McAfee® MOVE AntiVirus Multi-Platform

Product Guide
McAfee MOVE AntiVirus Multi-Platform
3.5.0
For use with ePolicy Orchestrator 4.6.7, 4.6.8, 5.1.0 Software
COPYRIGHT
Copyright © 2014 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy
Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource,
VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other
names and brands may be claimed as the property of others.
Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 Introduction
    Features
    McAfee® MOVE AntiVirus Multi-Platform
    How the software works
    Components and what they do
    Before you start

2 Installation and configuration
    Requirements
    Download McAfee MOVE AV Multi-Platform packages
    Install McAfee MOVE AV
        Install the extension packages
        Install the VirusScan Enterprise for Linux extension
        Deploy the McAfee MOVE AV offload scan server
        Deploy the McAfee MOVE AV client
        Deploy in a XenDesktop or VMware View environment
        Install the McAfee MOVE AV client manually
    Uninstall McAfee MOVE AV Multi-Platform
        Uninstall the client and offload scan server with ePolicy Orchestrator
        Remove the client or offload scan server package from ePolicy Orchestrator
        Uninstall the extensions
        Uninstall the SVA Manager
    Troubleshooting installation issues

3 Upgrade McAfee MOVE AV Multi-Platform
    Upgrade the extension
    Upgrade the MOVE AV offload scan server with ePolicy Orchestrator
    Upgrade persistent virtual machines
    Upgrade non-persistent virtual machines
    Upgrade the MOVE AV client with ePolicy Orchestrator
        Create a MOVE AV client upgrade task
        Assign the McAfee MOVE AV client upgrade task to virtual systems

4 McAfee SVA Manager
    OSS assignment made easy
    Set up the SVA Manager
    Configuring SVA Manager
    Configuring the SVA Manager policy
        Add or edit an SVA Manager assignment rule using IP address
        Add or edit an SVA Manager assignment rule using McAfee ePO tag
    Configure an offload scan server policy
    Configure a client policy: Assign OSS to clients using SVA Manager

5 Monitoring and management
    Integration with ePolicy Orchestrator
    Policy management
        Configuring policies
        Create a policy
        Assign a policy
    Configuring permissions sets
        Configure permission sets
    Queries and reports
        Modify the VirusScan Enterprise compliance query results
        Default queries
    Dashboards and monitors
        MOVE Multi-Platform dashboard
        Report visibility and health of the offload scan server
    Global Threat Intelligence
        Change the Global Threat Intelligence level
        Create a policy specifying offload scan server
    Handling potentially malicious files
        Isolating malicious files in quarantine
        Change threat quarantine behavior
        Restore quarantined items
        Change the primary threat response
        Run the scan diagnostic tool
        Change when files are scanned
        Enable and configure on-demand scans
        Targeted on-demand scan
        Enable and configure RAM disk
    Communication between virtual machines and offload scan servers
        Change the offload scan server settings
        Change the offload scan server port
    McAfee MOVE AV Multi-Platform client alerts
        Triggered events
        Change the client alert behavior
        Change the offload scan server alert behavior
    Self-protection

A Client command-line interface reference
    Access the CLI
        config
        disable
        enable
        ftypes
        help
        loglevel
        pp
        q
        status
        version
    Password protected CLI
        Set password for client CLI

B Server command-line interface reference
    Access the CLI
        cache
        config
        help
        loglevel
        stats
        version

C Install the offload scan server

Index

Preface
This guide provides the information you need to configure, use, and maintain your McAfee product.
Contents
About this guide
Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
Find product documentation
After a product is released, information about the product is entered into the McAfee online Knowledge
Center.
Task
1. Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.
1 Introduction
McAfee Management for Optimized Virtual Environments AntiVirus (McAfee® MOVE AntiVirus) is an
anti-virus solution for virtual environments. It removes the need to install an anti-virus application on
every virtual machine (VM), yet provides the protection and performance adequate for your
organization's requirements.
MOVE AntiVirus brings advanced malware protection to your virtualized environments, and integrates
real-time threat intelligence with security management across your physical and virtual infrastructure.
Contents
Features
McAfee® MOVE AntiVirus Multi-Platform
How the software works
Components and what they do
Before you start
Features
MOVE AntiVirus features are important for your organization's system security, protection, and
performance.
Centralized management
MOVE AntiVirus integrates fully into McAfee ePO, leveraging its infrastructure for automated security
reporting, monitoring, deployment, and policy administration.
Optimized scanning
MOVE AntiVirus provides higher operational benefits, and minimizes the performance impact on virtual
servers with enhanced scan avoidance and scanning based on overall work load of the hypervisor.
Flexible deployment
McAfee® MOVE AntiVirus offers the flexibility to choose your preferred deployment model:
• One option works across multiple virtualization platforms
• An agentless option that leverages the VMware vShield technology
Greater Data Center visibility
McAfee Data Center Connector, which is also part of the Data Center Security suite, provides a
complete view into virtual data centers and imports key properties like servers, hypervisors, virtual
machines through the McAfee ePO console.
You can register a cloud account for VMware vSphere, Amazon Web Services (AWS), or OpenStack
with McAfee ePO to discover and gain visibility into all VMs, and protect them using MOVE AntiVirus.
For details, see the product documentation for your version of Data Center Connector.
McAfee SVA (Security Virtual Appliance) Manager
McAfee SVA Manager integrates fully into McAfee MOVE AV Multi-Platform, and it automatically assigns
the MOVE Offload Scan Servers to McAfee MOVE AV Multi-Platform clients based on configurable
parameters like Scan Server load, McAfee ePO tags, and IP address ranges.
The SVA Manager component:
• Simplifies administrative management by automating the assignment of clients to the offload scan servers.
• Provides visibility of scan server status by monitoring the health of the offload scan servers.
• Performs load-balancing of offload scan servers.
Scan diagnostic tool
You can run the scan diagnostic tool to easily find frequently scanned files, extensions, and VMs, then
include these results in the path exclusion policies to exclude them from being scanned. A good set of
exclusions improves the performance of the virtual infrastructure.
Restore quarantined items
McAfee MOVE AV deletes any items that are detected as threats, converts a copy of the item to a
non‑executable format, and saves it in the Quarantine folder. These quarantined items can be restored
later.
Quarantined items can include files, cookies, and registries.
Targeted on-demand scan
The targeted on-demand scan feature allows the administrator to select a system or a group of
systems from the System Tree in McAfee ePO and assign a client task to initiate the on-demand scan
immediately.
The OSS runs the specified Maximum concurrent targeted scans per Offload Scan Server in addition to the Maximum
concurrent scans per Offload Scan Server defined in the policy.
RAM disk for scanning
The OSS uses a RAM disk for file scanning, which significantly reduces disk I/O on the offload
scan server. You can enable the RAM disk option in the ePolicy Orchestrator server. The OSS creates
the RAM disk, which improves OSS performance by improving scan time.
McAfee® MOVE AntiVirus Multi-Platform
McAfee® MOVE AntiVirus Multi-Platform is an anti-virus solution for virtual environments that removes
the need to install an anti-virus application on every virtual machine (VM). This document covers
installation, configuration, and product usage information for McAfee MOVE AV Multi-Platform.
How the software works
Traditional security solutions for virtual environments run as an anti-virus application on every VM on
the hypervisor. This setup places a heavy burden on disk, CPU, and memory usage and results in
reduced VM density per hypervisor.
The Multi-Platform deployment option offloads all scanning to a dedicated VM — an offload scan server
— that runs McAfee VirusScan Enterprise software. Guest VMs are no longer required to run
anti-virus software locally, which results in improved performance for anti-virus scanning, and
increased VM density per hypervisor.
McAfee MOVE AV Multi-Platform 3.5 supports both on-access and on-demand scanning:
• On-access scanning — Examines files on your computer as they are accessed, providing continuous, real-time detection of threats.
• On‑demand scanning — Examines all files on virtual machines for potential threats. On‑demand scans supplement the continuous protection of on‑access scanning. You can also schedule regular scans at times that do not interfere with your work.
Components and what they do
Each component performs specific functions to keep your environment protected.
• ePolicy Orchestrator — Communicates with the McAfee Agent, manages the Multi-Platform configuration, and provides reports on malware discovered within your virtual environment.
• Hypervisor — Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating system.
• McAfee Agent — Communicates with ePolicy Orchestrator, applies policies to each virtual machine, and deploys the McAfee MOVE AV client.
• McAfee MOVE AV client — Allows virtual machines to consult with the offload scan server (OSS) for file scanning and malware detection. Enforces actions on the client when a threat is detected.
• McAfee MOVE AV Offload Scan Server — Provides offloaded scanning support for virtual machines, which minimizes the performance impact on virtual desktops.
• McAfee MOVE AV client extension — Provides policies and controls for configuring and managing the behavior of the McAfee MOVE AV client through ePolicy Orchestrator.
• McAfee MOVE AV Offload Scan Server extension — Provides policies and controls for configuring and managing the behavior of the McAfee MOVE AV offload server through ePolicy Orchestrator.
• VirusScan Enterprise — Provides anti-virus protection for the offload scan server VM and communicates with the GTI servers.
• McAfee SVA Manager — Automatically assigns offload scan servers to MOVE Multi-Platform clients based on configurable parameters like Scan Server load, McAfee ePO tags, and IP address ranges.
• Data Center Connector for vSphere — Integrates the management and automation feature of McAfee ePO to discover and manage your guest VMs.
For information about the other products in the solution, download their documentation from the
McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
Before you start
Perform the following before starting installation and configuration of McAfee MOVE AV software.
• Remove or disable any anti-virus application installed on target virtual machines, such as VirusScan Enterprise or Windows Defender, before deploying McAfee MOVE AV client software.
• If VirusScan Enterprise is installed, create an ePolicy Orchestrator product deployment client task to uninstall it from each virtual machine that receives the McAfee MOVE AV client.
2 Installation and configuration
To set up your environment for the Multi-Platform deployment option, download the McAfee MOVE AV
Multi-Platform components, and deploy the McAfee MOVE AV client and offload scan server to target
systems.
Contents
Requirements
Download McAfee MOVE AV Multi-Platform packages
Install McAfee MOVE AV
Uninstall McAfee MOVE AV Multi-Platform
Troubleshooting installation issues
Requirements
Make sure that your environment includes these components, and that they meet these requirements.
Software requirements
• ePolicy Orchestrator 4.6.7, 4.6.8, or 5.1.0
• McAfee Agent 4.6 and later
• VirusScan Enterprise 8.8
To prevent multiple DAT updates to VirusScan Enterprise from occurring at the same time, we
recommend distributing the policy between primary and secondary offload scan servers.
For details about system requirements and instructions for setting up the ePolicy Orchestrator
environment, see the McAfee ePolicy Orchestrator Installation Guide.
System requirements
The offload scan server requires a dedicated virtual machine with VirusScan Enterprise 8.8 installed.
The virtual machine must meet these requirements:
Operating system      • Windows 2008 R2 SP1, or
                      • Windows 2008 SP2 (64-bit), or
                      • Windows 2012 R2
CPU                   4 vCPU, 2 GHz or higher
Memory                6 GB RAM or higher
Free disk space       8 GB or higher
Other requirements    Static IP address
                      This is required only when configuring the policies using the IP address.
The McAfee MOVE AV client software requires one of these operating systems:
• Windows XP SP3 (32-bit)
• Windows 2003 R2 SP2 (32-bit)
• Windows Vista (32-bit or 64-bit)
• Windows 2008 SP2 (32-bit or 64-bit)
• Windows 7 (32-bit or 64-bit)
• Windows 2008 R2 SP1 (64-bit)
• Windows 8 (32-bit or 64-bit)
• Windows 2012
• Windows 8.1 (32-bit or 64-bit)
• Windows 2012 R2 (64-bit)
Windows XP virtual machines require 512 MB of RAM or more. All other operating systems require 1
GB of RAM or more.
Requirements for SVA Manager
Hypervisors    • VMware ESXi 5.0 or above
               • Citrix XenServer 6.0 or above
CPU            2 vCPU
Memory         2 GB RAM or higher
To deploy on Hyper-V, convert the .vmdk file that is part of the SVA Manager appliance into a .vhd
file, then attach the .vhd file as a hard disk to a new VM in Hyper-V.
To convert .vmdk to .vhd, you can use the Microsoft Virtual Machine Converter standalone
tool (v2.0).
Download McAfee MOVE AV Multi-Platform packages
You must download the McAfee MOVE AV Multi-Platform package before the components can be
deployed to virtual systems or installed on ePolicy Orchestrator.
• From the McAfee download site (http://www.mcafee.com/us/downloads/), download the product package MOVE 3.5.0 <build number>(ENU‑LICENSED‑RELEASE‑MAIN).zip, which has these individual packages.

Package name                            Description
MOVE‑AV_Offload_Scan_Server_3500.zip    Offload scan server package
MOVE‑AV_Client_3500_WIN.zip             Client deployment package
MOVE‑AV_Ext_3.5.0_Licensed.zip          License extension; upgrades evaluation extension to a fully licensed extension. This package installs all extensions for OSS, client, MOVE SVA Manager, and license.
McAfee_MOVE‑MP_SVA_MANAGER.zip          MOVE SVA Manager package
vSphere_Ext_3.5.0.<bldnumber>.zip       Data Center Connector for vSphere package
MOVE‑AV_DOCS_3.5.0.zip                  MOVE AV Multi-Platform documentation package
MOVE‑AV_HELP_3.5.0.zip                  This installs the McAfee ePO Help extension for MOVE AV Multi-Platform. Upgrade is not supported for version 3.5.0 Help extension. Make sure that you remove the previous version of the Help extension, then install version 3.5.0 extension.
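Before any of these packages is checked in to the master repository, it helps to confirm that the download holds exactly the packages listed above and to record a hash of each one for the change record. The following is an added example, not McAfee code: it assumes the product package is a zip whose members carry the listed names with ASCII hyphens, treats the elided build number as a wildcard, and runs against a constructed in-memory bundle.

```python
import fnmatch
import hashlib
import io
import zipfile

# Package names from the guide's table. The guide typesets them with
# non-breaking hyphens (U+2011) and elides the vSphere build number; using
# ASCII "-" and a "*" wildcard here is an assumption of this example.
EXPECTED_PATTERNS = (
    "MOVE-AV_Offload_Scan_Server_3500.zip",
    "MOVE-AV_Client_3500_WIN.zip",
    "MOVE-AV_Ext_3.5.0_Licensed.zip",
    "McAfee_MOVE-MP_SVA_MANAGER.zip",
    "vSphere_Ext_3.5.0.*.zip",
    "MOVE-AV_DOCS_3.5.0.zip",
    "MOVE-AV_HELP_3.5.0.zip",
)

_TYPOGRAPHIC_HYPHENS = {0x2010: "-", 0x2011: "-"}


def normalize(member_name):
    """Strip any folder prefix and map typographic hyphens to ASCII '-'."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.translate(_TYPOGRAPHIC_HYPHENS)


def sha256_of_member(zf, info, chunk_size=1 << 20):
    """Stream one archive member through SHA-256 without writing it to disk."""
    digest = hashlib.sha256()
    with zf.open(info) as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_bundle(bundle, patterns=EXPECTED_PATTERNS):
    """Compare a bundle's members with the expected package list.

    `bundle` is a path or a binary file object. Returns a dict with:
      matched    {pattern: [(member name, sha256 hex), ...]}
      missing    patterns that no member satisfied
      unexpected members that satisfied no pattern
      ambiguous  patterns satisfied by more than one member
    """
    matched = {p: [] for p in patterns}
    unexpected = []
    with zipfile.ZipFile(bundle) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = normalize(info.filename)
            hits = [p for p in patterns if fnmatch.fnmatchcase(name, p)]
            if not hits:
                unexpected.append(info.filename)
                continue
            entry = (info.filename, sha256_of_member(zf, info))
            for p in hits:
                matched[p].append(entry)
    return {
        "matched": {p: m for p, m in matched.items() if m},
        "missing": [p for p in patterns if not matched[p]],
        "unexpected": unexpected,
        "ambiguous": [p for p in patterns if len(matched[p]) > 1],
    }


def ready_for_check_in(report):
    """True only when every expected package is present exactly once and
    the bundle contains nothing else."""
    return not (report["missing"] or report["unexpected"] or report["ambiguous"])


def build_sample_bundle():
    """Constructed in-memory bundle: the Help package is absent, one unlisted
    file is present, and the client package name uses U+2011 as in the PDF."""
    members = {
        "MOVE-AV_Offload_Scan_Server_3500.zip": b"constructed oss payload",
        "MOVE\u2011AV_Client_3500_WIN.zip": b"constructed client payload",
        "MOVE-AV_Ext_3.5.0_Licensed.zip": b"constructed extension payload",
        "McAfee_MOVE-MP_SVA_MANAGER.zip": b"constructed sva payload",
        "vSphere_Ext_3.5.0.0000.zip": b"constructed connector payload",
        "MOVE-AV_DOCS_3.5.0.zip": b"constructed docs payload",
        "unlisted_tool.exe": b"constructed unlisted file",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    report = inventory_bundle(build_sample_bundle())
    for pattern, entries in report["matched"].items():
        for member, digest in entries:
            print(f"OK       {digest}  {member}")
    for pattern in report["missing"]:
        print(f"MISSING  {pattern}")
    for member in report["unexpected"]:
        print(f"EXTRA    {member}")
    print("ready for check-in:", ready_for_check_in(report))
```

Pass the path of the downloaded product package to inventory_bundle() in place of the sample, and keep the printed digests with the record of what was checked in to the Evaluation or Current branch.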
Install McAfee MOVE AV
These installation tasks must be performed and can be completed in the order specified here.
You can use Data Center Connector for vSphere, which discovers and imports both running and
stopped machine instances from VMware vCenter to the McAfee ePO server. This product integrates
the management feature of McAfee ePO with the VMware vCenter server, displaying the imported
virtual machines' security and scan status on McAfee ePO.
You can use this report to install the MOVE AV Multi-Platform product to the target virtual systems,
which are discovered and imported with the Data Center Connector. For details about installing and
configuring the Data Center Connector for vSphere, see Data Center Connector for vSphere Product
Guide.
Tasks
• Install the extension packages
  The McAfee MOVE AV client and offload scan server extension packages must be installed in ePolicy Orchestrator before you can manage McAfee MOVE AV on your virtual machines.
• Install the VirusScan Enterprise for Linux extension
  Install this extension only to manage the VirusScan Enterprise for Linux policy on the SVA Manager.
• Deploy the McAfee MOVE AV offload scan server
  After the McAfee MOVE AV offload scan server package has been added to McAfee ePO, you can deploy the offload scan server to virtual machines.
• Deploy the McAfee MOVE AV client
  After the McAfee MOVE AV client package has been added to McAfee ePO, you can deploy the client to virtual machines.
• Deploy in a XenDesktop or VMware View environment
  When operating in a XenDesktop or VMware View environment, follow these steps to avoid creating duplicate systems in ePolicy Orchestrator.
• Install the McAfee MOVE AV client manually
  It is possible to install the client manually without deploying it from ePolicy Orchestrator.
Install the extension packages
The McAfee MOVE AV client and offload scan server extension packages must be installed in ePolicy
Orchestrator before you can manage McAfee MOVE AV on your virtual machines.
Before you begin
Download the extension file MOVE‑AV_Ext_3.5.0_Licensed.zip from the McAfee download
site.
Task
For option definitions, click ? in the interface.
1. From the ePolicy Orchestrator console, click Menu | Software | Extensions | Install Extension.
2. Browse to and select the extension file, then click OK.
3. Verify that the product name appears in the Extensions list.
The license extension turns a trial client extension into a fully licensed extension.
Install the VirusScan Enterprise for Linux extension
Install this extension only to manage the VirusScan Enterprise for Linux policy on the SVA Manager.
VirusScan for Linux is only licensed for use on the SVA Manager, and is not licensed for use on other
Linux systems in your environment.
For instructions on how to install, configure, and create a product update task, see the McAfee
VirusScan Enterprise for Linux Configuration Guide.
Task
For option definitions, click ? in the interface.
1. From the ePolicy Orchestrator console, click Menu | Software | Extensions | Install Extension.
2. Browse to and select each extension file, then click OK.

   Extension                             File
   McAfee Agent                          EPOAGENTMETA.ZIP
   McAfee VirusScan for Linux            LYNXSHLD2000.ZIP
   McAfee VirusScan for Linux reports    LYNXSHLD2000PARSER.ZIP

3. Verify that the product name appears in the Extensions list.
Deploy the McAfee MOVE AV offload scan server
After the McAfee MOVE AV offload scan server package has been added to McAfee ePO, you can
deploy the offload scan server to virtual machines.
Tasks
• Check in the offload scan server package
  Check in the McAfee MOVE AV Multi-Platform offload scan server and client packages to the master repository so that ePolicy Orchestrator can deploy them.
• Create a product deployment client task
  Deploying the McAfee MOVE AV offload scan server from ePolicy Orchestrator requires two tasks. You must first create a deployment client task, then assign that task to virtual machines.
• Assign a client task
  The McAfee Agent must already be deployed to target virtual systems before running client tasks.
Check in the offload scan server package
Check in the McAfee MOVE AV Multi-Platform offload scan server and client packages to the master
repository so that ePolicy Orchestrator can deploy them.
Task
For option definitions, click ? in the interface.
1. From the ePolicy Orchestrator console, click Menu | Software | Master Repository, then click Actions | Check In Package.
2. Select the Package type, then browse to and select the package file MOVE‑AV_Offload_Scan_Server_3500.
3. Click Next to open the Package Options page.
4. Confirm or configure the following:
   • Package info — Confirm this is the correct package.
   • Branch — Select the required branch. If your environment requires testing new packages before deploying them throughout the production environment, we recommend using the Evaluation branch to check in packages. Once you finish testing the packages, you can move them to the Current branch by clicking Menu | Software | Master Repository.
   • Options — Select whether to:
     • Move the existing package to the Previous branch — When selected, moves packages in the master repository from the Current branch to the Previous branch when a newer package of the same type is checked in. Available only when you select Current in Branch.
     • Package signing — Specifies if the package is signed by McAfee or is a third-party package.
5. Click Save to begin checking in the package, then wait while the package is checked in.
The offload scan server package appears in the Packages list on the Master Repository tab.
Create a product deployment client task
Deploying the McAfee MOVE AV offload scan server from ePolicy Orchestrator requires two tasks. You
must first create a deployment client task, then assign that task to virtual machines.
Before you begin
You must check in the McAfee MOVE AV Multi-Platform offload scan server package before
you can create a client task.
Task
For option definitions, click ? in the interface.
1. From the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog.
2. Select Product Deployment in the Client Task Types menu, then click Actions | New Task.
3. Select Product Deployment from the list, then click OK to open the Client Task Builder wizard.
4. Type a name for the task you are creating, and add any descriptive information in the Description field.
5. Make sure that Windows is the only Target platform selected.
6. For Products and components:
   a. For offload scan server, select MOVE AV [Multi-Platform] Offload Scan Server 3.5.0 from the drop-down list.
   b. Set the Action to Install, set the Language to Language Neutral, and set the Branch to Current.
   c. Leave the Command line setting blank.
7. Review the task settings, then click Save.
The task is added to the list of client tasks for the selected client task type.
Assign a client task
The McAfee Agent must already be deployed to target virtual systems before running client tasks.
Before you begin
You must check in the McAfee MOVE AV Multi-Platform offload scan server package before
you can run a client task.
Task
For option definitions, click ? in the interface.
1. From the ePolicy Orchestrator console, click Menu | Policy | Client Task Assignments, then click the Assigned Client Tasks tab.
2. Click Actions | New Client Task Assignment.
3. Select these settings, then click Next.
   • Product — McAfee Agent
   • Task Type — Product Deployment
   • Task Name — The name of the task you used when you created the client task
4. On the Schedule tab, enter the information appropriate to this task.
5. Examine the settings on the Summary tab, then click Save to assign the task.
Deploy the McAfee MOVE AV client
After the McAfee MOVE AV client package has been added to McAfee ePO, you can deploy the client to
virtual machines.
Tasks
•
Check in the client package
Check in the McAfee MOVE AV Multi-Platform client package to the master repository so
that ePolicy Orchestrator can deploy it.
•
Create a product deployment client task
Deploying the McAfee MOVE AV client from ePolicy Orchestrator requires two tasks. You
must first create a deployment client task, then assign that task to virtual machines.
•
Assign a client task
The McAfee Agent must already be deployed to target virtual systems before running client
tasks.
Check in the client package
Check in the McAfee MOVE AV Multi-Platform client package to the master repository so that ePolicy
Orchestrator can deploy it.
Task
For option definitions, click ? in the interface.
1
From the ePolicy Orchestrator console, click Menu | Software | Master Repository, then click Actions | Check
In Package.
2
Select the Package type, then browse to and select the package file MOVE‑AV_Client_3500_WIN.
3
Click Next to open the Package Options page.
4
Confirm or configure the following:
•
Package info — Confirm this is the correct package.
•
Branch — Select the required branch. If your environment requires testing new packages before
deploying them throughout the production environment, we recommend using the Evaluation
branch to check in packages. Once you finish testing the packages, you can move them to the
Current branch by clicking Menu | Software | Master Repository.
•
Options — Select whether to:
•
Move the existing package to the Previous branch — When selected, moves packages in the master
repository from the Current branch to the Previous branch when a newer package of the same
type is checked in. Available only when you select Current in Branch.
•
Package signing — Specifies if the package is signed by McAfee or is a third-party package.
5
Click Save to begin checking in the package, then wait while the package is checked in.
The client package appears in the Packages list on the Master Repository tab.
Create a product deployment client task
Deploying the McAfee MOVE AV client from ePolicy Orchestrator requires two tasks. You must first
create a deployment client task, then assign that task to virtual machines.
Before you begin
You must check in the McAfee MOVE AV Multi-Platform client package before you can create
a client task.
Task
For option definitions, click ? in the interface.
1
From the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog.
2
Select Product Deployment in the Client Task Types menu, then click Actions | New Task.
3
Select Product Deployment from the list, then click OK to open the Client Task Builder wizard.
4
Type a name for the task you are creating, and add any descriptive information in the Description
field.
5
Make sure that Windows is the only Target platform selected.
6
For Products and components:
a
For client, select MOVE AV [Multi-Platform] Client 3.5.0 from the drop-down list.
b
Set the Action to Install, set the Language to Language Neutral, and set the Branch to Current.
c
Leave the Command line setting blank.
7
Review the task settings, then click Save.
The task is added to the list of client tasks for the selected client task type.
Assign a client task
The McAfee Agent must already be deployed to target virtual systems before running client tasks.
Before you begin
You must check in the McAfee MOVE AV Multi-Platform client package before you can run a
client task.
Task
For option definitions, click ? in the interface.
1
From the ePolicy Orchestrator console, click Menu | Policy | Client Task Assignments, then click the
Assigned Client Tasks tab.
2
Click Actions | New Client Task Assignment.
3
Select these settings, then click Next.
•
Product — McAfee Agent
•
Task Type — Product Deployment
•
Task Name — The name of the task you used when you created the client task
4
On the Schedule tab, enter the information appropriate to this task.
5
Examine the settings on the Summary tab, then click Save to assign the task.
The McAfee MOVE AV client is deployed to every system in the selected group in the System Tree.
6
Confirm that the McAfee MOVE AV client is successfully installed:
a
Log on to the McAfee MOVE AV client system as an administrator.
b
Open the McAfee MOVE AV client command prompt and enter this command: mvadm status
The command line returns protection status details if the client is successfully installed.
Deploy in a XenDesktop or VMware View environment
When operating in a XenDesktop or VMware View environment, follow these steps to avoid creating
duplicate systems in ePolicy Orchestrator.
Before you begin
The McAfee Agent must already be installed on the master image, and the McAfee MOVE
AV client must already be in the master repository.
Task
1
Deploy the McAfee MOVE AV client to the master image, then verify that it was applied successfully.
2
Configure and apply McAfee MOVE AV policies to the master image, then verify that they were
applied successfully.
3
In the master image, delete the registry key AgentGUID from the location determined by your
Windows operating system.
•
32-bit — HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent (32‑bit)
•
64-bit — HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent (64‑bit)
4
Shut down the master image and clone all virtual machines from that master image.
When cloned images are turned on, new agent GUID values are automatically restored.
Install the McAfee MOVE AV client manually
It is possible to install the client manually without deploying it from ePolicy Orchestrator.
Before you begin
•
Download the McAfee MOVE AV installer and store it in a location accessible from the
system where it will be installed.
•
The McAfee Agent must be installed on the target system.
This procedure is used only when you don't want to use ePolicy Orchestrator to deploy the client to the
target system.
Task
1
From the McAfee MOVE AV client package, extract the appropriate client installer based on your
Windows operating system.
•
64-bit — setup‑win‑amd64.exe
•
32-bit — setup‑win‑x86.exe
2
Run the installer, then click Next in the Welcome screen.
3
In the License Agreement screen, accept the EULA, then click Next.
4
In the Customer information screen, enter a user name and organization, then click Next.
5
In the Destination folder screen, choose the default location or specify a different location, then click
Next.
6
In the Ready to install the program screen, click Install.
7
Click Finish to complete the installation.
8
To configure the manual installation, open the McAfee MOVE AV client command prompt: click Start
| Programs | McAfee | MOVE AV client Command Prompt, and run these commands.
•
mvadm status
•
mvadm config set serveraddress1=<Address of offload server 1>
•
mvadm config set serveraddress2=<Address of offload server 2>
The offload scan server address can be entered in FQDN or IPv4 format.
•
mvadm enable
The McAfee MOVE AV client is now installed and running on the target system.
Uninstall McAfee MOVE AV Multi-Platform
A full uninstall involves removing these components: McAfee MOVE AV client, McAfee MOVE AV offload
scan server, and the McAfee MOVE AV Multi-Platform extensions.
Tasks
•
Uninstall the client and offload scan server with ePolicy Orchestrator
Uninstalling the McAfee MOVE AV client with ePolicy Orchestrator requires two tasks. First
create an uninstallation client task, then assign that task to virtual systems.
•
Remove the client or offload scan server package from ePolicy Orchestrator
Remove the client or offload scan server package from the ePolicy Orchestrator console.
•
Uninstall the extensions
Uninstall the McAfee MOVE AV Multi-Platform extensions from ePolicy Orchestrator.
•
Uninstall the SVA Manager
Uninstalling the SVA Manager involves these steps.
Uninstall the client and offload scan server with ePolicy
Orchestrator
Uninstalling the McAfee MOVE AV client with ePolicy Orchestrator requires two tasks. First create an
uninstallation client task, then assign that task to virtual systems.
Tasks
•
Create an uninstallation task
You must create an uninstallation task before you can apply it to systems and remove the
software from the client.
•
Assign the uninstallation task to virtual systems
The uninstallation task must be assigned to virtual systems to take effect.
Create an uninstallation task
You must create an uninstallation task before you can apply it to systems and remove the software
from the client.
Task
For option definitions, click ? in the interface.
1
From the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog.
2
In the left column under McAfee Agent, select Product Deployment.
3
Click Actions | New Task, select Product Deployment, then click OK.
4
Type the name of the task, like Uninstall MOVE AV client on VM client, and an optional
Description.
5
Make sure that Windows is the only Target platform selected.
6
For Products and components, select the following, then click Next.
a
Select MOVE AV [Multi-Platform] client 3.5.0 or MOVE AV [Multi-Platform] Offload Scan Server 3.5.0 from the first
drop-down list.
b
Set the Action to Remove, set the Language to Language Neutral, and set the Branch to Current.
c
Leave the Command Line setting blank.
7
Select the remaining options according to your environment's best practices, then click Save.
The newly created task appears in the Client Task Catalog.
Assign the uninstallation task to virtual systems
The uninstallation task must be assigned to virtual systems to take effect.
Before you begin
The McAfee MOVE AV client is added to the Master Repository and your virtual systems are
added to the System Tree.
Task
For option definitions, click ? in the interface.
1
Select a group in the System Tree.
2
Click Menu | Policy | Client Task Assignments, then click the Assigned Client Tasks tab.
3
Click Actions | New Client Task Assignment.
4
Select these settings, then click Next.
•
Product — McAfee Agent
•
Task Type — Product Deployment
•
Task Name — The name of the task you created earlier
5
On the Schedule tab next to Schedule type, select Run Immediately from the drop-down list, set the Options
as appropriate, then click Next.
6
Examine the settings displayed on the Summary tab, then click Save to assign the task.
The McAfee MOVE AV client is removed from every system in the selected group in the System Tree.
Remove the client or offload scan server package from ePolicy
Orchestrator
Remove the client or offload scan server package from the ePolicy Orchestrator console.
Task
For option definitions, click ? in the interface.
1
From the ePolicy Orchestrator console, select Menu | Software | Master Repository.
2
Select MOVE AV [Multi-Platform] client 3.5.0 or MOVE AV [Multi-Platform] Offload Scan Server, then click Delete.
You can also use the Windows Control Panel to remove the offload scan server.
Uninstall the extensions
Uninstall the McAfee MOVE AV Multi-Platform extensions from ePolicy Orchestrator.
Task
For option definitions, click ? in the interface.
1
From the ePolicy Orchestrator console, click Menu | Software | Extensions.
2
From the Extensions tab under McAfee group, select MOVE-AV.
3
Click Remove next to each extension.
You must now uninstall both the base and license extensions. The license extension must be
removed first.
4
Delete reports and queries manually after uninstalling the extension.
Uninstall the SVA Manager
Uninstalling the SVA Manager involves these steps.
Before you begin
You must have sudo rights to perform these actions.
Task
1
Log on to the SVA Manager appliance (virtual machine).
2
Run the sudo poweroff command, which shuts down the appliance.
3
Log on to the hypervisor that is hosting the SVA Manager appliance, then delete the SVA Manager
VM.
4
Remove the SVA Manager entry from the McAfee ePO server.
Troubleshooting installation issues
Common operating issues encountered in a McAfee MOVE AV deployment can be resolved by
performing these actions.
•
From the offload scan server system, check that the MOVE AV server service is running and listening
on the specified port. The default port is 9053.
•
Check that the McAfee MOVE AV client can communicate through any firewalls with the McAfee
MOVE AV offload scan server on the specified port.
•
Verify that the McAfee MOVE AV client is enabled. Run the mvadm status command from a McAfee
MOVE AV client command-line interface with administrator rights.
•
Make sure that the McAfee MOVE AV policy on ePolicy Orchestrator is configured correctly.
•
Protection State is Enabled
•
McAfee MOVE AV offload scan server addresses are configured correctly
•
Check that VirusScan Enterprise 8.8 is installed and working properly on the McAfee MOVE AV
offload scan server virtual machine, and that a recent DAT is present.
•
When configuring SVA Manager, make sure that both client and OSS are able to communicate with
SVA Manager.
3
Upgrade McAfee MOVE AV Multi-Platform
Review this list before upgrading your environment.
•
Version 3.5 of the MOVE AV client and the offload scan server upgrades over version 2.6.2.
•
To upgrade McAfee MOVE AV Multi-Platform, you need to upgrade these components in the order
specified here:
1
Product extension
2
Offload scan server
3
MOVE AV client
The combination of offload scan server 3.5 and MOVE AV client 2.6.2 is supported, but the
combination of offload scan server 2.6.2 and MOVE AV client 3.5 is not supported.
•
VirusScan Enterprise 8.8 must be installed on the target system before you deploy the offload scan
server.
Contents
Upgrade the extension
Upgrade the MOVE AV offload scan server with ePolicy Orchestrator
Upgrade persistent virtual machines
Upgrade non-persistent virtual machines
Upgrade the MOVE AV client with ePolicy Orchestrator
Upgrade the extension
Version 3.5 of the McAfee MOVE AV extension upgrades the 2.6.2 extension on the McAfee ePO server.
Before you begin
Make sure that the extension file is in an accessible location on the network.
Task
For option definitions, click ? in the interface.
1
From the ePolicy Orchestrator console, click Menu | Software | Extensions.
2
When the Extensions page opens, click Install Extension.
3
Browse to and select the MOVE‑AV_Ext_3.5.0_Licensed.zip file, then click OK.
4
After a confirmation message, click OK.
All policies created in version 2.6.2 exist after you upgrade to version 3.5.0.
Upgrade the MOVE AV offload scan server with ePolicy
Orchestrator
We recommend staggering the offload scan server upgrades so that protection is maintained on the
legacy client virtual machines.
In environments that are made up primarily of persistent images, creating additional version 3.5 offload
scan servers is preferable to upgrading existing offload scan servers.
Task
For option definitions, click ? in the interface.
1
From the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, select McAfee Agent |
Product Deployment, then click Actions | New Task.
2
Make sure that Product Deployment is selected, then click OK.
3
Type a name for the task you are creating and add any notes.
4
Next to Target platforms, select Windows as the type of platform to use for deployment.
5
Next to Products and components, set the following:
•
Select the product from the first drop-down list.
The products listed are those for which you have already checked in a package to the master
repository. If you do not see the product you want to deploy, you must first check in that
product’s package.
•
Set the Action to Install, then select the Language of the package, and the Branch.
•
To specify command-line installation options, type command-line options in the Command line text
field. See the product documentation for information on command-line options of the product
you are installing.
You can click + or – to add or remove products and components from the displayed list.
6
(Windows only) Next to Options, select if you want to run this task for every policy enforcement
process, then click Save.
7
Click Menu | Systems | System Tree | Assigned Client Tasks, then select the required group in the System
Tree.
8
Select the Preset filter as Product Deployment (McAfee Agent).
Each assigned client task per selected category appears in the details pane.
9
Click Actions | New Client Task Assignment to open the Client Task Assignment Builder wizard.
10 On the Select Task page, select Product as McAfee Agent and Task Type as Product Deployment, then select
the task you created to deploy the product.
11 Next to Tags, select the platforms to which you are deploying the packages, then click Next.
•
Send this task to all computers
•
Send this task to only computers that have the following criteria — Use one of the edit links to configure the
criteria.
12 On the Schedule page, select whether the schedule is enabled, and specify the schedule details,
then click Next.
13 Review the summary, then click Save.
Upgrade persistent virtual machines
Upgrading persistent virtual machines provides nearly seamless virus protection, but requires the
overhead of duplicate offload scan servers during the upgrade process.
We recommend this method for environments comprised primarily of persistent virtual machines,
where the 2.6.2 and 3.5 clients require support from the offload scan server during the client
migration process.
Task
1
Install the 3.5 package and upgrade the extension in ePolicy Orchestrator.
2
Create a new virtual server and install VirusScan Enterprise 8.8 on that server.
3
Install the offload scan server version 3.5 on the virtual server.
4
Create a new McAfee MOVE AV Multi-Platform 3.5 policy that references the offload scan server you
created in the previous step, and assign it to the virtual machines being upgraded.
The existing client policy configuration can be used during the upgrade. However, if you use the new
settings specified in the client's offload scan server assignment policy, you can no longer use the
existing manual policy configuration.
5
Create an ePolicy Orchestrator client task to upgrade the McAfee MOVE AV clients to version 3.5.
As the upgrade task is executed on virtual machines, the VMs begin to use the 3.5 offload scanner
for file scanning.
6
After all clients are upgraded to version 3.5, shut down the version 2.6.2 offload scan servers.
Upgrade non-persistent virtual machines
Upgrading non-persistent virtual machines does not require creating additional offload scan servers,
although it might result in a window of time when virtual machines are unprotected.
McAfee recommends that you perform this upgrade during scheduled downtime.
Task
For option definitions, click ? in the interface.
1
Install the 3.5 Master Repository client and OSS packages and upgrade the extensions in ePolicy
Orchestrator.
2
Create a new 3.5 client policy definition that references existing offload scan server systems.
The existing client policy configuration can be used during the upgrade. However, if you use the new
settings specified in the client's offload scan server assignment policy, you can no longer use the
existing manual policy configuration.
3
From the ePolicy Orchestrator console, upgrade all offload scan servers to version 3.5.
Virtual machines serviced by upgraded offload scan servers do not have anti-virus protection until
after this task is completed.
4
Modify the master or golden image by deploying version 3.5 of the McAfee MOVE AV client from
ePolicy Orchestrator, or by manually upgrading the client directly on the master image.
Upgrade the MOVE AV client with ePolicy Orchestrator
Upgrading MOVE AV clients from ePolicy Orchestrator requires two tasks. You must first create an
upgrade client task, then assign that task to virtual machines.
Tasks
•
Create a MOVE AV client upgrade task
Before you can upgrade the MOVE AV client, you must create a client upgrade task.
•
Assign the McAfee MOVE AV client upgrade task to virtual systems
The upgrade task must be assigned to virtual systems to take effect.
Create a MOVE AV client upgrade task
Before you can upgrade the MOVE AV client, you must create a client upgrade task.
Task
For option definitions, click ? in the interface.
1
Open the Client Task Catalog: click Menu | Policy | Client Task Catalog.
2
In the left column under McAfee Agent, select Product Deployment.
3
Click Actions | New Task, select Product Deployment, then click OK.
4
Type the name of the task, for example, Upgrade MOVE AV client on VM client, and add
information in the Description field.
5
Make sure that Windows is the only Target platform selected.
6
For Products and components:
a
Select MOVE AV client 3.5.0 from the first drop-down list.
b
Set the Action to Install, set the Language to Language Neutral, and set the Branch to Current.
c
Leave the Command line setting blank.
7
Select the remaining options according to your environment's best practices, then click Save.
The newly created task appears in the Client Task Catalog.
Assign the McAfee MOVE AV client upgrade task to virtual
systems
The upgrade task must be assigned to virtual systems to take effect.
Before you begin
You must have already added the MOVE AV client to the master repository, and added your
virtual systems to the System Tree.
Task
For option definitions, click ? in the interface.
1
Select a group in the System Tree.
2
Click Menu | Policy | Client Task Assignments, then click the Assigned Client Tasks tab.
3
Click Actions | New Client Task Assignment.
4
Select these settings, then click Next.
•
Product — McAfee Agent
•
Task Type — Product Deployment
•
Task Name — The name of the task you created earlier
5
On the Schedule tab next to Schedule type, select Run Immediately from the drop-down list, set the Options
as needed, then click Next.
6
Examine the settings on the Summary tab, then click Save to assign the task.
The McAfee MOVE AV client is upgraded on every system in the selected group in the System Tree.
4
McAfee SVA Manager
McAfee SVA Manager is a pre-packaged virtual appliance, which automatically assigns McAfee MOVE
AV Multi-Platform offload scan servers to MOVE Multi-Platform clients.
This assignment is based on configurable parameters like Scan Server load, McAfee ePO tags, and IP
address ranges.
Contents
OSS assignment made easy
Set up the SVA Manager
Configuring SVA Manager
Configuring the SVA Manager policy
Configure an offload scan server policy
Configure a client policy: Assign OSS to clients using SVA Manager
OSS assignment made easy
An offload scan server can generally be assigned to 200–400 endpoints, depending on the load of the
endpoints.
Let us consider that your organization has about 10,000 endpoints. If you assign 200 endpoints per
OSS, you need about 50 offload scan servers and 50 policies that specify which offload scan servers a
group of virtual machines uses. After you create this policy, you must assign it before it takes effect. It
is a time-consuming task to manually assign these policies to the OSS.
The McAfee SVA Manager can create IP address-based assignment rules and tag-based assignment
rules where a range of endpoints are automatically assigned to a group of OSS.
Set up the SVA Manager
You must set up and configure the SVA Manager before registering the OSS and assigning it to a group
of clients.
Before you begin
You must have administrator rights to perform this task.
Task
1
Create the SVA Manager appliance (virtual machine) by deploying the SVA Manager OVF template
and configuring a VM network for communication with the SVA Manager.
2
Turn on the VM.
3
At the prompt, log on with these credentials:
•
User name: svaadmin
•
Password: svaadmin
4
Configure the VM appliance with these details:
•
IP address and host name of the McAfee ePO server
•
Network — DHCP or Static
We recommend that you select Static IP address for SVA Manager.
•
McAfee ePO credentials
Check for the correct format of the user name, for example: domain\\user name.
•
DNS servers
•
Time zone
5
Verify that these communication ports are open and reachable on the SVA Manager:
•
8080 — For communication between SVA Manager and the client
•
8081 — For communication between McAfee Agent and McAfee ePO
•
8443 — For communication between SVA Manager and the OSS
By default, these ports are already opened through the firewall installed on the appliance. However,
we recommend that you verify that the firewall settings in your environment are configured to allow
communication on these ports.
Now, the SVA Manager service can communicate with McAfee ePO through the McAfee Agent. You
must now set the required policies in McAfee ePO.
Use this command to manually run the configuration script: sudo /home/svaadmin/.sva-config
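The reachability checks from the troubleshooting list and from the port verification step above, as an added example that is not part of the product guide: each connection attempt is classified so that a refused connection (service not listening) is told apart from a silent drop (firewall in the path). The port numbers are the ones this guide lists; the role names, function names and host names are assumptions of the example.

```python
import errno
import socket

OSS_PORT = 9053  # default offload scan server port named in the guide
SVA_MANAGER_PORTS = {  # purposes as listed in the guide
    8080: "SVA Manager <-> client",
    8081: "McAfee Agent <-> McAfee ePO",
    8443: "SVA Manager <-> OSS",
}
HINTS = {
    "open": "service is listening and the path is clear",
    "refused": "host answered but nothing listens there: check the service and its port",
    "filtered": "no answer: check the firewalls between the two systems",
    "unresolved": "name did not resolve: check DNS or use the IPv4 address",
}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered', 'unresolved' or 'error:<errno name>'."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "filtered"
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    return "open"


def build_checks(role, oss_hosts=(), sva_manager=None, oss_port=OSS_PORT):
    """List (host, port, label) checks for the system this script runs on.

    role (names are assumptions of this example):
      'client' - a MOVE AV client: every OSS on oss_port, SVA Manager on 8080
      'oss'    - an offload scan server: local service on oss_port, SVA Manager on 8443
      'admin'  - any other system: all three SVA Manager ports
    """
    if role == "client":
        checks = [(host, oss_port, "client -> OSS") for host in oss_hosts]
        sva_ports = [8080]
    elif role == "oss":
        # Loopback only proves the service listens; it says nothing about firewalls.
        checks = [("127.0.0.1", oss_port, "local MOVE AV server service")]
        sva_ports = [8443]
    elif role == "admin":
        checks, sva_ports = [], sorted(SVA_MANAGER_PORTS)
    else:
        raise ValueError("unknown role: %r" % (role,))
    if sva_manager:
        checks += [(sva_manager, p, SVA_MANAGER_PORTS[p]) for p in sva_ports]
    return checks


def run_checks(checks, timeout=3.0):
    """Probe every check and attach the troubleshooting hint for its state."""
    results = []
    for host, port, label in checks:
        state = probe(host, port, timeout)
        results.append({"host": host, "port": port, "label": label, "state": state,
                        "hint": HINTS.get(state, "unexpected socket error")})
    return results


def failures(results):
    """Keep only the checks that did not reach a listening service."""
    return [r for r in results if r["state"] != "open"]


if __name__ == "__main__":
    # Placeholder names: replace with your own OSS and SVA Manager addresses.
    plan = build_checks("client", ["oss1.example.test"], "svamgr.example.test")
    for r in run_checks(plan):
        print("%-22s %5d  %-10s %s (%s)" % (r["host"], r["port"], r["state"],
                                             r["hint"], r["label"]))
```

Run it on the system whose outbound path you are checking; a port that is open from the OSS can still be filtered from a client subnet.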
Configuring SVA Manager
The overall SVA Manager configuration and assignment process is made up of these stages.
This assumes that the user already installed McAfee ePO and the McAfee Agent is installed on client
systems, which successfully communicate with the McAfee ePO server.
1
Install the MOVE‑AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.
2
Check in the MOVE AV Multi-Platform software packages (MOVE‑AV_Client_3500_WIN.zip and
MOVE‑AV_Offload_Scan_Server_3500.zip) to the McAfee ePO server.
3
Deploy the MOVE AV offload scan server package to the OSS host.
4
Deploy the MOVE AV client package to the client systems.
5
Set up your SVA Manager.
6
Configure the SVA Manager policy.
7
Configure the offload scan server policy and assignment.
8
Assign the offload scan servers to endpoints.
Configuring High Availability for MOVE SVA Manager
For details on configuring High Availability for MOVE SVA Manager, see
https://kc.mcafee.com/corporate/index?page=content&id=PD25344.
Configuring the SVA Manager policy
McAfee SVA Manager automatically assigns offload scan servers to MOVE Multi-Platform clients based
on configurable parameters like Scan Server load, McAfee ePO tags, and IP address ranges.
Add or edit an SVA Manager assignment rule using IP address
Using their IP address range, assign a set of endpoints to a selected OSS or a number of offload scan
servers, so that those clients are protected by these OSS rules.
Before you begin
•
Make sure that you installed the MOVE‑AV_Ext_3.5.0_Licensed.zip extension on the
McAfee ePO server.
•
Make sure that you checked in the MOVE AV Multi-Platform software packages
(MOVE‑AV_Client_3500_WIN.zip and MOVE‑AV_Offload_Scan_Server_3500.zip) to the McAfee
ePO server.
•
Make sure that you deployed the MOVE AV offload scan server package to the OSS host.
•
Make sure that you deployed the MOVE AV client package to the client systems.
•
Make sure that you already set up the SVA Manager.
Task
For option definitions, click ? in the interface.
1
Log on to McAfee ePO as an administrator.
2
Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] SVA Manager 3.5.0 from the Product
drop-down menu, then select General from the Category drop-down list.
3
Click New Policy or click the name of an existing policy to edit it.
4
Type a name for the new policy (for example, MOVE AV SVA Manager Policy), then click OK.
5
In the Assignment Rules tab on the Policy Settings page, click Add to open the Add/Edit OSS Assignment Rule
dialog box and configure these settings as needed.
For this option...
Do this...
Rule name: Type a unique user-friendly name that can help you identify the rule.
Client IP Addresses: Type the IP address or a range of IP addresses of the endpoints, which
must be assigned to the OSS. You can separate IP addresses or ranges with a comma (,) or a new line.
Offload Server IP Addresses: Type the IP address of the OSS, which must be assigned to the client.
The Assign OSS if no rule is defined above for client option is used to assign the OSS to endpoints, which are
not defined in any of the rules. By default, this option is enabled.
6
In the MOVE SVA Manager Settings tab, configure these settings as needed, then click Save to commit
your changes.
For this option...
Do this...
Threshold for OSS Capacity Warning: Specify the OSS capacity threshold level. A warning appears
when the number of connected endpoints is more than this level.
OSS assignment rules: Prefer OSS from same subnet — Select if you need to assign the OSS from the
same subnet.
OSS Lease time: Specify the interval for automatic assignment of OSS to endpoints. The default
interval is 240 minutes. The load balancing depends on this value.
ePO Credentials: Specify the credentials of the McAfee ePO server that SVA Manager needs to
connect. The user password must consist of ASCII characters only.
Log Settings:
• Number of Log Files — Specify a number to limit the number of log files allowed
before they are rotated. This is a positive integer value. Defaults to 4.
• Log File Size — Specify a number to limit the size (in MB) of an individual log
file.
• Log Level — Select a log level from the supported log level types of McAfee
MOVE AV offload scan server modules.
Communication Ports:
• OSS Port — Type the port number of the OSS. This is the port where the OSS
connects to SVA Manager.
• Client Port — Type the port number of the client. This is the port where the
MOVE AV Multi-Platform clients connect to SVA Manager.
Make sure that the firewall script present in the SVA Manager appliance at
/etc/init.d/sva‑firewall is also updated for the specified ports. You must
restart the firewall with the command sudo service sva-firewall, so that
the changes are updated.
Add or edit an SVA Manager assignment rule using McAfee ePO tag
Assign a set of endpoints to a selected OSS using their tag group, so that those clients are protected by these OSS rules.
Before you begin
• Make sure that you installed the MOVE-AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.
• Make sure that you checked in the MOVE AV Multi-Platform software packages (MOVE-AV_Client_3500_WIN.zip and MOVE-AV_Offload_Scan_Server_3500.zip) to the McAfee ePO server.
• Make sure that you deployed the MOVE AV offload scan server package to the OSS host.
• Make sure that you deployed the MOVE AV client package to the client systems.
• Make sure that you already set up the SVA Manager.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] SVA Manager 3.5.0 from the Product drop-down menu, then select General from the Category drop-down list.
3. Click New Policy or click the name of an existing policy to edit it.
4. Type a name for the new policy (for example, MOVE AV SVA Manager Policy), then click OK.
5. In the Tag Assignment Rules tab on the Policy Settings page, click Add to open the Add/Edit OSS Tag Assignment Rule dialog box and configure these settings as needed.
For this option... | Do this...
Rule name | Type a unique user-friendly name that can help you identify the rule.
Select and add to client tags | Select the tag names of the endpoints, which must be assigned to the OSS.
Select and add to offload Server Tags | Select the tag name of the OSS, which must be assigned to the client. You can separate tag names with a comma (,).
The tag-based assignment rule takes priority over the IP address-based assignment rule.
The Assign OSS if no rule is defined above for client option assigns the OSS to endpoints, which are not defined in any of the rules. By default, this option is enabled.
6. In the MOVE SVA Manager Settings tab, configure these settings as needed, then click Save to commit your changes.
For this option... | Do this...
Threshold for OSS Capacity Warning | Specify the OSS capacity threshold level. A warning appears when the number of connected endpoints is more than this level.
OSS assignment rules | Prefer OSS from same subnet — Select if you need to assign the OSS from the same subnet.
OSS Lease time | Specify the interval for automatic assignment of OSS to endpoints. The default interval is 240 minutes. The load balancing depends on this value.
ePO Credentials | Specify the credentials that SVA Manager needs to connect to the McAfee ePO server. The user password must consist of ASCII characters only.
Log Settings |
• Number of Log Files — Specify a number to limit the number of log files allowed before they are rotated. This is a positive integer value. Defaults to 4.
• Log File Size — Specify a number to limit the size (in MB) of an individual log file.
• Log Level — Select a log level from the supported log level types of McAfee MOVE AV offload scan server modules.
Communication Ports |
• OSS Port — Type the port number of the OSS. This is the port where the OSS connects to SVA Manager.
• Client Port — Type the port number of the client. This is the port where the MOVE AV Multi-Platform clients connect to SVA Manager.
Make sure that the firewall script present in the SVA Manager appliance at /etc/init.d/sva-firewall is also updated for the specified ports. You must restart the firewall with the command sudo service sva-firewall, so that the changes take effect.
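How the assignment rules in the two tasks above combine, as an added sketch that is not McAfee's code: tag-based rules are checked before IP-based rules, and the Assign OSS if no rule is defined above for client option catches everything else. The start-end range syntax, the first-match-wins order within each rule list, the function names and the sample data are assumptions; use it to see which endpoints in a planned rule set no explicit rule covers.

```python
import ipaddress
import re


def parse_ip_spec(text):
    """Parse a rule's client field: addresses or ranges separated by ',' or a new line.

    The 'start-end' range syntax is an assumption; the guide does not show it.
    """
    spans = []
    for item in re.split(r"[,\n]", text):
        item = item.strip()
        if not item:
            continue
        start, _, end = item.partition("-")
        lo = ipaddress.ip_address(start.strip())
        hi = ipaddress.ip_address(end.strip()) if end.strip() else lo
        if lo.version != hi.version or hi < lo:
            raise ValueError(f"invalid range: {item!r}")
        spans.append((lo, hi))
    return spans


def parse_tags(text):
    """Tag names in a rule are separated by commas."""
    return {tag.strip() for tag in text.split(",") if tag.strip()}


def resolve(client_ip, client_tags, tag_rules, ip_rules, assign_if_no_rule=True):
    """Return (source, rule_name, oss); source is 'tag', 'ip', 'fallback' or 'none'.

    Tag rules are checked before IP rules, as the guide states. Taking the
    first matching rule within each list is an assumption.
    """
    tags = set(client_tags)
    for rule in tag_rules:
        if tags & parse_tags(rule["client_tags"]):
            return ("tag", rule["name"], rule["oss"])
    ip = ipaddress.ip_address(client_ip)
    for rule in ip_rules:
        for lo, hi in parse_ip_spec(rule["client_ips"]):
            if lo.version == ip.version and lo <= ip <= hi:
                return ("ip", rule["name"], rule["oss"])
    if assign_if_no_rule:
        # "Assign OSS if no rule is defined above for client" is enabled by
        # default; which OSS it hands out is not modelled here.
        return ("fallback", None, None)
    return ("none", None, None)


def audit(inventory, tag_rules, ip_rules, assign_if_no_rule=True):
    """Group endpoint names by how they would obtain an OSS."""
    report = {"tag": [], "ip": [], "fallback": [], "none": []}
    for name, ip, tags in inventory:
        source = resolve(ip, tags, tag_rules, ip_rules, assign_if_no_rule)[0]
        report[source].append(name)
    return report


# Constructed sample data (not from the guide).
TAG_RULES = [{"name": "vdi-pool", "client_tags": "VDI, Kiosk", "oss": "OSS-VDI"}]
IP_RULES = [{"name": "dc1", "client_ips": "10.1.0.10-10.1.0.50,\n10.1.2.7", "oss": "10.1.0.5"}]
INVENTORY = [
    ("vdi-01", "10.1.0.20", ["VDI"]),     # matches both rule types; the tag rule wins
    ("app-01", "10.1.0.30", []),
    ("app-02", "10.1.2.7", ["Server"]),
    ("dev-01", "10.9.9.9", []),           # covered by no rule
]

if __name__ == "__main__":
    for source, names in audit(INVENTORY, TAG_RULES, IP_RULES).items():
        print(f"{source:8} {names}")
```

Endpoints listed under none are the ones that would receive no OSS if the fallback option were cleared.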
Configure an offload scan server policy
Create and assign a policy that specifies which offload scan servers a group of virtual machines uses.
Before you begin
• Make sure that you installed the MOVE-AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.
• Make sure that you checked in the MOVE AV Multi-Platform software packages (MOVE-AV_Client_3500_WIN.zip and MOVE-AV_Offload_Scan_Server_3500.zip) to the McAfee ePO server.
• Make sure that you deployed the MOVE AV offload scan server package to the OSS host.
• Make sure that you deployed the MOVE AV client package to the client systems.
• Make sure that you already set up the SVA Manager.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] Client 3.5.0 from the Product drop-down menu, then select General from the Category drop-down list.
3. Click New Policy or click the name of an existing policy to edit it.
4. Type a name for the new policy (for example, MOVE AV Server Policy), then click OK.
5. In the General tab on the Policy Settings page, configure options as needed, then click Save to commit your changes.
   a. Select Register this Offload Scan Server with MOVE SVA Manager to make sure that the selected OSS is registered with the available SVA Manager.
      The SVA Manager works only with the offload scan servers assigned to it for assignment and reporting.
   b. Type the MOVE SVA Manager IP address, host name, or domain name, and the MOVE SVA Manager Port. Default is 8443.
   c. Enter the Number of Log Files to limit the number of log files allowed before they are rotated. This is a positive integer value. Defaults to 20.
   d. Enter the Log File Size to limit the size (in MB) of an individual log file.
6. Click Click to view Advanced Options and configure options as needed, then click Save to commit your changes.
To do this... | Do this...
Specify the Maximum Cache Items | Enter the appropriate amount to limit the number of items that can exist in the server cache.
Configure the Concurrent Scans | Enter the appropriate number to limit the number of available file scan request threads on the server.
Provide the Server Port | Type the port number of the server, which is ready for client request. Modifying the port number restarts the offload scan server.
Select the Client Load | Select the load type, which specifies the workload and activities on endpoints.
• Low load — More clients are present to be assigned to the OSS
• Medium load — Moderate number of clients are present to be assigned to the OSS
• High load — Fewer clients are present to be assigned to the OSS
For example:
• A file server is high load
• A VDI VM used by a business user is low load
• A VM used by a developer is high load
Configure a client policy: Assign OSS to clients using SVA Manager
Create and assign a policy that specifies which offload scan servers a group of virtual machines uses.
Before you begin
• Make sure that you installed the MOVE-AV_Ext_3.5.0_Licensed.zip extension into McAfee ePO.
• Make sure that you checked in the MOVE AV Multi-Platform software packages (MOVE-AV_Client_3500_WIN.zip and MOVE-AV_Offload_Scan_Server_3500.zip) to the McAfee ePO server.
• Make sure that you deployed the MOVE AV offload scan server package to the OSS host.
• Make sure that you deployed the MOVE AV client package to the client systems.
• Make sure that you already set up the SVA Manager.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] Client 3.5.0 from the Product drop-down menu, then select Offload Scan Server Assignment from the Category drop-down list.
3. Click New Policy or click the name of an existing policy to edit it.
4. Type a name for the new policy (for example, OSS Assignment), then click OK.
5. Under Offload Scan Server on the Policy Settings page, configure options as needed, then click Save to commit your changes.
   • Select Assign Offload Scan Server using SVA Manager to make sure that the given OSS is assigned to a set of virtual machines.
   • Enter the SVA Manager IP address, host name, or domain name, and the SVA Manager Port. Default is 8080.
Now, the clients send a request to the SVA Manager when they require an OSS. SVA Manager serves them an OSS based on the filtering rules created in the SVA Manager policy.
5 Monitoring and management
The McAfee MOVE AV deployment option monitors the status of virtual machines to identify problems
and modify behavior from the ePolicy Orchestrator console.
Contents
Integration with ePolicy Orchestrator
Policy management
Configuring permissions sets
Queries and reports
Dashboards and monitors
Global Threat Intelligence
Handling potentially malicious files
Communication between virtual machines and offload scan servers
McAfee MOVE AV Multi-Platform client alerts
Self-protection
Integration with ePolicy Orchestrator
The McAfee MOVE AV deployment option uses the ePolicy Orchestrator framework to deliver and
enforce policies.
This approach provides a single management solution that allows for mass deployment.
ePolicy Orchestrator communicates policy information to McAfee MOVE AV clients and the offload scan
server at regular intervals via the McAfee Agent. The McAfee Agent enforces policies, collects event
information, and transmits the information back to ePolicy Orchestrator. Client-side management of
the McAfee MOVE AV client and offload scan server is available through a command-line interface
(CLI) on Windows-based clients.
Policy management
Through the ePolicy Orchestrator console, you can configure both client and offload scan server
policies from a central location.
How policies are enforced
When you change McAfee MOVE AV Multi-Platform policies in the ePolicy Orchestrator console, the
changes take effect on the targeted managed systems at the next agent-server communication. To
enforce policies immediately, send an agent wake-up call to the targeted systems from the ePolicy
Orchestrator console.
Policies and their categories
Policy information for the McAfee MOVE AV client and offload scan server is grouped into categories: General and Offload Scan Server Assignment. You can create, modify, or delete as many policies as needed under each category. ePolicy Orchestrator provides a preconfigured McAfee Default policy, which can't be edited or deleted, but can be copied. You can then modify these copies to suit your needs.
How policies are applied
Policies are applied to any System Tree group or system by inheritance or assignment. Inheritance
determines whether the policy settings for any system are taken from its parent.
By default, inheritance is enabled throughout the System Tree. You can break inheritance by direct
policy assignment. McAfee MOVE AV Multi-Platform, as managed by ePolicy Orchestrator, enables you
to create policies and assign them without regard to inheritance. When you break this inheritance by
assigning a new policy to a system, all groups and systems that are children of the selected system
inherit the new policy.
Policy tracking and tuning
The deployment and management of McAfee MOVE AV Multi-Platform clients and the offload scan
server are handled from ePolicy Orchestrator. Since McAfee MOVE AV policies apply only to virtual
machines in the System Tree, you can group the virtual machines hierarchically by attributes.
We recommend grouping the virtual machines by the McAfee MOVE AV Multi-Platform configuration
criteria, including scan settings and use of the offload scan server. You can also use tags for automatic
sorting into groups. Tags identify systems with similar characteristics. For more information on
tagging, see the McAfee ePolicy Orchestrator Product Guide.
Deploying McAfee MOVE AV Multi-Platform to thousands of systems is managed easily because most
virtual machines fit into a few usage profiles. Managing a large deployment is reduced to maintaining
a few policy rules. As a deployment grows, newly added virtual machines fit one or more existing
profiles, and can be placed under the correct group in the System Tree.
Configuring policies
You can configure the McAfee MOVE AV Multi-Platform client and offload scan server behavior with
policy settings.
Client policies
• Which offload scan server a client uses
• What to do when a threat is found
• When files are scanned
• How to handle quarantined files
• Which files and programs to exclude from scanning
• How the offload scan server operates
• Where to send alerts
Server policies
• Maximum size of the server cache
• The number of concurrent scans that an offload scan server policy can support
• Which port the offload scan server listens on for scan requests from clients
• The number of log files and the log file size
• Which types of files to scan
• McAfee GTI sensitivity level
• On-Demand Scan settings
Create a policy
Policies allow you to describe threat scanning behavior for specific virtual machines.
By default, policies created in McAfee ePO are not assigned to any groups or systems. When you
create a policy, you are adding a custom policy to the Policy Catalog. You can create policies before or
after a product is deployed.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, then select McAfee MOVE AV [Multi-Platform] client or McAfee MOVE AV [Multi-Platform] Offload Scan Server from the drop-down lists.
3. Click Actions | New Policy.
4. On the New Policy page, configure the policy settings, then click OK.
5. In the General tab of the Policy Settings page for the newly created policy, configure the settings to control basic behavior.
6. Click Save.
Assign a policy
You must assign a policy for it to take effect.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. In the System Tree, select the group containing the virtual machines where you want to apply the policy.
3. Click Menu | Systems | System Tree | Assigned Policies.
4. In the Product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.5.0 or MOVE AV [Multi-Platform] Client 3.5.0.
5. In the Actions column of the McAfee Default policy, select Edit assignments.
6. In the Inherit from list on the Policy Assignments page, select Break inheritance and assign the policy and settings below.
7. In the Assigned Policy list, select the policy you created earlier.
8. Click Save.
9. To apply the policy immediately, perform an agent wake-up call.
The policies are not modified on client systems until the next agent-server communication that includes a Collect and Send Properties operation. This can be initiated from the agent on the client, or by performing an agent wake-up call from within ePolicy Orchestrator.
Configuring permissions sets
A permission set is a group of permissions (or access rights) granted to a user account for specific
features of a product. Permission sets only grant permissions — they never remove a permission.
All permissions to all products and features are assigned automatically to global administrators. Other
users must have permission assigned manually. Global administrators can assign existing permission
sets when creating or editing user accounts and when creating or editing permission sets.
For more information on permission sets, see the McAfee ePolicy Orchestrator Product Guide.
McAfee MOVE AV Permission set
The McAfee MOVE AV Multi-Platform software adds a MOVE-AV [Multi-Platform] Client 3.5.0 Policy Permission and
MOVE-AV [Multi-Platform] Offload Scan Server section to the permission sets with one setting. This defines
access rights to the software features. The MOVE AV 3.5 [Multi-Platform] SVA Manager adds the MOVE SVA
Manager section to the permission sets. Global administrators must grant permissions to users to use
the McAfee MOVE AV deployment option, because no permissions are granted by default.
Other required permissions
The global administrator must give ePolicy Orchestrator permissions to handle other areas that work
with the McAfee MOVE AV including queries, dashboards, and the Threat Event Log.
For these features... | These permissions sets are required
Dashboards | Dashboards, Queries and Reports
Queries | Queries and Reports
Policies | System Tree access, Policy Assignment Rules
Events on virtual machines | Systems, System Tree access, Threat Event Log
Configure permission sets
Update the read/write permissions assigned to the user roles defined for your ePolicy Orchestrator
environment.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | User Management | Permission Sets.
3. Select a user role from the Permission Sets list.
4. Next to MOVE-AV [Multi-Platform] 3.5 Client Policy Permission or MOVE-AV [Multi-Platform] 3.5 Offload Scan Server Policy Permission, click Edit.
5. Select the permission level.
6. Click Save.
For more information on permission sets, see the McAfee ePolicy Orchestrator Product Guide.
Queries and reports
From the ePolicy Orchestrator console, you can extract information about your McAfee MOVE AV
Multi-Platform clients with several queries and reports.
• View events in the threat event log.
• Run default McAfee MOVE AV Multi-Platform queries that show important client information.
• Create reports using data sent by the McAfee MOVE AV clients to the ePolicy Orchestrator database.
Modify the VirusScan Enterprise compliance query results
VirusScan Enterprise queries might report virtual machines that use McAfee MOVE AV Multi-Platform
as noncompliant.
We recommend that you use the VirusScan Enterprise Compliance report to determine compliance for
systems that use the offload scan server. Use the McAfee MOVE AV client status report to determine if
client protection is enabled.
If virtual machines that use the Multi-Platform deployment option are reported incorrectly as
noncompliant in the VirusScan Enterprise 8.8 Compliance query, consider excluding those systems
from its results.
Task
For option definitions, click ? in the interface.
1. From the ePolicy Orchestrator console, click Menu | Queries and Reports.
2. Click Shared groups | VirusScan Enterprise | VSE version 8.8 Compliance.
3. Click Edit, then click the Filters tab.
4. From Available Properties, select Products Property | Installed products.
5. Select does not contain from the comparison, and type MOVE-AV in the text box.
6. Click Save to modify the query.
Default queries
The McAfee MOVE AV deployment option adds several queries to your ePolicy Orchestrator
environment.
Table 5-1 MOVE AV Multi-Platform queries
Query | Description
MOVE-AV [Multi-Platform]: Client Protection Status | Displays the status of all MOVE clients managed by the server.
MOVE-AV [Multi-Platform]: Client connected with a given OSS | Displays the details of the client and OSS it is assigned.
MOVE-AV [Multi-Platform]: DAT version | Displays the DAT version of all MOVE AV clients that are managed by the server.
MOVE-AV [Multi-Platform]: Summary of Threats Detected in the Last 24 Hours | Displays threats detected in the last 24 hours.
MOVE-AV [Multi-Platform]: Threats Detected in the Last 24 Hours | Displays the number of threats detected in the last 24 hours by hour.
MOVE-AV [Multi-Platform]: Top 10 Computers with the Most Detections | Displays the top ten computers with the most threat detections in the last three months.
MOVE-AV [Multi-Platform]: Top 10 Detected Threats | Displays the top ten detected threats in the last three months.
MOVE-AV [Multi-Platform]: Top 10 Users with the Most Detections | Displays the top ten users with the most threat detections in the last three months.
Table 5-2 MOVE offload scan server queries and events
Query | Description
OSS Load: Number of Connected Endpoints | This categorizes the offload scan servers into Capacity full, Capacity Above Threshold, and Capacity Below Threshold based on the number of connected endpoints.
OSS with Higher Average Scan Time in last 7 days | Specifies the top 10 offload scan servers that have reached the average scan time threshold and have been in this state for the longest time in the past 7 days.
OSS with MOVE SVA Manager details | Lists all offload scan servers with MOVE SVA Manager details.
OSS: Average Scan Time Events | Displays these scan time events of the OSS.
• OSS Average Scan Time
• OSS Average Scan Time Threshold
• OSS Average Scan Time Sampling Interval
OSS Capacity Events | Specifies the maximum number of endpoints with the number of endpoints connected.
• OSS Capacity Full
• OSS Capacity Restored
• OSS Capacity Threshold hit
Table 5-3 SVA Manager queries and events
Query | Description
MOVE SVA Manager: OSS Assignment Failed | Specifies the details and reasons of OSS assignment by the SVA Manager. This event is reported in the ePolicy Orchestrator server.
• SVA_MANAGER_OSS_ASSIGNMENT_FAILED — This event is reported when an OSS assignment request is sent from a client to the SVA Manager and it is unable to complete the client request, because no registered OSS is with full capacity.
MOVE SVA Manager: OSS Capacity Events | Specifies the maximum number of endpoints with the number of endpoints connected. These events are reported in the ePolicy Orchestrator server.
• SVA_MANAGER_OSS_THRESHOLD_CAPACITY_HIT — This event is reported when an OSS assignment request is sent from a client to the SVA Manager and cumulative capacity of all offload scan servers eligible to serve that client has reached the threshold value, which is set in the advanced options of the SVA Manager policy.
• SVA_MANAGER_OSS_CAPACITY_FULL — This event is reported when an OSS assignment request is sent from a client to the SVA Manager and all offload scan servers eligible to serve that client have reached their full capacity.
MOVE SVA Manager: OSS Registration Events | Displays the OSS registration events raised by the SVA Manager. These events are reported in the ePolicy Orchestrator server.
• SVA_MANAGER_OSS_REGISTER — This event is reported whenever an OSS is registered with SVA Manager.
• SVA_MANAGER_OSS_UNREGISTER — This event is reported whenever an OSS is unregistered from the SVA Manager because of issues like OSS shutdown, network interruptions.
SVA_MANAGER_STARTED | This event is reported when the SVA Manager starts.
SVA_MANAGER_STOPPED | This event is reported when the SVA Manager stops.
You can add these queries to dashboards to more efficiently track your environment by displaying
several queries at once.
The queries are constantly refreshed, or you can run them at a specified frequency. You can add them
to reports that are run on specific schedules and export them as PDF files or email messages.
The ePolicy Orchestrator Threat Event Log contains information about detections, scan failure,
on-demand scan, and targeted on-demand scan events.
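One way to read the SVA Manager events from Table 5-3 as state rather than as single alerts, added here as an example and not taken from the product: replay the events in time order to find offload scan servers that unregistered and never came back, and clients whose OSS assignment requests failed. The (timestamp, event name, subject) record layout and the sample records are constructed assumptions; only the event names come from the table.

```python
from collections import Counter

# Constructed sample records: (timestamp, event name, subject). The subject is
# assumed to be the OSS for registration events and the requesting client for
# assignment and capacity events.
EVENTS = [
    ("2014-06-01T08:00:00", "SVA_MANAGER_STARTED", "svam-01"),
    ("2014-06-01T08:01:10", "SVA_MANAGER_OSS_REGISTER", "oss-a"),
    ("2014-06-01T08:01:12", "SVA_MANAGER_OSS_REGISTER", "oss-b"),
    ("2014-06-01T09:30:00", "SVA_MANAGER_OSS_UNREGISTER", "oss-b"),
    ("2014-06-01T09:31:05", "SVA_MANAGER_OSS_THRESHOLD_CAPACITY_HIT", "vdi-07"),
    ("2014-06-01T09:40:00", "SVA_MANAGER_OSS_CAPACITY_FULL", "vdi-11"),
    ("2014-06-01T09:40:30", "SVA_MANAGER_OSS_ASSIGNMENT_FAILED", "vdi-11"),
    ("2014-06-01T09:45:00", "SVA_MANAGER_OSS_ASSIGNMENT_FAILED", "vdi-11"),
    ("2014-06-01T10:00:00", "SVA_MANAGER_OSS_UNREGISTER", "oss-a"),
    ("2014-06-01T10:02:00", "SVA_MANAGER_OSS_REGISTER", "oss-a"),
]

CAPACITY_EVENTS = ("SVA_MANAGER_OSS_THRESHOLD_CAPACITY_HIT", "SVA_MANAGER_OSS_CAPACITY_FULL")


def triage(events):
    """Replay events in timestamp order and summarise the resulting state."""
    registered = {}          # OSS -> state after its latest registration event
    manager_running = None   # unknown until a STARTED/STOPPED event is seen
    failures = Counter()     # client -> failed assignment requests
    capacity = Counter()     # capacity event name -> occurrences
    for _, name, subject in sorted(events):  # ISO 8601 strings sort by time
        if name == "SVA_MANAGER_STARTED":
            manager_running = True
        elif name == "SVA_MANAGER_STOPPED":
            manager_running = False
        elif name == "SVA_MANAGER_OSS_REGISTER":
            registered[subject] = True
        elif name == "SVA_MANAGER_OSS_UNREGISTER":
            registered[subject] = False
        elif name == "SVA_MANAGER_OSS_ASSIGNMENT_FAILED":
            failures[subject] += 1
        elif name in CAPACITY_EVENTS:
            capacity[name] += 1
    return {
        "manager_running": manager_running,
        # An OSS whose latest event is UNREGISTER serves no clients until it
        # registers again; these are the ones to check first.
        "oss_not_registered": sorted(o for o, up in registered.items() if not up),
        "clients_without_oss": dict(failures),
        "capacity_events": dict(capacity),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```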
OSS information
A shell script, msmclient.sh, is available with SVA Manager and is used to retrieve the OSS details. The script is available at /opt/McAfee/movesvamanager.
For these commands to work and retrieve the results, the SVA Manager application must be running.
Run these commands with root rights from the /opt/McAfee/movesvamanager directory:
• sudo ./msmclient.sh osscount — Displays the number of offload scan servers attached to the SVA Manager.
• sudo ./msmclient.sh ossinfo — Displays some basic information about the offload scan servers attached to the SVA Manager.
• sudo ./msmclient.sh ossdetails — Displays some advanced information about the OSS: current OSS load, OSS GUID, and last heartbeat time.
Dashboards and monitors
Dashboards, which are comprised of monitors, help you track key metrics from major components of
the MOVE AV Multi-Platform.
McAfee ePO 4.6 — Dashboards are grouped under Private Dashboards.
McAfee ePO 5.1 — Reports are grouped under McAfee Dashboards.
MOVE Multi-Platform dashboard
The MOVE Multi-Platform dashboard is added to your McAfee ePO server when you install the MOVE
Multi-Platform software.
The dashboard displays a collection of monitors based on the results of the default MOVE
Multi-Platform software queries.
The default monitors that appear under the MOVE Multi-Platform dashboard are:
• OSS Load: Number of Connected Endpoints — Displays the number of managed endpoints with load category of the OSS.
  • Capacity Full — Indicates that the OSS limit is reached when the number of endpoints is equal to what can be assigned.
  • Capacity Above Threshold — Appears when capacity of an OSS is more than its threshold value.
  • Capacity Below Threshold — Appears when capacity of an OSS is less than its threshold value.
• OSS with Higher Average Scan Time in last 7 days — Specifies the top 10 offload scan servers that have reached the average scan time threshold and have been in this state for the longest time in the past 7 days.
See the chapter on dashboards in the McAfee ePolicy Orchestrator Product Guide for information about
managing dashboards.
Report visibility and health of the offload scan server
You can check the product properties of MOVE AV Multi-Platform and the product component MOVE
OSS using the ePolicy Orchestrator server.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Systems | System Tree | Systems tab.
3. Click an OSS system to open the System Information page.
4. Click Product tab and select the product as MOVE AV [Multi-Platform].
5. You can now see these product properties, which can be used to determine the health details of the OSS.
Table 5-4 General
Property | Description
Installed Path | Offload scan server installation directory.
Language | Supported language
MOVE SVA Manager IP Address/Hostname | SVA Manager IP address.
MOVE SVA Manager Port | SVA Manager port number.
On Demand Scan Status | OSS triggered on-demand scan of Endpoints.
Plugin Version | Plugin version
Server Port | Port of the OSS to handle endpoint requests.
System Status | Offload scan server service status.
Table 5-5 Endpoint
Property | Description
Connected Endpoints | Number of endpoints connected to the OSS.
Connected Endpoints Threshold | The offload scan server will raise an event when the number of connected endpoints is more than this value.
Maximum number of endpoints | Maximum number of endpoints that can connect to the OSS.
Table 5-6 Scan requests
Property | Description
Pending Requests in Queue | Total number of endpoint requests in queue.
Ram Disk Size (MB) | Size of RAM disk created at the OSS.
Total AV Scan Failures | Number of failed file scan and smart scan requests at AV scanner.
Total AV Scan Requests | Number of file scan and smart scan requests to AV scanner.
Total File Transfer Requests | Total number of file scan requests from the endpoints.
Total Request Failures | Number of endpoint requests that failed.
Total Response Failures | Number of responses from the OSS that failed.
Total Scan Requests | Total number of scan requests from the endpoints.
Total Scans on RAM Disk | Total number of file transfer scan requests performed using RAM disk.
Total Smart File Requests | Total number of smart scan requests from the endpoints.
Scan request means all scan requests, which include checksum, file, and smart scan requests.
File Scan request means the scan request where file transfer happens.
Smart Scan request means the scan request where file transfer does not happen; however, some portion of the file is transferred.
The statistical attributes under Scan requests let you draw useful conclusions about the health of the OSS and its scanning performance. For example, using attributes like Total Scans on RAM Disk and Total File Transfer Requests, you can easily confirm what fraction of total file scan requests is being served through the RAM disk.
Table 5-7 Scan threads
Property | Description
Scan Thread Count | Number of threads on the OSS to serve scan requests.
Total Idle Threads | Number of idle threads on the OSS waiting to serve scan requests.
Table 5-8 Scan time
Property | Description
Average Request Process Time (seconds) | Average time taken on the OSS to process scan requests.
Average Request Process Time (seconds) | Average time taken on the OSS before scan requests are getting served on the OSS.
Table 5-9 Scan Cache
Property | Description
Checksum Cache Hits | Number of checksum cache hits.
Number of Checksums in Cache | Number of checksums in cache.
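The OSS properties in Tables 5-5 to 5-7 can be turned into a repeatable health check, shown here as an added example that is not part of the product: it computes the RAM disk fraction mentioned above along with failure, capacity and thread ratios, and lists findings. The dictionary keys are the property names from the tables; the 1% failure limits, the function names and the sample values are assumptions.

```python
def ratio(numerator, denominator):
    """Return numerator / denominator, or None when the denominator is 0
    (no requests counted yet), so an idle OSS does not raise an error."""
    return None if denominator == 0 else numerator / denominator


# Assumed alert limits for illustration; the guide does not define them.
LIMITS = {"request_failure_rate": 0.01, "av_failure_rate": 0.01}


def oss_health(p, limits=LIMITS):
    """Derive ratios and findings from property values copied from the
    System Information page of one OSS."""
    metrics = {
        # Share of file scan requests served through the RAM disk.
        "ram_disk_fraction": ratio(p["Total Scans on RAM Disk"],
                                   p["Total File Transfer Requests"]),
        "av_failure_rate": ratio(p["Total AV Scan Failures"],
                                 p["Total AV Scan Requests"]),
        "request_failure_rate": ratio(p["Total Request Failures"],
                                      p["Total Scan Requests"]),
        "endpoint_utilisation": ratio(p["Connected Endpoints"],
                                      p["Maximum number of endpoints"]),
        "idle_thread_fraction": ratio(p["Total Idle Threads"],
                                      p["Scan Thread Count"]),
    }
    findings = []
    if p["Connected Endpoints"] >= p["Maximum number of endpoints"]:
        findings.append("capacity full")
    elif p["Connected Endpoints"] > p["Connected Endpoints Threshold"]:
        # Same condition under which the OSS raises its threshold event.
        findings.append("capacity above threshold")
    for key in ("request_failure_rate", "av_failure_rate"):
        if metrics[key] is not None and metrics[key] > limits[key]:
            findings.append(f"{key} above {limits[key]:.0%}")
    if p["Pending Requests in Queue"] > 0 and p["Total Idle Threads"] == 0:
        findings.append("requests queued with no idle scan threads")
    return metrics, findings


# Constructed sample values (not from the guide).
SAMPLE = {
    "Connected Endpoints": 180,
    "Connected Endpoints Threshold": 150,
    "Maximum number of endpoints": 200,
    "Pending Requests in Queue": 12,
    "Total AV Scan Failures": 5,
    "Total AV Scan Requests": 2000,
    "Total File Transfer Requests": 1000,
    "Total Request Failures": 30,
    "Total Scan Requests": 1500,
    "Total Scans on RAM Disk": 750,
    "Scan Thread Count": 8,
    "Total Idle Threads": 0,
}

if __name__ == "__main__":
    metrics, findings = oss_health(SAMPLE)
    for name, value in metrics.items():
        print(f"{name}: {value}")
    for finding in findings:
        print("finding:", finding)
```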
Global Threat Intelligence
McAfee Global Threat Intelligence (GTI) File Reputation is a comprehensive, real-time, cloud-based file
reputation service that enables McAfee products to protect customers against both known and
emerging malware-based threats.
This cloud-based system receives billions of file reputation queries each month, and responds with a
score that reflects the likelihood that the file in question is malware. The score is based not only on
the collective intelligence from sensors querying the McAfee cloud and the analysis performed by
McAfee Labs researchers and automated tools, but also on the correlation of cross-vector intelligence
from web, email, and network threat data. The McAfee anti-malware engine — whether deployed as
part of an endpoint anti-malware, gateway, or other solution — uses the score to determine action
(such as block or quarantine) based on local policy.
These are the key benefits of GTI File Reputation:
• Compresses the threat protection time period from days to milliseconds
• Increases malware detection rates
• Reduces downtime and remediation costs associated with malware attacks
Change the Global Threat Intelligence level
You can change the Global Threat Intelligence (GTI) sensitivity level from ePolicy Orchestrator when
required.
Higher sensitivity levels are more secure, but can degrade performance and might cause more false
positive results.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, then from the product list select MOVE AV [Multi-Platform] Offload Scan Server 3.5.0.
3. Click the name of an existing policy to edit it, then click the Scan Settings tab.
4. Select the Sensitivity level from the drop-down list. The default and recommended setting is Medium.
The GTI level is changed as specified. If the new GTI level is more sensitive than before, all previously scanned files are flushed from the cache.
Create a policy specifying offload scan server
Create a policy that specifies which offload scan servers a group of virtual machines uses. After you
create this policy, you must assign it before it takes effect.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, then select MOVE AV [Multi-Platform] Client 3.5.0.
3. Click New Policy.
4. Type a name for the new policy (for example, MOVE AV Server Policy), then click OK.
5. In the General tab on the Policy Settings page, configure options as needed, then click Save to commit your changes.
   • Select Enable malware protection to make sure that the protection state is enabled. The protection state is disabled by default.
   • Enter the Offload Scan Server 1 IP address, host name, or domain name, and the Offload Scan Server 1 Port. Default is 9053.
     McAfee MOVE AV Multi-Platform 3.5 supports Fully Qualified DNS names, which allow for DNS Round-Robin Load Balancing. This type of load balancing distributes client requests across multiple servers.
   • Enter the Offload Scan Server 2 IP address, host name, or domain name, and the Offload Scan Server 2 Port. Default is 9053.
     McAfee recommends using two different addresses when setting up the primary and secondary servers. Using the same address for both servers results in delayed coverage, which occurs when recovering from loss of connection to the primary server.
   • Modify the Scan Timeout, Scan Result Cache, and Cache Expiration Time settings, as needed.
Handling potentially malicious files
Policy settings determine what happens to a file after a scan determines it to be malicious.
The McAfee MOVE AV Multi-Platform deployment option can take three actions when dealing with a
potentially malicious file.
These policy settings determine which action is taken.
Primary action | Quarantine setting | Actions taken
Delete files automatically (default) | Enabled (default) | Back up the malicious file as a .VIR file in the quarantine folder, then delete the original file.
Delete files automatically | Disabled | Delete the file. Nothing appears in the quarantine folder and no backup copy of the file is made. This causes data loss if quarantine is not enabled.
Deny access to files | Enabled or Disabled | Deny access to the file. Nothing appears in the quarantine folder.
Isolating malicious files in quarantine
The McAfee MOVE AV Multi-Platform deployment option deals with malicious files beyond events and
notifications.
When an item is detected as a threat, an event is triggered that notifies administrators of the threat.
The malicious file can also be isolated in a quarantine folder, allowing you to perform other processes,
like remove and restore, on the quarantined items.
Quarantining is enabled by default, and quarantined items are placed in the C:\Quarantine folder on
the system where the file was discovered. Quarantined items are sorted in the quarantine folder by
threat category, and are automatically deleted after a configurable period of time. Quarantine behavior
can be modified through policy changes.
Change threat quarantine behavior
Modify the default quarantine settings to suit your organizational policies.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client 3.5.0.
3. Click the name of an existing policy to edit it, then click the Quarantine tab.
4. Change the threat quarantine behavior:
   • Disable the quarantine functionality by deselecting Enabled.
   • Change where quarantined items are stored by changing the Quarantine Directory setting.
     Mapped network drives and UNC network path names are not supported.
   • If you don't want quarantined items deleted after a period, deselect Automatically delete quarantined data after the specified number of days.
   • If you want to change how long quarantined items are stored before they are deleted, change the Number of days to keep backed-up data in the quarantine directory setting.
5. Click Save to modify the policy.
The modified policy is applied after the next agent-server communication interval. If you want the
policy applied immediately, perform an agent wake-up call on the systems where the newly modified
policy is assigned.
Restore quarantined items
McAfee MOVE AV deletes any items that are detected as threats, converts a copy of the item to a
non‑executable format, and saves it in the Quarantine folder.
Before you begin
Make sure that you installed the MOVE‑AV_Ext_3.5.0_Licensed.zip extension into McAfee
ePO.
You can perform actions on quarantined items. For example, you might be able to restore an item
after downloading a later version of the DAT that contains information that cleans the threat.
Quarantined items can include various types of scanned objects, such as files, cookies, registries, or
anything McAfee MOVE AV scans for malware.
Task
For option definitions, click ? in the interface.
1. Log on to the ePolicy Orchestrator server as an administrator.
2. Select Menu | Policy | Client Task Catalog.
3. From Client Task Types, select MOVE AV [Multi-Platform] Client 3.5.0 | Restore From Quarantine.
4. Click the name of an existing client task or click New Task and confirm the task type.
5. Configure these settings on each tab and click Save.
   Tab | Description
   Task Name | Specifies a unique user-friendly name for the task.
   Description | Specifies a user-friendly description of the task.
   Detection name | Specifies the exact detection name of the item to restore from quarantine.
6. Click Assign, specify the servers where you want to assign the task, then click OK.
7. Click 2 Schedule to schedule the task.
Change the primary threat response
You can modify how the Multi-Platform deployment option handles potentially malicious files after a
threat is detected.
By default, the McAfee MOVE AV Multi-Platform policy backs up a potentially malicious file to a
quarantine folder as a .VIR file, then deletes the original. These steps change that behavior.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client 3.5.0.
3. Click the name of an existing policy to edit it, then click the Actions tab.
4. Change the Perform this action first setting to Delete files automatically or Deny access to files, depending on your requirements.
   The second action is set to Deny access to files if that is not the first action. Otherwise, there is no second action. If quarantine is on, a backup of the file is made in the quarantine folder before it is deleted.
5. Click Save.
Systems assigned this policy are updated at the next agent-server communication interval.
Run the scan diagnostic tool
You can run the scan diagnostic tool to calculate and display frequently scanned processes, files,
extensions, and VMs, so that you can include these files in the path and process exclusion policies.
These specified files are excluded from scans when they are written by a trusted process.
Before you begin
You must have administrator permissions to perform this task.
Access the offload scan server command-line interface (CLI) on the offload scan server virtual
machine to create and display this report.
Task
1. Open the McAfee MOVE AV Offload Scan Server CLI: click Start | Programs | McAfee | MOVE AV Server command prompt.
   This command prompt has administrator rights.
   At this command prompt, you can type commands that activate the mvadm utility to perform administration tasks on the Offload Scan Server.
2. To calculate the frequently scanned files, run this command: move_diagnose /T: <Time Window> /O: <Output File>. Where:
   • T — The time period, in minutes, set for calculating the frequently scanned files. For example, 3 minutes.
   • O — Full path of the output file for storing the results.
   At the end of specified minutes, the tool completes the analysis and displays the results. The default allowed time limit is 10 minutes.
   You can also change the time limit by configuring the registry settings in HKLM\System\CurrentControlSet\services\mvserver\Parameters\diagnostic\FrequentlyScanMaxTimeOutWindow
   This diagnostic tool captures these details:
   • Top 10 file scan requests
   • Top 10 file extensions
   • Top 10 processes
   • Top 10 virtual machines that are sending maximum scan and checksum requests.
   This tool can be used with 2.6 clients as well.
Change when files are scanned
You can modify the client policy to determine which files are scanned for threats and when.
By default, all files are scanned when they are read from or written to disk, or when opened for
backup. The McAfee Agent program files and the User Profile Manager process are excluded from
scans.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client 3.5.0.
3. Click the name of an existing policy to edit it, then click the Scan Items tab.
4. Change the file scanning behavior in one of these ways:
   For this... | Do this...
   Scan files | Select any combination of:
     • When writing to disk
     • When reading from disk
     • On network drives
     • Opened for backup
     Depending on your environment, selecting On network drives can degrade network performance.
   File types to scan |
     • All files — Select to scan all files.
     • Default + Additional files — Select to scan the default file types or any additional file types. You can add, edit, and remove any additional file types, which are included for scanning.
     • Following only — Select to specify a list of file extensions to scan. You can add, edit, and remove file extensions that are included for scanning.
     Archive and MIME-encoded files are not scanned by default. This behavior is changed by modifying the offload scan server policy.
     Wildcards are not supported, and exact matches are required. Do not include the period when specifying extensions.
   Path Exclusions | Add them to the Path Exclusions and Process Exclusions lists.
     Excluding scan items — The MOVE AV Multi-Platform product allows you to fine-tune the list of file types scanned. For example, you can exclude from scanning individual files, folders, and disks. These exclusions might be needed because the scanners could scan and lock a file when that file is being used by a database or server. This could cause the database or server to fail or generate errors.
     For example, path exclusion pattern .ost prevents any file with the .ost extension from being scanned. Wildcards and regular expressions aren't supported.
     Using the Import option, you can browse and select the exclusion rule file and add path exclusions.
     A path exclusion entry *.log is available, so that the log files at the client system are not scanned. This improves the scanning performance of the client system.
   Publisher Exclusions | You can choose to trust authenticated and signed files from different publishers. Fewer files are then sent from endpoints to the OSS for scanning, which optimizes the use of OSS resources and improves scanning performance.
5. Click Save to modify the policy.
Enable and configure on-demand scans
You can modify the offload scan server policy to enable system on-demand scans, and to determine
the schedule and frequency of scans.
Before you begin
Make sure that you installed the MOVE‑AV_Ext_3.5.0_Licensed.zip extension into McAfee
ePO.
By default, on-demand scans are not enabled. Other scan characteristics (for example, exclusions) are
inherited from the client scan policy.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Offload Scan Server 3.5.0.
3. Click the name of an existing policy to edit it, then click the On-Demand Scan tab.
4. Configure these settings, then click Save.
   To do this... | Do this...
   Enable On-Demand Scanning | Select Enabled.
   Specify the Maximum concurrent scans per Offload Scan Server | Enter the appropriate amount for your environment. We recommend 2.
   Configure the Maximum On-Demand Scan time (minutes) | Enter the appropriate amount for your environment. We recommend 150.
   Specify the On-Demand Client Scan interval (days) | Enter the appropriate amount for your environment. We recommend 7.
   Specify the Maximum concurrent targeted scans per Offload Scan Server | Enter the appropriate amount for your environment. We recommend that you keep the default value of 1. A high value can affect scanning performance. The maximum concurrent targeted on-demand scan value is 400.
   Determine the On-Demand Scan time window | Set or clear the time slots to specify available scan times. Green indicates a time slot when a scan can start and white indicates a time when a scan can't start. Grid cells can be toggled between available (green) and unavailable (white) by clicking the cell, column header, or row header.
Targeted on-demand scan
The targeted on-demand scan feature in MOVE AV Multi-Platform allows the administrator to select a
system or a group of systems from the System Tree and assign a client task to initiate the on-demand
scan immediately.
The OSS runs the specified Maximum concurrent targeted scans per Offload Scan Server in addition to the Maximum
concurrent scans per Offload Scan Server defined by the administrator.
Configure targeted on-demand scans
Modify the offload scan server policy to enable on-demand scanning, and to set the concurrent scan
value to the default value.
Before you begin
Make sure that you have installed the MOVE‑AV_Ext_3.5.0_Licensed.zip extension into
McAfee ePO.
By default, on-demand scans are not enabled. Other scan characteristics (for example, exclusions) are
inherited from the client scan policy.
Review these assumptions before configuring targeted on-demand scans:
• If the targeted on-demand scan task is performed on more than one VM, the targeted on-demand scan clients are picked up randomly by the OSS.
• If the administrator has assigned a targeted on-demand scan task to a VM, and if the OSS has reached the maximum number of targeted on-demand scans, the recently initiated on-demand scan is scheduled later when the targeted on-demand scan slot is available.
• The maximum number of targeted on-demand scans cannot be greater than these values:
   • The configured maximum concurrent targeted on-demand scans per OSS
   • The configured maximum concurrent general on-demand scans per OSS
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Offload Scan Server 3.5.0.
3. Click the name of an existing policy to edit it, then click the On-Demand Scan tab.
4. Configure these settings, then click Save.
   To do this... | Do this...
   Enable On-Demand Scanning | Select Enabled.
   Configure the Maximum On-Demand Scan time (minutes) | Enter the appropriate amount for your environment. We recommend 150.
   Specify the Maximum concurrent targeted scans per Offload Scan Server | Enter the appropriate amount for your environment. We recommend that you keep the default value of 1. A high value can affect scanning performance. The maximum concurrent targeted on-demand scan value is 400.
Create and run a targeted on-demand scan client task
Select a system or a group of systems from the System Tree and assign a client task to initiate the
targeted on-demand scan immediately.
Before you begin
Make sure that you installed the MOVE‑AV_Ext_3.5.0_Licensed.zip extension into McAfee
ePO.
Task
For option definitions, click ? in the interface.
1. Log on to the ePolicy Orchestrator server as an administrator.
2. Select Menu | Policy | Client Task Catalog.
3. From Client Task Types, select MOVE AV [Multi-Platform] Client 3.5.0 | Targeted On Demand Scan.
4. Click the name of an existing client task or click New Task and confirm the task type.
5. Configure these settings on each tab and click Save.
   Tab | Description
   Task Name | Specifies a unique user-friendly name for the task.
   Description | Specifies a user-friendly description of the task.
   For this task to run successfully, make sure that the On-Demand Scanning option in the MOVE-AV [Multi-Platform] Offload Scan Server 3.5.0 policy is enabled.
6. Click Assign, specify the servers where you want to assign the task, then click OK.
7. Click 2 Schedule to schedule the task.
Enable and configure RAM disk
RAM disk is used by the OSS for file scanning, and it significantly reduces the disk I/O on the offload
scan server. You can enable the RAM disk option in the ePolicy Orchestrator server. The RAM disk is created
by the OSS, and it improves OSS performance by improving the scan time.
Before you begin
Make sure that you installed the MOVE‑AV_Ext_3.5.0_Licensed.zip extension into McAfee
ePO.
Task
For option definitions, click ? in the interface.
1. Log on to the ePolicy Orchestrator server as an administrator.
2. Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] Offload Scan Server 3.5.0 from the Product drop-down menu, then select General from the Category drop-down list.
3. Click New Policy or click the name of an existing policy to edit it.
4. In the Scan Settings tab on the Policy Settings page, enable or disable RAM Disk Support.
   By default, this option is enabled.
   After enabling the RAM disk option on the ePolicy Orchestrator server, the RAM disk is created by the OSS.
On enabling the RAM disk support, the RAM disk is created when the service starts. The RAM disk
size is calculated based on the total RAM size on the OSS.
Total RAM Size on OSS | RAM disk size
Less than (4 GB–100 MB) | 0 MB
Equal to (4 GB+100 MB) | 100 MB
Greater than 4 GB+100 MB | (50% of RAM Size – 4 GB) + 100 MB
The RAM disk volume name is “mvram”. The RAM disk is deleted when the service starts.
You can view the RAM disk size and total scans on RAM disk from the OSS product properties. For
details, see Report visibility and health of the offload scan server.
Communication between virtual machines and offload scan servers
The McAfee MOVE AV client and the offload scan server communicate through a specific port to isolate
the communication channel.
To allow this communication to occur, the specific network port must be opened up on any firewalls
between the systems.
By default, the Multi-Platform deployment option uses port 9053. This port is not generally used by
other applications. If your network has other requirements, you can change this communication port
by modifying the policy.
Secure communication between clients and the offload scan server by placing VMs on VLANs or by using
the IPsec protocol suite. Both options impact product performance.
Change the offload scan server settings
You can modify the GTI file reputation and scan archive files, unwanted programs, and MIME files from
the Scan Settings tab.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog.
3. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.5.0.
4. Click the Scan Settings tab, then select these options as needed:
   To do this... | Use these settings...
   Scan files with an archive | Select Scan Archive Files
   Scan for unwanted programs | Select Scan for Unwanted Programs. By default archive files aren't saved, so make sure that you scan for potentially unwanted programs (PUPS).
   Scan for MIME files | Select Scan MIME Files
   Modify the GTI file reputation | Select McAfee Global Threat Intelligence file reputation
Change the offload scan server port
The port used by the offload scan server can be changed after installation if your network environment
requires that the Multi-Platform deployment option use a different port.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, then from the Product List select MOVE AV [Multi-Platform] Offload Scan Server 3.5.0.
3. Click the name of an existing policy to edit it, then click the General tab.
4. Enter the corresponding server port number. Default is 9053.
5. From the ePolicy Orchestrator console, modify the policy assigned to the group of virtual machines using this offload scan server to reflect the new port number.
   See the McAfee ePolicy Orchestrator Product Guide for details on modifying policies.
6. Perform an agent wake-up call to push the modified policy to appropriate virtual machines.
The offload scan server service restarts after you receive the modified policy port number.
McAfee MOVE AV Multi-Platform client alerts
McAfee MOVE AV Multi-Platform generates alerts when protection is enabled or disabled, when a file
scan fails, or when a threat is detected.
These alerts can be displayed in any of three locations: the local system's Windows Event Log, the
ePolicy Orchestrator threat event log, or on the local system as a McAfee system tray pop-up menu.
You can configure these alerts by changing the policy.
Triggered events
McAfee MOVE AV Multi-Platform displays one of these messages when the triggering event occurs.
Client events
Event ID | Level | Event message
34260 | High | Threat Detected
34261 | Medium | Scan Time Out
34262 | Low | Protection Enabled
34263 | Medium | Protection Disabled
Server events
Event ID | Level | Event message
34266 | Info | Offload Scan Server stopped.
34269 | Info | On-Demand scan started.
34270 | Info | On-Demand scan complete.
34271 | Info | On-Demand scan terminated. Scan time limit reached.
34272 | Info | On-Demand scant terminated. Scan disabled in policy.
34273 | Info | On-Demand scan terminated. Exceeded maximum number of concurrent scans.
34274 | High | On-Demand scan terminated. Scan failure on client.
34275 | High | On-Demand scan terminated. Unexpected termination.
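The following triage logic is an added example, not part of the product guide or McAfee tooling. It works on the event IDs in the tables above and reports VMs whose latest protection-state event is 34263, VMs where protection was disabled shortly after a 34260 detection, repeated 34261 time-outs, and the two High server events. The timestamp,host,event_id layout, the host names, and the thresholds are assumptions constructed for illustration; the guide does not define an export format.

```python
"""Triage MOVE AV events by the event IDs documented in this guide."""
import csv
from collections import Counter
from datetime import datetime, timedelta

THREAT, SCAN_TIMEOUT, PROT_ON, PROT_OFF = 34260, 34261, 34262, 34263
ODS_FAILURES = {34274, 34275}  # the two server events the guide rates High

# Constructed sample: timestamp,host,event_id (assumed layout, not a product format).
SAMPLE_EVENTS = """\
2014-06-02T08:00:05,vdi-014,34262
2014-06-02T08:14:40,vdi-014,34260
2014-06-02T08:15:02,vdi-014,34263
2014-06-02T09:01:10,vdi-022,34261
2014-06-02T09:01:58,vdi-022,34261
2014-06-02T09:03:31,vdi-022,34261
2014-06-02T09:30:00,vdi-031,34263
2014-06-02T09:31:12,vdi-031,34262
2014-06-02T10:00:00,oss-01,34269
2014-06-02T12:30:00,oss-01,34271
2014-06-02T12:45:00,oss-01,34275
"""


def parse_events(text):
    """Return (time, host, event_id) tuples in time order; skip malformed rows."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 3 or not row[2].strip().isdigit():
            continue
        try:
            when = datetime.fromisoformat(row[0].strip())
        except ValueError:
            continue
        events.append((when, row[1].strip(), int(row[2])))
    return sorted(events)


def triage(events, timeout_threshold=3, tamper_window=timedelta(minutes=10)):
    """Summarise the events a responder should look at first."""
    last_state = {}     # host -> most recent of PROT_ON / PROT_OFF
    last_threat = {}    # host -> time of most recent Threat Detected
    threats, timeouts, ods_failed = Counter(), Counter(), Counter()
    disabled_after_threat = set()

    for when, host, event_id in events:
        if event_id == THREAT:
            threats[host] += 1
            last_threat[host] = when
        elif event_id == SCAN_TIMEOUT:
            timeouts[host] += 1
        elif event_id in (PROT_ON, PROT_OFF):
            last_state[host] = event_id
            # Protection switched off soon after a detection deserves a closer look.
            seen = last_threat.get(host)
            if event_id == PROT_OFF and seen and when - seen <= tamper_window:
                disabled_after_threat.add(host)
        elif event_id in ODS_FAILURES:
            ods_failed[host] += 1

    return {
        "unprotected": sorted(h for h, s in last_state.items() if s == PROT_OFF),
        "disabled_after_threat": sorted(disabled_after_threat),
        "threats": dict(threats),
        "timeout_hosts": sorted(h for h, n in timeouts.items() if n >= timeout_threshold),
        "ods_failures": dict(ods_failed),
    }


if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key}: {value}")
```

Repeated 34261 time-outs matter because, per the ScanTimeout setting, a file can be accessed once the scan time limit passes.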
Change the client alert behavior
The default alert locations can be modified to suit your organizational policies.
By default, McAfee MOVE AV Multi-Platform displays alerts in the local system's Windows Event Log,
and the ePolicy Orchestrator threat event log. Alert notification locations can be changed by modifying
the McAfee MOVE AV Multi-Platform policy.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client 3.5.0.
3. Click the name of an existing policy to edit it, then click the Alerts tab.
4. Change the threat alert behavior by selecting or deselecting these locations:
   • Malware detections are reported to the client event log
   • Malware detection events are sent to ePolicy Orchestrator
   • Malware detections result in a pop-up on the client
5. Click Save to modify the policy.
The modified policy is applied after the next agent-server communication interval. If you want the
policy applied immediately, perform an agent wake-up call on the systems where the newly modified
policy is assigned.
Change the offload scan server alert behavior
The default alert locations can be modified to suit your organizational policies.
By default, McAfee MOVE AV Multi-Platform displays alerts in the local system's Windows Event Log,
and the ePolicy Orchestrator threat event log. Alert notification locations can be changed by modifying
the McAfee MOVE AV Multi-Platform policy.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Offload Scan Server 3.5.0.
3. Click the name of an existing policy to edit it, then click the Alerts tab.
4. Change the threat alert behavior by selecting or deselecting these options:
   • Offload Scan Server events are reported to the Windows Event Log
   • Offload Scan Server events are sent to ePolicy Orchestrator
5. Click Save to modify the policy.
The modified policy is applied after the next agent-server communication interval. If you want the
policy applied immediately, perform an agent wake-up call on the systems where the newly modified
policy is assigned.
Self-protection
The self-protection feature defends files, services, and registry keys on virtual machines. Use the
VirusScan Enterprise access protection rules for self-protection of the offload scan server.
The self-protection feature prevents malicious attacks on MOVE AV Multi-Platform components. This
keeps your virus protection active and stable.
Protection type | Protection effects
File protection | These files and all parent folders are protected against deletion and renaming.
   • <install_dir>\mvadm.exe
   • <install_dir>\mvmctraypl.dll
   • <install_dir>\mvagtsvc.exe
   • <install_dir>\passwd
   • <install_dir>\mvagntpl.dll
Registry protection | These registry keys, all subkeys, and all values under them are protected.
   • services\mvagtdrv
   • services\mvagtsvc
   • services\EventLog\Application\MOVE AV client
   All parent keys starting from services are protected from deletion and rename.
Service stop protection | The mvagtsvc service cannot be stopped.
The self-protection feature is controlled by the IntegrityEnabled configuration parameter. By default,
the parameter is set to 0x7, and all components of the feature are enabled.
The configuration parameter accepts values from 0–7, which is a decimal representation of a 3-bit
binary value.
Decimal value | Binary value | Definition
0 | 000 | Protection disabled
1 | 001 | File protection
2 | 010 | Registry protection
3 | 011 | File and registry protection
4 | 100 | Service protection
5 | 101 | Service and file protection
6 | 110 | Service and registry protection
7 | 111 | Service, registry, and file protection
For example, to enable file and registry protection, set the parameter to 3 (0b011) with this
command:
mvadm config set IntegrityEnabled=3
To enable file and Service stop protection, but not registry protection, set the parameter to 5
(0b101) with this command:
mvadm config set IntegrityEnabled=5
To disable the self-protection feature, set the parameter to 0 with this command:
mvadm config set IntegrityEnabled=0
When Service stop protection is enabled (by setting the highest bit to 1), the mvagtsvc service
does not accept stop commands. File protection and registry protection require the agent driver be
loaded, but service stop protection does not. Use these commands to load or unload the driver.
mvadm enable
mvadm disable
McAfee MOVE AV Multi-Platform Offload Scan Server
We recommend using the following VirusScan Enterprise access protection rules for self-protection of
the offload scan server. These must be configured manually after installation.
Protection type | Protection effects
File protection (via VirusScan Enterprise access protection) | Create a File/Folder Access Protection Rule that excludes the mvserver.exe process, and blocks the C:\Program Files (x86)\McAfee\MOVE AV Server\** folder. Set File actions to prevent to Write access to files, New files being created, and Files being deleted.
   See McAfee VirusScan Enterprise Product Guide for details.
Registry protection (VirusScan Enterprise access protection) | These registry keys and all keys and values under them must be protected:
   • HKCCS/Service/mvserver
   • HKCCS/Service/mvserver/Parameters
   • HKCCS/Service/mvserver/Parameters/ODS
A
Client command-line interface reference
You can access the McAfee MOVE AV Multi-Platform client command-line interface (CLI) on the agent
virtual machine to perform basic maintenance tasks.
The CLI is a series of commands that you can issue to the mvadm utility. Each command has arguments
that can be appended to the command to modify its behavior. This reference lists each command in
mvadm, and all argument variations.
Contents
Access the CLI
Password protected CLI
Access the CLI
A shortcut to the McAfee MOVE AV Multi-Platform command-line interface (CLI) is added to the
Windows Start menu during installation.
• Open the McAfee MOVE AV Multi-Platform CLI: click Start | Programs | McAfee | MOVE AV Client Command Prompt.
This command prompt has administrator rights.
At this command prompt, you can type commands that activate the mvadm utility to perform
administration tasks on the virtual machine.
config
Use the config command to display and edit the configuration settings that are applied to the current
installation.
mvadm config set NAME=VALUE
mvadm config show
Arguments | Description
set NAME=VALUE | Sets the value of the configuration setting NAME to VALUE.
show | Lists the configuration settings.
Parameter | Value | Description
AllowNetworkScan | 0 (off) or 1 (on). Defaults to 0. | Enables or disables scanning of files residing on a network path.
ConnTimeout | A positive integer value. Defaults to 0 (no timeout). | Sets the connection timeout in milliseconds.
EventSink | An integer between 0 (no notifications) and 14 (all notifications). Defaults to 14. | Determines where threat events are sent. The total combines the values for Windows Event Viewer log (2), ePolicy Orchestrator Threat Event Log (4), and McAfee system tray pop-up menu (8).
IntegrityEnabled | An integer between 0 (no self-protection) and 7 representing a binary value. Defaults to 7 (all self-protections). | Determines the active self-protections. The total combines the values for file (1), registry (2), and services (4).
LogFileNum | A positive integer value. Defaults to 4. | Limits the number of log files allowed before they are rotated.
LogFileSize | An integer greater than 1024. Defaults to 2048. | Limits the size (in KB) of an individual log file.
MaxFileSize | A positive integer value. Defaults to 40. | Limits the size (in MB) of files where scan results are cached. Files up to this size are transferred completely to the offload scan server for scanning.
QuarantineEnabled | 0 (off) or 1 (on). Defaults to 1. | Enables or disables quarantine services.
QuarantineFolder | A valid file path. Defaults to C:\Quarantine. | Determines where quarantined files are stored. Cannot be a mapped network drive or UNC file path.
QuarantineDays | A positive integer. Defaults to 28. | Determines the number of days quarantined files are stored before being deleted. Submitting a 0 turns off quarantined file deletion.
RTEMode | 0 (off) or 1 (on). Defaults to 0. | Indicates protection status on the virtual machine. This value cannot be changed through the config command.
ScanAllFileTypes | 0 (specific extensions) or 1 (all files). Defaults to 1. | Determines whether to scan all files or only specific extensions.
ScanFlags | An integer between 0 (no operations scanned) and 7 representing a binary value. Defaults to 7 (all operations scanned). | Determines which operations trigger scanning. The total combines the values for Read (1), Write (2), and Backup (4).
ScanTimeout | A positive integer. Defaults to 45000. | Limits the time (in milliseconds) allowed for file scans after which the file can be accessed.
ServerAddress1 | An IPv4 address or FQDN. No default. | Specifies the IPv4 address or FQDN of the primary offload scan server used by the virtual machine.
ServerAddress2 | An IPv4 address or FQDN. No default. | Specifies the IPv4 address or FQDN of the secondary offload scan server used by the virtual machine.
ServerPort1 | Between 1024 and 65535. Defaults to 9053. | Specifies the port used to communicate with the primary offload scan server.
ServerPort2 | Between 1024 and 65535. Defaults to 9053. | Specifies the port used to communicate with the secondary offload scan server.
ThreatAction1 | 0 (delete) or 1 (deny access). Defaults to 0. | Determines the primary action taken when a threat is detected.
ThreatAction2 | 0 (delete) or 1 (deny access). Defaults to 1. | Determines the secondary action taken when a threat is detected.
SVAManagerAddress | An IPv4 address or FQDN. No default. | Specifies the IPv4 address or FQDN of the SVA Manager.
SVAManagerPort | Between 1024 and 65535. Defaults to 8080. | Specifies the port used to communicate with SVA Manager.
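EventSink, IntegrityEnabled and ScanFlags are each a sum of component values, so a single number hides which protections are switched off. The following is an added example, not McAfee code: it decodes those totals using the values from the parameter table and reports what a client has turned off. The function names and the settings dictionary (values an operator has read from mvadm config show) are assumptions made for the illustration.

```python
# Added example (not McAfee code). Component values and defaults come from
# the parameter table above; SAMPLE is constructed input.

BITMASKS = {
    "EventSink": {2: "Windows Event Viewer log",
                  4: "ePolicy Orchestrator Threat Event Log",
                  8: "McAfee system tray pop-up"},
    "IntegrityEnabled": {1: "file", 2: "registry", 4: "services"},
    "ScanFlags": {1: "Read", 2: "Write", 4: "Backup"},
}
# On/off settings whose documented default is 1 (on).
TOGGLES = ("QuarantineEnabled", "ScanAllFileTypes")


def decode(name, value):
    """Split a combined value into (enabled, disabled, undocumented_bits)."""
    flags = BITMASKS[name]
    if value < 0:
        raise ValueError(f"{name} cannot be negative: {value}")
    enabled = [label for bit, label in sorted(flags.items()) if value & bit]
    disabled = [label for bit, label in sorted(flags.items()) if not value & bit]
    # Bits outside the documented components (for example EventSink=1).
    undocumented = value & ~sum(flags)
    return enabled, disabled, undocumented


def audit(settings):
    """Return one finding per protection that the supplied values switch off."""
    findings = []
    for name in BITMASKS:
        if name not in settings:
            continue  # only judge values the operator actually supplied
        value = int(settings[name])
        _, disabled, undocumented = decode(name, value)
        findings += [f"{name}={value}: {label} is off" for label in disabled]
        if undocumented:
            findings.append(f"{name}={value}: bits {undocumented} are not documented")
    for name in TOGGLES:
        if name in settings and int(settings[name]) == 0:
            findings.append(f"{name}=0: differs from the documented default of 1")
    return findings


# Constructed sample: tray pop-ups and registry self-protection are off,
# quarantine is disabled, scan triggers are left at the default.
SAMPLE = {"EventSink": 6, "IntegrityEnabled": 5, "ScanFlags": 7,
          "QuarantineEnabled": 0, "ScanAllFileTypes": 1}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```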
disable
Use the disable command to disable the McAfee MOVE AV client on the virtual machine.
mvadm disable
Arguments | Description
default | Disables the McAfee MOVE AV client on the virtual machine. This command removes virus protection from the virtual machine.
enable
Use the enable command to enable the McAfee MOVE AV client on the virtual machine.
mvadm enable
Arguments | Description
default | Enables the McAfee MOVE AV client. This restores virus protection to the virtual machine.
ftypes
Use the ftypes command to display and edit the list of file extensions to be sent for anti-virus
scanning.
mvadm ftypes add extn
mvadm ftypes remove extn
mvadm ftypes list
Wildcards are not supported by the ftypes command, and extensions must be an exact match.
Issuing an mvadm ftypes add doc command does not cause .DOCX files to be scanned.
Arguments | Description
add extn | Causes the files with extension extn to be included for anti-virus scanning.
remove extn | Removes the files with extension extn from the list of files to be included for anti-virus scanning.
list | Lists the file extensions to be included for anti-virus scanning.
help
Use the help command to display usage information for the mvadm utility.
mvadm help
mvadm help command
Arguments | Description
default | Lists the summary description for the McAfee MOVE AV client CLI commands.
command | Lists the detailed help for the provided command.
loglevel
Use the loglevel command to view and edit the log level of the McAfee MOVE AV client modules.
mvadm loglevel
mvadm loglevel enable {MODULE_NAME | ALL} {TYPES... | ALL}
mvadm loglevel disable {MODULE_NAME | ALL} {TYPES... | ALL}
Arguments | Description
default | Lists the current log level of each module that is part of the McAfee MOVE AV client. Use this form to get a full list of modules for use with other forms of the loglevel command.
enable {MODULE_NAME | ALL} {TYPES... | ALL} | Sets the log level for module MODULE_NAME or all modules to the specified log level types or to all types.
disable {MODULE_NAME | ALL} {TYPES... | ALL} | Clears the specified log level types or all types for module MODULE_NAME or for all modules.
These are the supported log level types:
• Error
• Detail
• Warning
• Fnentry
• System
• Fnexit
• Info
pp
Use the pp command to specify trusted processes. All files acted upon by a trusted process are
excluded from scans.
The process passthru rule supports these path formats:
• Just the process name, for example: xyz.exe
• Partial path, for example: abc\xyz.exe
• Complete path, for example: C:\abc\xyz.exe
• Windows path, for example: %windir%\abc\xyz.exe
Note these points while using the pp command to specify trusted processes:
• If %abc% does not resolve, skip it from the list.
• This format is only valid from McAfee ePO.
• This resolves the path with respect to the system user.
mvadm pp list
mvadm pp add <process path>
mvadm pp remove <process path>
mvadm pp set <process path>
Arguments | Description
list | Displays a list of all trusted processes.
add <process image path> | Adds the specified process (or processes) as a trusted process. As an example: mvadm pp add userprofilemanager.exe. All files acted upon by the userprofilemanager.exe file are excluded from the scan.
remove <process image path> | Removes the specified process (or processes) as a trusted process.
set <process image path> | Removes all existing trusted processes and adds the specified process (or processes) as trusted processes.
q
Use the q command to change McAfee MOVE AV Multi-Platform quarantine behavior.
mvadm q list
mvadm q restore <detected as>
mvadm q remove <detected as>
Arguments | Description
list | Lists the currently quarantined files and their detection type.
restore <detected as> | Restores all .VIR files from the currently configured quarantine folder with the specified <detected as> category.
remove <detected as> | Deletes all .VIR files from the currently configured quarantine folder with the specified <detected as> category.
status
Use the status command to display the current state of the McAfee MOVE AV client in terms of
operational mode (enabled or disabled) and its McAfee MOVE AV Multi-Platform offload scan server
details.
mvadm status
Arguments | Description
default | Lists the current McAfee MOVE AV client status.
Example
C:\Program Files\McAfee\MOVE AV client>mvadm status
Scan Configuration: Enabled
Driver Status: Driver is loaded
Primary Server: 10.216.19.210:9053 [Active]
Secondary Server: NONE:9053 [Not Configured]
SVA Manager: 10.216.19.154:8080 [Connecting]
Protection Status: Enabled
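Because mvadm disable removes virus protection from the virtual machine, the status output is worth checking automatically. The following is an added example, not McAfee code: it parses the status output shown above and reports fields that differ from it. Treating the values in the guide's example as the healthy ones is an assumption, as are the function names; state strings other than those shown are not documented on this page.

```python
import re

# Output copied from the guide's `mvadm status` example above.
GUIDE_SAMPLE = """\
Scan Configuration: Enabled
Driver Status: Driver is loaded
Primary Server: 10.216.19.210:9053 [Active]
Secondary Server: NONE:9053 [Not Configured]
SVA Manager: 10.216.19.154:8080 [Connecting]
Protection Status: Enabled
"""

FIELDS = ("Scan Configuration", "Driver Status", "Primary Server",
          "Secondary Server", "SVA Manager", "Protection Status")
# Assumption: the values the guide's example shows are the healthy ones.
HEALTHY = {"Scan Configuration": "Enabled",
           "Driver Status": "Driver is loaded",
           "Protection Status": "Enabled"}
# Matches "host:port [State]" as printed for the server lines.
ENDPOINT = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d+) \[(?P<state>[^\]]+)\]$")


def parse_status(text):
    """Map each known status field to a string or a host/port/state dict."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or key not in FIELDS:
            continue  # skips the prompt line and anything unrecognised
        match = ENDPOINT.match(value)
        status[key] = match.groupdict() if match else value
    return status


def assess(status):
    """Return findings; a missing field counts as a finding (fail closed)."""
    findings = []
    for field, healthy in HEALTHY.items():
        seen = status.get(field)
        if seen != healthy:
            findings.append(f"{field}: expected {healthy!r}, got {seen!r}")
    primary = status.get("Primary Server")
    if not isinstance(primary, dict) or primary["state"] != "Active":
        findings.append("Primary Server: not Active")
    secondary = status.get("Secondary Server")
    if isinstance(secondary, dict) and secondary["state"] == "Not Configured":
        findings.append("Secondary Server: no secondary offload scan server configured")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_status(GUIDE_SAMPLE)):
        print(finding)
```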
version
Use the version command to display the version of the McAfee MOVE AV client installed on the virtual
machine.
mvadm version
Arguments | Description
default | Displays the version of the McAfee MOVE AV client installed on the virtual machine. This is most useful for verifying that an upgrade operation is complete, or checking if an upgrade is needed.
Password protected CLI
Set the password protection through the client policy to prevent users from changing the AV settings,
or disabling the AV protection.
After setting the password, type the password to execute any of these commands on clients' mvadm
CLI.
• config
• filetypes
• disable
• procpassthru
• enable
• loglevel
Set password for client CLI
Specify the password in the ePolicy Orchestrator server to prevent users from changing the AV
settings, or disabling the AV protection on the client.
Before you begin
Make sure that you installed the MOVE‑AV_Ext_3.5.0_Licensed.zip extension into McAfee
ePO.
Task
For option definitions, click ? in the interface.
1. Log on to McAfee ePO as an administrator.
2. From the ePolicy Orchestrator console, click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client 3.5.0.
3. Click the name of an existing policy to edit it, then click the General tab.
4. Type the password in Local CLI Access Password, then retype it in Confirm Password.
5. Click Save to modify the policy.
You can now verify on the client system that the commands are password-protected.
B
Server command-line interface reference
You can access the command-line interface (CLI) on the offload scan server virtual machine to perform
basic maintenance tasks.
The CLI is a series of commands that you can issue to the mvadm utility. Each command has arguments
that can be appended to the command to modify the command's behavior. This reference lists each
command in mvadm, and all argument variations.
Access the CLI
A shortcut to the command-line interface (CLI) for the offload scan server is added to the Windows
Start menu during installation.
Task
• Open the McAfee MOVE AV Offload Scan Server CLI: click Start | Programs | McAfee | MOVE AV Server Command Prompt.
This command prompt has administrator rights.
At this command prompt, you can type commands that activate the mvadm utility to perform
administration tasks on the offload scan server.
cache
Use the cache command to perform operations on the Offload Scan Server's scan cache.
mvadm cache save cfilename
mvadm cache load cfilename
mvadm cache list
mvadm cache flush
mvadm cache info
Arguments | Description
save cfilename | Save the current set of checksums from the trusted checksum cache to the file cfilename.
load cfilename | Load the checksums from file cfilename to the trusted checksum cache.
list | List the checksums available in the trusted checksum cache.
flush | Remove all checksums from the trusted checksum cache.
info | Print details of the trusted checksum cache.
config
Use the config command to display and edit the configuration settings that are applied to current
installation.
mvadm config set NAME=VALUE
mvadm config show
Arguments | Description
set NAME=VALUE | Sets the value of the configuration setting NAME to VALUE.
show | Lists the configuration settings.

Parameters | Value | Description
ComputeCksum | 0 (server) or 1 (client). Defaults to 1. | Determines whether to use the server-computed checksum of the file or the checksum sent by the McAfee MOVE AV client.
ConnTimeout | A positive integer value. Defaults to 0 (no timeout). | Sets the connection timeout in milliseconds.
GTILevel | Between 0 (disabled) and 5 (Very High). Defaults to 1 (Very Low). | Sets the Global Threat Intelligence level.
IntegrityEnabled | 0 (off) or 1 (on). Defaults to 1. | Enables or disables the self-protection feature.
LogFileNum | A positive integer value. Defaults to 4. | Limits the number of log files allowed before they are rotated.
LogFileSize | An integer greater than 1024. Defaults to 2048. | Limits the size (in KB) of an individual log file.
MaxCacheItems | A positive integer value. Defaults to 1,000,000. | Limits the number of items that can exist in the cache.
NumThreads | Between 0 and 500. Defaults to 300. | Limits the number of available scan request threads.
ScanArchiveFiles | 0 (off) or 1 (on). Defaults to 0. | Enables or disables scanning inside archive files.
ScanPUPS | 0 (off) or 1 (on). Defaults to 0. | Enables or disables checking for potentially unwanted programs (PUPs). Scan behavior is determined by VirusScan Enterprise settings.
ServerPort1 | Between 1024 and 65535. Defaults to 9053. | Determines the port on which the server listens for client requests.
SVAManagerAddress | An IPv4 address or FQDN. No default. | Specifies the IPv4 address or FQDN of the SVA Manager.
SVAManagerPort | Between 1024 and 65535. Defaults to 8080. | Specifies the port used to communicate with SVA Manager.
RAMDiskEnabled | 1 (0x1) | Enables or disables the RAM disk option.
MaxNumClients | 250 (0xf4240) | Maximum number of clients, which can be connected to the OSS.
OSSGUID | <GUID> | Unique GUID required to register it to SVA Manager.
help
Use the help command to display usage information for the mvadm utility.
mvadm help
mvadm help command
Arguments | Description
default | Lists the summary description for the McAfee MOVE AV Offload Scan Server CLI commands.
command | Lists the detailed help for command command.
loglevel
Use the loglevel command to view and edit the log level of the McAfee MOVE AV Offload Scan Server
modules.
mvadm loglevel
mvadm loglevel enable {MODULE_NAME | ALL} {TYPES... | ALL}
mvadm loglevel disable {MODULE_NAME | ALL} {TYPES... | ALL}
Arguments | Description
default | Lists the current log level of each module in the McAfee MOVE AV Offload Scan Server. Use this form to get a full list of modules for use with the other forms of the loglevel command.
enable {MODULE_NAME | ALL} {TYPES... | ALL} | Sets the log level for module MODULE_NAME or all modules to the specified log level types or to all types.
disable {MODULE_NAME | ALL} {TYPES... | ALL} | Clears the specified log level types or all types for MODULE_NAME or for all modules.
These are the supported log level types:
• Error
• Detail
• Warning
• Fnentry
• System
• Fnexit
• Info
stats
Use the stats command to display the current statistics of the McAfee MOVE AV offload scan server.
mvadm stats
Arguments | Description
default | Displays current usage and performance statistics for the McAfee MOVE AV offload scan server. The statistics are collected in real time, and the displayed data is a snapshot of the information at the time the command was invoked. The full list of reported statistics is shown in the example output.
Example output
C:\>mvadm stats
Total number of cksum req: 13125
Total number of file transfer req: 11825
Total number of smart file req: 14
Total number of scans on RAM disk: 11825
Cksum cache hit: 1300
Total av scan req: 11825
Total av scan failure: 0
Data recv failure: 0
Resp send failure: 0
Total scan threads: 300
Total heart beat threads: 0
Total idle threads: 300
Number of requests in queue: 0
Number of items in cache: 0
Avg request process time: 0.045183 sec
Avg request wait time: 0.000000 sec
version
Use the version command to display the version of the McAfee MOVE AV offload scan server
application installed on the server virtual machine.
mvadm version
Arguments | Description
default | Displays the version number of the McAfee MOVE AV offload scan server. This is most useful for verifying that an update has completed successfully, or checking if an update is needed.
C
Install the offload scan server
Here are the steps for installing the offload scan server.
Before you begin
• A copy of the McAfee MOVE AV Multi-Platform offload scan server installation file (MOVE‑AV_Server_Setup_x86.exe) must be accessible to the virtual machine where you want to install the McAfee MOVE AV Multi-Platform offload scan server.
• VirusScan Enterprise 8.8 must be installed on the virtual server.
Task
For option definitions, click ? in the interface.
1. Run the McAfee MOVE AV offload scan server installation file (MOVE‑AV_Offload_Server_Setup_x86.exe) from the folder where you downloaded the file.
   McAfee recommends that you run the installation with elevated rights.
2. Read the license agreement, select Accept license agreement, then click Next.
3. Enter the user name and organization, then click Next.
4. Specify the preferred port where the MOVE AV Server service listens, then click Next.
   By default, the service is configured to listen on port 9053.
   The installer automatically makes an exception entry in the Windows Firewall settings on the McAfee MOVE AV offload scan server to allow communication on the specified port. If another firewall product is being used, configure it manually to allow communication on this port.
5. Select the Global Threat Intelligence (GTI) level.
   This setting can be changed after installation using the McAfee MOVE AV offload scan server command-line interface (CLI). GTI is also known as Artemis, and more information on Artemis can be found in the McAfee VirusScan Enterprise Product Guide.
6. Verify the installation settings, then click Install.
7. Verify the installation:
   • Confirm that the MOVE AV Server service is running from the Services control panel.
   • Confirm the following CLI access menu option has been added to the Windows Start menu: Start | Programs | McAfee | MOVE AV Server Command Prompt.