security permissions. FTP has been less prone to unwanted code attack than HTTP, so it may offer better tolerance.

UNC path. Use the UNC path that you designate as the repository from which you retrieve the update files.

NOTE: A UNC site is the quickest and easiest to set up. Cross domain UNC updates require security permissions for each domain, which makes update configuration more involved.

Local path. Use the local site that you designate as the repository from which you retrieve the update files.

7 Under Repository details, the information you type depends on the repository type or path you selected under Retrieve files from. System variables are supported.

If you selected HTTP repository or FTP repository, see HTTP or FTP repository details on page 240 for detailed instructions.

If you selected UNC path or Local path, see UNC path or Local path repository details on page 241 for detailed instructions.

HTTP or FTP repository details

If you selected HTTP or FTP repository:

1 Under Repository details, type the path to the repository you selected, the port number, and specify security credentials for accessing the repository.

a URL. Type the path to the HTTP or FTP repository location:

HTTP. Type the location for the HTTP server and folder where the update files are located. The default McAfee HTTP repository for DAT file updates is located at:

http://update.nai.com/Products/CommonUpdater

FTP. Type the location for the FTP server and folder where the update files are located. The default McAfee FTP repository for DAT file updates is located at:

ftp://ftp.nai.com/CommonUpdater

b Port. Type the port number for the HTTP or FTP server you selected.

Figure 10-6. Repository details — HTTP or FTP site

c Use authentication or Use anonymous login. The title differs depending on whether you have selected HTTP path or FTP path. Specify security credentials for accessing the repository. Type a User name and Password, then Confirm password.

NOTE: Download credentials are required for FTP and UNC repositories, but are optional for HTTP repositories. The credentials you specify are used by AutoUpdate to access the repository so that it can download the required update files. When you configure the account credentials on the repository, ensure that the account has read permissions to the folders containing the update files.

FTP updates support anonymous repository connections.

2 Click OK to save these settings and return to the AutoUpdate Repositories List dialog box.

UNC path or Local path repository details

If you selected UNC or Local path:

Figure 10-7. Repository details — UNC or Local path

1 Under Repository details, type the path to the repository you selected and determine whether to use the logged on account or add security by specifying a user name and password. System variables are supported.

a Path. Type the path to the location from which you want to retrieve the update files.

UNC path. Using UNC notation (\\servername\path\), type the path of the repository where the update files are located.

Local path. Type the path of the local folder in which you have placed the update files, or click Browse to navigate to the folder.

The path can be that of a folder on a local drive or a network drive.

b Use logged on account. Determine which account you want to use:

Select Use logged on account to use the account that is currently logged on.

Deselect Use logged on account to use a different account, then type the Domain, User name, Password, and Confirm password.

NOTE: Download credentials are required for FTP and UNC repositories, but are optional for HTTP repositories. The credentials you specify are used by AutoUpdate to access the repository so that it can download the required update files. When you configure the account credentials on the repository, ensure that the account has read permissions to the folders containing the update files.

With UNC updates, you have the additional option to use the logged on account. This allows the update task to use the logged-on user's permissions to access the repository.

2 Click OK to save these settings and return to the Repositories tab.

Removing and reorganizing repositories

To remove or reorganize repositories in the repository list:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Select Tools|Edit AutoUpdate Repository List.

3 Select the Repositories tab.

4 To remove or reorganize repositories in the repository list, choose from the following:

To remove a repository, highlight it in the list, then click Delete.

To reorganize the repositories in the list, highlight a repository, then click Move up or Move down repeatedly until the repository has moved to the place in the list that you want it.

NOTE: The order in which the repositories are listed is the order in which they are accessed during an update operation.

Figure 10-8. Edit AutoUpdate Repository List — Repositories tab

Specifying proxy settings

Proxy servers are commonly used as part of Internet security to mask Internet users’ computers from the Internet, and improve access speed by caching commonly accessed sites.

If your network uses a proxy server, you can specify which proxy settings to use, the address of the proxy server, and whether to use authentication. Proxy information is stored in the AutoUpdate repository list (SITELIST.XML). The proxy settings you configure here apply to all the repositories in this repository list.

To specify proxy settings:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Select Tools|Edit AutoUpdate Repository List.

3 Select the Proxy settings tab.

Figure 10-9. Edit AutoUpdate Repository List — Proxy settings tab

4 Determine whether you want to use a proxy and, if you do, which settings you want to use. Choose from these options:

Don’t use a proxy. Do not specify a proxy server. Select this option, then click OK to save your settings and close the Edit AutoUpdate Repository List dialog box.

Use Internet Explorer proxy settings (Default). Use the proxy settings for the currently installed version of Internet Explorer. Select this option, then click OK to save your settings and close the Edit AutoUpdate Repository List dialog box.

Manually configure the proxy settings. Configure the proxy settings to meet your specific needs. Select this option, then type the address and port information for the repository you selected:

HTTP. Type the address and port number of the HTTP proxy server in the respective text boxes.

FTP. Type the address and port number of the FTP proxy server in the respective text boxes.

NOTE: System variables are supported.

5 Click Exceptions to specify proxy exceptions. If you do not want to specify exceptions, skip this step and go to Step 7.

a Select Specify exceptions, then type the exceptions, using semicolons to separate the entries.

b Click OK to save these settings and return to the Proxy settings tab.

6 Determine whether to use authentication for either the HTTP or FTP proxy server you specified. Choose from these options:

Figure 10-10. Proxy Exceptions

Use authentication for HTTP. Select this option to add authentication to the HTTP proxy, then type the HTTP user name, HTTP password, and HTTP confirm password.

Use authentication for FTP. Select this option to add authentication to the FTP proxy server, then type the FTP user name, FTP password, and FTP confirm password.

7 Click OK to save these settings and close the Edit AutoUpdate Repository List dialog box.

Mirror tasks

The VirusScan Enterprise software relies on a directory structure to update itself. The mirror task allows you to replicate the update files from the first accessible repository defined in the repository list, to a mirror site on your network. It is important to remember to replicate the entire directory structure when mirroring a site. This directory structure also supports previous versions of VirusScan and NetShield, as long as the entire directory structure is replicated in the same locations that VirusScan 4.5.1 used for updating.

The following shows the directory structure in the repository after using a mirror task to replicate the Network Associates repository:

After you replicate the Network Associates site that contains the update files, computers on your network can download the files from the mirror site. This approach is practical because it allows you to update any computer on your network, whether or not it has Internet access; and efficient because your computers are communicating with a server that is probably closer than a Network Associates Internet site, therefore economizing access and download time. The most common use of this task is to mirror the contents of the Network Associates download site to a local server.

These topics are included in this section:

Creating a mirror task

Configuring a mirror task

Running mirror tasks

Viewing the mirror task activity log

Figure 10-11. Mirrored site

Creating a mirror task

You can create a mirror task for each mirror location you need.

To create a new mirror task:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Create a mirror task using one of these methods:

Right-click a blank area in the console without selecting an item in the task list, then select New Mirror Task.

Select New Mirror task from the Task menu.

A new mirror task appears, highlighted, in the VirusScan Console task list.

3 Accept the default task name or type a new name for your task, then press ENTER to open the AutoUpdate Properties dialog box. See Configuring a mirror task on page 249 for detailed configuration information.

NOTE: If you create mirror tasks via ePolicy Orchestrator 3.0 or later, and enable task visibility, these mirror tasks are visible in the VirusScan Console. These ePolicy Orchestrator tasks are read-only and cannot be configured from the VirusScan Console. See the VirusScan Enterprise Configuration Guide for use with ePolicy Orchestrator for more information.

Configuring a mirror task

You can configure and schedule a mirror task to meet your requirements.

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Open the AutoUpdate Properties dialog box using one of these methods:

Highlight the task in the console task list, then select Properties from the Task menu.

Double-click the task in the task list.

Right-click the task in the task list, then select Properties.

Highlight the task in the task list, then click .

NOTE: Configure the mirror task before you click Schedule or Mirror Now.

3 In the Log file text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable location. System variables are supported.

Figure 10-12. AutoUpdate Properties — New Mirror Task

NOTE: By default, log information is written to the VSEMIRRORLOG.TXT file in this folder:

<drive>:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\

4 Click Mirror Location to open the Mirror Location Settings dialog box:

a Type the path to the destination on the local system that you are using for the mirror site, or click Browse to navigate to the desired location. System variables are supported.

b Click OK to return to the AutoUpdate Properties dialog box.

5 Under Update options, specify which updates you want to check for:

Get newer detection definition files if available.

Get newer detection engines if available.

Get other available updates (service packs, upgrade, etc.).

6 Under Run options, you can specify an executable file to start after the mirror task finishes running. For example, you might use this option to start a network message utility that notifies the administrator that the update operation completed successfully.

Enter the executable to be run after the Mirror has completed. Type the path of the executable you want to run, or click Browse to locate it.

Figure 10-13. Mirror Location Settings

Only run after successful mirror. Run the executable program only after a successful update. If the update is not successful, the program you selected does not run.

NOTE: The program file that you specify must be executable by the currently logged on user. If the currently logged on user does not have access to the folder containing the program files, or if there is no currently logged on user, the program does not run.

7 Click Schedule to schedule the mirror task. See Scheduling Tasks on page 267 for more information about scheduling tasks.

NOTE: We do not recommend that you schedule an update task and a mirror task to run at the same time. Since both tasks use the McAfee Common Framework service, running both tasks at the same time may result in a conflict.

8 Click Apply to save these settings.

9 To run the mirror task immediately, click Mirror Now.

10 Click OK to close the AutoUpdate Properties dialog box.

NOTE: The Mirror task uses the configuration settings in the repository list to perform the update. See AutoUpdate repository list on page 233 for more information.

Running mirror tasks

Once you have configured the mirror task with the properties you want, you can run the mirror task using one of these methods:

Mirror as scheduled. If you scheduled the mirror task, allow it to run unattended.

NOTE: Your computer must be active to run a mirror task. If your computer is not operating when the task is scheduled to start, the task starts at the next scheduled time if the computer is active, or when the computer starts if you selected the Run missed task option on the Schedule Settings, Schedule tab.

Mirror immediately. You can start mirror tasks immediately using two methods:

Start command for mirror task.

Mirror Now command for mirror tasks.

Start command for mirror tasks

You can use Start from the VirusScan Console to immediately start any mirror task.

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Use one of these methods to start an immediate mirror task from the VirusScan Console:

Highlight the task in the console task list, then select Start from the Task menu.

Right-click the task in the task list, then select Start.

Highlight the task in the task list, then click .

When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Mirror Now command for mirror tasks

You can use Mirror Now in the AutoUpdate Properties dialog box to immediately start any mirror task.

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Open the AutoUpdate Properties dialog box for the selected mirror task. For instructions, see Configuring a mirror task on page 249.

3 Click Mirror Now in the AutoUpdate Properties dialog box.

4 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Viewing the mirror task activity log

The mirror task activity log shows specific details about the updating operation. For example, it shows the updated DAT file and engine version numbers.

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Use either of these methods to open the activity log file:

Highlight the task, then select Activity Log from the Task menu.

Right-click the task in the task list and select View Log.

3 To close the activity log, select Exit from the File menu.

Roll back DAT files

Use this feature to roll back the DAT files to the last backed up version, if you find that the current DAT files are corrupt or incompatible for some reason. When you update DAT files, the old version is stored in this location:

<drive>:\Program Files\Common Files\Network Associates\Engine\OldDats

When you roll back the DAT files, the current DAT files are replaced with the version in the OldDats folder, and a flag is set in the registry at this location:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szRolledbackDATS

Once the rollback occurs, you cannot go back to the previous version again. The next time an update is performed, the DAT version in the registry is compared with the DAT files in the update repository. If the new DAT files are the same as the ones flagged in the registry, no update occurs.

To roll back the DAT files:

1 Open the VirusScan Console. See VirusScan Console on page 27 for instructions.

2 Select Tools|Rollback DATs. The McAfee Updater dialog box opens.

3 The rollback appears to be the same as an update, except that the details show Performing DAT rollback. When the rollback finishes, click Close to exit the McAfee AutoUpdate dialog box, or wait for the dialog box to close automatically.

NOTE: When you perform a rollback, the last backup of the DAT files is restored.

Figure 10-14. Rollback DATs — Update in Progress

Manual updates

McAfee Security recommends that you use the AutoUpdate task supplied with the VirusScan Enterprise software to install new DAT file or scanning engine versions. This utility offers an easy method for correctly updating the DAT files and scanning engine. To install DAT files yourself, however, you can download DAT and engine files manually from these update sites:

http://www.networkassociates.com/us/downloads/updates

ftp://ftp.nai.com/CommonUpdater

Regular DAT files. McAfee Security stores these files on its FTP site as .ZIP archives with the name DAT-XXXX.ZIP. The XXXX in the file name is a series number that changes with each DAT file release. To download these files, use a web browser or FTP client to connect with:

ftp://ftp.nai.com/CommonUpdater

Installable .EXE files. McAfee Security stores these files on its web site as a self-executing setup file named XXXXUPDT.EXE. Here, too, the XXXX is a series number that changes with each new DAT release. To download these files, use a web browser to connect with:

http://www.networkassociates.com/us/downloads/updates

Both files contain exactly the same DAT files. The difference between them is in how you use them to update your copy of the VirusScan Enterprise software.

To use the DAT-XXXX.ZIP archive, you must download the file, extract it from its archive, copy the files into the DAT folder, then restart the on-access scanner. See Updating from DAT file archives on page 256 for detailed steps.

To install DAT files that come with their own setup utility, you need only to download the files to a temporary folder on your hard disk, then run or double-click the XXXXUPDT.EXE file. The setup utility stops the on-access scanner, copies the files to the correct folder, then restarts the on-access scanner.

NOTE: You may need administrator rights to write to the DAT folder.

Once updated, the new DAT files are picked up by the on-access scanner, the on-demand scanner, and the network appliance scanner, the next time each scanner starts.

Updating from DAT file archives

To install DAT file updates directly from a .ZIP archive without using AutoUpdate:

1 Create a temporary folder on your hard disk, then copy the DAT file .ZIP archive you downloaded to that folder.

2 Back up or rename these existing DAT files.

CLEAN.DAT

NAMES.DAT

SCAN.DAT

If you accepted the default installation path, these files are located in:

drive:\Program Files\Common Files\Network Associates\Engine

3 Use WINZIP, PKUNZIP, or a similar utility to open the .ZIP archive and extract the updated DAT files.

4 Log on to the server you want to update. You must have administrator rights for the destination computer.

5 Copy the DAT files to the DAT folder.

6 Disable on-access scanning by stopping the McShield service, then enable it again by starting the McShield service.

7 Stop Microsoft Outlook, then restart it.

8 Stop on-demand scan tasks, then restart them.
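The file-handling part of the procedure above (steps 1 to 6) can be scripted. The following Python code is an added example, not part of the VirusScan Enterprise product or the original guide: it checks the archive, backs up the three DAT files, and installs only those three names from the archive. The function names and the backup folder argument are assumptions, and `net stop` / `net start` is one way to restart the McShield service named in step 6.

```python
import os
import shutil
import subprocess
import zipfile
from pathlib import Path

# The three DAT files the guide tells you to back up before replacing them.
DAT_FILES = ("CLEAN.DAT", "NAMES.DAT", "SCAN.DAT")


def select_dat_members(archive):
    """Return ({DAT name: ZipInfo}, [skipped member names]).

    Only members stored at the archive root under exactly one of the three
    expected names are accepted, so a member such as "../SCAN.DAT" or
    "sub/SCAN.DAT" can never choose where a file is written.
    """
    chosen, skipped = {}, []
    for info in archive.infolist():
        upper = info.filename.upper()
        if upper in DAT_FILES:
            if upper in chosen:
                raise ValueError(f"duplicate entry for {upper} in archive")
            chosen[upper] = info
        else:
            skipped.append(info.filename)
    missing = [name for name in DAT_FILES if name not in chosen]
    if missing:
        raise ValueError(f"archive lacks expected DAT files: {missing}")
    return chosen, skipped


def install_dats(zip_path, dat_dir, backup_dir):
    """Back up the current DAT files, then install the ones from zip_path."""
    dat_dir, backup_dir = Path(dat_dir), Path(backup_dir)
    with zipfile.ZipFile(zip_path) as archive:
        # Validate the whole archive before any existing file is touched.
        if archive.testzip() is not None:
            raise ValueError("archive failed its CRC check")
        chosen, skipped = select_dat_members(archive)

        # Step 2: back up the existing DAT files.
        backup_dir.mkdir(parents=True, exist_ok=True)
        backed_up = []
        for name in DAT_FILES:
            current = dat_dir / name
            if current.exists():
                shutil.copy2(current, backup_dir / name)
                backed_up.append(name)

        # Steps 3 and 5: extract each DAT beside its target, then swap it in.
        installed = []
        for name in DAT_FILES:
            staged = dat_dir / (name + ".new")
            with archive.open(chosen[name]) as src, open(staged, "wb") as dst:
                shutil.copyfileobj(src, dst)
            os.replace(staged, dat_dir / name)
            installed.append(name)
    return {"backed_up": backed_up, "installed": installed, "skipped": skipped}


def restart_on_access_scanner():
    """Step 6: stop, then start, the McShield service (Windows, admin rights)."""
    for action in ("stop", "start"):
        subprocess.run(["net", action, "McShield"], check=True)


if __name__ == "__main__":
    import sys

    # Usage: script.py <DAT-XXXX.ZIP> <DAT folder> <backup folder>
    print(install_dats(sys.argv[1], sys.argv[2], sys.argv[3]))
    restart_on_access_scanner()
    # Steps 7 and 8 (restarting Microsoft Outlook and the on-demand scan
    # tasks) are still done by hand.
```

If the archive is incomplete or fails its CRC check, the function raises before the DAT folder is modified, so the existing files remain in place.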

11

Adding, Specifying, & Excluding Scanning Items

When configuring detection settings, each of the VirusScan Enterprise scanners (on-access scanner, on-demand scanner, and e-mail scanner) allows you to change the list of file types scanned using these features:

Adding file type extensions

Specifying user-defined file types

Excluding files, folders and drives

Adding file type extensions

To add file type extensions to the list of items scanned by default:

1 Open the scanner’s property pages. For information about how to do this for each scanner, see:

Configuring the on-access scanner on page 87.

Configuring on-demand scan tasks on page 127.

Configuring the e-mail scanner on page 154.

2 On the Detection tab, under What to scan, select Default + additional file types.

3 Click Additions to open the Additional File Types dialog box.

Figure 11-1. Detection tab — Additions

Figure 11-2. Additional File Types

4 Under Add File Type, you can add user-specified file type extensions in two ways:

Type a file type extension in the text box, then click Add.

NOTE: You only need to type the first three letters of the file type extension. For example, if you type HTM, the scanner searches for HTM and HTML files. You can use a wildcard or any combination of characters with a wildcard.

Click Select to open the Select File Type dialog box. Select one or more file type extensions from the list, then click OK. Use CTRL + SHIFT to select more than one file type extension.

The file type extensions you add appear in the User-specified additional file types list. The maximum number of additional file type extensions that the on-access scanner can list is 1,000.

5 You can remove user-specified file type extensions from the user-specified list in two ways:

Select one or more file type extensions in the User specified additional file types list, then click Remove.

Click Clear to remove all items from the User specified additional file types list.

6 Click OK to return to the Detection tab.


Specifying user-defined file types

Create a list of user-specified file type extensions to be scanned during scanning operations. You can also use this feature to remove any of the user-specified file type extensions you added previously.

1 Open the scanner’s property pages. For information about how to do this for each scanner, see:

Configuring the on-access scanner on page 87.

Configuring on-demand scan tasks on page 127.

Configuring the e-mail scanner on page 154.

2 On the Detection tab, select the Specified file types option.

3 Click Specified to open the Specified File Types dialog box.

Figure 11-3. Detection tab — Specified

Figure 11-4. Specified File Types


4 Under Add File Type, you can add user-specified file type extensions in two ways:

Type a file type extension in the text box, then click Add.

NOTE: You only need to type the first three letters of the file type extension. For example, if you type HTM, the scanner searches for HTM and HTML files. You can use a wildcard or any combination of characters with a wildcard.

Click Select to open the Select File Type dialog box. Select one or more file type extensions from the list, then click OK. Use CTRL + SHIFT to select more than one file type extension.

5 You can remove user-specified file type extensions from the user-specified list in two ways:

Select one or more file type extensions in the User specified additional file types list, then click Remove.

Click Clear to remove all items from the User specified additional file types list.

6 Click Set to Default to replace the current list of user-specified file type extensions with the default list. The default list of file type extensions is defined by the current DAT file.

7 Click OK to save these settings and return to the Detection tab.


Excluding files, folders and drives

Specify files, folders, and drives to exclude from scanning operations. You can also use this feature to remove any of the exclusions you specified previously.

1 Open the scanner’s property pages. For information about how to do this for each scanner, see:

Configuring the on-access scanner on page 87.

Configuring on-demand scan tasks on page 127.

2 On the Detection tab, under What not to scan, use the exclusions feature.

3 Click Exclusions to open the Set Exclusions dialog box.

Figure 11-5. Detection tab — Exclusions

Figure 11-6. Set Exclusions


4 Add files, folders, or drives or edit an item in the list. The exclusion options are the same whether you are adding an exclusion item or editing it. Windows File Protection is listed by default.

To add an item, click Add to open the Add Exclusion Item dialog box.

To edit an item, double-click the item or select it, then click Edit to open the Edit Exclusion Item dialog box.

The Add Exclusion Item dialog box appears.

5 Under What to exclude, select one of these options:

By name/location (Default). Specify the name or location. This can include wildcards * and ?. You can type specific information in the text box or click Browse to locate a name or location.

You can specify full pathnames such as C:\WINNIT\SYSTEM*; file names such as PAGEFILE.SYS, or PAGEFILE.*, or P*.*, or *.SYS; or folder names such as BACKUP. For example, specifying BACKUP folder excludes all folders named BACKUP, wherever they are located.

Figure 11-7. Add Exclusion Item


When using wildcards, these limitations apply:

Valid wildcards are question mark (?) for excluding single characters and asterisk (*) for excluding multiple characters.

Wildcards can appear in front of back slashes (\) in a path.

For example, C:\ABC\*\XYZ matches C:\ABC\DEF\XYZ.

A user must append a back slash (\) to the end of a path to indicate that it is intended to match a folder (or folders in the case where wildcards are used). When the Also exclude subfolders option is not selected and a path does not end with a back slash (\), the path is treated as a file (or files in the case where wildcards are used).

An exclusion containing question mark (?) characters applies if the number of characters matches the length of the file or folder name.

For example, the exclusion W?? excludes WWW, but does not exclude WW or WWWW.

The syntax is extended to include a double asterisk (**), which means zero or more of any characters including back slash. This allows multiple-depth exclusions.

For example, C:\ABC\**\XYZ matches C:\ABC\DEF\XYZ and C:\ABC\DEF\DEF\XYZ, etc.

Also exclude subfolders. If you selected By name/location, you can exclude the subfolders of the folders that match the specified pattern.

By file type. Type a file extension in the text box or click Select to open the Select File Type dialog box, where you can select one or more extensions from the list. Click OK to save your entries and close the dialog box.

NOTE: The file extension that you specify can include wildcards. Valid wildcards are ? for excluding single characters and * for excluding multiple characters.

By file age. Specify whether you want to exclude files by age.

Access type. If you selected By file age, click to specify an access type of Modified or Created.

Minimum age in days. If you selected By file age, specify the minimum age of the file in days. The file must be at least this many days old before it is excluded.


Files protected by Windows File Protection. Specify that this exclusion is based on a file’s Windows File Protection status.

6 Under When to exclude, specify when to exclude the items from scanning:

On read (Default). Specify that the exclusion items are excluded from scans when read from disk. (This option is not available for on-demand scanning.)

On write (Default). Specify that the exclusion items are excluded from scans when written to disk. (This option is not available for on-demand scanning.)

7 Click OK to save these settings and return to the Set Exclusions dialog box.

8 You can remove user-specified file type extensions from the item list in two ways:

Select one or more file type extensions in the list, then click Remove.

Click Clear to remove all items from the list.

9 Click OK to save these settings and return to the Detection tab.

10 Click Apply to save these settings.
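The wildcard rules for By name/location exclusions, as an added Python example that is not part of the product guide or the product's own code. It assumes that a single * stops at a back slash (implied by the ** rule), that matching ignores case, and that a bare name is compared with the last path component; the inventory is constructed sample data, and the Also exclude subfolders option is not modelled.

```python
import re


def to_regex(pattern):
    """Compile an exclusion pattern using the wildcard rules quoted above."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")         # ** : zero or more characters, back slash included
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")    # *  : assumed to stay inside one path component
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")     # ?  : exactly one character
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    # Anchored at both ends so W?? cannot match WW or WWWW; case-insensitive (assumption).
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)


def is_excluded(pattern, path, is_folder=False):
    """Return True if 'path' falls under the exclusion 'pattern'."""
    path = path.rstrip("\\")
    if "\\" not in pattern:
        # Bare name (PAGEFILE.SYS, *.SYS, BACKUP): compared with the last
        # path component, so it applies wherever the item is located.
        name = path.rsplit("\\", 1)[-1]
        return to_regex(pattern).match(name) is not None
    if pattern.endswith("\\"):
        # A trailing back slash marks the pattern as a folder exclusion.
        if not is_folder:
            return False
        pattern = pattern[:-1]
    elif is_folder:
        # Without the trailing back slash a path is treated as a file.
        return False
    return to_regex(pattern).match(path) is not None


# Constructed inventory of (path, is_folder) pairs used to review exclusions.
INVENTORY = [
    (r"C:\PAGEFILE.SYS", False),
    (r"C:\WINNT\SYSTEM32\DRIVERS\DISK.SYS", False),
    (r"D:\DOWNLOADS\UNKNOWN.SYS", False),
    (r"D:\DATA\BACKUP", True),
    (r"C:\ABC\DEF\XYZ", False),
    (r"C:\ABC\DEF\DEF\XYZ", False),
]


def hidden_by(patterns, inventory):
    """Map each exclusion pattern to the inventory paths it removes from scanning."""
    return {
        p: [path for path, is_folder in inventory if is_excluded(p, path, is_folder)]
        for p in patterns
    }


if __name__ == "__main__":
    patterns = ["PAGEFILE.SYS", "*.SYS", "BACKUP", r"C:\ABC\*\XYZ", r"C:\ABC\**\XYZ"]
    for pattern, paths in hidden_by(patterns, INVENTORY).items():
        print(f"{pattern!r} excludes {len(paths)} item(s): {paths}")
```

Running the report before an exclusion list is deployed shows how much wider *.SYS or a ** pattern is than the single file or folder it was written for.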


12

Scheduling Tasks

You have the option of scheduling VirusScan Enterprise tasks to run at specific dates and times, or intervals. Schedules can be configured to meet your company’s requirements.

These topics are included in this section:

Tasks that can be scheduled

Task properties

Schedule properties


Tasks that can be scheduled

You can schedule three types of tasks:

On-demand scan tasks — To schedule an on-demand scan task, open the On-Demand Scan Properties for the task, then click Schedule. The Schedule Settings dialog box opens.

For more information about on-demand scan tasks, see On-Demand Scanning on page 123.

AutoUpdate tasks — To schedule an AutoUpdate task, open the AutoUpdate Properties for the AutoUpdate task, then click Schedule. The Schedule Settings dialog box opens.

For more information about AutoUpdate tasks, see AutoUpdate tasks on page 223.

Mirror tasks — To schedule a mirror task, open the AutoUpdate Properties for the mirror task, then click Schedule. The Schedule Settings dialog box opens.

For more information about mirror tasks, see Mirror tasks on page 246.


Task properties

Use the options on the Task tab to enable scheduling, specify a limit for the task run time, and add authentication for this task.

1 Select the Task tab.

2 Under Schedule Settings, specify whether you want the task to run at a specific time. You have these options:

Enable (scheduled task runs at specified time). Schedule the task to run at a specified time.

Stop the task if it runs for. Stop the task after a limited time. If you select this option, also type in or select the hours and minutes.

NOTE: If the task is interrupted before it completes, the next time it starts it resumes scanning from where it left off, unless the DAT files have been updated and you have selected the option to rescan all files when DAT files are updated. In that case, the scan starts over instead of resuming from where it left off.

Figure 12-1. Schedule Settings — Task tab


3 Under Task, specify authentication credentials for this task by entering the following information:

NOTE: The use of credentials is optional. If you do not type credentials here, the scheduled task runs under the local system account.

User. Type the user ID under which this task executes.

Domain. Type the domain for the user ID you specified.

Password. Type the password for the user ID and domain you specified.

4 Click Apply to save these settings.

Log on privileges

If you schedule a task using credentials, the account that you specify needs to have log on as a batch job privilege. Without this privilege, the spawned process cannot access network resources, even though it has the correct credentials. This is documented Windows NT behavior.

To give an account this privilege:

Start|Programs|Administrative Tools|Local Security Policy.

Security Settings|Local Policies|User Rights Assignments.

Double-click Log on as a batch job.

Add the user to the list.

Click OK to save these settings and close the dialog box.


Schedule properties

Use the options on the Schedule tab to specify the task frequency, when the task runs in time zones, whether you want to run the task at random times within specified intervals, whether to run missed tasks, and specify delay times for missed tasks.

These topics are included in this section:

Schedule task frequencies

Advanced schedule options

Scheduling tasks by frequency


Schedule task frequencies

The schedule frequency you select here affects the options you have available for scheduling days, weeks, months, and other frequencies. The frequency options are:

Daily (Default). Run the task daily on the specified day(s). See Daily on page 274.

Weekly. Run the task weekly on the specified week(s) and day(s). See Weekly on page 276.

Monthly. Run the task monthly on the specified day(s) and months. See Monthly on page 277.

Once. Run the task once on the specified date. See Once on page 279.

At System Startup. Run the task at system startup and specify whether to run the task once per day and the number of minutes to delay the task. See At System Startup on page 280.

At Logon. Run the task at log on and specify whether to run the task once per day and the number of minutes to delay the task. See At Logon on page 281.

When Idle. Run the task when the computer is idle and specify the number of minutes. See When Idle on page 282.

Run Immediately. Run the task immediately. See Run Immediately on page 283.

Run On Dialup. Run the task on Dialup and specify whether to run the task once per day. See Run On Dialup on page 284.


Advanced schedule options

1 On the Schedule tab, under Schedule, click Advanced to open the Advanced Schedule Options dialog box.

Start Date. Click to select a date from the calendar. This field is optional.

End Date. Click to select a date from the calendar. This field is optional.

Repeat Task. Repeat the task at the frequency selected.

Every. Type the frequency or use the arrows to select a number, then select whether you want the frequency to be in minutes or hours.

Until. Select either Time (Local) and type in or select the time, or select Duration and type in or select the hour(s) and minute(s).

2 Click OK to return to the Schedule tab.

Figure 12-2. Advanced Schedule Options


Scheduling tasks by frequency

You can schedule a task for a date and/or time that meets your needs.

These task frequencies are included in this section:

Daily

Weekly

Monthly

Once

At System Startup

At Logon

When Idle

Run Immediately

Run On Dialup

Daily

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Daily.

Figure 12-3. Schedule tab — Daily


Start Time. Type the start time for the scheduled task or use the arrows to select a time.

UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.

Local Time (Default). Run the task independently in each local time zone.

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse.

You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.

Run missed task. Ensure that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.

Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.

Advanced. Set advanced scheduling properties. See Advanced schedule options on page 273 for more information.

2 Under Schedule Task Daily, type in or select frequency in number of days, or use the arrows to select a number.

NOTE: Daily tasks can be run every so many days, or every day Monday through Sunday. If you only want to run the task on specific days of the week, other than every day Monday through Sunday, we recommend that you use the weekly task frequency.

3 Click OK to save your settings and close the Schedule Settings dialog box.


Weekly

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Weekly.

Start Time. Type the start time for the scheduled task or use the arrows to select a time.

UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.

Local Time (Default). Run the task independently in each local time zone.

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse.

You can type a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.

Run missed task. Ensure that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.

Figure 12-4. Schedule tab — Weekly


Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.

Advanced. Set advanced scheduling properties. See Advanced schedule options on page 273 for more information.

2 Under Schedule Task Weekly:

Every. Type the frequency in number of weeks.

Week(s) on. Select the days of the week.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Monthly

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Monthly.

Start Time. Type the start time for the scheduled task or use the arrows to select a time.

UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.

Local Time (Default). Run the task independently in each local time zone.

Figure 12-5. Schedule tab — Monthly


Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type the hours and minutes for the maximum time lapse.

You can type a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.

Run missed task. Ensure that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.

Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.

Advanced. Set advanced scheduling properties. See Advanced schedule options on page 273 for more information.

2 Under Schedule Task Monthly, choose from these options:

Day of the month. Select the option and the day of the month.

Weekday of the month. Select this option to run the task on a specific day of the month (for example, first Sunday or second Wednesday).

a Select First, Second, Third, Fourth, or Last option.

b Select the day of the week on which to run this task each month.

Click Select Months to select specific months:

a Select the months for which you want to run the task.

NOTE: All months are selected by default.

b Click OK to return to the Schedule tab.

3 Click OK to save your settings and close the Schedule Settings dialog box.


Once

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Once.

Start Time. Type the start time for the scheduled task or use the arrows to select a time.

UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.

Local Time (Default). Run the task independently in each local time zone.

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse.

You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.

Run missed task. Ensure that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.

Figure 12-6. Schedule tab — Once


Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.

Advanced. Set advanced scheduling properties. See Advanced schedule options on page 273 for more information.

2 Under Schedule Task Once, click to select the date on which you want to run the task.

3 Click OK to save your settings and close the Schedule Settings dialog box.

At System Startup

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select At System Startup.

Figure 12-7. Schedule tab — At System Startup


2 Under Schedule Task at System Startup:

Only run this task once per day. Select this option to run this task once a day. If you do not select this option, the task runs every time startup occurs.

Delay task by. Select the number of minutes to delay the task. Choose from 0 to 99 minutes. This allows time for logon scripts to execute or user logon time.

3 Click OK to save your settings and close the Schedule Settings dialog box.

At Logon

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select At Logon.

2 Under Schedule Task at Logon:

Only run this task once per day. Select this option to run this task once a day. If you do not select this option, the task runs every time log on occurs.

Delay task by. Type the number of minutes to delay the task. Choose from 0 to 99 minutes. This allows time for logon scripts to execute or user logon time.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Figure 12-8. Schedule tab — At Logon


When Idle

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select When Idle.

2 Under Schedule Task When Idle, type in or select the number of minutes that you want the computer to be idle before it starts the task. Choose from 0 to 999 minutes.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Figure 12-9. Schedule tab — When Idle


Run Immediately

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Run Immediately.

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse.

You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.

2 Click OK to save your settings and close the Schedule Settings dialog box.

Figure 12-10. Schedule tab — Run Immediately


Run On Dialup

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Run On Dialup.

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse.

You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.

2 Under Schedule Task Run On Dialup, select whether to run the task once per day.

NOTE: Scheduling a task to Run On Dialup may be more useful for an AutoUpdate task than an on-demand scan task.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Figure 12-11. Schedule tab — Run On Dialup


Section 4: Appendices, Glossary, & Index

Appendix A, Command-Line Scanner Program

Appendix B, Secure Registry

Appendix C, Troubleshooting

Glossary

Index


A

Command-Line Scanner Program

A typical installation of the VirusScan Enterprise software includes the command-line scanner program. That program can be run from a Windows command-line prompt or from the Run dialog box.

These topics are included in this section:

General command-line options

On-demand scanning command-line options

Update command-line options

General command-line options

To run the command-line scanner program, change to the folder in which the file SCAN.EXE is located, and type SCAN. If you installed the VirusScan Enterprise program to its default location, the file can be found in:

<drive>:\Program Files\Common Files\Network Associates\Engine\

1 Open the Windows command-line component with one of these methods:

Select Command Prompt from the Start menu.

Select Run from the Start menu.

2 Type the command line you want to use at the command prompt or in the Run dialog box.

The SCAN command-line syntax looks like this:

SCAN PROPERTY=VALUE[,VALUE] [/option]

This syntax does not require any specific order in its elements, except that you may not separate a property and its value. The syntax consists of:

File name — The name of the executable file: SCAN.EXE.

Options — Any options are preceded by a forward slash (/) character and are not case-sensitive. The installation scenarios that appear later in this guide discuss some of the available options.

See Table A-1 on page 288 for a list of options that can be added to the SCAN command.


Table A-1. General command-line options

Command-line Option Description

/? or /HELP Displays a list of VirusScan command-line options, each with a brief description.

You may find it helpful to add a list of scanning options to the report files that the VirusScan program creates. To do this, type scan /? /REPORT <file name> at the command prompt. The results of your scanning report are appended with the full set of options available for that scan task.

/ADL Scan all local drives—including compressed drives and PC cards, but not disks—in addition to any other drive(s) specified on the command line.

To scan both local and network drives, use the /ADL and /ADN commands together in the same command line.

/ADN Scan all network drives—including CD-ROM—for viruses, in addition to any other drive(s) specified on the command line.

Note: To scan both local drives and network drives, use the /ADL and /ADN commands together in the same command line.

/ALERTPATH <dir> Designates the directory <dir> as a network path to a remote NetWare volume or Windows NT directory, monitored by Centralized Alerting.

VirusScan sends an .ALR text file to the server when it detects an infected file.

From this directory, VirusScan Enterprise, through its Centralized Alerting feature, broadcasts or compiles the alerts and reports according to its established configuration.

Requirements:

You must have write-access to the directory you specify.

The directory must contain the VirusScan Enterprise-supplied CENTALRT.TXT file.

/ALL Overrides the default scan setting by scanning all infectable files—regardless of extension.

Notes: Using the /ALL option substantially increases the scanning time required. Use it only if you find a virus or suspect that you have one.

To get a current list of file type extensions run /EXTLIST at the command prompt.

/ANALYZE Sets the software to scan using its full heuristics, both program and macro.

Note: /MANALYZE targets macro viruses only; /PANALYZE targets program viruses only.


/APPEND Used with /REPORT <file name> to append report message text to the specified report file instead of overwriting it.

/BOOT Scan boot sector and master boot record only.

/CLEAN Clean viruses from all infected files and system areas.

/CLEANDOCALL As a precautionary measure against macro viruses, /CLEANDOCALL cleans all macros from Microsoft Word and Office documents if a single infection is found.

Note: This option deletes all macros, including macros not infected by a virus.

/CONTACTFILE <file name>

Display the contents of <file name> when a virus is found. It is an opportunity to provide contact information and instructions to the user when a virus is encountered. (McAfee Security recommends using /LOCK in tandem with this option.)

This option is especially useful in network environments, because you can easily maintain the message text in a central file instead of on each workstation.

Note: Any character is valid in a contact message except a backslash (\). Messages beginning with a slash (/) or a hyphen (-) should be placed in quotation marks.

/DAM A repair switch: deletes all macros in the event an infected macro is found. If no infected macro is found, no deletions are made.

If you suspect that there is an infection in your file, you may choose to strip all macros from a data file to minimize any possible exposure to a virus. To pre-emptively delete all macros in a file, use this option with /FAM:

scan <file name> /fam /dam

When using these two options in tandem, all found macros are deleted, whether or not an infection is found.

/DEL Deletes infected files permanently.

/EXCLUDE <file name> Do not scan the files listed in <file name>.

Use this option to exclude specific files from a scan. List the complete path to each file that you want to exclude on its own line. You may use wildcards * and ?

/EXTLIST Use this option to get a current list of file type extensions from the current DAT file.


/FAM Find all macros: not just macros suspected of being infected. It causes any macro found to be treated as a possible virus detection. No deletion of the found macros is made unless used in conjunction with the /DAM option.

If you suspect that there is an infection in your file, you may choose to strip all macros from a data file to minimize any possible exposure to a virus. To pre-emptively delete all macros in a file, use this option with /FAM:

scan <file name> /fam /dam

When using these two options in tandem, all found macros are deleted, whether or not an infection is found.

/FREQUENCY <n> Do not scan <n> hours after the previous scan.

In environments where the risk of viral infection is low, use this option to prevent unnecessary scans.

Remember, the greater the scan frequency, the better your protection against infection.

/HELP or /? Displays a list of scanning options, each with a brief description.

You may find it helpful to add a list of scanning options to the report files the VirusScan program creates. To do this, type scan /? /REPORT <file name> at the command prompt. The results of your scanning report are appended with the full set of options available for that scan task.

/LOAD <file name> Load scanning options from the named file.

Use this option to perform a scan you’ve already configured by loading custom settings saved in an ASCII-formatted file.

/MANALYZE Enables heuristic scanning for macro viruses.

Note: /PANALYZE targets program viruses only; /ANALYZE targets both program and macro viruses.

/MANY Scans multiple disks consecutively in a single drive. The program prompts you for each disk.

Use this option to examine multiple disks quickly.

You cannot use the /MANY option if you run the VirusScan software from a boot disk and you have only one floppy drive.

/MOVE <dir> Moves all infected files found during a scan to the specified directory, preserving drive letter and directory structure.

Note: This option has no effect if the Master Boot Record or boot sector is infected, since these are not files.

/NOBEEP Disables the tone that sounds whenever the scanners find a virus.


/NOBREAK Disables CTRL+C and CTRL+BREAK during scans.

Users are not able to halt scans in progress with /NOBREAK in use.

/NOCOMP Skips the examination of compressed executables created with the LZ.EXE or PkLite file-compression programs.

This reduces scanning time when a full scan is not needed. Otherwise, by default, VirusScan examines the inside of executable, or self-decompressing, files by decompressing each file in memory and checking for virus signatures.

/NODDA No direct disk access. This prevents the scanners from accessing the boot record.

This feature has been added to allow the scanners to run under Windows NT.

You might need to use this option on some device-driven drives.

Using /NODDA with the /ADN or /ADL switches may generate errors when accessing empty CD-ROM drives or empty Zip drives. If this occurs, type F (for Fail) in response to the error messages to continue the scan.

/NOXMS Does not use extended memory (XMS).

/PANALYZE Enables heuristic scanning for program viruses.

Note: /MANALYZE targets macro viruses only; /ANALYZE targets both program and macro viruses.

/PAUSE Enables screen pause.

The “Press any key to continue” prompt appears when the program fills a screen with messages. Otherwise, by default, the program fills and scrolls a screen continuously without stopping, which allows it to run on PCs with multiple drives or that have severe infections without needing your input.

McAfee Security recommends omitting /PAUSE when using the report options (/REPORT, /RPTALL, /RPTCOR, and /RPTERR).


/REPORT <file name> Creates a report of infected files and system errors, and saves the data to <file name> in ASCII text file format.

If <file name> already exists, /REPORT overwrites it. To avoid overwriting, use the /APPEND option with /REPORT: the software adds report information to the end of the file, instead of overwriting it.

You can also use /RPTALL, /RPTCOR, and /RPTERR to add scanned files, corrupted files, modified files, and system errors to the report.

You may find it helpful to add a list of scanning options to the report files the VirusScan program creates. To do this, type /? /report <file name> at the command prompt. The results of your scanning report are appended with the full set of options available for that scan task.

You can include the destination drive and directory (such as D:\VSREPRT\ALL.TXT), but if the destination is a network drive, you must have rights to create and delete files on that drive.

McAfee Security recommends omitting /PAUSE when using any report option.

/RPTALL Includes the names of all scanned files in the /REPORT file.

You can use /RPTCOR with /RPTERR on the same command line.

McAfee Security recommends omitting /PAUSE when using any report option.

/RPTCOR Include corrupted files in /REPORT file.

When used with /REPORT, this option adds the names of corrupted files to the report file. Corrupted files that the VirusScan scanners find may have been damaged by a virus.

You can use /RPTCOR with /RPTERR on the same command line.

There may be false readings in some files that require an overlay or another executable to run properly (that is, a file that is not executable on its own).

McAfee Security recommends omitting /PAUSE when using any report option.


/RPTERR Include errors in /REPORT file.

When used with /REPORT, this option adds a list of system errors to the report file.

/LOCK is appropriate in highly vulnerable network environments, such as open-use computer labs.

You can use /RPTERR with /RPTCOR on the same command line.

System errors can include problems reading or writing to a disk or hard disk, file system or network problems, problems creating reports, and other system-related problems.

McAfee Security recommends omitting /PAUSE when using any report option.

/SUB Scans subdirectories inside a directory.

By default, when you specify a directory to scan other than a drive, the VirusScan scanners examine only the files it contains, not its subdirectories.

Use /SUB to scan all subdirectories within any directories you have specified. It is not necessary to use /SUB if you specify an entire drive as a target.

/UNZIP Scan inside compressed files.

/VIRLIST Displays the name of each virus that the VirusScan software can detect.

This file is over 250 pages long. This is too large for the MS-DOS “Edit” program to open. McAfee Security recommends using Windows Notepad or another text editor to open the virus list.
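
As an added example (not part of the product guide), the following PowerShell function reviews a SCAN.EXE argument list against the notes in Table A-1 and flags options that narrow coverage, delete data, hide settings in a file, or break the report rules. The function names, the finding categories and the sample command line are constructed for illustration.

```powershell
# Added example (not from the product guide). Option names and rules are taken
# from Table A-1; function names, categories and the sample are constructed.

function New-Finding([string]$Option, [string]$Category, [string]$Note) {
    [pscustomobject]@{ Option = "/$Option"; Category = $Category; Note = $Note }
}

function Test-ScanCommandLine {
    param([Parameter(Mandatory = $true)][string[]]$Arguments)

    # Options that Table A-1 lists with a following <file name>, <dir> or <n>.
    $takesValue = 'ALERTPATH', 'CONTACTFILE', 'EXCLUDE', 'FREQUENCY', 'LOAD', 'MOVE', 'REPORT'
    # Options the table describes as narrowing or skipping what is examined.
    $reducesCoverage = @{
        BOOT      = 'Scans the boot sector and master boot record only.'
        EXCLUDE   = 'Files listed in the exclusion file are not scanned.'
        FREQUENCY = 'No scan runs within <n> hours of the previous scan.'
        NOCOMP    = 'Executables compressed with LZ.EXE or PkLite are skipped.'
        NODDA     = 'The scanner cannot access the boot record.'
    }
    # Options the table describes as deleting data.
    $destructive = @{
        DEL         = 'Infected files are deleted permanently.'
        CLEANDOCALL = 'One infection removes all macros, including uninfected ones.'
    }
    $reportAddOns = 'APPEND', 'RPTALL', 'RPTCOR', 'RPTERR'

    # Parse: options start with a slash and are not case-sensitive; anything
    # else is a scan target or the value of the preceding option.
    $seen = [ordered]@{}
    for ($i = 0; $i -lt $Arguments.Count; $i++) {
        if ($Arguments[$i] -match '^/(.+)$') {
            $name  = $Matches[1].ToUpperInvariant()
            $value = $null
            if ($takesValue -contains $name) {
                $next = $i + 1
                if ($next -lt $Arguments.Count -and $Arguments[$next] -notmatch '^/') {
                    $value = $Arguments[$next]
                    $i = $next
                } else {
                    New-Finding $name 'Syntax' 'Table A-1 shows this option with a value, but none follows it.'
                }
            }
            $seen[$name] = $value
        }
    }

    foreach ($name in $seen.Keys) {
        if ($reducesCoverage.Contains($name)) { New-Finding $name 'Coverage' $reducesCoverage[$name] }
        if ($destructive.Contains($name))     { New-Finding $name 'Destructive' $destructive[$name] }
        if ($reportAddOns -contains $name -and -not $seen.Contains('REPORT')) {
            New-Finding $name 'Report' 'Adds to the /REPORT file, but /REPORT is not on the command line.'
        }
    }

    # /DAM alone deletes macros only after an infected macro is found;
    # together with /FAM it deletes every macro found.
    if ($seen.Contains('DAM')) {
        if ($seen.Contains('FAM')) {
            $note = 'With /FAM, all found macros are deleted whether or not an infection is found.'
        } else {
            $note = 'All macros are deleted if an infected macro is found.'
        }
        New-Finding 'DAM' 'Destructive' $note
    }

    # /LOAD pulls further options from a file, so they are invisible here.
    if ($seen.Contains('LOAD')) {
        New-Finding 'LOAD' 'Indirect' "Scanning options are loaded from '$($seen['LOAD'])'; review that file too."
    }

    # The guide recommends omitting /PAUSE with /REPORT, /RPTALL, /RPTCOR, /RPTERR.
    $reportInUse = @('REPORT', 'RPTALL', 'RPTCOR', 'RPTERR' | Where-Object { $seen.Contains($_) })
    if ($seen.Contains('PAUSE') -and $reportInUse.Count -gt 0) {
        New-Finding 'PAUSE' 'Report' 'McAfee Security recommends omitting /PAUSE when using any report option.'
    }
}

# Constructed sample: the arguments of a scheduled scan job under review.
$sample = 'D:\Shares', '/sub', '/fam', '/dam', '/rptcor', '/pause', '/exclude', 'D:\skip.txt'
Test-ScanCommandLine -Arguments $sample | Format-Table -AutoSize -Wrap
```

Pass the arguments already split into tokens, as they would appear in a scheduled task definition, so quoted paths are not split on spaces.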


On-demand scanning command-line options

The VirusScan Enterprise on-demand scanner can be run from the Windows command line prompt, or from the Start menu’s Run dialog box. To run the program, change to the folder in which the file SCAN32.EXE is located, and type SCAN32. If you installed the VirusScan Enterprise program to its default location, the file can be found in:

<drive>:\Program Files\Network Associates\VirusScan\

1 Open the Windows command-line component with one of these methods:

Select Command Prompt from the Start menu.

Select Run from the Start menu.

2 Type the command line you want to use at the command prompt or in the Run dialog box.

The SCAN32 command-line syntax looks like this:

SCAN32 PROPERTY=VALUE[,VALUE] [/option]

This syntax does not require any specific order in its elements, except that you may not separate a property and its value. The syntax consists of:

File name — The name of the executable file: SCAN32.EXE.

Options — Any options are preceded by a forward slash (/) character and are not case-sensitive.

See Table A-2 on page 295 for a list of options that can be added to the SCAN32 command.


Table A-2. On-Demand Command-line Options

Command-line Option Description

ALL Scan all files in the target folder.

ALLOLE Scan default files plus all Microsoft Office documents.

ALWAYSEXIT Forces exit from on-demand scan, even if scan completed with error/failure.

APPLYNVP Scan for the unwanted programs that are defined in the Unwanted Programs Policy.

ARCHIVE Scan archive files such as .ZIP, .CAP, .LZH, and .UUE files.

AUTOEXIT Exits the on-demand scanner upon completion of a non-interactive scan.

CLEAN Cleans the infected target file when a virus is detected.

CLEANA Clean the file when an unwanted program is detected.

CONTINUE Scanning continues after a virus is detected.

CONTINUE2 Scanning continues after a virus is detected and the primary action has failed.

CONTINUEA Scanning continues after an unwanted program is detected.

CONTINUEA2 Scanning continues after an unwanted program is detected and the primary action has failed.

DEFEXT File extensions that you add, as parameters following this argument, are added to the list of selected file types that are included in scanning.

DELETE Delete the infected file when a virus is detected.

DELETE2 Delete the infected file when a virus is detected and the primary action has failed.

DELETEA Delete the file when an unwanted program is detected.

DELETEA2 Delete the file when a virus is detected and the primary action has failed.

EDIT Display the scan task properties dialog.

EXT File extensions that you add, as parameters following this argument, replace the extensions on the list of selected file types that are included in scanning.

LOG Log infection reports to previously specified log file.

LOGFORMAT <value> Use the specified format for the log file. Valid values are ANSI, UTF8, or UTF16.

LOGSETTINGS Log the configuration settings of a scan task.

LOGSUMMARY Log a summary of scan task results.

LOGUSER Log identifying information about the user who executes a scan task.

MHEUR Enable heuristic detection of macro viruses.


MIME Detect viruses in MIME (Multipurpose Internet Mail Extensions) encoded files.

MOVE Move (quarantine) the infected file to a pre-specified quarantine folder when a virus is detected.

MOVE2 Move (quarantine) the infected file to a pre-specified quarantine folder when a virus is detected and the primary action has failed.

MOVEA Move (quarantine) the file to a pre-specified quarantine folder when an unwanted program is detected.

MOVEA2 Move (quarantine) the file to a pre-specified quarantine folder when an unwanted program is detected and the primary action has failed.

NOESTIMATE Do not calculate scan task size before beginning scanning of files. Progress bar does not display.

PHEUR Enable heuristic detection of non-macro viruses.

PRIORITY Sets the priority of the scan task relative to other CPU processes. Requires an additional numerical parameter. A value of 1 assigns priority to all other CPU processes. A value of 5 assigns the highest priority to the scan task.

PROMPT Prompt user for action when a virus is detected.

PROMPT2 Prompt user for action when a virus is detected and the primary action has failed.

PROMPTA Prompt user for action when an unwanted program is detected.

PROMPTA2 Prompt user for action when an unwanted program is detected and the primary action has failed.

RPTSIZE Sets the size of the alert log, in Megabytes.

START Run the scan task. Do not display the properties dialog.

TASK Launches the on-demand scanner task specified in the VirusScan Console. Requires additional parameter specifying the specified task ID as recorded in the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\Tasks

UINONE Launch the scanner without making the user interface dialog visible.


Update command-line options

You can perform AutoUpdate or Rollback DATs tasks from the Windows command line prompt, or from the Start menu’s Run dialog box. To run the program, change to the folder in which the file MCUPDATE.EXE is located, and type MCUPDATE. If you installed the VirusScan Enterprise program to its default location, the file can be found in:

<drive>:\Program Files\Network Associates\VirusScan\

1 Open the Windows command-line component with one of these methods:

Select Command Prompt from the Start menu.

Select Run from the Start menu.

2 Type the command line you want to use at the command prompt or in the Run dialog box.

The MCUPDATE command-line syntax looks like this:

MCUPDATE [/<type> [/TASK <guid>]] [/option]

This syntax does not require any specific order in its elements, except that you may not separate a property and its value. The syntax consists of:

File name — The name of the executable file: MCUPDATE.EXE.

Options — Any options are preceded by a forward slash (/) character and are not case-sensitive.

The /TASK clause is optional; however, if you use it, you must also specify an update task ID (guid). The task ID you select must be for an update or a rollback DATs task; do not select a scan task ID. If you do not specify a task ID, the default UPDATE task is used. Task IDs are located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\Tasks\

The /OPTION clause is not required; however, to perform a silent update task, use /QUIET.

NOTE: The /QUIET option is not supported for use with the Rollback DATs task.

This example performs a silent update task:

MCUPDATE [/UPDATE] [/QUIET]

See Table A-3 on page 298 for task types and options that can be used with the MCUPDATE command.


Table A-3. Update command-line options

Command-line Option Description

ROLLBACKDATS Roll the current DAT file back to the last backed up version.

UPDATE Perform an update of the DAT file, scanning engine, product, or EXTRA.DAT.

/TASK Launches the AutoUpdate or Rollback DATs task specified in the VirusScan Console. Requires additional parameter to specify the task ID as recorded in the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\Tasks

/QUIET Performs the task silently.


B

Secure Registry

The VirusScan Enterprise program is compatible with the Windows secure registry feature. The program writes registry entries based on the limits imposed by the user's security permissions. Any program features to which the user has no permission appear disabled and are unselectable or unresponsive. Previous releases of the product sometimes generated errors when the program attempted to write a registry entry for a function to which the user did not have permission.

This section lists registry keys that require write access and the results that can be expected if a user does not have adequate permission to write to those keys.

All the registry keys shown in this table are subkeys of:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\

These features are included in this section:

Alert Manager

McUpdate

On-Access Scanner

On-Demand Scanner

Task Manager

VirusScan Console

Alert Manager

Program or Windows Service Registry key(s) and result if write access is not available

NAI Alert Manager

A component that provides immediate notification that the scanner has detected a virus, or that the event scheduler has encountered a problem.

KEY: Shared Components\Alert Manager

The user can see the property pages for the alerting methods and messages, but cannot change the configuration.

McUpdate

Program or Windows Service Registry key(s) and result if write access is not available

McUpdate.exe

This program is used to perform updating of DAT files, scanning engine, product upgrades, Patches, and Service Packs.

KEY: VirusScan Enterprise\CurrentVersion\

DAT information is not updated.

KEY: Shared Components\On-Access Scanner\McShield\Configuration

McShield might not reload the DAT.

KEY: VirusScan Enterprise\CurrentVersion\Tasks

Status information cannot be communicated to the VirusScan Console.

On-Access Scanner

Program or Windows Service Registry key(s) and result if write access is not available

Network Associates McShield Service

This Windows service runs under the local System account and performs a scan whenever a file is accessed.

KEY: Shared Components\On-Access Scanner

Ordinarily not affected because the service runs under a System account. However, if this service does not have write access to this key, the on-access scanner does not function.

ShCfg32.exe

This program runs the on-access configuration interface.

KEY: Shared Components\On-Access Scanner\McShield\Configuration

The user can see the on-access scanner property pages, but cannot change the configuration.

ShStat.exe

This program gathers statistics on the activities of the on-access scanner. It also places the VirusScan Enterprise icon in the system tray. Right-clicking the icon allows the user to view scanning statistics, disable and enable the program, and open several program components.

KEY: Shared Components\On-Access Scanner\McShield\Configuration

The user cannot enable or disable the on-access scanner using the icon in the system tray.

On-Demand Scanner

Program or Windows Service Registry key(s) and result if write access is not available

ScnCfg32.exe

This program runs the on-demand configuration interface.

KEY: VirusScan Enterprise\CurrentVersion

KEY: VirusScan Enterprise\CurrentVersion\Tasks

KEY: VirusScan Enterprise\CurrentVersion\DefaultTask

If write access fails for any of these keys, the user can see the on-demand scanner property pages, but cannot change the configuration.

Scan32.exe

This program performs on-demand scanning activities of targets specified on the VirusScan Console.

KEY: VirusScan Enterprise\CurrentVersion\

KEY: VirusScan Enterprise\CurrentVersion\Tasks

KEY: Shared Components\VirusScan Engine\4.0.xx

If Scan32 does not have a writable key to its own task, then it runs but does not update statistics, nor does it generate scanning results data.

This does not affect scheduled on-demand scan tasks, which are controlled by the Task Manager service described in the following section.

Task Manager

Program or Windows Service Registry key(s) and result if write access is not available

Network Associates Task Manager Service

This Windows service runs under a System account or an administrator’s account. It allows scheduling of scanning and updating activities.

KEY: VirusScan Enterprise\CurrentVersion\

KEY: VirusScan Enterprise\CurrentVersion\Alerts

KEY: VirusScan Enterprise\CurrentVersion\Tasks <all subkeys>

KEY: Shared Components\On-Access Scanner\McShield

KEY: Shared Components\On-Access Scanner\McShield\Configuration

Ordinarily not affected because the service runs under a system or administrator account. However, if this service does not have read/write access to any of these keys, the service fails to start.

VirusScan Console

Program or Windows Service Registry key(s) and result if write access is not available

McConsole.exe

This program runs the administrative interface for the VirusScan Enterprise program.

KEY: VirusScan Enterprise\CurrentVersion\

DAT updates do not function reliably. The user can see the current screen refresh rate, but cannot change it.

KEY: VirusScan Enterprise\CurrentVersion\Alerts\CurrentVersion

The Alert Manager settings visible by selecting Alerts from the Tools menu appear disabled and do not respond when selected. Some start/stop tasks that the VirusScan Console controls may not be generated.

KEY: VirusScan Enterprise\CurrentVersion\Tasks

These options appear disabled and do not respond when selected:

Enable/Disable the on-access scanner.

Copy, Paste, Delete, Rename, Import, and Export tasks.

Stop.

KEY: Shared Components\On-Access Scanner\McShield\Configuration

The on-access scanner cannot be configured, enabled, or disabled.

KEY: VirusScan Enterprise\CurrentVersion\Tasks\Xxxx

Any key that has been locked down cannot be configured.
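
As an added example (not part of the product guide), the following PowerShell function tries to open a selection of the keys from the tables above for writing and reports, for the account running it, which keys are locked down and what the guide says the result is. The function name and the -View parameter are hypothetical; -View is an assumption for 64-bit Windows, where a 32-bit product's keys may live in the 32-bit registry view.

```powershell
# Added example (not from the product guide). Key paths and result text come
# from the Secure Registry tables; the function name and -View are hypothetical.
# The result applies to the account running the script. The McShield and Task
# Manager services run under System or administrator accounts, so run the check
# in the security context you want to audit.

function Test-VseRegistryWriteAccess {
    param([Microsoft.Win32.RegistryView]$View = [Microsoft.Win32.RegistryView]::Default)

    $root = 'SOFTWARE\Network Associates\TVD'
    $oas  = 'Shared Components\On-Access Scanner'
    $vse  = 'VirusScan Enterprise\CurrentVersion'
    $checks = @(
        @{ Program = 'NAI Alert Manager'; Key = 'Shared Components\Alert Manager'
           Result  = 'Alerting property pages are visible but cannot be changed.' },
        @{ Program = 'McUpdate.exe'; Key = $vse
           Result  = 'DAT information is not updated.' },
        @{ Program = 'McUpdate.exe'; Key = "$oas\McShield\Configuration"
           Result  = 'McShield might not reload the DAT.' },
        @{ Program = 'McUpdate.exe'; Key = "$vse\Tasks"
           Result  = 'Status information cannot be communicated to the VirusScan Console.' },
        @{ Program = 'McShield Service'; Key = $oas
           Result  = 'The on-access scanner does not function.' },
        @{ Program = 'ShCfg32.exe'; Key = "$oas\McShield\Configuration"
           Result  = 'On-access property pages are visible but cannot be changed.' },
        @{ Program = 'ShStat.exe'; Key = "$oas\McShield\Configuration"
           Result  = 'The tray icon cannot enable or disable the on-access scanner.' },
        @{ Program = 'ScnCfg32.exe'; Key = "$vse\DefaultTask"
           Result  = 'On-demand property pages are visible but cannot be changed.' },
        @{ Program = 'Task Manager Service'; Key = "$vse\Alerts"
           Result  = 'The service fails to start.' },
        @{ Program = 'McConsole.exe'; Key = "$vse\Alerts\CurrentVersion"
           Result  = 'Alert Manager settings on the Tools menu appear disabled.' }
    )

    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $View)
    try {
        foreach ($check in $checks) {
            $status = 'Writable'
            $impact = ''
            $key = $null
            try {
                # writable = $true requests read and write access together and
                # throws SecurityException when the account lacks it.
                $key = $hklm.OpenSubKey("$root\$($check.Key)", $true)
                if ($null -eq $key) { $status = 'Key not found' }
            } catch {
                $cause = $_.Exception.GetBaseException()
                if ($cause -is [System.Security.SecurityException] -or
                    $cause -is [System.UnauthorizedAccessException]) {
                    $status = 'No write access'
                    $impact = $check.Result
                } else {
                    throw
                }
            } finally {
                if ($null -ne $key) { $key.Close() }
            }
            [pscustomobject]@{
                Program = $check.Program
                Key     = $check.Key
                Status  = $status
                Impact  = $impact
            }
        }
    } finally {
        $hklm.Close()
    }
}

Test-VseRegistryWriteAccess | Format-Table -AutoSize -Wrap
```

The function only opens and closes each key and writes nothing to the registry.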


C

Troubleshooting

This section contains troubleshooting information for the VirusScan Enterprise product.

These topics are included in this section:

Troubleshooting utilities

Frequently asked questions

Updating error codes

Troubleshooting utilities

The VirusScan Enterprise installation package includes two utilities to assist with troubleshooting the Network Associates software on your system. These utilities are automatically installed as part of the VirusScan Enterprise installation and are present on each computer on which VirusScan Enterprise runs.

Minimum Escalation Requirements Tool

Repair Installation

Error Reporting Service


Minimum Escalation Requirements Tool

The McAfee Minimum Escalation Requirements Tool (MERTool) is a utility that is designed to gather reports and logs for the Network Associates software on your system. The tool must be launched manually and only collects information following user input. The information obtained can be used to help analyze problems.

To get more information about MERTool and access the utility, click the MERTool file that was installed with the VirusScan Enterprise product.

This file is located in the installation folder. If you accepted the default installation path, this file is located in:

<drive>:\Program Files\Network Associates\VirusScan\

When you click the MERTool file, it accesses the URL for the MERTool web site. Follow the instructions on the web site.

Repair Installation

You can restore the program's default installation settings and/or reinstall all of the VirusScan Enterprise program files.

WARNING: Restoring default settings may result in losing customized settings. Reinstalling all program files may overwrite any HotFix, Patch, and/or Service Packs that have been installed.

1 Open the VirusScan Console, then select Repair Installation from the Help menu.

2 Select from these options:

Restore all settings to installation defaults.

Reinstall all program files.

3 Click OK to save these settings and close the dialog box.

Figure C-1. Repair Installation


Error Reporting Service

The Network Associates Error Reporting Service provides constant background monitoring of Network Associates applications and prompts the user when it detects a problem.

To enable the Error Reporting Service:

1 Open the VirusScan Console, then select Error Reporting Service from the Tools menu.

2 Select Enable error reporting service, then click OK to close the dialog box.

This utility only collects information from the computer on which it is installed. If this computer is connected to a network that has Alert Manager installed, then Alert Manager notifies the network administrator that the Error Reporting Service has detected a problem. The network administrator may need to tell the user what action to take and what to do with the data files created, in accordance with departmental or company policy.

When a failure of the Network Associates software is detected on a user’s computer, a dialog box is displayed. Choose from these options:

Submit Data — When you select this option, the Error Reporting Service connects to the Network Associates Technical Support web site and prompts you for any additional information that is required. This information may be used to open a support case. You may be asked to launch MERTool to obtain additional information. Follow the instructions on the web site.

Ignore Error — The error information is saved to the hard disk so that it is available for future use. No further activity occurs.

Figure C-2. Error Reporting Service


Frequently asked questions

This section contains troubleshooting information in the form of frequently asked questions. The questions are divided into the following categories:

Installation

Scanning

Virus

General


Installation

I just installed the software using the Silent Install method, and there is no VirusScan Enterprise icon in the Windows system tray.

The icon does not appear in the system tray until you restart your system. However, even though there is no icon, VirusScan Enterprise is running, and your computer is protected.

You can verify this by checking the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE"/STANDALONE

Why can some users on my network configure their own settings in VirusScan Enterprise and others cannot?

If the administrator configures the user interface to password protect the tasks, users cannot change the settings.

Different Microsoft Windows operating systems have different user privileges. Windows NT users have permission to write to the system registry, while Windows XP or Windows 2000 users do not. Refer to your Microsoft Windows documentation for more information about user permissions.

During a command-line installation, how can I prevent users who do not have administrator rights from obtaining administrator rights through the VirusScan Console?

You can prevent users from obtaining administrator rights during a command-line installation by adding the following property:

DONOTSTARTSHSTAT=True

This prevents SHSTAT.EXE from starting when the installation completes.


Scanning

In On-Access Scanning, what is the difference between scanning “when writing to disk” and scanning “when reading from disk”?

Scanning when writing is a file-writing action. It scans the following:

Incoming files being written to the local hard drive.

Files being created on the local hard drive or a mapped network drive (this includes new files, modified files, or files being copied or moved from one drive to another).

Scanning when reading is a file-reading action. It scans the following:

Outgoing files being read from the local hard drive.

NOTE: Select on network drives in the On-Access Scan Properties dialog box to include remote network files.

Any file being executed on the local hard drive.

Any file opened on the local hard drive.

Any file being renamed on the local hard drive, if the file properties have changed.

Virus

I suspect I have a virus but VirusScan Enterprise is not detecting it.

You can download the latest DAT file while it is still being tested prior to the official release. To use the daily DAT file, refer to:

http://www.networkassociates.com/us/downloads/updates/

I cannot get VirusScan Enterprise installed, but I think I have a virus. How can I determine if my computer is infected?

If you have not been able to install VirusScan Enterprise, you can still run a scan at the command line, using a single file downloaded from the Network Associates web site. To run a command-line scan on a computer that does not have anti-virus software installed:

1 Create a folder in the root of your C drive named Scan.

2 Right-click the Scan folder and select Properties. Make sure that the read-only attribute is selected.

3 Go to http://www.networkassociates.com/us/downloads/updates/.


4 Click SDATFile (Engine + DAT) to open the SuperDAT files window, then click SDATXXX.EXE for Windows-Intel to start the download.

5 Download this file into your new folder (C:\Scan).

6 From the Start menu, select Run and type C:\Scan\sdatxxxx.exe /e in the text box. Click OK.

NOTE: We recommend that you disconnect the system from the network before scanning.

7 Open a DOS prompt (also called a Command Prompt). At the prompt, type:

cd c:\Scan

Your prompt now looks like this:

C:\Scan>

8 At the prompt, type:

scan.exe /clean /all /adl /unzip /report report.txt

This scans all local drives and creates a report in a file named REPORT.TXT.

9 After scanning, browse to your C:\Scan directory and read the REPORT.TXT file.

On Windows 2000 and Windows XP systems, boot into Safe Mode Command Prompt only to perform the scan. On Windows NT systems, run the scan from VGA Mode, then a command prompt.

We recommend that you rerun the command-line scanner until no virus files are found. You may want to rename the report text file as REPORT2.TXT to record the second scan and REPORT3.TXT for the third scan, and so on, to avoid overwriting the reports file each time.

WARNING: You may receive an error that an application is attempting to directly access the hard disk on Windows NT systems. Click Ignore to continue. If you do not click Ignore, the scan terminates.
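The rerun procedure above as a batch file, added here as an example (it is not part of the product guide). It assumes the Windows 2000/XP command interpreter and that scan.exe has already been extracted to C:\Scan; the run log name SCANRUNS.TXT is made up for this example.

```batch
@echo off
rem Added example, not part of the product guide.
rem Runs the guide's command-line scan from C:\Scan and writes each run to the
rem next unused report name (REPORT.TXT, REPORT2.TXT, REPORT3.TXT, ...), so
rem that earlier reports are never overwritten.
setlocal

cd /d C:\Scan
if not exist scan.exe (
    echo scan.exe was not found in C:\Scan. Extract the SuperDAT file there first.
    exit /b 1
)

set N=1
set REPORT=REPORT.TXT

rem Step through REPORT.TXT, REPORT2.TXT, ... until a name is free.
:next_name
if not exist "%REPORT%" goto run_scan
set /a N+=1
set REPORT=REPORT%N%.TXT
goto next_name

:run_scan
echo Writing this scan to %REPORT%
scan.exe /clean /all /adl /unzip /report %REPORT%
set RC=%ERRORLEVEL%

rem Keep one line per run. SCANRUNS.TXT is a name chosen for this example.
rem The redirection is placed first so that a digit at the end of the line
rem is not parsed as a file handle number.
>> SCANRUNS.TXT echo %DATE% %TIME% %REPORT% exit code %RC%

rem The exit code is recorded as-is; read %REPORT% to see what was found.
echo Scan finished with exit code %RC%. Read %REPORT%, then run this file again until no virus files are found.
exit /b %RC%
```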


General

The VirusScan Enterprise icon in my system tray appears to be disabled.

If there is a red circle and line covering the VirusScan Enterprise icon, that indicates that On-Access Scan is disabled. Here are the most common causes and solutions. If none of these solves your problem, contact technical support.

1 Make sure that the On-Access Scan is enabled. To do this:

a Right-click the VirusScan Enterprise icon in the system tray. If the on-access scanner is disabled, the words Enable On-Access Scan appear in the menu.

b Select Enable On-Access Scan to enable the on-access scanner.

2 Make sure that the service is running. To do this:

a Open the Services Control Panel using one of these methods:

For Windows NT, select Start|Settings|Control Panel|Services and confirm that Network Associates McShield has a Status of Started.

For Windows 2000 or XP, select Start|Settings|Control Panel|Admin Tools|Services and confirm that Network Associates McShield has a Status of Started.

b If it is not started, highlight Network Associates McShield on the list of services and click Start or Resume.

You can also select Start|Run, then type net start McShield.

3 Make sure that the service is set to start automatically. To do this, open the Services Control Panel using one of these methods:

For Windows NT, select Start|Settings|Control Panel|Services and confirm that Network Associates McShield has a Startup Type of Automatic.

If it is not set to Automatic, highlight Network Associates McShield on the list of services, click Startup, then select Automatic as the Startup Type.

For Windows 2000 or XP, select Start|Settings|Control Panel|Admin Tools|Services and confirm that Network Associates McShield has a Startup Type of Automatic.

If it is not set to Automatic, right-click Network Associates McShield on the list of services, select Properties and General tab, then select Automatic as the Startup Type.
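The service checks from this answer, together with the registry check from the silent-install question under Installation, as a batch file; an added example, not part of the product guide. It assumes the service name McShield (the name the net start command above uses) and that sc.exe and reg.exe are on the system, as they are on Windows XP.

```batch
@echo off
rem Added example, not part of the product guide.
rem Assumptions: the service name is McShield, and sc.exe and reg.exe are
rem available. The script only reports; it changes nothing on the system.
setlocal
set PROBLEMS=0

rem 1. Is the on-access scanner service running?
sc query McShield | find "RUNNING" >nul
if errorlevel 1 (
    echo [!] McShield is not running. Start it with: net start McShield
    set PROBLEMS=1
) else (
    echo [ok] McShield is running.
)

rem 2. Is the service set to start automatically?
sc qc McShield | find "AUTO_START" >nul
if errorlevel 1 (
    echo [!] McShield does not have a Startup Type of Automatic.
    set PROBLEMS=1
) else (
    echo [ok] McShield has a Startup Type of Automatic.
)

rem 3. Is SHSTAT.EXE registered under the Run key, as the Installation
rem    answer describes for a silent install?
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v ShStatEXE 2>nul | find /i "SHSTAT.EXE" >nul
if errorlevel 1 (
    echo [!] No ShStatEXE value was found under the Run key.
    set PROBLEMS=1
) else (
    echo [ok] ShStatEXE is present under the Run key.
)

rem Exit code 0 means every check passed; 1 means at least one failed.
exit /b %PROBLEMS%
```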


I get an error that I cannot download catalog.z.

This error can be caused by many things. Here are a few suggestions to help determine the source of the problem.

If you are using the Network Associates default download site for updates, determine if you can download the CATALOG.Z file via a web browser. To do this, go to the URL:

http://update.nai.com/Products/CommonUpdater/catalog.z

and try to download the file.

If you are not able to download the file, but you can see it (in other words, your browser does not allow you to download it), that means you have a proxy issue and need to talk to your network administrator.

If you are able to download the file, that means VirusScan Enterprise should be able to download it as well. Contact technical support for assistance in troubleshooting your installation of VirusScan Enterprise.

If you are using a mirror site for updates, make sure that your mirror site is pointing to the correct site for updates. If you are unsure, try changing your settings to use the default Network Associates site.

I have some computers that will continue using VirusScan 4.5.1 and others using VirusScan Enterprise. Can all the computers use the same repository for DAT files?

Yes, a network of computers running multiple versions of VirusScan can all use the same repository for DAT files. First, make sure that you are using the correct directory structure in the repository list for VirusScan 4.5.1. Then make sure that, in the McAfee AutoUpdate Architect console, you have selected the option I want to make my site compatible with legacy software. See the McAfee AutoUpdate Architect Product Guide for more information.


Where is the location of the HTTP download site?

The CATALOG.Z file, which contains the latest updates, can be downloaded from the web site:

http://update.nai.com/Products/CommonUpdater/catalog.z

Where is the location of the FTP download site?

The CATALOG.Z file, which contains the latest updates, can be downloaded from the FTP site:

ftp://ftp.nai.com/CommonUpdater/catalog.z

If I do detect a virus and I have chosen “prompt user for action,” what action should I choose (Clean, Delete, Move)?

Our general recommendation is to choose Clean if you are not sure what to do with an infected file. The VirusScan Enterprise default action is to Clean a file, then Move it.

I tried to Move or Delete a file and it failed.

This can happen when a file is locked by another program, or you do not have permissions to move or delete the file. As a workaround, you can look in the VirusScan Enterprise log and see where the file is located, then move or delete it manually using Windows Explorer.


Updating error codes

When your AutoUpdate fails, review the update log. See Viewing the activity log on page 232 for information about how to view the log file. Following are common error codes that you may encounter:

-215: Failed to get site status — The software cannot verify if the repository is available. Attempt to manually download the PKGCATALOG.Z file using the network protocol. If this fails, verify the path and user credentials.

-302: Failed to get the agent’s framework interface — The scheduler interface is not available. Stop and restart the framework service.

-409: Master site not found — The master repository for the update is not available, is inaccessible, or is in use. Attempt to manually download the PKGCATALOG.Z file using the network protocol. If this fails, verify the path and user credentials.

-414: Verify the Domain, User Name, and Password you provided are typed correctly. Verify that the user account has permissions to the location where the repository resides — While creating the repository, the credentials entered were determined invalid when Verify was selected. Either now, or after the repository is created, correct the credential information. Click Verify again. Repeat this process until the credentials are verified.

-503: Product package not found — Update files are not present in the repository or may be corrupt. Ensure that the repository is populated with the update files. If these files are present, create a replication or pull task to overwrite the current task setting. If the files were not present, populate the repository, then attempt to update again.

-530: Site catalog not found — You performed a pull task from a repository that does not have a catalog file, or contains a corrupted catalog file. To correct this issue, verify that the source repository contains a valid catalog directory.

-531: Package catalog not found — The PKGCATALOG.Z was not found in the repository. Try to download the file using the network protocol. If it cannot be downloaded, perform a replication or pull task (depending on the type of repository).


-601: Failed to download file — The repository is not accessible. Try to download the file using network protocol. If it cannot be downloaded, verify the path and user rights. If the file is downloaded, try stopping and starting the service.

-602: Failed to upload file — You performed a pull task but the master repository credentials or settings are invalid (or the location is not available). Verify the credentials and location.

-804: Site status not found — You performed a replication task but the master repository is not available (or the credentials are invalid). Verify that the master repository is active, accessible, and that the credentials are valid.

-1113: Replication has been done partially — One or more repositories may be inaccessible at the time of replication. Consequently, not all repositories are up-to-date. Verify that all repositories are accessible and that no files are marked as read-only, then perform the task again.


Glossary

action taken
How McAfee Security anti-virus or security products responded to detected infections; for example, “cleaned” indicates that the detected infection was successfully removed from the corresponding file.

agent
See VirusScan Enterprise agent.

alert
A message or notification regarding computer activity such as virus detection. It can be sent automatically according to a predefined configuration, to system administrators and users, via e-mail, pager, or phone.

See also Alert Manager.

Alert Manager
McAfee alert notification utility that can be configured to use various notification methods when it receives an alert, such as a pager message or e-mail message. The utility allows you to select which events, such as a virus detection, trigger alert messages.

ANSI
American National Standards Institute.

anti-virus policy
See policy.

AutoUpdate
The automatic program in the McAfee Security software that updates that software program with the latest virus definition (DAT) files and scanning engine.

AutoUpgrade
The automatic program that upgrades McAfee Security products to the latest available version. It also provides the ability to update products with the latest virus definition (DAT) files and scanning engine.

AVERT
Anti-Virus Emergency Response Team, a division of Network Associates, Inc.; an anti-virus research center that supports the computing public and Network Associates customers by researching the latest threats, and by uncovering threats that may arise in the future.

buffer overflow exploit
An attack technique that exploits an application’s buffer overflow to force it to execute arbitrary code.

Centralized Alerting
An alternative to using regular Alert Manager. Alert messages generated by anti-virus software, such as VirusScan, are saved to a shared folder on a server. Alert Manager is configured to read alert notifications from that same folder. When the contents of the shared folder change, Alert Manager sends new alert notifications using whatever alerting methods Alert Manager is already configured to use, such as sending e-mail messages to a pager.

See also Alert Manager.


clean, cleaning
An action taken by the scanner when it detects a virus, a Trojan horse or a worm. The cleaning action can include removing the virus from a file and restoring the file to usability; removing references to the virus from system files, system .INI files, and the registry; ending the process generated by the virus; deleting a macro or a Microsoft Visual Basic script that is infecting a file; deleting a file if it is a Trojan horse or a worm; renaming a file that cannot be cleaned.

client computer
A computer on the client-side of the program.

client tasks
Tasks that are executed on the client-side of the software.

command-line scanner
The McAfee Security anti-virus scanner that runs from the Command Prompt.

common framework
The architecture that allows different McAfee Security products to share the common components and code, which are the Scheduler, AutoUpdate, and the ePolicy Orchestrator agent.

computers
The physical computers on the network.

configuration settings
See policy.

DAT files
Virus definition files, sometimes referred to as signature files, that allow the anti-virus software to recognize viruses and related potentially unwanted code embedded in files.

See also EXTRA.DAT file, incremental DAT files, and SuperDAT.

default process
In VirusScan, any process that is not defined as a low-risk process or high-risk process.

denial-of-service attack (DoS)
A means of attack, an intrusion, against a computer, server or network that disrupts the ability to respond to legitimate connection requests. A denial-of-service attack overwhelms its target with false connection requests, so that the target ignores legitimate requests.

deploy, deployment
The act of distributing and installing Setup programs to client computers from a central location.

distributed software repositories
A collection of web sites or computers located across the network in such a way as to provide bandwidth-efficient access to client computers. Distributed repositories store the files that client computers need to install supported products and updates to these products.

download site
The McAfee Security web site from which you retrieve product or DAT updates.

See also update site.

EICAR test file
European Institute of Computer Anti-Virus Research has developed a file consisting of a string of characters that can be used to test the proper installation and operation of anti-virus software.

error reporting utility
A utility specifically designed to track and log failures in the Network Associates software on your system. The information that is obtained can be used to help analyze problems.


EXTRA.DAT file
Supplemental virus definition file that is created in response to an outbreak of a new virus or a new variant of an existing virus.

See also DAT files, incremental DAT files, and SuperDAT.

heuristic analysis, heuristics
A method of scanning that looks for patterns or activities that are virus-like, to detect new or previously undetected viruses.

high-risk process
In VirusScan, processes that McAfee Security considers to have a higher possibility of being infected. For example, processes that launch other processes, such as Microsoft Windows Explorer or the command prompt; processes that execute, such as WINWORD or CSCRIPT; processes used for downloading from the Internet, such as browsers, instant messengers, and mail clients.

See also default process and low-risk process.

HotFix releases (now Patches)
Intermediate releases of the product that fix specific issues.

incremental DAT files
New virus definitions that supplement the virus definitions currently installed. Allows the update utility to download only the newest DAT files rather than the entire DAT file set.

See also DAT files, EXTRA.DAT file, and SuperDAT.

incremental virus definition (DAT) files
See incremental DAT files.

joke program
A non-replicating program that may alarm or annoy an end user, but does not do any actual harm to files or data.

log file
A record of the activities of a component of McAfee anti-virus software. Log files record the actions taken during an installation or during the scanning or updating tasks.

See also events.

low-risk process
In VirusScan, processes that McAfee Security considers to have a lower possibility of being infected. For example, backup software or code compiler/linker processes.

See also default process and low-risk process.

macro virus
A malicious macro — a saved set of instructions created to automate tasks within certain applications or systems — that can be executed inadvertently, causing damage or replicating itself.

mass mailer virus
Viruses such as Melissa and Bubbleboy that propagate themselves rapidly using e-mail services.

mirror, mirroring
The act of copying the contents of one distributed software repository to another outside of the normal replication process.

.MSI file
A Microsoft Windows Installer package that includes installation and configuration instructions for the software being deployed.


on-access scanning
An examination of files in use to determine if they contain a virus or other potentially unwanted code. It can take place whenever a file is read from the disk and/or written to the disk.

Compare to on-demand scanning.

on-demand scanning
A scheduled examination of selected files to determine if a virus or other potentially unwanted code is present. It can take place immediately, at a future scheduled time, or at regularly scheduled intervals.

Compare to on-access scanning.

package catalog file
A file that contains details about each update package, including the name of the product for which the update is intended, language version, and any installation dependencies.

packed executable
A file that, when run, extracts itself into memory only, never to disk.

Patch releases (previously HotFix release)
Intermediate releases of the product that address specific issues.

PKGCATALOG.Z
See package catalog file.

potentially unwanted program
A program that performs some unauthorized (and often harmful or undesirable) act such as viruses, worms, and Trojan horses.

properties
Attributes or characteristics of an object used to define its state, appearance, or value.

quarantine
Enforced isolation of a file or folder — for example, to prevent infection by a virus or to isolate a spam e-mail message — until action can be taken to clean or remove the item.

Repository
The location that stores policy pages used to manage products.

repository list (SITELIST.XML)
The SITELIST.XML file that is used by those McAfee anti-virus products that include the AutoUpdate program; it is used to access distributed repositories and retrieve packages.

rule
The description of how the product responds to undesirable content in an e-mail message, governed by the McAfee SpamAssassin anti-spam engine.

rule group
A group of content rules.

See rule.

scan action
The action that takes place when an infected file is found.

scan task
A single scan event.

scan, scanning
An examination of files to determine if a virus or other potentially unwanted code is present.

See on-access scanning and on-demand scanning.


scanning session
The period of time that the scanner remains loaded in memory on your computer. It ends when you either unload the program or restart your computer.

signature files
See DAT files.

silent installation
An installation method that installs a software package onto a computer silently, without need for user intervention.

SITELIST.XML
See repository list.

SuperDAT
A utility that installs updated virus definition (SDAT*.EXE) files and, when necessary, upgrades the scanning engine.

See also DAT files, EXTRA.DAT file, and incremental DAT files.

SuperDAT (SDAT*.EXE) files
A standard application that you can double-click to start from within Microsoft Windows. The Microsoft version of the Installer includes a wizard that provides instructions in a series of panels.

SuperDAT Package Installer
An installation program that upgrades McAfee Security software programs. It automatically shuts down any active scans, services, or other memory-resident components that could interfere with the upgrade, then copies new files to their proper locations so that your software can use them immediately.

supplemental virus definition file
See EXTRA.DAT file.

system scan
A scan of the designated system.

task
An activity (both one-time such as on-demand scanning, and routine such as updating) that is scheduled to occur at a specific time, or at specified intervals.

Compare to policy.

Trojan horse
A program that either pretends to have, or is described as having, a set of useful or desirable features, but actually contains a damaging payload. Trojan horses are not technically viruses, because they do not replicate.

update package
Package files from Network Associates that provide updates to a product. All packages are considered product updates with the exception of the product binary (Setup) files.

update site
The repository from which you retrieve product or DAT updates.

See also download site.

updating
The process of installing updates to existing products or upgrading to new versions of products.

UTC time
Coordinated Universal Time (UTC). This refers to time on the zero or Greenwich meridian.


UTF
Unicode Transformation Format.

verbose log files
Optional files that contain information useful for debugging or support purposes. Sometimes called verbose reports.

virus
A program that is capable of replicating with little or no user intervention, and the replicated program(s) also replicate further.

virus definition (DAT) files
See DAT files.

virus outbreak
See outbreak.

VirusScan console
The control point for the program’s activities.

virus-scanning engine
The mechanism that drives the scanning process.

warning priority
The value that you assign each alert message for informational purposes. Alert messages can be assigned a Critical, Major, Minor, Warning, or Informational priority.

worm
A virus that spreads by creating duplicates of itself on other drives, systems, or networks.

320 VirusScan® Enterprise software version 8.0i

Page 321: VirusScan Enterprise 7.0 Product Guide - McAfeedownloadcenter.mcafee.com/products/japan/virusscan/... · 2004-07-16 · No part of this publication may be reproduced, transmitted,

Index

Aabout dialog box, 24access protection

file, share, and folder protection properties, 50port blocking properties, 42reports properties, 60sample rules

files and folders, 53port blocking, 45

activity log foraccess protection, 60AutoUpdate task, 232buffer overflow, 69mirror task, 252on-access scanning, 118on-demand scanning, 148

adding file type extensions, Additions button, 258Alert folder, function, 212Alert Manager

configurationalert filtering, 186alerts, 182e-mail alert, 198forwarding an alert, 192launching a program, 205network broadcasting, 196printed messages, 202recipients and methods, 187SNMP, 204

Summary page, 191system variables, 218

alert messagesbroadcasting a network alert, 196Centralized Alerting, 212customizing, 214disabling, 215editing, 218

e-mail, 198enabling, 215forwarding, 192launching a program in response to, 205sending to a printer, 202sending via SNMP traps, 204truncating, 201variables in, 219

alert method, configuring recipients for, 187alert priority

changing, 216types, 217

arguments, applicable to on-demand scanner, 294audience for this manual, 18AutoUpdate

activities during update, 231activity log, viewing, 232configuring tasks, 226creating tasks, 225description, 223download sites, 234

FTP default download site, 240, 255FTP site, 234HTTP default download site, 234, 240

error codes, 313overview of update process, 224proxy settings, 244repository list, 233

adding repositories, 236editing repositories, 236importing repositories, 235removing and reorganizing

repositories, 243

Product Guide 321

Page 322: VirusScan Enterprise 7.0 Product Guide - McAfeedownloadcenter.mcafee.com/products/japan/virusscan/... · 2004-07-16 · No part of this publication may be reproduced, transmitted,

Index

running tasks, 229from the console, 229from the Start menu, 230immediate update, 229resumable update, 229using Update Now, 231

scheduling, 229AVERT (Anti-Virus Emergency Response Team),

contacting, 21

Bbeta program, contacting, 21blocking, on-access scanner, 92boot sectors, scanning

from command line, 289with on-access scanning, 90with on-demand scanning, 129

broadcasting network messages, 196buffer overflow protection, 63

exclusions, 66creating from a detection, 67

protection properties, 64reports properties, 69

CCATALOG.Z file, 231Centralized Alerting, 212command line, Windows, 287, 294

general options, 287on-demand scan options, 294update options, 297

configuringAutoUpdate tasks, 226mirror task, 249on-access scanning, 87on-demand scanning, 127via ePolicy Orchestrator (See Configuration

Guide)connecting to remote servers, 38console (See VirusScan Console)contacting McAfee Security, 21customer service, contacting, 21

DDAT file

rolling back, 253updates, web site, 21

date and time, recorded in log file, 97, 141, 174definition of terms (See Glossary)detections, virus

on-access scanningtaking action, 119

on-demand scanningreceiving notification, 149taking action, 149

display options, 34documentation for the product, 20download web site, 21

EEdit menu, 28e-mail scanning

configuring tasksreports properties, 172

e-mail scanning, on-deliverytasks, configuring

actions properties, 164advanced properties, 161alert properties, 167detection properties, 155unwanted programs properties, 169

e-mail scanning, on-demandtasks, configuring

detection properties, 158tasks, running, 175

e-mail, sending virus alert via, 198enable randomization, 275error reporting service, 305excluding files, folders, and drives, Exclusions

button, 262EXTRA.DAT, 221, 232

FFAQ (frequently asked questions), 306features, descriptions of, 15file and folder restrictions, sample rules, 53

322 VirusScan® Enterprise software version 8.0i

Page 323: VirusScan Enterprise 7.0 Product Guide - McAfeedownloadcenter.mcafee.com/products/japan/virusscan/... · 2004-07-16 · No part of this publication may be reproduced, transmitted,

Index

file type extensionswhat not to scan

excluding file types, Exclusions button, 262

what to scanadding file types, Additions button, 258specifying file types, Specified button, 260

file, share, and folder protection, 50forwarding alerts

large organization, 192small organization, 194

frequently asked questions (FAQ), 306FTP default download site, 240, 255FTP site, 234

G
general options, 287
general questions, troubleshooting, 310
getting information, 20
getting started, 25, 41
glossary, 315 to 320

H
Help menu, 28
high-risk processes, 103
  defining, 86
  definition, 86
HTTP default download site, 234, 240

I
installation questions, troubleshooting, 307

K
KnowledgeBase search, 21

L
list of tasks in VirusScan Console, 30
lockdown registry, 299
locking user interface, 37
log file
  AutoUpdate task, 232
  limiting log file size, 61, 70, 96, 140, 174
  mirror task, 252
  on-access scanning, 118
  on-demand scanning, 148
low-risk processes, 101
  defining, 86
  definition, 86

M
mail server, configuring for e-mail alerting, 200
manuals, 20
McAfee Security University, contacting, 21
menu bar, 28
menus
  in VirusScan Console, 28
  Start, 26
MERTool (Minimum Escalation Requirements Tool), 304
messages, on-access scanning, 93
  clean infected files referenced, 94
  delete infected file referenced, 94
  move infected file referenced, 94
  remove messages from list, 94
  show messages dialog box, 94
  text to display, 94
Minimum Escalation Requirements Tool (MERTool), 304
Mirror Now command, 252
mirror task, 246
  activity log, viewing, 252
  configuring, 249
  creating, 248
  running, 251
    as scheduled, 251
    from the Start command, 252
    immediately, 251
    using Mirror Now, 252
  scheduling, 251

N
new features, 14

O
on-access scanning
  actions properties, 110


  activity log
    file format, 61, 70, 96, 140, 174, 227
    viewing, 61, 70, 96, 118, 140, 174, 227
  advanced properties, 108
  blocking properties, 92
  configuring, 87
  detection properties, 105
  general properties, 89
  message properties, 93
  overview, 82
  per process scanning, 83
    assigning risk to process, 87
    defining processes, 86
  process properties, 98
    high-risk processes, 103
    low-risk processes, 101
  reports properties, 95
  scan statistics, viewing, 116
  ScriptScan properties, 91
  unwanted programs properties, 113
  virus detections, responding, 119
on-demand scan options, 294
on-demand scanning
  activity log, viewing, 148
  configuring tasks, 127
    actions properties, 135
    advanced properties, 133
    detection properties, 129
    reports properties, 139
    unwanted programs properties, 137
    where properties, 128
  creating tasks, 124
    from the console, 126
    from the Start menu, 125
    from the system tray, 125
  resumable scanning, 147
  running tasks
    from the console, 145
    from the Windows command line, 294
    pausing, 147
    restarting, 147
    stopping, 147
  scan statistics, viewing, 148
  scheduling, 144
  system utilization, 134
  virus detections, responding, 149

P
password options, 35
pausing on-demand scan tasks, 147
port blocking, 42
port blocking, sample rule, 45
PrimeSupport, 21
prioritizing messages sent
  across the network, 195, 207
  to another computer, 190
priority level, setting for alerts, 189
product documentation, 20
product features, 15
product training, contacting, 21
proxy settings for updating, 244

R
registry, secure, 299
remote administration, 38
Remote Connection, in Tools menu, 38
repair installation, 304
reports properties, configuring
  access protection, 60
  e-mail scanning, 172
  on-access scanning, 95
  on-demand scanning, 139
reports, access protection, 60
repositories, 243
repository list
  adding repositories, 236
  editing repositories, 236
  importing repositories, 235
  removing and reorganizing repositories, 243
resources
  about dialog box, 24
  submitting a sample virus, 23
  Technical Support, 23
  Virus Information Library, 22
restarting on-demand scan tasks, 147
resumable scanning, 147


right-click menus, 31
  from the console, 31

S
sample rules for restricting access
  files and folders, 53
  ports, 45
Scan menu
  Statistics, 176 to 177
scan time, on-access scanning, 90
scanning
  floppy during shutdown, 90
  immediately, 145
  on-access, 81
  on-demand, 124
  results, viewing
    AutoUpdate activity log, 232
    mirror task activity log, 252
    on-access scan
      activity log, 118
      statistics, 116
    on-demand scan
      activity log, 148
      statistics, 148
  right-click scan from system tray, 31
  right-click scan of selected files or folders, 31
  shell extension scan, 31
  troubleshooting questions, 308
scanning, per process, 83
scheduling tasks, 267
  advanced options, 273
  enable randomization, 275
  schedule properties, 271
  task frequencies, 272
  task properties, 269
ScriptScan, 91
secure registry, 299
security headquarters, contacting AVERT, 21
service portal, PrimeSupport, 21
session settings, recorded in log file, 97, 141, 174
session summary, recorded in log file, 97, 141, 174
SMTP mail server, configuring for e-mail alerting, 200
SNMP, sending alerts via, 204
specifying file type extensions, Specified button, 260
Start menu, 26
startup, scanning at, 90
Statistics, in Scan menu, 176 to 177
statistics, viewing
  on-access scanning, 116
  on-demand scanning, 148
status bar, 30
strategies for prevention and detection, 26
submitting a sample virus, 21, 23
system startup, scanning at, 90
system tray, setting options, 32
system variables
  alerting, 218

T
task list, 30
Task menu, 28
tasks
  AutoUpdate, 229
    configuring, 226
    creating, 225
  definition of, 30
  mirror
    configuring, 249
    creating, 248
    running, 251
  on-access scanning, configuring, 87
  on-demand scanning
    configuring, 127
    creating, 124
    scheduling, 144
  pausing, 147
  restarting, 147
  running immediately, 145
  stopping, 147
  types available in VirusScan Enterprise, 30
Technical Support, 23
technical support, 21
test alerting configuration, 189
toolbar, 28


Tools menu, 28
training web site, 21
troubleshooting, 303
  error reporting service, 305
  frequently asked questions
    general, 310
    installation, 307
    scanning, 308
    viruses, 308
  Minimum Escalation Requirements Tool, 304
  repair installation, 304
  update error codes, 313
truncating alert message, forced, 201

U
unlocking user interface, 37
unwanted programs
  enabling for e-mail scanning, on-delivery, 169
  enabling for on-access scanner, 113
  enabling for on-demand scanner, 137
unwanted programs policy, 71
  detection properties, 72
  user-defined detection properties, 76
Update Now command, 231
updating
  activities, 231
  configuring tasks, 226
  download sites, 234
    FTP default download site, 240, 255
    FTP site, 234
    HTTP default download site, 234, 240
  error codes, 313
  manually, 255
  mirror task, 249
  proxy settings, 244
  repository list, 233
    editing repositories, 236
    removing and reorganizing repositories, 243
  running tasks
    immediate updates, 229
    resumable update, 229
  strategies, 222
upgrade web site, 21
user interface options
  display, 34
  locking, 37
  password, 35
  setting, 33
  unlocking, 37
user name, recorded in log file, 97, 141, 174
UTC Coordinated Universal Time (UTC), 275

V
View menu, 28
Virus Information Library, 21 to 22
virus, submitting a sample, 21
viruses
  frequently asked questions, 308
  on-access scanning detections, 119
  on-demand scanning detections, 149
  submitting a sample, 23
VirusScan Console, 27
  configuring
    AutoUpdate via (See AutoUpdate)
    mirror task via (See mirror task)
    on-access scanning via (See on-access scanning)
    on-demand scanning via (See on-demand scanning)
  connecting to remote servers via, 38
  menus (See menus)
  status bar, 30
  task list, 30
  toolbar, 28

W
what’s new in this release, 14
