VirusScan® Enterprise version 7.1.0 Product Guide Revision 1.0

MCAFEE PRODUCT GUIDE


COPYRIGHT

© 2003 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972-963-8000.

TRADEMARK ATTRIBUTIONS

Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Appera, AVERT, Bomb Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert, Design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, E and Design, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy Orchestrator, Event Orchestrator (in Katakana), EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HelpDesk IQ, HomeGuard, Hunter, Impermia, InfiniStream, Intrusion Prevention Through Innovation, IntruShield, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and design, Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, MultiMedia Cloaking, NA Network Associates, Net Tools, Net Tools (in Katakana), NetAsyst, NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Performance Orchestrator, Network Policy Orchestrator, NetXray, NotesGuard, nPO, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PortalShield, Powered by SpamAssassin, PrimeSupport, Recoverkey, Recoverkey – International, Registry Wizard, Remote Desktop, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, SecureSelect, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller, SpamAssassin, Stalker, SupportMagic, ThreatScan, TIS, TMEG, Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail, UnInstaller, VIDS, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, What's The State Of Your IDS?, Who’s Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer® brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions

This product includes or may include:

Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

Cryptographic software written by Eric A. Young ([email protected]) and software written by Tim J. Hudson ([email protected]).

Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.

Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.

Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier. All rights reserved.

Software written by Douglas W. Sauder.

Software developed by the Apache Software Foundation (http://www.apache.org/).

International Components for Unicode (“ICU”) Copyright © 1995-2002 International Business Machines Corporation and others. All rights reserved.

Software developed by CrystalClear Software, Inc., Copyright © 2000 CrystalClear Software, Inc.

FEAD® Optimizer® technology, Copyright Netopsystems AG, Berlin, Germany.

Issued SEPTEMBER 2003 / VirusScan® Enterprise software version 7.1.0

DOCUMENT BUILD 011-EN


Contents

Preface
  Audience
  Conventions
  Getting information
  Contacting McAfee Security & Network Associates

1 Introducing VirusScan Enterprise
  What’s new in this release
  Product components

2 Getting Started
  Orientation to the user interface
    Start menu
    VirusScan Console
      Menu bar
        Task menu
        Edit menu
        View menu
        Tools menu
        Help menu
      Toolbar
      Task list
      Status bar
    Right-click menus
      Right-click menus from the console
      Right-click scan
    System tray
      Right-click scan or update from the system tray
    Command line
  Setting user interface options
    Display options
    Password options


    Unlocking and locking the user interface
  Setting up scanning operations
    On-access scanning vs. on-demand scanning
    Scanning automatically
    Scanning periodically, selectively, or on schedule
  Virus Information Library
  Submitting a virus sample
  Setting up remote administration

3 On-Access Scanning
  Configuring the on-access scanner
    On-access scan properties
    General settings
      General properties
      Message properties
      Report properties
    Process settings
    Default processes
      Process properties
      Detection properties
      Advanced properties
      Action properties
    Low-risk and high-risk processes
      Assigning risk to a process
      Process properties
      Detection properties
        Adding file type extensions
        Adding user-specified file type extensions
        Excluding files, folders, and drives
      Advanced properties
      Action properties
  Viewing scan results
    Viewing scan statistics
    Viewing the activity log
  Responding to virus detections
    Receiving notification of virus detections
    Viewing on-access scan messages
    Taking action on virus detections


4 On-Demand Scanning
  Creating on-demand tasks
    Creating tasks from the start menu or system tray
    Creating tasks from the console
  Configuring on-demand tasks
    Where properties
      Adding, removing, and editing items
        Adding items
        Removing items
        Editing items
    Detection properties
    Advanced properties
    Action properties
    Report properties
    Resetting or saving default settings
  Scheduling on-demand tasks
  Scanning operations
    Running on-demand tasks
    Pausing and restarting on-demand tasks
    Stopping on-demand tasks
    Resumable scanning
  Viewing scan results
    Viewing scan statistics
    Viewing the activity log
  Responding to virus detections
    Receiving notification of virus detections
    Taking action on virus detections
      VirusScan Alert dialog box
      On-Demand Scan Progress dialog box

5 E-mail Scanning
  On-delivery e-mail scan
    Configuring the on-delivery e-mail scan for a local or remote host
    Configuring the on-delivery e-mail scan properties
      Detection properties
      Advanced properties
      Action properties
      Alert properties


      Report properties
    Viewing on-delivery e-mail scan results
      Viewing on-delivery e-mail scan statistics
      Viewing the on-delivery e-mail activity log
  On-demand e-mail scan
    Configuring the on-demand e-mail task
      Detection properties
      Advanced properties
      Action properties
      Alert properties
      Report properties
    Running the on-demand e-mail task
    Viewing on-demand e-mail scan results
      Viewing the on-demand e-mail activity log

6 Virus Alerting
  Configuring Alert Manager
    Configuring recipients and methods
      Overview of adding alert methods
        Sending a test message
        Setting the alert priority level for recipients
      Viewing the Summary page
      Forwarding alert messages to another computer
      Sending an alert as a network message
      Sending alert messages to e-mail addresses
      Sending alert messages to a printer
      Sending alert messages via SNMP
      Launching a program as an alert
      Logging alert notifications in a computer’s event log
      Sending a network message to a terminal server
      Using Centralized Alerting
    Customizing alert messages
      Enabling and disabling alert messages
      Editing alert messages
        Changing alert priority
        Editing alert message text
        Using Alert Manager system variables


7 Updating
  Update strategies
  System variables
  AutoUpdate tasks
    AutoUpdate task overview
    Creating an AutoUpdate task
    Configuring an AutoUpdate task
    Running AutoUpdate tasks
      Running the update task
      Activities that occur during an update task
    Viewing the activity log
  AutoUpdate repository list
    AutoUpdate repositories
    Configuring the AutoUpdate repository list
      Importing the AutoUpdate repository list
      Editing the AutoUpdate repository list
        Adding and editing repositories
        Removing and reorganizing repositories
        Specifying proxy settings
  Mirror tasks
    Creating a mirror task
    Configuring a mirror task
    Running mirror tasks
    Viewing the mirror task activity log
  Rollback DAT files
  Manual updates
    Updating from DAT file archives

8 Scheduling Tasks
  Configuring task schedules
    Task properties
    Schedule properties
      Schedule task frequencies
      Advanced schedule options
      Scheduling tasks by frequency
        Daily
        Weekly
        Monthly


        Once
        At System Startup
        At Logon
        When Idle
        Run Immediately
        Run On Dialup

A Command-Line Scanner Program
  VirusScan Enterprise command-line options
  On-demand scanning command-line options
  Customized installation properties

B Secure Registry
  Registry keys requiring write access

C Troubleshooting
  Minimum Escalation Tool
  Frequently asked questions
    Installation questions
    Scanning questions
    Virus questions
    General questions
  Updating error codes

Glossary

Index


Preface

This guide introduces McAfee® VirusScan® Enterprise software version 7.1.0, and provides the following information:

Overview of the product.

Descriptions of product features.

Descriptions of all new features in this release of the software.

Detailed instructions for configuring and deploying the software.

Procedures for performing tasks.

Troubleshooting information.

Glossary of terms.

Audience

This information is intended primarily for two audiences:

Network administrators who are responsible for their company’s anti-virus and security program.

Users who are responsible for updating virus definition (DAT) files on their computer, or configuring the software’s detection options.


Conventions

This guide uses the following conventions:

Bold: All words from the user interface, including options, menus, buttons, and dialog box names.

Example: Type the User name and Password of the desired account.

Courier: Text that represents something the user types exactly; for example, a command at the system prompt.

Example: To enable the agent, run this command line on the client computer:

FRMINST.EXE /INSTALL=AGENT /SITEINFO=C:\TEMP\SITELIST.XML

Italic: Names of product manuals and topics (headings) within the manuals; emphasis; introducing a new term.

Example: Refer to the VirusScan Enterprise Product Guide for more information.

<TERM>: Angle brackets enclose a generic term.

Example: In the console tree under ePolicy Orchestrator, right-click <SERVER>.

NOTE: Supplemental information; for example, an alternate method of executing the same command.

WARNING: Important advice to protect a user, computer system, enterprise, software installation, or data.


Getting informationInstallation Guide *† System requirements and instructions for installing and starting the software.

VirusScan Enterprise 7.1.0 Installation Guide

Product Guide * Product introduction and features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures.

VirusScan Enterprise 7.1.0 Product Guide

Help § High-level and detailed information on configuring and using the software.

What’s This? field-level help.

Configuration Guide * For use with ePolicy Orchestrator™. Procedures for configuring, deploying, and managing your McAfee Security product through ePolicy Orchestrator management software.

Implementation Guide * Supplemental information for product features, tools, and components.

Release Notes ‡ ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.

Contacts ‡ Contact information for McAfee Security and Network Associates services and resources: technical support, customer service, AVERT (Anti-Virus Emergency Response Team), beta program, and training. This file also includes phone numbers, street addresses, web addresses, and fax numbers for Network Associates offices in the United States and around the world.

* An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site.

† A printed manual that accompanies the product CD. Note: Some language manuals may be available only as a .PDF file.

‡ Text files included with the software application and on the product CD.

§ Help accessed from the software application: Help menu and/or Help button for page-level help; right-click option for What’s This? help.


Contacting McAfee Security & Network Associates

Technical Support

Home Page http://www.networkassociates.com/us/support/

KnowledgeBase Search https://knowledgemap.nai.com/phpclient/homepage.aspx

PrimeSupport Service Portal * http://mysupport.nai.com

McAfee Security Beta Program http://www.networkassociates.com/us/downloads/beta/

Security Headquarters — AVERT (Anti-Virus Emergency Response Team)

Home Page http://www.networkassociates.com/us/security/home.asp

Virus Information Library http://vil.nai.com

Submit a Sample — AVERT WebImmune https://www.webimmune.net/default.asp

AVERT DAT Notification Service http://www.networkassociates.com/us/downloads/updates/

Download Site

Home Page http://www.networkassociates.com/us/downloads/

DAT File and Engine Updates http://www.networkassociates.com/us/downloads/updates/

ftp://ftp.nai.com/pub/antivirus/datfiles/4.x

Product Upgrades * https://secure.nai.com/us/forms/downloads/upgrades/login.asp

Training

McAfee Security University http://www.networkassociates.com/us/services/education/mcafee/university.htm

Network Associates Customer Service

E-mail [email protected]

Web http://www.nai.com/us/index.asp

http://www.networkassociates.com/us/products/mcafee_security_home.htm

US, Canada, and Latin America toll-free:

Phone +1-888-VIRUS NO or +1-888-847-8766

Monday – Friday, 8 a.m. – 8 p.m., Central Time

For additional information on contacting Network Associates and McAfee Security— including toll-free numbers for other geographic areas — see the Contact file that accompanies this product release.

* Logon credentials required.


1 Introducing VirusScan Enterprise

The VirusScan Enterprise 7.1.0 software provides protection from viruses for both servers and workstations. The software offers easy scalable protection, fast performance, and mobile design. You can specify scanning of local and network drives, as well as Microsoft Outlook e-mail messages and attachments, configure the application to respond to any infections the scanner finds, and generate reports on its actions.

The VirusScan Enterprise software is a replacement for:

VirusScan version 4.5.1 software for workstations.

NetShield® NT version 4.5 software for servers.

NetShield for Celerra™ version 4.5 for Celerra™ filers.

VirusScan Enterprise version 7.0 for workstations and servers.

This Product Guide provides information on configuring and using the VirusScan Enterprise software. For system requirements and installation instructions, refer to the VirusScan Enterprise Installation Guide.

The following topics are addressed in this section:

What’s new in this release

Product components


What’s new in this release

This release of VirusScan Enterprise includes the following enhancements:

Check Point™ VPN-1®/FireWall-1® SCV integration — The VirusScan Enterprise software has been enhanced to integrate with Check Point VPN-1/FireWall-1 SCV. When installed and enabled, the Check Point product can be configured to prevent clients without up-to-date anti-virus protection from accessing the corporate network through the Virtual Private Network (VPN).

See the VirusScan Enterprise 7.1.0 Installation Guide for more information about configuring Check Point.

McAfee Installation Designer™ and McAfee Desktop Firewall™ integration — Use McAfee Installation Designer to configure McAfee Desktop Firewall with VirusScan Enterprise 7.1.0. After configuration, you can deploy both products together and reduce restarts to a maximum of one.

See the McAfee Installation Designer Product Guide for more information.

Smaller installation package — The VirusScan Enterprise installation package has been optimized using Netopsystems’ Fast Electronic Application Distribution (FEAD® Optimizer®) technology. This reduces network bandwidth required in deployments. You can use McAfee Installation Designer 7.1 or later to recompose the package, then optimize the package again after changes have been made. When executing SETUP.EXE from the command line, you can apply special commands and switches to recompose the installation files.

See the VirusScan Enterprise 7.1.0 Installation Guide for more information about configuring Netopsystems’ FEAD Optimizer.

Engine and DAT files are contained in the .MSI file — The engine and DAT files have been added to the .MSI file for VirusScan Enterprise 7.1.0. This allows customers to deploy the product using a single .MSI file.

Visibility of ePolicy Orchestrator tasks — If you are using ePolicy Orchestrator 3.0 or later to manage the VirusScan Enterprise software, you can view ePolicy Orchestrator tasks for on-demand scan, update, and mirror in the VirusScan Console. This allows users to see all tasks running on their computers and also aids administrators and help desk operators in debugging ePolicy Orchestrator tasks over the phone.

See the VirusScan Enterprise 7.1.0 Configuration Guide for use with ePolicy Orchestrator 3.0 for details about enabling ePolicy Orchestrator task visibility.


Product components

The VirusScan Enterprise software consists of several components that are installed as features. Each feature plays a part in defending your computer against viruses and other potentially unwanted software. The features are:

VirusScan Console. The console is the control point that allows you to create, configure, and run VirusScan Enterprise tasks. A task can include anything from running a scan operation on a set of drives at a specific time or interval, to running an update operation. If you have administrator rights, you can also enable or disable the on-access scanner from the console, typing the password if one is required.

See VirusScan Console on page 19.

On-access scanner. The on-access scanner gives you continuous anti-virus protection from viruses that arrive on disks, from your network, or from various sources on the Internet. The scanner is fully configured upon installation of the software; it starts when you start your computer, and stays in memory until you shut down. The scanner provides process-based scanning that allows scanning policies to be linked to applications such as Internet Explorer. A flexible set of property pages lets you configure the scanner to determine which parts of your system to examine, what to look for, which parts to leave alone, and how to respond to any infected files the scanner finds. In addition, the scanner can alert you when it finds a virus, and can generate reports that summarize each of its actions.

See On-Access Scanning on page 39.

On-demand scanner. The on-demand scanner allows you to initiate a scan at any time; specify scan targets and exclusions; determine how you want the scanner to respond when it detects a virus; and see virus incident reports and alerts. You can also create scan tasks that run at a specific time or within a specified interval. You can define as many different on-demand scan tasks as you require, then preserve the configured tasks for reuse.

See On-Demand Scanning on page 85.

E-mail scanner. The e-mail scanner allows you to scan your Microsoft Outlook messages, attachments, or public folders to which you have access, directly on the computer. If Outlook is running, e-mail is scanned on-delivery. You can also perform an on-demand e-mail scan at any time. This allows you to find potential infections before they make their way to your desktop.

See E-mail Scanning on page 115.


AutoUpdate. The AutoUpdate feature allows you to update virus definition (DAT) files and the scanning engine automatically, then distribute those updates to computers on your network. You can also use this feature to download HotFixes. Depending on the size of your network, you can designate one or more trusted computers, including one that hosts your internal HTTP site, to download new files automatically from the Network Associates HTTP web site.

See Updating on page 187.

NOTE: AutoUpdate is one of the common core (common framework) technologies used by many products.

Scheduler. This feature allows you to schedule on-demand, update, and mirror tasks at specific times or intervals.

See Scheduling Tasks on page 221.

NOTE: The scheduler is one of the common core (common framework) technologies used by many products.

Alert Manager. The Alert Manager™ product gives you the ability to receive or send virus related alert messages. After it is installed, you can configure Alert Manager to notify you as soon as the scanner detects a virus on the computer, via e-mail, a printer, SNMP traps, or by other means. By default, Alert Manager is not preconfigured; you must configure the software before you can receive or send virus related alert messages.

See Virus Alerting on page 149 for specific details.

Command-line scanner. The command-line scanner can be used to initiate targeted scan operations from the Command Prompt dialog box. SCAN.EXE, a scanner for Windows NT environments only, is the primary command-line interface.

Ordinarily, you can use the VirusScan Enterprise interface to perform most scanning operations, but if you have trouble starting Windows or if the VirusScan Enterprise features do not run in your environment, you can use the command-line scanner as an alternative.

See Command-Line Scanner Program on page 239.


2 Getting Started

After you have installed the VirusScan Enterprise software, you can configure the features.

The following topics are addressed in this section:

Orientation to the user interface

Setting user interface options

Setting up scanning operations

Virus Information Library

Submitting a virus sample

Setting up remote administration


Orientation to the user interface

The VirusScan Enterprise software gives you the flexibility of performing an action using several different methods. Although the specific details may vary, many of the actions may be performed from the console, the toolbar, a menu, or the desktop. Each of these methods is detailed in the following sections.

These interfaces are addressed in this section:

Start menu

VirusScan Console

Right-click menus

System tray

Command line

Start menu

You can use the Start menu to:

Access Alert Manager configuration, if Alert Manager is installed.

Access the VirusScan Console.

Open the on-access scan property pages.

Open the on-demand scan property pages. This is a one-time unsaved on-demand scan.

Click Start, select Programs|Network Associates, then select a feature.

Figure 2-1. VirusScan — Start menu


VirusScan Console

The VirusScan Console is the control point for all of the program’s activities.

Use either of these methods to open the VirusScan Console:

Click Start, select Programs|Network Associates|VirusScan Console.

Right-click the VShield icon in the system tray, then select VirusScan Console.

The following topics are addressed in this section:

Menu bar

Toolbar

Task list

Status bar

Figure 2-2. The VirusScan Console


Menu bar

The VirusScan Console includes menus with commands that allow you to create, delete, configure, run, start, stop, and copy scan tasks to suit your most demanding security needs. You can also connect and disconnect from a remote VirusScan Enterprise computer. All of the commands are available from the menus. Some commands are also available when you right-click a task in the VirusScan Console.

The following menus are addressed in this section:

Task menu

Edit menu

View menu

Tools menu

Help menu

Task menu

Use the Task menu to create and configure tasks, and view statistics and activity logs.

NOTE: The menu items Start, Stop, Disable, Delete, Rename, Statistics, Activity Log, and Properties apply to the selected task.

Figure 2-3. Task menu


Edit menu

Use the Edit menu to copy and paste selected tasks.

View menu

Use the View menu to specify whether to show the toolbar and status bar, or refresh the console.

Tools menu

Use the Tools menu to configure alerts, launch the event viewer, specify user interface options, lock or unlock user interface security, connect or disconnect a computer when configuring a remote console, import or edit the repository list, and roll back DAT files to a previous version.

Figure 2-4. Edit menu

Figure 2-5. View menu

Figure 2-6. Tools menu


Help menu

Use the Help menu to access online Help topics, the virus information library, or the Technical Support web site. You can also submit a sample virus to the Anti-Virus Emergency Response Team (AVERT). The About dialog box gives you product, DAT file version, and scanning engine information.

Toolbar

The toolbar gives you quick access to many commands just by clicking an icon. The icons are:

Connect to a computer.

Disconnect from a computer.

Create a new task.

Display properties of the selected item.

Copy the selected item.

Paste the selected item.

Delete the selected item.

Start the selected item.

Stop the selected item.

Access the Virus Information Library.

Open the event viewer.

Configure alerting options.

Figure 2-7. Help menu


Task list

The VirusScan Console includes a list of tasks that VirusScan Enterprise can perform. A task is a set of instructions to run a program or scan operation, in a specific configuration, at a certain time.

To configure a task, select the task, then click or double-click the task to open its property pages. The following default tasks come with the VirusScan Enterprise software:

On-Access Scan. This task allows you to perform automatic on-access scanning. This task is unique and cannot be copied. To configure the on-access scanner, see On-Access Scanning on page 39.

AutoUpdate. This task allows you to download the latest virus definition (DAT) files and scanning engine. You can use this default update task and create other update tasks to meet your requirements. To create, configure, and schedule update tasks, see Updating on page 187.

E-mail Scan. This task allows you to perform on-delivery e-mail scanning. This task is unique and cannot be copied. To configure an on-delivery or on-demand e-mail task, see E-mail Scanning on page 115.

Scan All Fixed Disks. This task allows you to perform on-demand scanning. You can use this default on-demand scan task and create others to meet your requirements. To create, configure, and schedule on-demand tasks, see On-Demand Scanning on page 85.

Figure 2-8. Task list


Other tasks that you create from the VirusScan Console are added to the task list. For example:

New mirror task. This task allows you to create a mirror site for use in downloading update files. You can create any number of mirror tasks. For more information about mirror tasks see Mirror tasks on page 212.

In addition, you can view tasks created via ePolicy Orchestrator if you choose to do so.

ePO Task - task name. If you are using ePolicy Orchestrator 3.0 or later to manage the VirusScan Enterprise software, you can choose to view ePolicy Orchestrator tasks in the VirusScan Console. This applies to on-demand, update, and mirror tasks. See the VirusScan Enterprise Configuration Guide for use with ePolicy Orchestrator 3.0 for information about enabling ePolicy Orchestrator task visibility.

Status bar

The status bar shows the status of the current activity.

Right-click menus

Use right-click menus for quick access to commonly used actions, such as creating new tasks, viewing task statistics and logs, opening task property pages, or scanning a specific file or folder for viruses.

Right-click menus from the console. The right-click menus available from the VirusScan Console vary, depending on whether you have selected a task in the task list, and on which task you select. See Right-click menus from the console on page 25 for details.

Right-click scan. This right-click scan feature allows you to select a specific file or folder and immediately scan it for viruses. See Right-click scan on page 25 for details.

Right-click scan from the system tray. This right-click scan feature allows you to create a one-time, unsaved on-demand scan task. See Right-click scan or update from the system tray on page 26 for details.


Right-click menus from the console

You have these options when you right-click an item in the task list:

On-access Scan. If you right-click the on-access scan task in the task list, you can enable or disable the task, view task statistics, view the activity log, and open the property pages.

Update. If you right-click an update task in the task list, you can start or stop the task, delete the task, rename the task, view the activity log, and open the property pages.

E-mail Scan. If you right-click an e-mail scan task in the task list, you can enable or disable the task, view task statistics, view the activity log, and open the property pages.

On-demand Scan. If you right-click an on-demand scan task in the task list, you can start or stop the task, copy or paste the task, delete the task, rename the task, view task statistics, view the activity log, and open the property pages.

When you right-click a blank area in the console, without selecting an item in the task list, you can perform these actions:

New Scan task. Create a new on-demand scan task.

New Update task. Create a new update task.

New Mirror task. Create a new mirror task.

Paste. Paste a copied task into the task list.

User Interface options. Access the User Interface Options property pages. See Setting user interface options on page 27 for information about setting these options.

Right-click scan

You can perform an immediate on-demand scan of a selected file or folder by right-clicking on the file or folder in Windows Explorer, then selecting Scan for viruses. This is also known as shell extension scan. The on-demand scanner is invoked directly with all scan settings, such as archive scanning, heuristic scanning, and other options, enabled. This is useful if you are concerned that a specific folder or file may be infected.

If a file or folder is found to be infected, it is displayed in a list view with the details of the infected item at the bottom of the scanning dialog box. You can take action on the infected item by right-clicking on it in the list view, and selecting either the clean, delete, or move action.

You cannot customize scan options when performing a right-click scan. To customize the scan options or create a new on-demand scan task, see Creating on-demand tasks on page 86 for more information.


System tray

The on-access scanner installs and activates itself by default when you perform a typical installation. Once active, the scanner displays the Vshield icon in the Windows system tray.

Double-click the Vshield icon in the system tray to view On-Access Scan Statistics.

Right-click scan or update from the system tray

Use this feature to create a one-time, unsaved on-demand scan or update task. This is useful when you want to quickly scan a drive, folder, or file at a time other than your regularly scheduled on-demand scan or perform an immediate update.

Right-click the Vshield icon in the system tray to display the menu.

The system tray menu includes these options:

VirusScan Console. Display the VirusScan Console.

Disable On-Access Scan. Deactivate the on-access scanner. This function toggles between Disable On-Access Scan and Enable On-Access Scan.

On-Access Scan Properties. Open the on-access scanner property pages to configure the on-access scanner.

On-Access Scan Statistics. View on-access scanner statistics. You can enable or disable the on-access scanner or open the on-access scanner property pages.

On-Access Scan Messages. View the on-access scanner messages. You can remove a message, clean a file, delete a file, or move a file.

On-Demand Scan. Open the on-demand scanner property pages to configure the on-demand scanner to perform a one-time unsaved on-demand scan.

Figure 2-9. System tray menu


Update Now. Perform an immediate update of the default update task.

NOTE: Update Now only works with the default update task, which was created when you installed the product. You can rename and reconfigure the default update task, but if you delete the default task, Update Now becomes disabled.

About VirusScan Enterprise. View specific information about the installed software, such as virus definition (DAT) file and scanning engine version numbers, as well as license information for the product.

Command line

Use the command line feature to perform activities from the Command Prompt. See Command-Line Scanner Program on page 239 for more information.

Setting user interface options

Use these options to specify display and password settings when installing the program, through McAfee Installation Designer, or from the Tools menu in the VirusScan Console after installation.

This section describes how to set the display and password options from the console. The following topics are addressed in this section:

Display options

Password options

Unlocking and locking the user interface


Display options

The Display Options dialog box allows you to determine which system tray options users can access and set refresh time for the local console.

To set display options from the console:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|User Interface Options|Display Options.

3 Determine which system tray options you want users to see. Under System tray icon, select an option:

Show the system tray icon with all menu options. This option is selected by default. Allow users to see all menu options on the system tray.

Show the system tray icon with minimal menu options. Limit the right-click menu items to only the About and On-Access Scan Statistics items. All other menu items are hidden on the right-click menu.

Do not show the system tray icon. Do not allow users to have access to the system tray icon.

4 Under Local console refresh time, select how often, in seconds, you want the console to refresh.

5 Click Apply, then OK to save your changes and close the dialog box.

Figure 2-10. Display Options


Password options

The Password Options dialog box allows you to set a security password for the entire system or for only the tabs and controls you select. The same password is used for all the selected tabs and controls.

Setting a password has the following impact for users:

Non-administrators — Users who do not have Windows NT administrator rights. Non-administrators always run all VirusScan Enterprise applications in read-only mode. They can view some configuration parameters, run saved scan tasks, and run immediate scans and updates. They cannot change any configuration parameters or create, delete, or modify saved scan and update tasks.

Administrators — Users who have Windows NT administrator rights. If a password is not set, administrators run all VirusScan Enterprise applications in read/write mode. They can view and change all configuration parameters, run tasks, and create, delete, and modify saved scan and update tasks. If a password is set, administrators see the protected tabs and controls in read-only mode if they have not entered the security password. Administrators can lock or unlock the user interface through the console. See Unlocking and locking the user interface on page 32 for more information.

NOTE: A locked red padlock indicates a password is required for the item. An unlocked green padlock indicates the item is read/write accessible.


To set password options from the console:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|User Interface Options|Password Options.

3 Choose one of these options:

No password. This option is selected by default.

Password protection for all items listed below. Users must type the specified password before they can access any locked tabs or controls in the software.

Password protection for the selected items below. Users must type the specified password before they can access the items you lock here. Items not locked do not require a password.

Figure 2-11. Password Options

Select Password protection for all items listed below.

Type and confirm the password.

Select Password protection for the selected items below.

Type and confirm the password.

Select all the items for which this password applies.


4 Click Apply to save your changes.

5 Click OK.

WARNING: If the Console and Miscellaneous password item is locked, you cannot perform the following:

Enable or disable on-access scanning — The menu items to enable and disable on-access scanning, and equivalent toolbar icons, are disabled. In addition, the Disable button on the VirusScan On-Access Scan Statistics dialog box is disabled.

Enable or disable e-mail scanning — The menu items to enable and disable e-mail scanning, and equivalent toolbar icons, are disabled. In addition, the Disable button on the VirusScan On-Delivery E-mail Scan Statistics dialog box is disabled.

Create a new on-demand scan task, update task, or mirror task — The menu items to create new tasks, and equivalent toolbar icons are disabled. In addition for on-demand scanning tasks, the Save As and Save As Default buttons on the VirusScan On-Demand Scan Properties dialog box are disabled.

Delete a task — The menu item to delete a task and equivalent toolbar icon are disabled.

Rename a task — The menu item to rename a task and equivalent toolbar icon are disabled.

Copy or paste a task — The menu items to copy and paste a task, and equivalent toolbar icons are disabled.

Roll back the DAT files — The menu item to roll back the DAT files is disabled.


Unlocking and locking the user interface

Administrators can unlock and lock protected tabs and controls through the console.

NOTE: If password protection is selected for any item, the User Interface Options dialog box is automatically protected as well. If password protection has been set for any item and the user logs out, the user interface is automatically locked again.

To unlock the user interface:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|Unlock User Interface.

3 Type the password.

4 Click OK.

To lock the user interface:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|Lock User Interface.

Figure 2-12. Security Password


Setting up scanning operations

The VirusScan Enterprise software provides different types of scanning for different needs.

The following topics are addressed in this section:

On-access scanning vs. on-demand scanning

Scanning automatically

Scanning periodically, selectively, or on schedule

On-access scanning vs. on-demand scanning

The VirusScan Enterprise software provides two types of scanning activities. You can perform scanning activities:

Scanning automatically

Scanning periodically, selectively, or on schedule

On-access scanning. Automatic scanning for viruses is called on-access scanning. You must have administrator rights, and the password if one is required, to configure the on-access scan. See Scanning automatically on page 34 for more information.

On-demand scanning. Periodic, selective, or scheduled scanning is called on-demand scanning. You must have administrator rights, and the password if one is required, to schedule an on-demand scan task, but any user can run an on-demand task. See Scanning periodically, selectively, or on schedule on page 35 for more information.

Because the on-access scanner provides your computer with ongoing, background scanning protection, it may seem redundant to run on-demand scan tasks. But good anti-virus security measures incorporate complete, regular system scans because:

On-access scanning operations examine files as they are accessed or used. The on-access scanner looks for viruses as files are used. If there is a rarely-used but infected file on your system, the on-access scanner does not detect the virus until the file is used. However, on-demand scan operations can detect viruses in files stored on your hard disk, even if no one has yet used them. An on-demand scan operation can detect a virus before the file executes.

Viruses are unexpected. Accidentally leaving a disk in your drive as you start your computer could load a virus into memory before the on-access service starts, particularly if you do not have the service configured to scan disks. Once in memory, a potent virus can infect nearly any program.


On-access scanning takes time and resources. Scanning for viruses as you run, copy or save files can delay software launch times and other tasks. Depending on your situation, this could be time you might devote to important work. Although the impact is slight, you might be tempted to disable on-access scanning if you need every bit of available system power for demanding tasks. In that case, performing regular scan operations during idle periods can guard your system against infection without compromising performance.

Good security is redundant security. In the networked, web-centric world in which most computer users operate today, it takes only a moment to download a virus from a source you might not even realize you visited. If a software conflict disables background scanning for a moment, or if background scanning is not configured to watch a vulnerable entry point, you could end up with a virus. Regular scan operations can often catch infections before they spread or do any harm.

Scanning automatically

On-access scanning provides continuous, real-time virus detection and response, based on users’ activities. The VirusScan Enterprise anti-virus software program provides a single on-access scan task, which checks for infections each time a network user writes a file to the computer or reads a file from the computer. The scanner attempts to clean any infection it finds, and records its activities in a log file. You can change its settings to define:

Files and file types to be scanned.

Circumstances that precipitate a scan.

Action you want the scanner to take when it detects an infection.

Contents, if any, of the scanner’s activity report.

Files to exclude from on-access scanning.

See On-Access Scanning on page 39 for specific details about configuring on-access scanning.

Scanning periodically, selectively, or on schedule

Two types of on-demand scan tasks are available:

One-time, unsaved on-demand scan tasks.

Saved on-demand scan tasks.

A one-time unsaved on-demand task can be configured and scheduled, but is not saved for future use unless you choose to save it.

A saved on-demand scan task can be planned in advance, and run whenever you feel it is necessary, or on a regularly scheduled basis. You can create an unlimited number of scan tasks that target specific locations on the network. You can define them narrowly to a specific drive, folder, or file, or broadly, to multiple drives, folders, or files. Once created, saved scan tasks remain available until they are deleted from the VirusScan Console. They can be edited, as needed.

For a complete discussion of setting up on-demand scanning activities, see On-Demand Scanning on page 85.

Virus Information Library

The McAfee Security Anti-Virus Emergency Response Team (AVERT) Virus Information Library has detailed information on where viruses come from, how they infect your system, and how to remove them.

In addition to genuine viruses, the Virus Information Library contains useful information on virus hoaxes, those dire e-mail warnings about disk-eating attachments. A Virtual Card For You and SULFNBK are two of the best-known hoaxes, but there are many others. Next time you receive a well-meaning virus warning, view our hoax page before you pass the message on to your friends.

To access the Virus Information Library:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Virus Information from the Help menu.

Submitting a virus sample

If you have a suspicious file that you believe contains a virus, or experience a system condition that might result from an infection, McAfee Security recommends that you send a sample to its anti-virus research team for analysis. Submission initiates not only an analysis but also a real-time fix, if warranted.

To submit a sample virus to AVERT:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Submit a Sample from the Help menu.

3 Follow the directions on the web site.

Figure 2-13. VirusScan Console

Setting up remote administration

You can perform operations such as modifying or scheduling scanning or update tasks, or enabling or disabling the on-access scanner on a remote computer. To do so, you must have administrator rights and the Remote Registry Service must be running.

NOTE: If you do not have administrator rights to connect to the remote computer, you receive an Insufficient user rights, access denied error message.

When you start the VirusScan Console, the name of the computer you are connected to appears in the console title bar, and in the menu at the left of the console toolbar. If you have not connected to a computer elsewhere on the network, the title bar shows the name of your local computer.

To administer a remote computer on which the VirusScan Enterprise program is installed:

1 From the Tools menu, select Remote Connection or click in the toolbar.

The Connect to Remote Computer dialog box appears.

2 Click to select a computer in the Connect to computer list or type the name of the computer that you want to administer in the text box. You can also click Browse to locate the computer on the network.

NOTE: If environment variables are used while configuring the path name of the file or folder for a remote task, be sure that the environment variable exists on the remote computer. The VirusScan Console cannot validate environment variables on the remote computer.

Figure 2-14. Connect to Remote Computer

3 Click OK to make a connection attempt to the destination computer.

NOTE: When you connect to the remote computer, the title bar changes to reflect that computer’s name, and the tasks in the task list are those for the remote computer. You can add, delete, or reconfigure tasks for the remote computer.

The console reads the remote computer’s registry and displays the tasks of the remote computer. Once the tasks appear in the console, you can work with them as you would on a local computer.

To disconnect from the computer you have connected to, click in the console toolbar, or select Disconnect Computer from the Tools menu. When you disconnect from the remote computer, the console refreshes to display the local computer’s tasks.

3

On-Access Scanning

The VirusScan Enterprise anti-virus program uses its on-access scanner to provide your computer with continuous, real-time virus detection and response based on the settings you configure. You can configure process-based scanning that allows scanning policies to be linked to applications.

When an infection is detected, the on-access scanner records a message with details about the infected file, and allows you to quickly access the message and take immediate action on the infected file.

The following topics are addressed in this section:

Configuring the on-access scanner

Viewing scan results

Responding to virus detections

Configuring the on-access scanner

To ensure its optimal performance on your computer or in your network environment, you need to configure the program to determine what you want it to scan, what you want it to do if it finds a virus, and how it should notify you when it has.

The on-access scanner comes configured with most response properties enabled. By default, the scanner is set to clean a virus when it finds one. If the virus is not cleanable, the default secondary action is to quarantine the virus. The scanner also records the incident in the log file.

The following topics are addressed in this section:

On-access scan properties

General settings

Process settings

Adding file type extensions

Adding user-specified file type extensions

Excluding files, folders, and drives

On-access scan properties

To configure the on-access scanner:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Open the On-Access Scan Properties using one of these methods:

Select On-Access Scan Properties from the console’s Task menu.

Right-click On-Access Scan in the console, then select Properties.

Double-click On-Access Scan in the console.

Highlight On-Access Scan in the console, then click in the console toolbar.

Right-click in the system tray and select On-Access Scan Properties.

Click Start, then select Programs|Network Associates|VirusScan On-Access Scan.

Figure 3-1. VirusScan Console

The On-Access Scan Properties dialog box appears.

The On-Access Scan Properties dialog box allows you to configure general settings and three types of processes. The icons in the left pane of the dialog box give you access to the configurable options.

When the On-Access Properties dialog box first opens, the default view provides access to properties for General Settings and All Processes.

General Settings. Set general detection, message, and reporting properties for all types of processes. See General settings on page 43 for detailed information about setting these properties.

All Processes. Set process, detection, advanced, and action properties to be the same for all processes, or set them to be different for default, low-risk and/or high-risk processes. See Process settings on page 49 for detailed information about setting these properties.

Figure 3-2. On-Access Scan Properties — default view

General settings

The properties you specify in General Settings apply to default, low-risk, and high-risk processes.

These properties can be configured:

General properties

Message properties

Report properties

General properties

Use the options on the General tab to configure basic properties for on-access scanning.

1 Open the On-Access Scan Properties dialog box, then select General Settings in the left pane.

2 Select the General tab.

Figure 3-3. General Settings — General tab

3 Under Scan, choose which parts of the computer you want the scanner to examine. Select from these options:

Boot sectors. This option is selected by default. Include the disk boot sector during scanning activities. The scanner includes the disk boot sector when a disk is mounted. In some situations it may be appropriate to disable boot sector analysis when a disk contains a unique or abnormal boot sector that cannot be subjected to virus scanning.

Floppy during shutdown. This option is selected by default. Scan the boot sector of any floppy disk left in your drive as you shut down your computer. If the disk is infected, the computer does not shut down until the disk is removed.

4 Under General, select from these options:

Enable on-access scanning at system startup. This option is selected by default. Start the on-access service when you start your computer.

Quarantine Folder. Accept the default location and name for the quarantine folder, type a path to a different location for the quarantine folder, or click Browse to locate a suitable folder on your local drive.

The default location and name for the quarantine folder is:

<drive>:\quarantine

NOTE: The quarantine folder should not be located on a floppy drive or CD drive. It must be located on a hard drive.

5 Under Scan time, specify the maximum archive and scanning time, in seconds, for all files. If a file takes longer than the specified time to scan, the scan stops cleanly and a message is logged. If the scan cannot be stopped cleanly, it terminates and restarts, and a different message is logged. Select from these options:

Maximum archive scan time (seconds). The default setting is 15 seconds. Accept the default or select the maximum number of seconds the scanner should spend scanning an archive file. The time you select for the archive time must be less than the time you select for scanning all files.

Enforce a maximum scanning time for all files. This option is selected by default. Define a maximum scanning time and enforce it for all files.

Maximum scan time (seconds). The default setting is 45 seconds. Accept the default or select the maximum number of seconds the scanner should spend scanning a file.

6 Click Apply to save your changes.

Message properties

Use the options on the Messages tab to configure user message properties for on-access scanning.

1 Open the On-Access Scan Properties dialog box, then select General Settings in the left pane.

2 Select the Messages tab.

3 Under Messages for local users, select message options. Some of these options apply to all users and others apply only to users without administrator rights.

These options apply to all users:

Show the messages dialog when a virus is detected. This option is selected by default. Display the On-Access Scan Messages dialog box when a virus is detected. See Responding to virus detections on page 80 for more information about the On-Access Scan Messages dialog box.

Text to display in message. If you selected Show the messages dialog when a virus is detected, you can accept the default message or type a custom message that displays when an infection is detected. The default message is VirusScan Alert!

Figure 3-4. General Settings — Messages tab

The following options apply to the actions that users without administrator rights are allowed to take on messages listed in the On-Access Scan Messages dialog box. Select any combination of these options:

Remove messages from the list. This option is selected by default. Allow users without administrator rights to remove messages from the list.

Clean infected files. This option is selected by default. Allow users without administrator rights to clean infected files referenced by the messages in the list.

Delete infected files. Allow users without administrator rights to delete infected files referenced by the messages in the list.

Move infected files to the quarantine folder. This option is selected by default. Allow users without administrator rights to move infected files, which are referenced by messages in the list, to the quarantine folder.

4 Under Response to network users, select from these options:

Send message to user. Send a message to the network user when a virus is detected. For example, you can send an alert message to a network user who is working on a remote computer and accesses the protected file system through a network share.

If you select this option, you can accept the default message or type a custom message in the text box provided. The default message is Virus Alert!!!

WARNING: The Windows Messenger service must be running to receive this message.

Disconnect remote users and deny access to network share. Automatically disconnect any user who reads from, or writes to, an infected file in a shared folder on your computer. The scanner then rewrites the permissions to exclude the user who attempted to read from, or write to, the infected file in the shared folder.

5 Click Apply to save your changes.

Report properties

Use the options on the Reports tab to configure logging activity and specify what information you want to capture for each log entry.

NOTE: The log file can serve as an important management tool for tracking virus activity on your network and for noting which settings you used to detect and respond to any virus that the scanner found. The incident reports recorded in the file can help you determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer. See Viewing the activity log on page 79 for more information about how to view the log.

To configure Reports properties:

1 Open the On-Access Scan Properties dialog box, then select General Settings in the left pane.

2 Select the Reports tab.

Figure 3-5. General Settings — Reports tab

3 Under Log file, select from these options:

Log to file. This option is selected by default. Record on-access scanning virus activity in a log file.

In the text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable file elsewhere on your computer or network.

NOTE: By default, the scanner writes log information to the ONACCESSSCANLOG.TXT file in this folder:

<drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan

Limit size of log file to. This option is selected by default. The default log file size is 1MB. Accept the default log size or set a different size for the log. If you select this option, type a value between 1MB and 999MB.

NOTE: If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.

4 Under What to log in addition to virus activity, select the additional information that you want to record in the log file:

Session settings. Record the properties that you chose for each scanning session in the log file.

NOTE: A scanning session is the period of time that the scanner remains loaded in memory on your computer. It ends when you either unload the program or restart your computer.

Session summary. This option is selected by default. Summarize the scanner’s actions during each scanning session and add the information to the log file. Summary information includes the number of files scanned, the number and type of viruses detected, the number of files moved, cleaned, or deleted, and other information.

Failure to scan encrypted files. This option is selected by default. Record in the log file the names of encrypted files that the scanner failed to scan.

User name. This option is selected by default. Record in the log file the name of the user logged on to the computer at the time the scanner records each log entry.

5 Click Apply to save your changes.
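The size limit described under Limit size of log file to determines how far back the log reaches when you later need it to reconstruct an incident. The following Python model is an added example, not code from the product guide or from VirusScan Enterprise; it assumes one CRLF-terminated line per entry, trimming by entry count before the new entry is appended, and constructed fixed-length sample entries.

```python
"""Model of a size-limited log that drops its oldest 20 percent when full."""

LINE_ENDING_BYTES = 2  # assumption: each entry is one CRLF-terminated line


def entry_size(entry):
    """Bytes one entry occupies on disk under the assumptions above."""
    return len(entry.encode("utf-8")) + LINE_ENDING_BYTES


def log_size(entries):
    """Total size in bytes of all entries currently in the log."""
    return sum(entry_size(e) for e in entries)


def append_entry(entries, new_entry, limit_bytes):
    """Append new_entry, trimming the oldest 20 percent while the log is full.

    Returns (entries_after_append, entries_dropped). Entries are ordered
    oldest first. Trimming by entry count is an assumption of this model.
    """
    kept = list(entries)
    dropped = []
    while kept and log_size(kept) + entry_size(new_entry) > limit_bytes:
        cut = (len(kept) + 4) // 5  # ceiling of 20 percent, at least one entry
        dropped.extend(kept[:cut])
        kept = kept[cut:]
    kept.append(new_entry)
    return kept, dropped


def make_entry(seq):
    """Constructed 98-character sample entry; real log lines vary in length."""
    return f"entry-{seq:06d}".ljust(98, ".")


def simulate(total_entries, limit_bytes):
    """Write total_entries sample entries and report what survives."""
    log, lost = [], 0
    for seq in range(1, total_entries + 1):
        log, dropped = append_entry(log, make_entry(seq), limit_bytes)
        lost += len(dropped)
    return {
        "kept": len(log),
        "lost": lost,
        "oldest_kept": log[0][:12] if log else None,
        "size_bytes": log_size(log),
    }


if __name__ == "__main__":
    # Constructed scenario: a 1000-byte limit holds ten 100-byte entries.
    result = simulate(total_entries=25, limit_bytes=1000)
    print(result)
    print("History lost to trimming:", result["lost"], "entries")
```

Under these assumptions the log settles between 80 and 100 percent of its limit, so the usable history is set by the limit divided by the rate at which entries are written.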

Process settings

Choose whether to use the same settings for all processes, or whether to specify different settings for default, low-risk, and high-risk processes.

Use the settings on these tabs for all processes. Specify the same scanning properties for all processes. The procedure for setting properties for all processes is the same as the procedure for setting properties for default processes. See Default processes on page 50 for a step-by-step procedure.

Use different settings for high-risk and low-risk processes. Specify different properties for processes based on whether they are default processes or are defined as low-risk or high-risk. See Low-risk and high-risk processes on page 60 for more information.

Figure 3-6. On-Access Scan Properties — All Processes

NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.

These topics are addressed in this section:

Default processes

Low-risk and high-risk processes

Default processes

A default process is any process that is not defined as a low-risk or high-risk process.

NOTE: When setting properties for all processes, follow the procedures for setting default process properties.

These properties can be configured:

Process properties

Detection properties

Advanced properties

Action properties

Figure 3-7. On-Access Scan Properties

Process properties

Use the options on the Processes tab to specify properties for default processes or all processes:

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select the Processes tab if it is not already selected, then select one of these options:

Use the settings on these tabs for all processes. This option is selected by default. If you specify properties with this option selected, the properties you select apply to all processes. You cannot set different properties for default, low-risk and high-risk processes.

Use different settings for high-risk and low-risk processes. Set different properties for default, low-risk and high-risk processes.

NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.

3 Click Apply to save your changes.

Figure 3-8. Default Processes — Processes tab

Detection properties

Use the options on the Detection tab to specify what types of files you want the on-access scanner to examine, and when you want to scan them.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select one of these options:

Use the settings on these tabs for all processes. This option is selected by default. If you specify properties with this option selected, the properties you select apply to all processes. You cannot set different properties for default, low-risk and high-risk processes.

Use different settings for high-risk and low-risk processes. Set different properties for default, low-risk and high-risk processes.

NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.

3 Select the Detection tab.

Figure 3-9. Default Processes — Detection tab

4 Under Scan Files, select any combination of these scanning options:

When writing to disk. This option is selected by default. Scan all files as they are written to or modified on the server, workstation, or other data storage device.

When reading from disk. This option is selected by default. Scan all files as they are read from the server, workstation, or other data storage device.

On network drives. Include network resources during on-access scans. This is a convenient way to extend virus protection.

NOTE: Including network resources could have a negative effect on the overall performance of the system that is running the scan.

WARNING: If you are copying or moving a file from one computer to another, and the on-access scan properties on both computers have been configured to scan files both written to disk and read from disk, scanning occurs when the file is read by the source computer and again when it is written to the destination computer.

If the prevailing traffic pattern on your network is copying or moving files from one computer to another, you may want to configure your scanning properties to scan only files written to disk, and not to scan files read from disk. This eliminates double-scanning of the same file. It is possible to achieve the same result by configuring all computers to scan only files read from them, and not files written to them.

If you use either of these configuration patterns, it is important that all computers be configured identically. Do not configure some computers to scan only files written to disk, and others to scan only files read from disk. This would allow an infected file to be copied from a computer that scans only files written to disk to a computer that scans only files read from disk.

5 Under What to scan, select from these options:

All files. This option is selected by default. Scan all files regardless of extension.

Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file. You can add or remove user-specified file type extensions, but you cannot delete any file type extensions from the default list. You can, however, exclude extensions that appear in the default list. See Excluding files, folders, and drives on page 70 for more information.

Additions. If you selected Default + additional file types, click Additions to add or remove user-specified file type extensions. See Adding file type extensions on page 68 for detailed instructions.

The maximum number of additional extensions that the on-access scanner can list is 1,000.

Also scan for macro viruses in all files. Scan all files, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.

NOTE: Scanning for macro viruses in all files could affect performance.

Specified file types. Scan only the extensions you specify.

Specified. If you selected Specified file types, click Specified to add or remove user-specified file type extensions. You can also set the list of file type extensions to the default list. See Adding user-specified file type extensions on page 69 for detailed instructions.

The maximum number of specified extensions that the on-access scanner can list is 1,000.

6 Under What not to scan, click Exclusions to specify the files, folders, and drives that you want to exclude from scanning. See Excluding files, folders, and drives on page 70 for detailed instructions.

7 Click Apply to save your changes.
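The WARNING under Scan Files in step 4 requires every computer to use the same read/write scanning pattern, and that requirement can be checked across a fleet. The following Python sketch is an added example, not part of the product guide or the VirusScan software; the host names, the HostScanConfig fields and both fleets are constructed stand-ins for each computer's When reading from disk and When writing to disk settings.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class HostScanConfig:
    """On-access 'Scan Files' choices for one computer (hypothetical model)."""
    name: str
    scan_on_read: bool   # "When reading from disk"
    scan_on_write: bool  # "When writing to disk"


def scans_during_copy(src, dst):
    """Number of on-access scans a file receives when copied from src to dst.

    The source computer reads the file and the destination computer writes
    it, so only the source's read setting and the destination's write
    setting apply to the transfer.
    """
    return int(src.scan_on_read) + int(dst.scan_on_write)


def audit_fleet(hosts):
    """Classify every ordered (source, destination) pair of distinct hosts."""
    labels = {0: "unscanned", 1: "scanned_once", 2: "double_scanned"}
    report = {label: [] for label in labels.values()}
    for src, dst in permutations(hosts, 2):
        report[labels[scans_during_copy(src, dst)]].append((src.name, dst.name))
    return report


def is_consistent(hosts):
    """True when all hosts share one read/write pattern."""
    return len({(h.scan_on_read, h.scan_on_write) for h in hosts}) <= 1


# Constructed fleet that mixes the two single-direction patterns.
MIXED_FLEET = [
    HostScanConfig("FS01", scan_on_read=False, scan_on_write=True),   # write-only
    HostScanConfig("FS02", scan_on_read=True, scan_on_write=False),   # read-only
    HostScanConfig("WS01", scan_on_read=True, scan_on_write=True),    # default
]

# Constructed fleet in which every computer scans only files written to disk.
WRITE_ONLY_FLEET = [
    HostScanConfig(name, scan_on_read=False, scan_on_write=True)
    for name in ("FS01", "FS02", "WS01")
]


if __name__ == "__main__":
    for label, fleet in (("mixed", MIXED_FLEET), ("write-only", WRITE_ONLY_FLEET)):
        report = audit_fleet(fleet)
        print(f"{label}: consistent={is_consistent(fleet)}")
        for src, dst in report["unscanned"]:
            print(f"  GAP: copy {src} -> {dst} is not scanned on either side")
        for src, dst in report["double_scanned"]:
            print(f"  double scan: copy {src} -> {dst}")
```

In the mixed fleet the only unscanned path is from the write-only computer to the read-only computer, which is the case the WARNING describes; the uniform write-only fleet scans every copy exactly once.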

Advanced properties

Use the options on the Advanced tab to specify advanced scan options for heuristics, non-virus program files, and compressed files.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select one of these options:

Use the settings on these tabs for all processes. This option is selected by default. If you specify properties with this option selected, the properties you select apply to all processes. You cannot set different properties for default, low-risk and high-risk processes.

Use different settings for high-risk and low-risk processes. Set different properties for default, low-risk and high-risk processes.

NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.

3 Select the Advanced tab.

Figure 3-10. Default Processes — Advanced tab

4 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that the code is a variant of a known virus. Select any combination of these options:

Find unknown program viruses. This option is selected by default for default processes and high-risk processes. Treat executable files that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab.

Find unknown macro viruses. This option is selected by default for default processes and high-risk processes. Treat embedded macros that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab.

NOTE: This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.

5 Under Non-viruses, specify if you want the scanner to search for non-virus programs that are potentially unwanted.

Find potentially unwanted programs. Detect programs that are potentially unwanted.

WARNING: VirusScan Enterprise does not take any action on potentially unwanted program files or joke programs that it detects. Detections are logged in the log file.

If you want to take action on a detected potentially unwanted program file or joke program, you must take action manually. For example, if you want to remove a detected joke program, you must remove it manually.

Find joke programs. If you selected Find potentially unwanted programs, you can also scan for joke programs.

6 Under Compressed files, specify which types of compressed files you want the scanner to examine:

Scan inside packed executables. This option is selected by default for default processes and high-risk processes. Examine compressed files that contain executable files. A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.

Scan inside archives. Examine archive files and their contents. An archive file is a compressed file that must be extracted prior to accessing the files within it. Files contained inside archives are scanned when they are written to disk.

Decode MIME encoded files. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.

NOTE: Although it does give you better protection, scanning compressed files can increase the amount of time required to perform a scanning activity.

7 Click Apply to save your changes.

Action properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select one of these options:

Use the settings on these tabs for all processes. This option is selected by default. If you specify properties with this option selected, the properties you select apply to all processes. You cannot set different properties for default, low-risk and high-risk processes.

Use different settings for high-risk and low-risk processes. Set different properties for default, low-risk, and high-risk processes.

NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.

3 Select the Actions tab.

4 Under When a virus is found, select the primary action that you want the scanner to take when a virus is detected.

NOTE: The default primary action is Clean infected files automatically.

Click to select one of these actions:

Deny access to infected files. Denies all users access to any infected files the scanner finds. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which files are infected.

NOTE: If the file is written to the local system from an outside source, for example a CD-ROM or the Internet, the scanner adds a .VIR extension to the end of the file name. The scanner considers this type of file action to be a write action.

If the file is copied, for example from one location on a hard disk to another location, the .VIR extension is not added to the file name. The scanner considers this to be a move action.

Move infected files to a folder. The scanner moves infected files to a folder that is named quarantine by default. You can change the name of the folder in the Quarantine Folder text box on the General Settings, General tab.

Figure 3-11. Default Processes — Actions tab

Delete infected files automatically. The scanner deletes infected files as soon as it detects them. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which files were infected.

If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.

WARNING: If you selected Find unknown macro viruses on the Advanced tab, the action you select here applies to any macro that has code resembling a virus. If you select Delete infected files automatically, any file that has code resembling a macro virus is deleted, and any archive that contains an infected file is deleted. If that is not your intention, be certain that your choice of action corresponds with your choice of action for macros.

Clean infected files automatically. This option is selected by default. The scanner tries to remove the virus from the infected file. If the scanner cannot, or if the virus has damaged the file beyond repair, the scanner performs the secondary action. See Step 5 for more information.

5 Under If the above Action fails, select the secondary action that you want the scanner to take if the first action fails. The available options depend on the primary action you selected.

NOTE: The default secondary action is Move infected files to a folder.

Click to select the secondary action:

Deny access to infected files.

Move infected files to a folder. This option is selected by default.

Delete infected files automatically.

If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.

6 Click Apply to save your changes.

Low-risk and high-risk processes

Process-based scanning allows you to define scanning policies based on your perceived risk of infection from a defined process.

Determine which processes should be designated as low-risk or high-risk, then set the properties for each type of process.

The following topics are addressed in this section:

Assigning risk to a process

Process properties

Detection properties

Advanced properties

Action properties

Assigning risk to a process

A process is a program in execution. A program may initiate one or more processes. When deciding what risk or scanning policy to assign to a process, remember that only the child processes of the defined parent process adhere to the scanning policy. For example, if you define the Microsoft Word executable file, WINWORD.EXE, as a high-risk scanning process, any Microsoft Word documents that are accessed would be scanned based on the high-risk scanning policy. However, when the parent process, Microsoft Word, is launched, the WINWORD.EXE file would be scanned based on the policy of the process that launched it.

You can assign two types of risks to processes:

Low-risk processes are defined as those processes that have a lower possibility of being infected. These can be processes that access a lot of files, but do so in a way that has a lower risk of spreading viruses. Some examples are:

Backup software.

Compiling processes.

High-risk processes are defined as those processes that have a higher possibility of being infected. Some examples are:

Processes that launch other processes. For example, Microsoft Windows Explorer, or the command prompt.

Processes that execute. For example, WINWORD or CSCRIPT.

Processes used for downloading from the Internet. For example, browsers, instant messengers, and mail clients.

NOTE: When you install VirusScan Enterprise with default settings, the Use the settings on these tabs for all processes option is selected. If you select Use different settings for high-risk and low-risk processes, some processes are predefined as high-risk. You can change this list to meet your needs.

Any process that is not defined as either low-risk or high-risk is considered to be a default process and is scanned with the properties that you set for default processes.

To determine which risk to assign to which processes, complete these steps:

1 Decide why you want to have different scanning policies. The two most common reasons when balancing performance against risk are:

To scan some processes, such as web downloads, more thoroughly than is accomplished by the default scanning policy.

To scan some processes to a lesser extent based on the risk and impact on performance that occurs during scanning. For example, capturing streaming media such as video has little risk, but is very resource intensive.

2 Decide which processes are low-risk and which are high-risk. First determine which program is responsible for each process, then decide what risk is associated with that process. Use the Windows Task Manager or Windows Performance Monitor to help you understand which processes are using the most CPU time and memory. Once you have this information you can associate each process with a scanning policy based on the processes’ performance and risk.

3 Configure the scanning policies for each of the three levels: default, low-risk and high-risk.

NOTE: We do not recommend reducing the level of scanning for high-risk processes. The high-risk scanning policy is initially set the same as default processes to ensure that high-risk processes maintain an in-depth level of scanning.

Process properties

Use the options on the Processes tab to define processes as either low-risk or high-risk:

NOTE: Any process that is not defined as either low-risk or high-risk is considered to be a default process and is scanned with the properties that you set for default processes.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select Use different settings for high-risk and low-risk processes.

NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.

3 Select either Low-Risk Processes or High-Risk Processes.

4 Select the Processes tab.

The list shows the current list of processes, in alphabetical order by file name. Each process is shown with its application icon, file name, and description if available. The default settings are:

The Low-Risk Processes list is empty.

The High-Risk Processes list is populated with processes that McAfee Security considers to be high-risk. You can add or remove processes from this list to meet your security needs.

NOTE: The steps you take to add or select processes are identical for low-risk and high-risk processes.

Figure 3-12. Low-Risk or High-Risk Processes — Processes tab

5 To add applications, click Add. The Select Application dialog box appears.

a Select application(s) that you want to add, using these methods:

Select application(s) from the list.

Use CTRL + SHIFT to select more than one application.

Click Browse to locate an application on the network.

b When you have finished selecting applications, click OK to save your selections and return to the Processes tab.

6 To remove applications, highlight one or more applications in the list, then click Remove.

7 Click Apply to save your changes.

8 Repeat Step 3 through Step 7 to define applications as either low-risk or high-risk.

Figure 3-13. Select Application

Detection properties

Use the options on the Detection tab to specify what types of files you want the on-access scanner to examine, and when you want to scan them.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select Use different settings for high-risk and low-risk processes.

NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.

3 Select either Low-Risk Processes or High-Risk Processes.

4 Select the Detection tab.

NOTE: After you select the process icon from the left pane, the steps you take to set Detection options are identical for low-risk and high-risk processes.

Figure 3-14. Low-Risk or High-Risk Processes — Detection tab

5 Under Scan Files, select any combination of these scanning options:

When writing to disk. This option is selected by default. Scan all files as they are written to or modified on the server, workstation, or other data storage device.

When reading from disk. This option is selected by default. Scan all files as they are read from the server, workstation, or other data storage device.

On network drives. Include network resources during on-access scans. This is a convenient way to extend virus protection.

NOTE: Including network resources could have a negative effect on the overall performance of the system that is running the scan.

WARNING: If you are copying or moving a file from one computer to another, and the on-access scan properties on both computers have been configured to scan files both written to disk and files read from disk, scanning occurs when the file is read by the source computer and again when it is written to the destination computer.

If the prevailing traffic pattern on your network is copying or moving files from one computer to another, you may want to configure your scanning properties to scan only files written to disk, and not to scan files read from disk. This eliminates double-scanning of the same file. It is possible to achieve the same result by configuring all computers to scan only files read from them, and not files written to them.

If you use either of these configuration patterns, it is important that all computers be configured identically. Do not configure some computers to scan only files written to disk, and others to scan files only read from disk. This would allow an infected file to be copied from a computer that scans only files written to disk to a computer that scans only files read from disk.

6 Under What to scan, select from these options:

All files. This option is selected by default. Scan all files regardless of extension.

Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file. You can add or remove user-specified file type extensions, but you cannot delete any file type extensions from the default list. You can, however, exclude extensions that appear in the default list. See Excluding files, folders, and drives on page 70 for more information.

Additions. If you selected Default + additional file types, click Additions to add or remove user-specified file type extensions. See Adding file type extensions on page 68 for detailed instructions.

The maximum number of additional extensions that the on-access scanner can list is 1,000.

Also scan for macro viruses in all files. Scan all files, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.

NOTE: Scanning for macro viruses in all files could affect performance.

Specified file types. Scan only the extensions you specify.

Specified. If you selected Specified file types, click Specified to add or remove user-specified file type extensions. You can also set the list of file type extensions to the default list. See Adding user-specified file type extensions on page 69 for detailed instructions.

The maximum number of specified extensions that the on-access scanner can list is 1,000.

7 Under What not to scan, click Exclusions to specify the files, folders, and drives you want to exclude from scanning. See Excluding files, folders, and drives on page 70 for detailed instructions.

8 Click Apply to save your changes.

9 Repeat Step 3 through Step 8 to specify detection settings for low-risk or high-risk processes.
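The WARNING in Step 5 about mixing write-only and read-only scanning describes a gap that only shows up when the settings of several computers are compared. The check below is an added example, not part of the product: it applies the guide's rule (a copy is scanned on read at the source and on write at the destination) to a constructed inventory whose CSV columns and host names are assumptions.

```python
import csv
import io
from dataclasses import dataclass
from itertools import permutations

# Constructed inventory. The column names and host names are assumptions made
# for this example; they are not an export format of the product.
INVENTORY_CSV = """host,scan_on_read,scan_on_write
FS01,no,yes
FS02,no,yes
WS17,yes,no
WS18,yes,yes
"""


@dataclass(frozen=True)
class HostPolicy:
    host: str
    on_read: bool    # "When reading from disk" is selected
    on_write: bool   # "When writing to disk" is selected


def load_inventory(text):
    """Parse the constructed CSV into one HostPolicy per computer."""
    return [
        HostPolicy(row["host"], row["scan_on_read"] == "yes", row["scan_on_write"] == "yes")
        for row in csv.DictReader(io.StringIO(text))
    ]


def scan_points(src, dst):
    """Where a file copied from src to dst gets scanned, per the guide:
    on read at the source computer and on write at the destination."""
    points = []
    if src.on_read:
        points.append(f"read@{src.host}")
    if dst.on_write:
        points.append(f"write@{dst.host}")
    return points


def audit_copy_paths(policies):
    """Return (unscanned, doubled): ordered (source, destination) pairs whose
    copies are scanned nowhere, and pairs whose copies are scanned twice."""
    unscanned, doubled = [], []
    for src, dst in permutations(policies, 2):
        count = len(scan_points(src, dst))
        if count == 0:
            unscanned.append((src.host, dst.host))
        elif count == 2:
            doubled.append((src.host, dst.host))
    return unscanned, doubled


if __name__ == "__main__":
    fleet = load_inventory(INVENTORY_CSV)
    unscanned, doubled = audit_copy_paths(fleet)
    for src, dst in unscanned:
        print(f"GAP: copy {src} -> {dst} is never scanned")
    for src, dst in doubled:
        print(f"double scan: copy {src} -> {dst}")
```

An empty first list together with an empty second list is the outcome the guide aims for: every computer uses the same single-direction setting, so each copy is scanned exactly once.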

Adding file type extensions

Add user-specified file types to the default list of file types. You can also use this feature to remove any user-specified file types you added. The default list plus any user-specified file types are scanned during scanning operations.

NOTE: You cannot change or remove file types from the default list of file types. The default list is defined by the latest DAT file you downloaded. To prevent an extension from being scanned, exclude it. See Excluding files, folders, and drives on page 70 for more information.

1 Click Additions to open the Additional File Types dialog box.

2 Under Add File Type, you can add user-specified file type extensions in two ways:

Type a file type extension in the text box, then click Add.

NOTE: You only need to type the first three letters of the file type extension. If you type an HTM file extension, the scanner searches for HTM and HTML files. You can use a wildcard or a combination of characters with a wildcard.

Click Select to open the Select File Type dialog box. Select one or more file type extensions from the list, then click OK.

Use CTRL + SHIFT to select more than one file type extension.

The file type extensions you added appear in the User-specified additional file types list.

Figure 3-15. Additional File Types

3 You can remove user-specified file type extensions from the user-specified list in two ways:

Select one or more file type extensions in the User specified additional file types list, then click Remove.

Click Clear to remove all items from the User specified additional file types list.

Adding user-specified file type extensions

Create a list of user-specified file type extensions to be scanned during scanning operations. You can also use this feature to remove any of the user-specified file type extensions you added previously.

1 Click Specified to open the Specified File Types dialog box.

2 Under Add File Type, you can add user-specified file type extensions in two ways:

Type a file type extension in the text box, then click Add.

NOTE: You only need to type the first three letters of the file type extension. If you type an HTM file extension, the scanner searches for HTM and HTML files. You can use a wildcard or a combination of characters with a wildcard.

Click Select to open the Select File Type dialog box. Select one or more file type extensions from the list, then click OK.

The file type extensions you added appear in the list under Only files of these types will be scanned.

Figure 3-16. Specified File Types

3 You can remove user-specified file type extensions from the list in two ways:

Select one or more file type extensions in the list under Only files of these types will be scanned, then click Remove.

Click Clear to remove all items from the list under Only files of these types will be scanned.

4 Click Set to Default to replace the current list of user-specified file type extensions with the default list. The default list of file type extensions is defined by the current DAT file.

5 Click OK to save your changes and return to the Detection tab.

Excluding files, folders, and drives

Specify files, folders, and drives to exclude from scanning operations. You can also use this feature to remove any of the exclusions you specified previously.

1 Click Exclusions to open the Set Exclusions dialog box.

2 Add or edit files, folders, or drives. Windows File Protection is listed by default.

To add an item, click Add to open the Add Exclusion Item dialog box.

To edit an item, double-click the item or select it, then click Edit to open the Edit Exclusion Item dialog box.

NOTE: The exclusion options are the same whether you are adding an exclusion item or editing it.

Figure 3-17. Set Exclusions

3 Under What to exclude, select one of these options:

By name/location. This option is selected by default. Specify the name or location. This can include wildcards * and ?. You can type specific information in the text box or click Browse to locate a name or location.

NOTE: You can specify full pathnames such as C:\WINNIT\SYSTEM*, file names such as PAGEFILE.SYS, or PAGEFILE.*, or P*.*, or *.SYS, or folder names such as BACKUP. For example, specifying the BACKUP folder excludes all folders named BACKUP, wherever they are located.

Figure 3-18. Add Exclusion Item

When using wildcards, these limitations apply:

Valid wildcards are ? for excluding single characters and * for excluding multiple characters.

A \ cannot follow wildcard characters. For example, C:\ABC\WWW? is valid, but C:\ABC\WWW?\123 is not valid.

An exclusion that does not begin with a path or \ such as WWW* is treated as a file only.

An exclusion containing ? characters applies if the number of characters matches the length of the file or folder name. For example, the exclusion W?? excludes WWW, but does not exclude WW or WWWW.

Also exclude subfolders. If you selected By name/location, you can exclude the subfolders of the folders that match the specified pattern.

By file type. Specify a file extension by type. Type a file extension in the text box or click Select to open the Select File Type dialog box, where you can select one or more extensions from the list. Click OK to save your entries and close the dialog box.

NOTE: The file extension that you specify can include wildcards. Valid wildcards are ? for excluding single characters and * for excluding multiple characters.

By file age. Specify whether you want to exclude files by age.

Access type. If you selected By file age, click to specify an access type of Modified or Created.

Minimum age in days. If you selected By file age, specify the minimum age of the file in days. The file must be at least this many days old before it is excluded.

Files protected by Windows File Protection. Specify that this exclusion is based on a file’s Windows File Protection status.

4 Under When to exclude, specify when to exclude the items from scanning:

On read. This option is selected by default. Specify that the exclusion items are excluded from scans when read from disk.

On write. This option is selected by default. Specify that the exclusion items are excluded from scans when written to disk.

NOTE: The On read and On write options are not available for on-demand scan tasks.

5 Click OK to save your changes and return to the Set Exclusions dialog box.

6 You can remove user-specified file type extensions from the item list in two ways:

Select one or more file type extensions in the list, then click Remove.

Click Clear to remove all items from the list.

7 Click OK to save your changes and return to the Detection tab.

8 Click Apply to save your changes.
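The wildcard limitations listed under By name/location can be checked mechanically before an exclusion list is deployed, since every exclusion is a place the scanner does not look. The following Python is an added example, not McAfee code: it models only the rules stated in this guide, and the function names, the constructed sample paths, case-insensitive matching and the choice that * does not cross a backslash are assumptions.

```python
import re
from dataclasses import dataclass

WILDCARDS = "*?"
# "Begins with a path or \": a drive letter plus backslash, or a bare backslash.
_ROOTED = re.compile(r"^(?:[A-Za-z]:)?\\")

# Constructed sample items as (path, is_folder); not taken from any real system.
SAMPLES = [
    (r"C:\ABC\WWW1", False),
    (r"C:\DATA\WWW", False),
    (r"C:\DATA\WWWW", False),
    (r"C:\WWWROOT", True),
    (r"D:\OLD\BACKUP", True),
    (r"C:\PAGEFILE.SYS", False),
]


@dataclass(frozen=True)
class Exclusion:
    pattern: str
    rooted: bool      # begins with a path or a backslash
    wildcard: bool    # contains * or ?
    regex: re.Pattern

    @property
    def file_only(self):
        # Guide: an exclusion such as WWW* that does not begin with a path
        # or backslash is treated as a file only.
        return self.wildcard and not self.rooted


def parse_exclusion(pattern):
    """Validate one By name/location pattern against the documented limits."""
    if not pattern:
        raise ValueError("empty exclusion")
    positions = [i for i, ch in enumerate(pattern) if ch in WILDCARDS]
    # Guide: a backslash cannot follow wildcard characters.
    if positions and "\\" in pattern[positions[0]:]:
        raise ValueError(f"backslash after a wildcard in {pattern!r}")
    # ? is exactly one character, so W?? matches WWW but not WW or WWWW.
    body = "".join(
        r"[^\\]*" if ch == "*" else r"[^\\]" if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return Exclusion(pattern, bool(_ROOTED.match(pattern)), bool(positions),
                     re.compile(body, re.IGNORECASE))


def is_excluded(excl, path, is_dir=False):
    """True if this model would exclude the file or folder at `path`."""
    if excl.rooted:
        return excl.regex.fullmatch(path) is not None
    if excl.file_only and is_dir:
        return False
    name = path.rsplit("\\", 1)[-1]   # unrooted patterns match the name only
    return excl.regex.fullmatch(name) is not None


def audit(patterns, samples=SAMPLES):
    """Return (invalid, coverage): patterns the documented rules reject, and
    for each valid pattern the sample items it would exclude from scanning."""
    invalid, coverage = {}, {}
    for pattern in patterns:
        try:
            excl = parse_exclusion(pattern)
        except ValueError as err:
            invalid[pattern] = str(err)
            continue
        coverage[pattern] = [p for p, is_dir in samples if is_excluded(excl, p, is_dir)]
    return invalid, coverage


if __name__ == "__main__":
    bad, covered = audit([r"C:\ABC\WWW?", r"C:\ABC\WWW?\123", "W??", "WWW*", "BACKUP", "*.SYS"])
    for pattern, reason in bad.items():
        print("INVALID ", pattern, "->", reason)
    for pattern, hits in covered.items():
        print("EXCLUDES", pattern, "->", hits)
```

Reviewing the coverage list for each pattern shows how much an unrooted wildcard such as WWW* or *.SYS removes from scanning compared with a full pathname.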

Advanced properties

Use the options on the Advanced tab to specify advanced scan options for heuristics, non-virus program files, and compressed files.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select Use different settings for high-risk and low-risk processes.

NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.

3 Select either Low-Risk Processes or High-Risk Processes.

4 Select the Advanced tab.

NOTE: After you select the process icon from the left pane, the steps you take to set Advanced options are identical for low-risk and high-risk processes.

Figure 3-19. Low-Risk or High-Risk Processes — Advanced tab

5 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that the code is a variant of a known virus. Select any combination of these options:

Find unknown program viruses. This option is selected by default for default processes and high-risk processes. Treat executable files that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab.

Find unknown macro viruses. This option is selected by default for default processes and high-risk processes. Treat embedded macros that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab to those files.

NOTE: This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.

6 Under Non-viruses, specify if you want the scanner to search for non-virus programs that are potentially unwanted.

Find potentially unwanted programs. Detect programs that are potentially unwanted.

Find joke programs. If you selected Find potentially unwanted programs, you can also scan for joke programs.

WARNING: VirusScan Enterprise does not take any action on potentially unwanted program files or joke programs that it detects. Detections are logged in the log file.

If you want to take action on a detected potentially unwanted program file or joke program, you must take action manually. For example, if you want to remove a detected joke program, you must remove it manually.

7 Under Compressed files, specify which types of compressed files you want the scanner to examine. You have these options:

Scan inside packed executables. This option is selected by default for default processes and high-risk processes. Examine compressed files that contain executable files. A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.

Scan inside archives. Examine archive files and their contents. An archive file is a compressed file that must be extracted prior to accessing the files within it. Files contained inside archives are scanned when they are written to disk.

Decode MIME encoded files. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.

NOTE: Although it does give you better protection, scanning compressed files can increase the amount of time required to perform a scanning activity.

8 Click Apply to save your changes.

9 Repeat Step 3 through Step 8 to configure advanced settings for low-risk or high-risk processes.

Action properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.

2 Select Use different settings for high-risk and low-risk processes.

NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.

3 Select either Low-Risk Processes or High-Risk Processes.

4 Select the Actions tab.

NOTE: After you select the process icon from the left pane, the steps you take to set Actions options are identical for low-risk and high-risk processes.

5 Under When a virus is found, select the primary action that you want the scanner to take when a virus is detected.

NOTE: The default primary action is Clean infected files automatically.

Click to select one of these actions:

Deny access to infected files. Denies all users access to any infected files the scanner finds. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which files are infected.

NOTE: If the file is written to the local system from an outside source, for example a CD-ROM or the Internet, the scanner adds a .VIR extension to the end of the file name. The scanner considers this type of file action to be a write action.

If the file is copied, for example from one location on a hard disk to another location, the .VIR extension is not added to the file name. The scanner considers this to be a move action.

Figure 3-20. Low-Risk or High-Risk Processes — Actions tab

Move infected files to a folder. The scanner moves infected files to a folder that is named quarantine by default. You can change the name of the folder in the Quarantine Folder text box on the General Settings, General tab.

Delete infected files automatically. The scanner deletes infected files as soon as it detects them. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which files were infected.

If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.

WARNING: If you selected Find unknown macro viruses on the Advanced tab, the action you select here applies to any macro that has code resembling a virus. If you select Delete infected files automatically, any file that has code resembling a macro virus is deleted, and any archive that contains an infected file is deleted. If that is not your intention, be certain that your choice of action corresponds with your choice of action for macros.

Clean infected files automatically. This option is selected by default. The scanner tries to remove the virus from the infected file. If the scanner cannot, or if the virus has damaged the file beyond repair, the scanner performs the secondary action. See Step 6 for more information.

6 Under If the above Action fails, select the secondary action that you want the scanner to take if the first action fails. The available options depend on the primary action you selected.

NOTE: The default secondary action is Move infected files to a folder.

Click to select the secondary action:

Deny access to infected files.

Move infected files to a folder. This option is selected by default.

Delete infected files automatically.

If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.

7 Click Apply to save your changes.

8 Repeat Step 3 through Step 7 to configure action settings for low-risk or high-risk processes.

Viewing scan results

You can view the results from your on-access scanning operation in the statistics summary and the activity log.

The following topics are addressed in this section:

Viewing scan statistics

Viewing the activity log

Viewing scan statistics

The On-Access Scan Statistics summary shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Use either of these methods to open the On-Access Scan Statistics dialog box:

Double-click in the system tray.

Right-click the on-access scan task in the task list and select Statistics.

The On-Access Scan Statistics dialog box shows the Last file scanned in the upper pane, and a statistical summary in the lower pane.

Figure 3-21. On-Access Scan Statistics

3 You can perform either of these functions if you have administrator rights and type the password, as required:

NOTE: The Disable and Properties buttons are hidden if the user interface is configured to show minimal menu options. This option is set on the Tools|User Interface Options|Display Options tab.

Click Disable to deactivate the on-access scanner. This function toggles between Disable and Enable.

Click Properties to open the On-Access Scan Properties dialog box, change the scan properties you want to modify, then click Apply to save your changes.

The scan runs with your new settings immediately.

4 When you have finished reviewing scan statistics, click Close.

Viewing the activity log

The on-access scan activity log shows specific details about the scanning operation. For example, it shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Use either of these methods to open the activity log file:

Highlight the task, then select Activity Log from the Task menu.

Right-click the task in the task list and select View Log.

3 To close the activity log, select Exit from the File menu.

Responding to virus detections

The on-access scanner looks for viruses based on the configuration settings you selected in the On-Access Scan Properties dialog box. See Configuring the on-access scanner on page 40 for more information. When a virus is detected, these actions occur:

You receive a notification if you have configured Alert Manager and/or the on-access scanner to notify you when a virus is detected.

The on-access scanner records a message in the On-Access Scan Messages dialog box.

The following topics are addressed in this section:

Receiving notification of virus detections

Viewing on-access scan messages

Taking action on virus detections

Receiving notification of virus detections

The on-access scanner can send three types of notifications when it detects a virus:

On-Access Scan Messages dialog box — The On-Access Scan Messages dialog box displays when a virus is detected, if you configured the on-access scanner to do so. See Message properties on page 45 for more information about configuring message options.

See Viewing on-access scan messages on page 82 for more detailed information about the On-Access Scan Messages dialog box.

Messenger Service to network users — A message is sent to network users when a virus is detected, if you configured the on-access scanner to do so. See Message properties on page 45 for more information about configuring message options.

The message provides details about the infected file, such as the name and location of the file, type of virus detected, and the version of scanning engine and DAT file used to detect the virus. View the message details, then click OK to dismiss the message.

Messenger Service — A network message displays, if you have configured Alert Manager to do so. See Configuring Alert Manager on page 150 for more information.

Following is an example of a network message from Alert Manager.

The message provides details about the infected file, such as the name and location of the file, type of virus detected, and the version of scanning engine and DAT file used to detect the virus.

You may receive more than one notification depending on how you have configured Alert Manager and the on-access scanner.

View the message details, then click OK to dismiss the message.

Figure 3-22. On-Access Scan — Messenger Service

NOTE: If you do not have any of the three message options configured to send a message when a virus is detected, you do not receive any notification. However, you can always review the On-Access Scan Messages dialog box to see detected viruses. See Viewing on-access scan messages on page 82 for more information.

Viewing on-access scan messages

When a virus is detected, the on-access scanner records a message in the On-Access Scan Messages dialog box. This dialog box lists all messages for the current user in chronological order. If the user is an administrator, it can optionally list all messages on the local system.

This dialog box automatically displays when a virus is detected, if you have configured the on-access scanner to do so.

You can open this dialog box at any time by right-clicking in the system tray and selecting On-Access Scan Messages.

The On-Access Scan Messages dialog box is separated into several sections:

Menus — Provides menus for taking actions on files or messages.

The File menu provides actions that can be taken on files or messages in the list.

The View menu provides options for controlling visibility of parts of the dialog box.

The Options menu gives options for showing all messages and always keeping the On-Access Scan Messages dialog box on top.

Figure 3-23. On-Access Scan Messages


The Help menu provides access to help topics for the VirusScan Enterprise product, access to the Virus Information, Submit a Sample, and Technical Support web sites, as well as information about the currently installed product, license, scanning engine, and DAT files.

VirusScan Message — Displays specific details about the selected message.

Buttons — Displays buttons for actions that are available for the selected message. If an action is not available for the selected message, the corresponding button is disabled.

Message List — Lists the messages for viruses detected by the on-access scanner. The columns in the list area are sortable by clicking on the column header.

Status bar — Displays the status of the selected message.

Taking action on virus detections

This section describes the actions that you can take when a virus is detected by the on-access scanner.

NOTE: You also have the option of sending a virus sample to AVERT for analysis. See Submitting a virus sample on page 36 for more information.

Use the On-Access Scan Messages dialog box to take action on viruses detected by the on-access scanner.

1 Right-click in the system tray and select On-Access Scan Messages.

2 Highlight a message in the list, then select an action using one of these methods:

File menu.

Buttons to select an action.

Right-click the highlighted message and select an action.


Following are the actions that may be taken on messages in the list:

Clean File — Attempts to clean the file referenced by the selected message.

In some cases, a file cannot be cleaned, either because it has no cleaner or because the virus has damaged the file beyond repair. If the file cannot be cleaned, the scanner appends a .VIR extension to the file name and denies access to it. An entry is recorded in the log file.

NOTE: If a file cannot be cleaned, we recommend that you delete the file and restore it from an uninfected backup copy.

Move File — Moves the file referenced by the selected message to the quarantine folder. The location of the quarantine folder is defined on the General Settings, General tab in the On-Access Scan Properties.

Delete File — Deletes the file referenced by the selected message. The file name is recorded in the log, so that you can restore it from a backup copy.

Select All (CTRL+A) — Selects all the messages in the list.

Remove Message (CTRL+D) — Removes the selected message from the list. Messages that have been removed from the list are still visible in the log file.

If an action is not available for the current message, the corresponding icon, button, and menu items are disabled. For example, Clean File is not available if the file has already been deleted.

The administrator can use the options on the General Settings, Messages tab in the On-Access Scan Properties, to configure what actions users without administrator rights can perform on messages in the list. If an action is suppressed by the administrator, the button is hidden, and the icon and menu items are disabled.

Other actions that are available:

Open Log File — Opens the activity log file.

Close Window — Closes the On-Access Scan Messages dialog box.


4

On-Demand Scanning

The on-demand scanner provides you with a method for scanning all parts of your computer for viruses, at convenient times or at regular intervals. Use it to supplement the continuous protection that the on-access scanner offers, or to schedule regular scan operations when they do not interfere with your work.

In memory process scanning and incremental scanning make virus detection more efficient than ever.

In memory process scanning checks all active processes prior to running the on-demand scan. Where infected processes are found, we highlight the infection and stop the process. This means that only a single pass with the on-demand scanner is required to remove all instances of a virus.

Incremental, or resumable, scanning allows the scanner to start where it last left off. You can define a start and stop time for scheduled scans. The on-demand scanner logically works through each folder and related files. When the time limit is reached, the scan is stopped. With incremental scanning, the next scheduled scan continues from the point in the file and folder structure where the previous scan stopped.

The following topics are addressed in this section:

Creating on-demand tasks

Configuring on-demand tasks

Resetting or saving default settings

Scheduling on-demand tasks

Scanning operations

Viewing scan results

Responding to virus detections


Creating on-demand tasks

You can create on-demand tasks using three methods. The type of scan you create, saved or unsaved, depends on the method you use. Choose from these options:

From the Start menu — Tasks created from the Start menu are one-time, unsaved tasks, unless you choose to save the task for future use.

From the icon in the system tray — Tasks created from the system tray are one-time, unsaved tasks, unless you choose to save the task for future use.

From the VirusScan Console — Tasks created from the console are automatically saved in the task list for future use.

NOTE: If you create on-demand scanning tasks via ePolicy Orchestrator 3.0 or later, and enable task visibility, you can also see these on-demand scanning tasks in the VirusScan Console. These ePolicy Orchestrator tasks are read-only and cannot be configured from the VirusScan Console. See the VirusScan Enterprise Configuration Guide for use with ePolicy Orchestrator 3.0 for more information.

The following topics are addressed in this section:

Creating tasks from the start menu or system tray

Creating tasks from the console

Creating tasks from the start menu or system tray

The on-demand scan task you create from either the start menu or the system tray is a one-time, unsaved task. The task you create can then be configured, scheduled, and run, but unless you choose to save it, the task is discarded when you close the On-Demand Scan Properties dialog box.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Open the On-Demand Scan Properties using one of these methods:

Click Start, then select Programs|Network Associates|VirusScan On-Demand Scan.

Right-click in the system tray and select On-Demand Scan.


The On-Demand Scan Properties (Unsaved Task) dialog box appears.

NOTE: You can identify this as an unsaved on-demand scan task because the title bar shows (Unsaved Task). Click Save As to save the task to the console for use again. When you save the task, the On-Demand Scan Properties title bar changes from (Unsaved Task) to the task name you specify.

3 Configure the one-time, unsaved on-demand scan task. See Configuring on-demand tasks on page 89 for detailed instructions.

4 Click Apply to save your changes.

5 To schedule the task, you must first save the task, then click Schedule. You cannot schedule an unsaved task. See Configuring task schedules on page 222 for detailed instructions.

6 To run the task, click Scan Now. See Running on-demand tasks on page 107 for more information.

Figure 4-1. On-Demand Scan Properties — (Unsaved Task)


Creating tasks from the console

The VirusScan Console comes with a default Scan All Fixed Disks on-demand scan task. You can rename this task and/or create an unlimited number of on-demand tasks.

To create a new on-demand task from the console:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Create a new scan task using one of these methods:

Right-click a blank area in the console, without selecting an item in the task list, then select New Scan Task.

Select New Scan task from the Task menu.

Click in the console toolbar.

A new on-demand task appears, highlighted, in the VirusScan Console task list.

Figure 4-2. VirusScan Console


3 Type a new name for your task, then press ENTER to open the On-Demand Scan Properties dialog box.

Configuring on-demand tasks

You can configure the on-demand scanner to determine where and what you want to scan, what you want it to do if it finds a virus, and how it should notify you when it has.

The following topics are addressed in this section:

Where properties

Detection properties

Advanced properties

Action properties

Report properties

Adding items

Removing items

Editing items

Figure 4-3. On-Demand Scan Properties


Where properties

Use the options on the Where tab to specify the locations you want to scan for viruses.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 Select the Where tab.

NOTE: By default, the dialog box lists all of the drives on your computer and all of the subfolders they contain. A scan operation this inclusive can take a long time. You may want to narrow this scan for regular use later.

3 Under Item name, specify where you want scanning to take place. All fixed disks and Memory of running processes are listed by default.

NOTE: If you are creating a new scan task, All Local Drives and Memory of running processes are listed by default.

Use the Add, Remove, and/or Edit buttons to specify the items to scan. See Adding, removing, and editing items on page 91 for detailed instructions.

Figure 4-4. On-Demand Scan Properties — Where tab


4 Under Scan options, specify additional scanning criteria. Select from these options:

Include subfolders. This option is selected by default. The scanner examines all subfolders in the volumes you target for scanning. To scan only the root level of your chosen volumes, deselect Include subfolders.

Scan boot sector(s). This option is selected by default. The scanner examines the disk boot sector. It may be appropriate to disable boot sector analysis when a disk contains a unique or abnormal boot sector that cannot be subjected to virus scanning.

5 Click Apply to save your changes.

Adding, removing, and editing items

Follow these procedures to Add, Remove, or Edit items in the Item name list of the On-Demand Scan Properties.

Adding items

Removing items

Editing items

Adding items

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 On the Where tab, click Add to open the Add Scan Item dialog box.

Figure 4-5. Add Scan Item


3 Click to select a scan item from the list. Choose from these options:

My computer. This option is selected by default. Scans all local and mapped drives.

All local drives. Scans all of the drives on your computer and all of the subfolders they contain.

All fixed disks. Scans hard drives physically connected to your computer.

All removable media. Scans only floppy disks, CD-ROM discs, Iomega ZIP disks, or similar storage devices physically attached to your computer.

All network drives. Scans network drives logically mapped to a drive letter on your computer.

Memory of running processes. Scans the memory of all running processes. This scan occurs before all other scans.

User’s home folder. Scans the home folder of the user who starts the scan.

User’s profile folder. Scans the profile of the user who starts the scan. This includes the My Documents folder.

Drive or folder. Scans a specific drive or folder. Type the path to the drive or folder in the Location text box, or click Browse to locate and select a drive or folder.

When you have finished browsing, click OK to return to the Add Scan Item dialog box.

File. Scans a specific file. Type the path to the file in the Location text box, or click Browse to open the Select Item To Scan dialog box where you can locate and select a file.

When you have selected an item, click Open to return to the Add Scan Item dialog box.

4 Click OK to save your changes and return to the On-Demand Scan Properties dialog box.

5 Click Apply to save your changes.


Removing items

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 On the Where tab, select one or more items that you want to delete in the Item name list, then click Remove.

3 Click Yes to confirm that you want to remove the item.

4 Click Apply to save your changes.

Editing items

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 On the Where tab, select an item in the Item name list, then click Edit to open the Edit Scan Item dialog box.

3 Click to select a scan item from the Item to scan list. All local drives is selected by default.

NOTE: The options you have here are the same as the options in Adding items. See Step 3 on page 92 for a complete list and description of available options.

4 Click OK to return to the On-Demand Scan Properties dialog box.

5 Click Apply to save your changes.

Figure 4-6. Edit Scan Item


Detection properties

Use the options on the Detection tab to specify what types of files you want the on-demand scanner to examine, and when you want to scan them.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 Select the Detection tab.

Figure 4-7. On-Demand Scan Properties — Detection tab


3 Under What to scan, select from these options:

All files. This option is selected by default. Scan all files regardless of extension.

Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file. You can add or remove user-specified file type extensions, but you cannot delete any file type extensions from the default list. You can, however, exclude extensions that appear in the default list. See Excluding files, folders, and drives on page 70 for more information.

Additions. If you selected Default + additional file types, click Additions to add or remove user-specified file type extensions. See Adding file type extensions on page 68 for detailed instructions.

The maximum number of additional extensions that the on-demand scanner can list is 1,000.

Also scan for macro viruses in all files. Scan all files, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.

NOTE: Scanning for macro viruses in all files could affect performance.

Specified file types. Scan only the extensions you specify.

Specified. If you selected Specified file types, click Specified to add or remove user-specified file type extensions. You can also set the list of file type extensions to the default list. See Adding user-specified file type extensions on page 69 for detailed instructions.

The maximum number of specified extensions that the on-demand scanner can list is 1,000.

4 Under What not to scan, click Exclusions to specify the files, folders, and drives to exclude from scanning. See Excluding files, folders, and drives on page 70 for detailed instructions.


5 Under Compressed files, specify which types of compressed files you want the scanner to examine. You have these options:

Scan inside packed executables. This option is selected by default. Examine compressed files that contain executable files. A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.

Scan inside archives. Examine archive files and their contents. An archive file is a compressed file that must be extracted prior to accessing the files within it. Files contained inside archives are scanned when they are written to disk.

Decode MIME encoded files. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.

6 Click Apply to save your changes.

Advanced properties

Use the options on the Advanced tab to specify advanced scanning properties, such as scanning for unknown program viruses and potentially unwanted programs, setting the CPU utilization level, and miscellaneous options.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 Select the Advanced tab.

Figure 4-8. On-Demand Scan Properties— Advanced tab


3 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that it is a variant of a known virus. Select any combination of these options:

Find unknown program viruses. This option is selected by default. Treat executable files that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab.

Find unknown macro viruses. This option is selected by default. Treat embedded macros that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab to those files.

NOTE: This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.

4 Under Non-viruses, specify whether you want the scanner to find non-virus programs that are potentially unwanted.

Find potentially unwanted programs. Detect programs that are potentially unwanted.

WARNING: VirusScan Enterprise does not take any action on potentially unwanted program files or joke programs that it detects. Detections are logged in the log file.

If you want to take action on a detected potentially unwanted program file or joke program, you must take action manually. For example, if you want to remove a detected joke program, you must remove it manually.

Find joke programs. If you selected Find potentially unwanted programs, you can also scan for joke programs that are potentially unwanted.


5 Under CPU utilization, use the slider to set the utilization level for the scan task in relation to the other tasks running on your computer. 100% is selected by default. This ensures that other running software does not slow down during a scan operation, but the scan takes longer. Set the scan task to a lower scanning level if you plan to run it at a time when the CPU is in heavy use with other essential operations.

NOTE: The CPU limitation you specify does not work when scanning encrypted files. The decryption is done by LSASS.EXE, not by the SCAN32 process. Scanning encrypted files is CPU intensive, therefore even if the CPU limit on the scanning thread is low, it is still scanning files fast enough that LSASS.EXE must keep busy to supply the decrypted data.

6 Under Miscellaneous, select from these options:

Scan files that have been migrated to storage. Scan files that have been moved to offline storage.

NOTE: If you are using Remote Storage to extend disk space on your server, the on-demand scanner can scan the cached files.

Remote Storage data storage is hierarchical, with two defined levels. The upper level, called local storage, includes the NTFS disk volumes of the computer running Remote Storage on Windows 2000 Server. The lower level, called remote storage, is located on the robotic tape library or stand-alone tape drive that is connected to the server computer.

Remote Storage automatically copies eligible files on your local volumes to a tape library, then monitors space available on the local volumes. File data is cached locally so that it can be accessed quickly as needed. When necessary, Remote Storage moves data from the local storage to remote storage. When you need to access a file on a volume managed by Remote Storage, open the file as usual. If the data for the file is no longer cached on your local volume, Remote Storage recalls the data from a tape library.

Rescan all files when DAT files are updated. Re-examine all files when new DAT files are installed or updated. This is best used for scheduled, resumable scans. Using this feature reduces the risk of infection by re-examining files for new viruses.


Scan window. Normal is selected by default. Click to specify how you want the scan window to appear during on-demand scans. The options are:

Normal

Minimized

Hidden

NOTE: Although the scan window can be configured to be normal, minimized, or hidden, the scheduled and remote task windows are always hidden regardless of the configured mode.

7 Click Apply to save your changes.

Action properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 Select the Actions tab.

Figure 4-9. On-Demand Scan Properties — Actions tab


3 Under When a virus is found, select the primary action you want the scanner to take when a virus is detected.

NOTE: The default primary action is Clean infected files.

Click to select one of these actions:

Prompt for action. Prompt the user for action when a virus is detected.

If you select this option, you can also select what actions are allowed in addition to Stop and Continue. The additional choices are:

Clean file. Allow the infected file to be cleaned.

Delete file. Allow the infected file to be deleted.

Move file. Allow the infected file to be moved.

No secondary action is allowed for this option.

Continue scanning. Continue scanning when an infected file is found.

No secondary action is allowed for this option.

Move infected files to a folder. The scanner moves infected files to a quarantine folder. You can accept the default location of the folder in the Folder text box, or click Browse to navigate to the location where the folder is located.

The default location and name for the quarantine folder is:

<drive>:\quarantine

NOTE: The quarantine folder should not be located on a floppy drive or CD drive. It must be located on a hard drive.

Clean infected files. This option is selected by default. The scanner tries to remove the virus from the infected file. If the scanner cannot, or if the virus has damaged the file beyond repair, the scanner performs the secondary action. See Step 4 for more information.


Delete infected files. The scanner deletes infected files as soon as it detects them. Be sure to enable Log to file on the Reports tab, so that you have a record of which files are infected.

If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.

WARNING: If you selected Find unknown macro viruses on the Advanced tab, the action you select here applies to any macro that has code resembling a virus. If you select Delete infected files, any file that has code resembling a macro virus is deleted, and any archive that contains an infected file is deleted. If that is not your intention, be certain that your choice of action corresponds with your choice of action for macros.

4 Under If the above Action fails, select the secondary action you want the scanner to take if the first action fails.

NOTE: The default secondary action is Move infected files to a folder.

Click to select one of these actions:

Prompt for action. If you select this option, you can also select what actions are allowed in addition to Stop and Continue. The additional choices are:

Clean file. Allow the infected file to be cleaned. This option is disabled if you selected Clean file as the primary action.

Delete file. Allow the infected file to be deleted. This option is disabled if you selected Delete file as the primary action.

Move file. Allow the infected file to be moved. This option is disabled if you selected Move file as the primary action.

Continue scanning. Continue scanning when an infected file is found.


Move infected files to a folder. This option is selected by default. The scanner moves infected files to a quarantine folder. You can accept the default location of the folder in the Folder text box, or click Browse to navigate to the location where the folder is located.

The default location and name for the quarantine folder is:

<drive>:\quarantine

NOTE: The quarantine folder should not be located on a floppy drive or CD drive. It must be located on a hard drive.

Delete infected files. The scanner deletes infected files as soon as it detects them. Be sure to enable Log to file on the Reports tab, so that you have a record of which files are infected.

5 Click Apply to save your changes.

Report properties

Use the options on the Reports tab to configure logging activity. Specify the log file location and size, and what information to capture for each log entry.

NOTE: The log file can serve as an important management tool for tracking virus activity on your network and to note which settings you used to detect and respond to any virus that the scanner found. The incident reports recorded in the file can help you determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer. See Viewing the activity log on page 111 for more information.

1 Open the On-Demand Scan Properties dialog box.


2 Select the Reports tab.

3 Under Log file, select from these options:

Log to file. This option is selected by default. Record on-demand scanning virus activity in a log file.

In the text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable file elsewhere on your computer or network.

NOTE: By default, the scanner writes log information to the ONDEMANDSCANLOG.TXT file in this folder:

<drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan.

Limit size of log file to. This option is selected by default. The default log file size is 1MB. Accept the default log size or set a different size for the log. If you select this option, type a value between 1MB and 999MB.

NOTE: If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.

Figure 4-10. On-Demand Scan Properties — Reports tab


4 Under What to log in addition to virus activity, select the additional information to record in the log file:

Session settings. Record the properties that you chose for each scanning session in the log file.

Session summary. This option is selected by default. Summarize the scanner’s actions during each scanning session and add the information to the log file. Summary information includes the number of files scanned, the number and type of viruses detected, the number of files moved, cleaned, or deleted, and other information.

Failure to scan encrypted files. This option is selected by default. Record the name of encrypted files that the scanner failed to scan in the log file.

User name. This option is selected by default. Record the name of the user logged on to the computer at the time the scanner records each log entry in the log file.

5 Click Apply to save your changes.
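The trimming rule in the NOTE under Limit size of log file to decides how long a detection record stays in the activity log before it is rotated out. The Python model below is an added example, not code from this guide or from the product; the byte accounting, the rounding of "20 percent", treating 1MB as 1024 x 1024 bytes, and the sample entries are all assumptions.

```python
"""Model of a size-capped log that drops its oldest 20 percent when full.

Assumptions (not taken from the product guide):
  * size is counted as UTF-8 bytes plus one newline per entry;
  * "oldest 20 percent" is rounded up, with a minimum of one entry;
  * trimming happens when appending the next entry would exceed the limit.
All entry text used here is constructed sample data.
"""
from collections import deque


class CappedLog:
    def __init__(self, limit_bytes):
        self.limit_bytes = limit_bytes
        self.entries = deque()
        self.size = 0
        self.trims = 0  # how many times the oldest 20 percent was dropped

    @staticmethod
    def _cost(entry):
        return len(entry.encode("utf-8")) + 1  # +1 for the newline

    def append(self, entry):
        cost = self._cost(entry)
        # Drop the oldest fifth of the entries until the new one fits.
        while self.entries and self.size + cost > self.limit_bytes:
            drop = max(1, (len(self.entries) + 4) // 5)  # ceil(n / 5)
            for _ in range(drop):
                self.size -= self._cost(self.entries.popleft())
            self.trims += 1
        self.entries.append(entry)
        self.size += cost


def entries_until_lost(limit_bytes, detection, filler):
    """Write one detection record, then filler entries until it is trimmed.

    Returns (number of filler entries written, the resulting log). The
    detection record is the oldest entry, so it is lost at the first trim.
    """
    if detection == filler:
        raise ValueError("detection and filler must differ")
    log = CappedLog(limit_bytes)
    log.append(detection)
    written = 0
    while log.entries[0] == detection:
        log.append(filler)
        written += 1
    return written, log


if __name__ == "__main__":
    # Constructed entries of 127 characters (128 bytes with the newline).
    detection = "D" * 127
    filler = "F" * 127
    for limit_mb in (1, 10, 100):
        written, log = entries_until_lost(limit_mb * 1024 * 1024,
                                          detection, filler)
        print(f"{limit_mb:>3} MB cap: detection record lost after "
              f"{written} later entries; {len(log.entries)} entries remain")
```

If detection records must outlive a busy scan schedule, raise the size limit or copy the log off the host before it reaches the cap.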


Resetting or saving default settings

After you have configured the on-demand task, you have the option of resetting the configuration settings to the default settings or saving the current configuration settings as the default.

If you do not want to reset the defaults or save the current settings as the default, skip these steps.

1 Select from these options:

Reset to Default. Restores the default scan settings.

Save as Default. Saves the current scanning configuration as the default configuration. If you Save as Default, all new tasks are created with this configuration.

2 Click Apply to save your changes.


Scheduling on-demand tasks

After you have configured an on-demand task, you can schedule it to run at specific dates and times, or intervals.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.

2 Click Schedule. See Scheduling Tasks on page 221 for detailed instructions about how to schedule a task.

Figure 4-11. On-Demand Scan Properties — Schedule


Scanning operations

You can run scheduled on-demand tasks unattended, start immediate scan tasks, and pause, stop, and restart tasks during the scanning operation.

NOTE: The on-demand scanner does not scan its own quarantine folder during scanning operations. The on-demand scanner is designed to exclude the quarantine folder during scanning operations to avoid repeat scanning or scanning loops.

The following topics are addressed in this section:

Running on-demand tasks

Pausing and restarting on-demand tasks

Stopping on-demand tasks

Resumable scanning

Running on-demand tasks

Once you have configured your task with the scan properties you want, you can run the scan task using one of these methods:

Scan as scheduled. If you scheduled the scan, allow the task to run unattended.

NOTE: For the scanner to run your task, your computer must be active. If your computer is down when the task is scheduled to start, the task starts at the next scheduled time if the computer is active, or when the computer starts if you selected the Run missed task option on the Schedule Settings, Schedule tab.

Figure 4-12. On-Demand Scan Task — In Progress


NOTE: The scanner always exits after completing scheduled tasks that are launched by the Scheduler and remote tasks that are run on a remote computer.

Scan immediately. You can start on-demand scan tasks immediately using several methods:

Create an on-demand scan task from the system tray or Start menu, then from the On-Demand Scan Properties dialog box, click Scan Now.

From the VirusScan Console, right-click an on-demand scan task and select Start.

From Windows Explorer, right-click a file, folder, drive, or other item, then select Scan for viruses.

The On-Demand Scan dialog box appears.

NOTE: The scanner does not exit automatically upon completion of the scan for these types of immediate scans. To exit the scanner, select Exit from the Scan menu.

Pausing and restarting on-demand tasks

You can pause and restart an on-demand task during the scanning operation.

To pause an on-demand task, click , in the On-Demand Scan dialog box.

To restart an on-demand task, click , in the On-Demand Scan dialog box.

Figure 4-13. On-Demand Scan — In Progress


Stopping on-demand tasks

You can stop an on-demand task during the scanning operation using one of these methods:

Click in the On-Demand Scan dialog box.

From the On-Demand Scan Properties dialog box, click Stop.

Resumable scanning

The on-demand scanner automatically resumes scanning where it left off if the scan is interrupted before it completes. The incremental scan feature of the on-demand scanner recognizes the last file it scanned, so the next time the scan starts, you have the option of starting the scan from where it left off, or starting the scan from the beginning.

Viewing scan results

You can view the results from your on-demand scanning operation in the statistics summary and the activity log.

The following topics are addressed in this section:

Viewing scan statistics

Viewing the activity log

Figure 4-14. Resumable scan


Viewing scan statistics

The On-Demand Scan Statistics summary shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

To see statistics and results for your task:

1 Open the VirusScan Console, right-click the on-demand task in the task list, and select Statistics.

The On-Demand Scan Statistics dialog box shows each of the scan targets you have chosen for this task in an upper pane, progress of the scan in the center pane, and a statistical summary in the lower pane.

If your scan task is still in progress, the center pane shows the file that the scanner is currently examining, and the status of the scan operation.

NOTE: If the task is run again, the statistics shown here are only for the last scan.

2 Click Properties to open the On-Demand Scan Properties dialog box, change the scan properties you want to modify, then click Apply to save your changes.

The scan runs with your new settings when the next on-demand scan starts. If an on-demand scan is in process when you change the scan properties, the new settings do not take effect until the next on-demand scan starts.

3 When you have finished reviewing scan statistics, click Close.

Figure 4-15. On-Demand Scan Statistics


Viewing the activity log

The on-demand scan activity log shows specific details about the scanning operation. For example, it shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Use either of these methods to open the activity log file:

Highlight the task, then select Activity Log from the Task menu.

Right-click the task in the task list and select View Log.

3 To close the activity log, select Exit from the File menu.

Responding to virus detections

The on-demand scanner looks for viruses based on the configuration settings you selected in the On-Demand Scan Properties dialog box. See Configuring on-demand tasks on page 89 for more information.

When a virus is detected, you receive a notification if you have configured Alert Manager and/or the on-demand scanner to notify you when a virus is detected.

The following topics are addressed in this section:

Receiving notification of virus detections

Taking action on virus detections


Receiving notification of virus detections

The on-demand scanner can send three types of notifications when it detects a virus:

VirusScan Alert — An alert dialog box displays when a virus is detected, if you configured the on-demand scanner to Prompt for action as either the primary or secondary action on the Actions tab. See Action properties on page 99 for more information.

See Taking action on virus detections on page 113 for more information about the VirusScan Alert dialog box.

Messenger Service — A network message displays, if you have configured Alert Manager to do so. See Configuring Alert Manager on page 150 for more information.

Following is an example of a network message from Alert Manager:

The message provides details about the infected file, such as name of the file, location of the file, type of virus detected, and version of scanning engine and DAT file used to detect the virus. View the message details, then click OK to dismiss the message.

On-Demand Scan Progress dialog box — The On-Demand Scan Progress dialog box displays while the on-demand scanner is performing a task. If any infections are found, they appear in the lower pane of the dialog box. See On-Demand Scan Progress dialog box on page 114 for more information.

You may receive more than one notification depending on how you have configured Alert Manager and the on-demand scanner.

NOTE: If you have not configured the on-demand scanner or Alert Manager to send notification, you do not receive a VirusScan Alert or network message. However, you can always see detected viruses in the On-Demand Scan Progress dialog box, during the scan operation.

Figure 4-16. On-Demand Scan — Messenger Service


Taking action on virus detections

This section describes the actions that you can take when a virus is detected by the on-demand scanner.

NOTE: You also have the option of sending a virus sample to AVERT for analysis. See Submitting a virus sample on page 36 for more information.

Use either the VirusScan Alert dialog box or the On-Demand Scan Progress dialog box to take action on the detected virus, depending on how you were notified of virus detection.

If you were notified with a VirusScan Alert, take action on the detected virus from that dialog box.

If you saw the virus detection in the On-Demand Scan Progress dialog box, take action on the detected virus from there.

VirusScan Alert dialog box

The VirusScan Alert dialog box appears to notify you of a virus detection if you have configured the on-demand scanner to Prompt for action. It provides information about where the detected file is located and what type of virus it detected in the file.

Select an action to perform on the infected file:

Continue — Continues the scanning operation, records each detection in the activity log, and lists each infected file in the On-Demand Scan dialog box.

Stop — Stops the scanning operation immediately.

Figure 4-17. VirusScan Alert


Clean — Attempts to clean the file referenced by the selected message.

If the file cannot be cleaned, either because it has no cleaner or because the virus has damaged the file beyond repair, an entry is recorded in the log file. Alternative responses may be suggested. For example, if a file cannot be cleaned, you should delete the file and restore it from a backup copy.

Delete — Deletes the file referenced by the selected message. The file name is recorded in the log, so that you can restore it from a backup copy.

Move File to — Moves the file referenced by the selected message, to the folder you select from the dialog box.

On-Demand Scan Progress dialog box

The On-Demand Scan Progress dialog box displays when the on-demand scanner is performing tasks. The lower pane shows viruses detected during the on-demand scan operation.

1 Take action on the detected virus using one of these methods:

Right-click the name of the file in the lower pane and select an action that you want to take from the menu.

Highlight the name of the file in the lower pane and select an action to take from the Scan menu.

2 When you have finished taking actions on all the virus detections in the list, select Exit from the Scan menu to close the dialog box.

Figure 4-18. On-Demand Scan Progress- Virus detected


5 E-mail Scanning

The e-mail scanner provides you with two methods of scanning e-mail folders, attachments, and message bodies for either a local host or a remote host:

The on-delivery e-mail scanner examines e-mail messages and attachments as they are delivered, if Microsoft Outlook is running. You can configure and run the on-delivery e-mail scanner from the VirusScan Console.

The on-demand e-mail scanner examines e-mail messages and attachments as needed, from Microsoft Outlook. You can configure and run the on-demand e-mail scanner from Microsoft Outlook.

Use the on-demand e-mail scanner to supplement the protection that the on-delivery e-mail scanner provides. For example, if you have had Microsoft Outlook closed or you are installing the VirusScan Enterprise product for the first time, we recommend running an on-demand e-mail scan first.

The following topics are addressed in this section:

On-delivery e-mail scan

On-demand e-mail scan


On-delivery e-mail scan

The on-delivery e-mail scanner examines e-mail attachments and message bodies as they are delivered to Microsoft Outlook.

WARNING: The on-delivery scanner does not scan incoming e-mail messages while Microsoft Outlook is offline. If you have had Microsoft Outlook offline, we recommend running an on-demand e-mail scan as soon as you bring Outlook online. See On-demand e-mail scan on page 132 for detailed instructions.

The following topics are addressed in this section:

Configuring the on-delivery e-mail scan for a local or remote host

Configuring the on-delivery e-mail scan properties

Viewing on-delivery e-mail scan results

Configuring the on-delivery e-mail scan for a local or remote host

To configure the on-delivery E-mail Scan from the VirusScan Console for either a local or remote host:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

If you are configuring the E-mail Scan for a local host, skip Step 2 and go to Configuring the on-delivery e-mail scan properties on page 117.

Figure 5-1. VirusScan Console


2 If you are configuring the E-mail Scan for a remote host:

a Select Remote Connection from the Tools menu.

b Type the computer name or click Browse to locate the computer.

c Click OK to return to the VirusScan Console.

Configuring the on-delivery e-mail scan properties

You can configure the on-delivery e-mail scanner to examine e-mail as it is delivered to Microsoft Outlook.

The following topics are addressed in this section:

Detection properties

Advanced properties

Action properties

Alert properties

Report properties


Detection properties

Use the options on the Detection tab to specify which attachments and file type extensions you want to scan.

1 Open the On-Delivery Scan Properties dialog box using one of these methods:

Highlight E-mail Scan in the task list, then click .

Right-click E-mail Scan in the task list and select Properties.

Double-click E-mail Scan in the task list.

NOTE: If Outlook has not been configured, the Outlook configuration dialog box is launched. If you have not logged on to your mailbox, you are prompted to log on.

2 Select the Detection tab.

3 Under Scanning of e-mail, Enable Microsoft Exchange (MAPI, IMAP) is selected by default. Deselect this option if you do not want to perform e-mail scanning.

4 Under Scanning of attachments, select one of these options:

All file types. This option is selected by default. Scan all attachments regardless of extension.

Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file. You can add or remove user-specified file type extensions, but you cannot delete any file type extensions from the default list.

Additions. If you selected Default + additional file types, click Additions to add or remove user-specified file type extensions. See Adding file type extensions on page 68 for detailed instructions.

The maximum number of additional extensions that the on-delivery e-mail scanner can list is 1,000.

Also scan for macro viruses in all attachments. Scan all attachments, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.

NOTE: Scanning for macro viruses in all attachments could affect performance.

Specified file types. Scan only the extensions you specify.

Specified. If you selected Specified file types, click Specified to add or remove user-specified file type extensions. You can also set the list of file type extensions to the default list. See Adding user-specified file type extensions on page 69 for detailed instructions.

The maximum number of specified extensions that the on-delivery e-mail scanner can list is 1,000.

NOTE: Excluding file types is not supported for e-mail scanning.

5 Click Apply to save your changes.

Figure 5-2. On-Delivery Scan Properties — Detection tab


Advanced properties

Use the options on the Advanced tab to specify advanced scanning properties, such as scanning for unknown program viruses, potentially unwanted programs, compressed files, and e-mail message bodies.

1 Open the On-Delivery Scan Properties dialog box using one of these methods:

Highlight E-mail Scan in the task list, then click .

Right-click E-mail Scan in the task list and select Properties.

Double-click E-mail Scan in the task list.

NOTE: If Outlook has not been configured, the Outlook configuration dialog box is launched. If you have not logged on to your mailbox, you are prompted to log on.

2 Select the Advanced tab.

Figure 5-3. On-Delivery Scan Properties — Advanced tab


3 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that it is a variant of a known virus. Select any combination of these options:

Find unknown program viruses. This option is selected by default. Treat executable files that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab.

Find unknown macro viruses. This option is selected by default. Treat embedded macros that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab to those files.

NOTE: This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.

Find attachments with multiple extensions. Treat attachments that have multiple extensions as if they were infected. The scanner applies the action you choose on the Actions tab to those files.

When you select this option, the E-mail Scan Warning dialog box appears.

E-mail Scan Warning. Read the warning carefully. Click OK to continue and accept the selection to treat attachments that have multiple extensions as if they were infected, or click Cancel to deselect the option.

Figure 5-4. E-mail Scan Warning


4 Under Non-viruses, specify whether you want the scanner to find non-virus programs that are potentially unwanted.

Find potentially unwanted programs. Detect programs that are potentially unwanted.

Find joke programs. If you selected Find potentially unwanted programs, you can also scan for joke programs.

WARNING: VirusScan Enterprise does not take any action on potentially unwanted program files or joke programs that it detects. Detections are logged in the log file.

If you want to take action on a detected potentially unwanted program file or joke program, you must take action manually. For example, if you want to remove a detected joke program, you must remove it manually.

5 Under Compressed files, specify which types of compressed files you want the scanner to examine. You have these options:

Scan inside packed executables. This option is selected by default. Examine compressed files that contain executable files. A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.

Scan inside archives. This option is selected by default. Examine archive files and their contents. An archive file is a compressed file that must be extracted prior to accessing the files within it. Files contained inside archives are scanned when they are written to disk.

Decode MIME encoded files. This option is selected by default. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.

NOTE: Although it does give you better protection, scanning compressed files can increase the amount of time required to perform a scanning activity.

6 Under E-mail message body, Scan e-mail message body is selected by default. If you deselect this option, e-mail message bodies are not scanned.

7 Click Apply to save your changes.
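The Python sketch below is an added example, not VirusScan Enterprise code: it decodes the MIME parts of a constructed message and flags attachments with multiple extensions, the two behaviours that the Decode MIME encoded files and Find attachments with multiple extensions options describe. The extension rule in `trailing_extensions`, the function names, and the sample message are assumptions; the product's own matching rule is not documented on this page.

```python
import email
import re
from email import policy

# Constructed sample message for illustration only (not captured mail).
# The base64 bodies decode to the harmless strings "placeholder" and "hello".
SAMPLE = b"""\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1
Content-Type: application/gzip
Content-Disposition: attachment; filename="backup.tar.gz"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Assumption: an "extension" is a dot-separated token of 1-5 ASCII
# alphanumerics containing at least one letter. This keeps a version
# number such as "v1.2" from being counted as an extension.
_EXT = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9]{1,5}$")


def trailing_extensions(filename):
    """Return the run of extension-like tokens at the end of a file name."""
    # Keep only the base name, then drop trailing spaces and dots, which
    # Windows ignores when it resolves the name on disk.
    base = re.split(r"[\\/]", filename)[-1].rstrip(" .")
    tokens = base.split(".")[1:]  # the first token is the stem
    exts = []
    for tok in reversed(tokens):
        if not _EXT.match(tok):
            break
        exts.append(tok.lower())
    return exts[::-1]


def scan_message(raw_bytes):
    """Decode each named attachment and report its extension chain."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # unnamed parts (the message body) are out of scope here
        # decode=True reverses the Content-Transfer-Encoding (base64 here),
        # giving the bytes a scanner would actually inspect.
        body = part.get_payload(decode=True) or b""
        exts = trailing_extensions(name)
        findings.append({
            "filename": name,
            "decoded_bytes": len(body),
            "extensions": exts,
            "multiple_extensions": len(exts) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in scan_message(SAMPLE):
        verdict = "FLAG" if f["multiple_extensions"] else "ok"
        print(f'{verdict:4} {f["filename"]:18} {f["extensions"]} '
              f'{f["decoded_bytes"]} bytes decoded')
```

Under this assumed rule `backup.tar.gz` is flagged alongside `invoice.pdf.exe`, which shows the false-positive cost of treating every multi-extension attachment as infected.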


Action properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.

1 Open the On-Delivery Scan Properties dialog box using one of these methods:

Highlight E-mail Scan in the task list, then click .

Right-click E-mail Scan in the task list and select Properties.

Double-click E-mail Scan in the task list.

NOTE: If Outlook has not been configured, the Outlook configuration dialog box is launched. If you have not logged on to your mailbox, you are prompted to log on.

2 Select the Actions tab.

Figure 5-5. On-Delivery Scan Properties — Actions tab


3 Under When infected attachments found, select the primary action that you want the scanner to take when a virus is detected.

NOTE: The default primary action is Clean infected attachments.

Click to select one of these actions:

Prompt for action. Prompt the user for action when a virus is detected.

If you select this option, you can also select what actions are allowed in addition to stop and continue. The additional choices are:

Clean attachment. Allow the infected attachment to be cleaned.

Move attachment. Allow the infected attachment to be moved.

Delete attachment. Allow the infected attachment to be deleted.

No secondary action is allowed for this option.

Continue scanning. Continue scanning when an infected attachment is found.

No secondary action is allowed for this option.

Move infected attachments to a folder. Move infected attachments to a quarantine folder. The default quarantine folder is named Quarantine. You can accept the default name for the quarantine folder or type a new name.

NOTE: The quarantine folder is created in the MAPI database and can be viewed from the Folder List in Microsoft Outlook.

Clean infected attachments. This option is selected by default. The scanner tries to remove the virus from the infected attachment. If the scanner cannot remove a virus from an infected attachment, or if the virus has damaged the attachment beyond repair, the scanner performs the secondary action.

Delete infected attachments. Delete infected attachments as soon as they are detected. Be sure to enable the Log to file property on the Reports tab, so that you have a record of which attachments are infected.

If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.


4 Under If the above Action fails, select the secondary action that you want the scanner to take if the first action fails.

NOTE: The default secondary action is Move infected attachments to a folder.

Click to select one of these actions:

Prompt for action. Prompt the user for action when a virus is detected.

If you select this option, you can also select what actions are allowed in addition to stop and continue. The additional choices are:

Clean attachment. Allow the infected attachment to be cleaned. This option is disabled if you selected Clean attachment as the primary action.

Move attachment. Allow the infected attachment to be moved. This option is disabled if you selected Move attachment as the primary action.

Delete attachment. Allow the infected attachment to be deleted. This option is disabled if you selected Delete attachment as the primary action.

Continue scanning. Continue scanning when an infected file is found.

Move infected attachments to a folder. This option is selected by default. Move infected attachments to a quarantine folder. The default quarantine folder is named Quarantine. You can accept the default name for the quarantine folder or type a new name.

NOTE: The Quarantine folder is created in the MAPI database and can be viewed from the Folder List in Microsoft Outlook.

Delete infected attachments. Delete infected attachments as soon as they are detected. Be sure to enable the Log to file property on the Reports tab, so that you have a record of which attachments are infected.

If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.

5 Click Apply to save your changes.


Alert properties

Use the options on the Alerts tab to configure how to warn users that an infected e-mail message or attachment has been detected.

1 Open the On-Delivery Scan Properties dialog box using one of these methods:

Highlight E-mail Scan in the task list, then click .

Right-click E-mail Scan in the task list and select Properties.

Double-click E-mail Scan in the task list.

NOTE: If Outlook has not been configured, the Outlook configuration dialog box is launched. If you have not logged on to your mailbox, you are prompted to log on.

2 Select the Alerts tab.

Figure 5-6. On-Delivery Scan Properties — Alerts tab


3 Under E-mail alert, specify how you want to notify the mail sender and another user when an infected mail message is detected. You have these options:

Return reply mail to sender. Send a return reply to the sender.

If you select this option, click Configure to open the Return Mail Configuration dialog box.

Figure 5-7. E-mail Scan — Return Mail Configuration

Type the message you want to send, then click OK.

Send alert mail to user. Send an e-mail alert to another user.

If you select this option, click Configure to open the Send Mail Configuration dialog box.

Figure 5-8. E-mail Scan — Send Mail Configuration

Type the message you want to send, then click OK.


4 Click Apply to save your changes.

5 Under If Prompt for Action is selected, specify how you want to notify users when an infected e-mail is detected. You have these options:

Display custom message. This option is selected by default. Notify the user with a custom message. If you select this option, you can type the custom message in the text box.

Sound audible alert. This option is selected by default. Notify the user with an audible alert.

6 Click Apply to save your changes.

Report properties

Use the options on the Reports tab to configure logging activity. Specify the log file location and size, and what information you want to capture for each log entry.

NOTE: The log file can serve as an important management tool for tracking virus activity on your network and to note which settings you used to detect and respond to any virus that the scanner found. The incident reports recorded in the file can help you determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer. See Viewing the on-delivery e-mail activity log on page 132 for more information.

1 Open the On-Delivery Scan Properties dialog box using one of these methods:

Highlight E-mail Scan in the task list, then click .

Right-click E-mail Scan in the task list and select Properties.

Double-click E-mail Scan in the task list.

NOTE: If Outlook has not been configured, the Outlook configuration dialog box is launched. If you have not logged on to your mailbox, you are prompted to log on.

2 Select the Reports tab.

3 Under Log file, select from these options:

Log to file. This option is selected by default. Record on-delivery e-mail scanning virus activity in a log file.

In the text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable file elsewhere on your computer or network.

NOTE: By default, the scanner writes log information to the EMAILONDELIVERYLOG.TXT file in this folder:

<drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan

Limit size of log file to. This option is selected by default. The default log file size is 1MB. Accept the default log size or set a different size for the log. If you select this option, type a value between 1MB and 999MB.

NOTE: If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.

Figure 5-9. On-Delivery Scan Properties — Reports tab


4 Under What to log, select the additional information that you want to record in the log file:

Session settings. Record the properties that you chose for each scanning session in the log file.

Session summary. This option is selected by default. Summarize the scanner’s actions during each scanning session and add the information to the log file. Summary information includes the number of files scanned, the number and type of viruses detected, the number of files moved, cleaned, or deleted, and other information.

Date and time. This option is selected by default. Record the date and time when a virus is detected.

User name. This option is selected by default. Record the name of the user logged on to e-mail at the time the scanner records each log entry, in the log file.

Failure to scan encrypted files. This option is selected by default. Record the name of encrypted files that the scanner failed to scan in the log file.

5 Click Apply to save your changes.

Viewing on-delivery e-mail scan results

You can view the results from your scanning operation in the statistics summary and the activity log.

The following topics are addressed in this section:

Viewing on-delivery e-mail scan statistics

Viewing the on-delivery e-mail activity log


Viewing on-delivery e-mail scan statistics

The On-Delivery E-mail Scan Statistics summary shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Use either of these methods to open the On-Delivery E-mail Scan Statistics dialog box:

Highlight the e-mail scan task in the task list, then select Statistics from the Task menu.

Right-click the e-mail scan task in the task list and select Statistics.

The On-Delivery E-mail Scan Statistics dialog box shows the Last attachment scanned in the upper pane, and a statistical summary in the lower pane.

If your scan is still in progress, it shows the file that the scanner is currently examining, and the status of the scan operation.

3 You can perform either of these functions if you have administrator rights and type the password, as required:

Click Disable to deactivate the e-mail on-delivery scanner. This function toggles between Disable and Enable.

Click Properties to open the On-Delivery E-mail Scan Properties dialog box, change the scan properties you want to modify, then click Apply to save your changes.

The scan runs with your new settings immediately.

4 When you have finished viewing scan statistics, click Close.

Figure 5-10. On-Delivery E-mail Scan Statistics


Viewing the on-delivery e-mail activity log

The on-delivery scan activity log shows specific details about the scanning operation. For example, it shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Use either of these methods to open the activity log file:

Highlight the e-mail scan task, then select Activity Log from the Task menu.

Right-click the e-mail scan task in the task list and select View Log.

3 To close the activity log, select Exit from the File menu.

On-demand e-mail scan

The on-demand e-mail scan task can be run directly from Microsoft Outlook, as needed, to scan selected messages and attachments. Use the on-demand e-mail scanner to supplement the on-delivery e-mail scanner after periods of time when Microsoft Outlook has been closed.

NOTE: If Microsoft Outlook was open during the VirusScan Enterprise installation, we recommend restarting Microsoft Outlook after the installation process completes.

The following topics are addressed in this section:

Configuring the on-demand e-mail task

Running the on-demand e-mail task

Viewing on-demand e-mail scan results

Configuring the on-demand e-mail task

You can use Microsoft Outlook to configure the on-demand e-mail scan task that scans messages and attachments.

The following topics are addressed in this section:

Detection properties

Advanced properties

Action properties

Alert properties

Report properties


Detection properties

Use the options on the Detection tab to specify which attachments and file type extensions you want to scan.

1 Start Microsoft Outlook.

2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog box:

Select E-mail Scan Properties from the Tools menu.

Click in the Outlook toolbar.

NOTE: If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.

3 Select the Detection tab.

Figure 5-11. On-Demand E-mail Scan Properties — Detection tab

4 Under Messages to scan, specify what messages you want to scan. You have these options:

All highlighted item(s). This option is selected by default. Scan selected e-mail messages or folders.

All messages in the Inbox folder. Scan all messages currently in the Inbox folder and its subfolders.

Scan unread messages only. Scan only unread messages in the Inbox folder and its subfolders. If you did not select All messages in the Inbox folder, this option is disabled.

5 Under Attachments to scan, specify what files, folders, or drives you want to scan. You have these options:

All file types. This option is selected by default. Scan all attachments regardless of extension.

Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file. You can add or remove user-specified file type extensions, but you cannot delete any file type extensions from the default list.

Additions. If you selected Default + additional file types, click Additions to add or remove user-specified file type extensions. See Adding file type extensions on page 68 for detailed instructions.

The maximum number of additional extensions that the on-demand e-mail scanner can list is 1,000.

Also scan for macro viruses in all attachments. Scan all attachments, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.

NOTE: Scanning for macro viruses in all attachments could affect performance.

Specified file types. Scan only the extensions you specify.

NOTE: Excluding file types is not supported for e-mail scanning.

6 Click Apply to save your changes.

Advanced properties

Use the options on the Advanced tab to specify advanced scanning properties, such as scanning for unknown program viruses, potentially unwanted programs, compressed files, and e-mail message bodies.

1 Start Microsoft Outlook.

2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog box:

Select E-mail Scan Properties from the Tools menu.

Click in the Outlook toolbar.

NOTE: If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.

Specified. If you selected Specified file types, click Specified to add or remove user-specified file type extensions. You can also set the list of file type extensions to the default list. See Adding user-specified file type extensions on page 69 for detailed instructions.

The maximum number of specified extensions that the on-demand e-mail scanner can list is 1,000.

3 Select the Advanced tab.

4 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that it is a variant of a known virus. You have these options:

Find unknown program viruses. This option is selected by default. Treat executable files that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab to those files.

Find unknown macro viruses. This option is selected by default. Treat embedded macros that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab to those files.

NOTE: This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.

Figure 5-12. On-Demand E-mail Scan Properties — Advanced tab

Find attachments with multiple extensions. Treat attachments that have multiple extensions as if they were infected. The scanner applies the action you choose on the Actions tab to those files.

When you select this option, the E-mail Scan Warning dialog box appears:

Figure 5-13. E-mail Scan Warning

E-mail Scan Warning. Read the warning carefully. Click OK to continue and accept the selection to treat attachments that have multiple extensions as if they were infected, or click Cancel to deselect the option.

5 Under Non-viruses, specify whether you want the scanner to find non-virus programs that are potentially unwanted.

Find potentially unwanted programs. Detect programs that are potentially unwanted.

Find joke programs. If you selected Find potentially unwanted programs, you can also scan for joke programs.

WARNING: VirusScan Enterprise does not take action on potentially unwanted program files or joke programs. Detections are logged in the log file.

6 Under Compressed files, specify which types of compressed files you want the scanner to examine. You have these options:

Scan inside packed executables. This option is selected by default. Examine compressed files that contain executable files. A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.

Scan inside archives. This option is selected by default. Examine archive files and their contents. An archive file is a compressed file that must be extracted prior to accessing the files within it. Files contained inside archives are scanned when they are written to disk.

Decode MIME encoded files. This option is selected by default. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.

NOTE: Although it does give you better protection, scanning compressed files can increase the amount of time required to perform a scanning activity.

7 Under E-mail message body, Scan e-mail message body is selected by default. If you deselect this option, e-mail message bodies are not scanned.

8 Click Apply to save your changes.
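The Advanced tab's Decode MIME encoded files and Find attachments with multiple extensions options can be illustrated with the sketch below, which is an added example and not VirusScan Enterprise code. The rule for what counts as an extension, the function names and the sample message are assumptions made here; the guide does not describe the scanner's own matching rule.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: an "extension" is a trailing dot-separated token of 1-5 ASCII
# letters or digits. The guide does not define the scanner's own rule.
_EXT_TOKEN = re.compile(r"[A-Za-z0-9]{1,5}")


def trailing_extensions(filename):
    """Return the trailing extensions of a file name, lower-cased, left to right."""
    parts = filename.strip().split(".")
    found = []
    # parts[0] is the base name, so only the tokens after it can be extensions.
    for token in reversed(parts[1:]):
        if not _EXT_TOKEN.fullmatch(token):
            break
        found.append(token.lower())
    return found[::-1]


def scan_message(raw):
    """Decode a raw MIME message and report every named attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # returns the decoded name (RFC 2231 parameters)
        if not name:
            continue  # message body or unnamed inline part
        body = part.get_payload(decode=True) or b""  # undo the transfer encoding
        exts = trailing_extensions(name)
        report.append({
            "filename": name,
            "extensions": exts,
            "multiple_extensions": len(exts) > 1,
            "decoded_size": len(body),
        })
    return report


def build_sample():
    """Constructed message: four attachments holding harmless placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    names = (
        "report.doc",
        "invoice.pdf.exe",
        "backup.tar.gz",
        "rechnung_m\u00e4rz.pdf.scr",  # non-ASCII name, sent RFC 2231 encoded
    )
    for name in names:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for item in scan_message(build_sample()):
        verdict = "FLAG" if item["multiple_extensions"] else "ok"
        print(f'{verdict:4} {item["filename"]} {item["extensions"]}')
```

Under this assumed rule the legitimate compound name backup.tar.gz is flagged together with the two executable-suffixed names, so every such attachment would receive the action chosen on the Actions tab.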

Action properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.

1 Start Microsoft Outlook.

2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog box:

Select E-mail Scan Properties from the Tools menu.

Click in the Outlook toolbar.

NOTE: If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.

3 Select the Actions tab.

Figure 5-14. On-Demand E-mail Scan Properties — Actions tab

4 Under When infected attachments found, select the primary action that you want the scanner to take when a virus is detected.

NOTE: The default primary action is Clean infected attachments.

Click to select one of these actions:

Prompt for action. Prompt the user for action when a virus is detected.

If you select this option, you can also select what actions are allowed in addition to stop and continue. The additional choices are:

No secondary action is allowed for this option.

Continue scanning. Continue scanning when an infected attachment is found.

No secondary action is allowed for this option.

Move infected attachments to a folder. Move infected attachments to a quarantine folder. The default quarantine folder is named quarantine. You can accept the default name for the quarantine folder or type a new name.

NOTE: The quarantine folder is created in the MAPI database and can be viewed from the Folder List in Microsoft Outlook.

Clean infected attachments. This option is selected by default. The scanner tries to remove the virus from the infected attachment. If the scanner cannot remove a virus from an infected attachment, or if the virus has damaged the attachment beyond repair, the scanner performs the secondary action.

Delete infected attachments. Delete infected attachments as soon as they are detected. Be sure to enable the Log to file property on the Reports tab, so that you have a record of which attachments are infected.

If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.

Clean attachment. Allow the infected attachment to be cleaned. This option is disabled if you selected Clean attachment as the primary action.

Move attachment. Allow the infected attachment to be moved. This option is disabled if you selected Move attachment as the primary action.

Delete attachment. Allow the infected attachment to be deleted. This option is disabled if you selected Delete attachment as the primary action.

5 Under If the above Action fails, select the secondary action that you want the scanner to take if the first action fails.

NOTE: The default secondary action is Move infected attachments to a folder.

Click to select one of these actions:

Prompt for action. Prompt the user for action when a virus is detected.

If you select this option, you can also select what actions are allowed in addition to stop and continue. The additional choices are:

Continue scanning. Continue scanning when an infected file is found.

Move infected attachments to a folder. This option is selected by default. Move infected attachments to a quarantine folder. The default quarantine folder is named quarantine. You can accept the default name for the quarantine folder or type a new name.

NOTE: The quarantine folder is created in the MAPI database and can be viewed from the Folder List in Microsoft Outlook.

Delete infected attachments. Delete infected attachments as soon as they are detected. Be sure to enable the Log to file property on the Reports tab, so that you have a record of which attachments are infected.

If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.

6 Click Apply to save your changes.

Clean attachment. Allow the infected attachment to be cleaned.

Move attachment. Allow the infected attachment to be moved.

Delete attachment. Allow the infected attachment to be deleted.

Alert properties

Use the options on the Alerts tab to configure how to warn users that an infected e-mail message or attachment has been detected.

1 Start Microsoft Outlook.

2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog box:

Select E-mail Scan Properties from the Tools menu.

Click in the Outlook toolbar.

NOTE: If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.

3 Select the Alerts tab.

Figure 5-15. On-Demand E-Mail Scan Properties — Alerts tab

4 Under E-mail alert, specify how you want to notify the mail sender and another user when an infected mail message is detected. You have these options:

Return reply mail to sender. Send a return reply to the sender.

If you select this option, click Configure to open the Return Mail Configuration dialog box.

Figure 5-16. E-mail Scan — Return Mail Configuration

Type the message you want to send, then click OK.

Send alert mail to user. Send an e-mail alert to another user.

If you select this option, click Configure to open the Send Mail Configuration dialog box.

Figure 5-17. E-mail Scan — Send Mail Configuration

Type the message you want to send, then click OK.

5 Under If Prompt for Action is selected, specify how you want to notify users when an infected e-mail is detected. You have these options:

Display custom message. Notify the user with a custom message. If you select this option, you can type the custom message in the text box.

Sound audible alert. Notify the user with an audible alert.

6 Click Apply to save your changes.

Report properties

Use the options on the Reports tab to configure logging activity. Specify the log file location and size, and what information you want to capture for each log entry.

NOTE: The log file can serve as an important management tool for tracking virus activity in e-mail and to record which settings you used to detect and respond to any virus that the scanner found. You can open the log file from your text editor for later review. The incident reports recorded in the file can help you determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer.

1 Start Microsoft Outlook.

2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog box:

Select E-mail Scan Properties from the Tools menu.

Click in the Outlook toolbar.

NOTE: If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.

3 Select the Reports tab.

4 Under Log file, select from these options:

Log to file. This option is selected by default. Record on-demand e-mail scanning virus activity in a log file.

In the text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable file elsewhere on your computer or network.

NOTE: By default, the scanner writes log information to the EMAILONDEMANDLOG.TXT file in this folder:

<drive>:\Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan

Limit size of log file to. This option is selected by default. The default log file size is 1MB. Accept the default log size or set a different size for the log. If you select this option, type a value between 1MB and 999MB.

NOTE: If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.

Figure 5-18. On-Demand E-mail Scan Properties — Reports tab

5 Under What to log in addition to virus activity, select the additional information that you want to record in the log file:

Session settings. Record the properties that you chose for each scanning session in the log file.

Session summary. This option is selected by default. Summarize the scanner’s actions during each scanning session and add the information to the log file. Summary information includes the number of files scanned, the number and type of viruses detected, the number of files moved, cleaned, or deleted, and other information.

Date and time. This option is selected by default. Record the date and time when a virus is detected.

User name. This option is selected by default. Record the name of the user logged on to the computer at the time the scanner records each log entry, in the log file.

Failure to scan encrypted files. This option is selected by default. Record the name of encrypted files that the scanner failed to scan in the log file.

6 Click Apply to save your changes.
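The Limit size of log file to behaviour described above determines how far back the activity log reaches during an investigation. The model below is an added example, not VirusScan Enterprise code: the 100-byte entries are constructed, and it assumes that the size check happens before each append and that the oldest 20 percent is counted in entries.

```python
CAP_BYTES = 1024 * 1024  # the guide's default "Limit size of log file to" value (1MB)


class CappedLog:
    """Model of a size-capped activity log.

    Assumptions (not stated in the guide): the size is checked before each
    append, and "oldest 20 percent" is measured in entries, not bytes.
    """

    def __init__(self, cap_bytes=CAP_BYTES):
        self.cap_bytes = cap_bytes
        self.entries = []  # oldest entry first
        self.size = 0      # bytes currently held
        self.dropped = 0   # entries deleted by trimming so far

    def append(self, entry):
        if self.entries and self.size + len(entry) > self.cap_bytes:
            cut = max(1, len(self.entries) * 20 // 100)  # oldest 20 percent
            self.size -= sum(len(e) for e in self.entries[:cut])
            del self.entries[:cut]
            self.dropped += cut
        self.entries.append(entry)
        self.size += len(entry)


def make_entry(seq):
    """Constructed 100-byte log line; the real log format is not shown in the guide."""
    text = f"{seq:08d} constructed detection record".encode()
    return text.ljust(99, b".") + b"\n"


def simulate(total_entries, cap_bytes=CAP_BYTES):
    """Write total_entries numbered entries and report what is still in the log."""
    log = CappedLog(cap_bytes)
    for seq in range(1, total_entries + 1):
        log.append(make_entry(seq))
    return {
        "retained": len(log.entries),
        "oldest_seq": int(log.entries[0][:8]),
        "dropped": log.dropped,
        "size": log.size,
    }


if __name__ == "__main__":
    for total in (10_485, 50_000):
        print(total, simulate(total))
```

With these constructed entries the 1MB log holds at most 10,485 records, so the record of a first detection is gone once later activity has wrapped the file; a larger limit extends that window.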

Running the on-demand e-mail task

To run your on-demand e-mail task:

1 Start Microsoft Outlook.

2 Use one of these methods to start an on-demand e-mail scan from Microsoft Outlook:

Select Scan for viruses from the Tools menu.

Click in the Outlook toolbar.

NOTE: If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.

3 Close the dialog box when the on-demand e-mail scan completes.

Figure 5-19. On-Demand E-mail Scan

Viewing on-demand e-mail scan results

You can view the results from your scanning operation in the On-Demand E-Mail Scan dialog box while the scan is running, or in the activity log after the scan completes.

The following topic is addressed in this section:

Viewing the on-demand e-mail activity log

Viewing the on-demand e-mail activity log

The on-demand e-mail scan activity log shows specific details about the scanning operation. For example, it shows the number of attachments that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Navigate to the EMAILONDEMANDLOG.TXT file in this location:

<drive>:\Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan

2 Open the activity log file.

3 To close the activity log, select Exit from the File menu.

6 Virus Alerting

VirusScan Enterprise software provides several methods for informing you of the progress and outcome of scanning activities. For example, you can review the results of any scan after it has concluded by examining the Activity Log. You can also see the results of all scans on the VirusScan Enterprise Console. But neither of these methods notifies you immediately when the scanner detects a virus on the computer. Although the console also includes a real-time display of scanning activities, you cannot be watching the screen at all times. Providing you with immediate notification that a virus has been detected is the function of Alert Manager, a discrete component that is incorporated into VirusScan Enterprise software and other Network Associates client/server security and management solutions.

Alert Manager handles alerts and events generated by your anti-virus software in real time. In a typical configuration, Alert Manager resides on a central server and listens for alerts sent to it by client or server anti-virus software applications on the network. This client software can be workstation or server applications. Alert Manager allows you to configure two basic aspects of alerting:

Where and how alerts are sent.

What the alert message is.

See the Alert Manager Product Guide for more detailed information.

The following topics are addressed in this section:

Configuring Alert Manager

Configuring recipients and methods

Customizing alert messages

Configuring Alert Manager

Use the options on the Alert Properties dialog box to determine when and how you are notified when the scanner detects a virus.

To open the Alert Properties dialog box:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Alerts from the Tools menu.

Figure 6-1. VirusScan Console

The Alert Properties dialog box appears.

3 Under Which components will generate alerts, select the components that you want to communicate with Alert Manager. Choose any combination of these options:

On-Access Scan. This option is selected by default.

On-Demand Scan and scheduled scans. This option is selected by default.

E-Mail Scan. This option is selected by default.

AutoUpdate. This option is selected by default.

Figure 6-2. Alert Properties

4 Under Alert Manager destination selection, click Destination to open the Alert Manager Client Configuration dialog box.

You can disable or enable the alerting feature, determine which method of alerting to use when an event occurs, and specify which server receives alerts.

a Under Alerting Options, specify the alerting method that meets your needs:

Figure 6-3. Alert Manager Client Configuration

Disable Alerting. Do not send an alert when an event occurs.

Enable Alert Manager alerting. This option is selected by default. Activates the Alert Manager alerting method.

Configure. If you selected Enable Alert Manager alerting, click Configure to open the Select Alert Manager Server dialog box.

Figure 6-4. Select Alert Manager Server

b Click OK to save your changes and return to the Alert Properties dialog box.

Under Destination for Alerts, type the location for the Alert Manager Server to receive alerts, or click Browse to navigate to the location.

Click OK to save your changes and return to the Alert Manager Client Configuration dialog box.

Enable Centralized alerting. Activates the Centralized alerting method. Centralized alerting provides an alternative to using regular Alert Manager messages. See Using Centralized Alerting on page 179 for more information.

NOTE: Due to security issues with shared folders, McAfee Security recommends that you do not use centralized alerting.

Configure. If you selected the option to Enable Centralized alerting, click Configure to open the Central Alerting Configuration dialog box.

Figure 6-5. Centralized Alerting Configuration

Under Destination for Alerts, type the location for the Central Alerting Shared Directory, or click Browse to navigate to the location.

Click OK to save your changes and return to the Alert Manager Client Configuration dialog box.

5 Under Configure the selected Alert Manager:

a Click Alert Messages to configure the Alert Manager Messages. See Customizing alert messages on page 181 for detailed instructions.

b Click Recipients to configure the Alert Manager Properties. See Configuring recipients and methods on page 155 for detailed instructions.

c Click Alert Messages to configure the Alert Manager Messages. See Customizing alert messages on page 181 for detailed instructions.

d When you have finished configuring Alert Manager Properties and Alert Manager Messages, click OK to close the Alert Properties dialog box.

NOTE: The buttons are disabled if Alert Manager is not installed.

Configuring recipients and methods

In the Alert Properties dialog box, click Recipients to open the Alert Manager Properties dialog box.

The Alert Manager Properties dialog box allows you to configure the recipients of alert messages sent out by Alert Manager, and also the method by which those recipients receive the alert messages. Recipients can be e-mail addresses or computers on your network. The methods by which recipients receive alert notifications can include e-mail messages or network pop-up messages.

To configure the recipients for a specific alert method:

1 Click the appropriate tab for a given alert method, such as Logging.

2 Configure the recipients that receive alert notifications using that alert method.

3 Click other tabs to configure recipients for any additional alert methods as required.

4 When finished, click OK to save the configurations and close the Alert Manager Properties dialog box.

Figure 6-6. Alert Manager Properties

For details on configuring specific alert methods and the recipients to which Alert Manager sends alert messages via those methods, refer to the sections of this Product Guide:

Viewing the Summary page on page 159

Forwarding alert messages to another computer on page 160

Sending an alert as a network message on page 164

Sending alert messages to e-mail addresses on page 166

Sending alert messages to a printer on page 170

Sending alert messages via SNMP on page 172

Launching a program as an alert on page 173

Logging alert notifications in a computer’s event log on page 175

Sending a network message to a terminal server on page 177. This method is only available if terminal services are running on the computer where Alert Manager is installed.

Using Centralized Alerting on page 179

Overview of adding alert methods

The various tabs of the Alert Manager Properties dialog box allow you to configure alerting methods. As you add each new method to your configuration, you have two options:

Sending a test message.

Setting the alert priority level for recipients.

Sending a test message

When using the tabs of the Alert Manager Properties dialog box to add new alert notification recipients, such as a network computer or an e-mail address, you can test whether the destination can receive the message. To send the selected destination a test message when configuring that method, click the Test button.

The message should appear at the configured destination if all is configured correctly.

NOTE: An e-mail alert may take some time to reach its destination, depending on both your SMTP server and the receiving e-mail server.

Test messages that do not reach the target

If the target does not receive the message, review the list and confirm, as applicable, that:

Any communication service required to implement the selected alerting method, such as e-mail or SNMP, is enabled.

Any device required to transmit or receive the message, such as a modem or pager, exists and is operational.

Any program that is to be executed in response to virus detection is located at the path specified and is installed properly.

Any destination printer or computer that you have targeted exists on your network.

Your network is functioning properly.

The configuration information you have provided is accurate and complete. Some property pages include secondary pages. For example, the E-Mail Properties page links to a Mail Settings page. Be certain to review the information on these secondary pages as well.

If you installed Alert Manager using an account and password, make sure that the specified account has sufficient rights for the action you are trying to perform.

Setting the alert priority level for recipients

You can specify a priority level for each recipient that you add to your Alert Manager configuration. Alert Manager only sends alert notifications of that priority level or higher to the specified recipient, such as an e-mail address.

This is useful for filtering alert notifications. For example, you may want to record alert messages of all priority levels to a computer’s event log using the Logging tab of the Alert Manager Properties dialog box (see Logging alert notifications in a computer’s event log on page 175). However, you may want Alert Manager to send only serious alert notifications to a network administrator’s pager via e-mail. To do this, set separate priority thresholds for your logging and e-mail recipients.

To set the alert priority level for a specific recipient:

1 On the Properties dialog box for an alert method, click the Priority Level button. See Figure 6-13 on page 165 for an example.

2 In the Priority Level dialog box, drag the slider right or left to set the priority level.

Drag to the right to send the recipient fewer, higher priority messages. Drag the slider to the left to send the recipient more alert messages, including lower priority messages.

3 Click OK to save the priority settings.

NOTE: On the Priority Level dialog box, you can specify the priority level for specific recipients, such as a computer on a network or an e-mail address. However, you cannot set the priority of individual alert messages here. For information on setting the priority levels of individual alert messages, see Customizing alert messages on page 181.

Figure 6-7. Priority Level

Viewing the Summary page

The Summary tab of the Alert Manager Properties dialog box lists the recipients to which Alert Manager sends any alert notifications it receives. Recipients are grouped by alert method.

Click next to each listed alert method to display the recipient computers, printers, or e-mail addresses. To remove an alert notification recipient, select it, then click Remove. To change the configuration options for a listed recipient, select it, then click Properties to open the Properties dialog box for that alert method.

When you install Alert Manager, it is by default configured to send a pop-up network message to the computer on which it is installed and to log alert notifications in that computer’s event log. If you have not yet configured Alert Manager to send alert notifications to any recipients, the Summary tab displays only these two methods. Alert Manager sets priority levels for these two default methods to send alert notifications of all priorities except for the lowest, Informational. See Setting the alert priority level for recipients on page 157 for details on priority.

The following sections describe the options available for each method.

Figure 6-8. Alert Manager Properties — Summary tab

Forwarding alert messages to another computer

Alert Manager can forward the alert messages received from McAfee anti-virus client or server products to another computer on your network that has Alert Manager installed. Typically, you would do this when you want to forward messages to another Alert Manager server for further distribution.

NOTE: Alert Manager 4.7 can only forward alert notifications to, and receive alerts forwarded from, servers running the same version of Alert Manager. Forwarding alert notifications between servers running older versions of Alert Manager is not supported.

These topics are included in this section:

Forwarding alerts in a large organization.

Forwarding alerts in a small organization.

Configuring alert forwarding options.

Forwarding alerts in a large organization

In a large organization you can use the forwarding feature to send alert notifications to a central notification system or to an MIS (Management Information System) department for tracking virus statistics and problem areas. Also, large organizations tend to be spread out geographically, often with offices in several different countries. In this case, you may want to use a single Alert Manager installed on a local server to handle alerting for that local subnetwork. You can then configure that local Alert Manager server to forward high priority alert notifications to another server in another part of your network for further distribution.

To do this, configure the local Alert Manager to forward alerts to the computer where the second Alert Manager is installed. You then need to configure the second Alert Manager to distribute alert notifications as desired. See Configuring alert forwarding options on page 162 for instructions.

Figure 6-9. Forward alerts to another Alert Manager

Forwarding alerts in a small organization

In a small organization, forwarding can also be useful. Suppose, for example, you want to send all high priority alert notifications to a specific pager via e-mail, but only one server on your network has direct Internet access.

To satisfy this requirement:

1 Configure Alert Manager on each Alert Manager server to forward high priority alert messages to the modem-equipped computer.

2 Configure Alert Manager on the modem-equipped computer to send high priority messages to the target pager’s e-mail address.

Configuring alert forwarding options

To configure forwarding options:

1 From the Alert Manager Properties dialog box, click the Forward tab.

The Forward page appears with a list of all of the computers you have chosen to receive forwarded messages. If you have not yet chosen a destination computer, this list is blank.

Figure 6-10. Alert Manager Properties — Forward tab


2 To update this list, you can do any of the following:

To add a computer, click Add to open the Forward Properties dialog box, then type the name of the computer that receives forwarded messages in the text box. You can type the computer name in Universal Naming Convention (UNC) notation, or click Browse to locate the computer on the network.

To remove a listed computer, select one of the destination computers listed, then click Remove.

To change configuration options, select one of the destination computers listed, then click Properties. Alert Manager opens the Forward Properties dialog box. Type the name of the computer to which you want Alert Manager to forward messages, or click Browse to locate the computer on the network.

3 Click Priority Level to specify which types of alert messages the destination computer receives. See Setting the alert priority level for recipients on page 157.

4 Click Test to send the destination computer a test message. See Sending a test message on page 156.

5 Click OK to return to the Alert Manager Properties dialog box.

Figure 6-11. Forward Properties


Sending an alert as a network message

Alert Manager can send alert messages to other computers. A standard message appears as a pop-up box on the recipient computer’s screen and requires the recipient to acknowledge it.

It is not necessary for the recipient computers to have Alert Manager installed. However, you might need to have the appropriate messaging client software for your operating system running on the recipient computer. This messaging software is always pre-installed on newer versions of the Windows operating system, such as Windows NT, Windows 2000, and Windows XP. This service is usually running by default.

To configure Alert Manager to send alert notifications as network messages:

1 Open the Alert Manager Properties dialog box.

2 Click the Network Message tab. The Network Message page appears with a list of the computers that you have configured to receive a network message. If you have not yet chosen a recipient computer, this list is blank.

Figure 6-12. Alert Manager Properties — Network Message tab


3 To update this list, you can do any of the following:

To add a computer, click Add to open the Network Message Properties dialog box. You can specify a recipient computer in one of two ways. You can type the name of the computer directly into the Computer: text box in UNC format, or you can select Browse to locate the computer on the network.

To remove a listed computer, select one of the recipient names listed, then click Remove.

To change configuration options, select one of the recipient names listed, then click Properties. Alert Manager opens the Network Message Properties dialog box. Change the information in the Computer: text box as necessary.

4 Click Priority Level to specify which types of alert messages the recipient receives. See Setting the alert priority level for recipients on page 157.

5 Click Test to send the recipient a test message. See Sending a test message on page 156.

6 Click OK to return to the Alert Manager Properties dialog box.

Figure 6-13. Network Message Properties


Sending alert messages to e-mail addresses

Alert Manager can send alert messages to a recipient’s e-mail address via Simple Mail Transfer Protocol (SMTP). Alert messages appear in the recipient’s mail box. If your message is particularly urgent, you can supplement an e-mail message with other methods, such as pop-up network messages, to ensure that your recipient sees the alert in time to take appropriate action.

NOTE: An e-mail alert may take some time to reach its destination, depending on both your SMTP server and the receiving e-mail server.

To configure Alert Manager to send e-mail alert notifications to recipients:

1 Open the Alert Manager Properties dialog box.

2 Click the E-Mail tab.

The E-Mail page appears with a list of the e-mail addresses that you have chosen to receive alert messages. If you have not yet chosen an e-mail address, this list is blank.

Figure 6-14. Alert Manager Properties — E-Mail tab


3 To update this list, you can do any of the following:

To add an e-mail address to the list, click Add to open the E-Mail Properties dialog box. Type the e-mail address for your alert notification recipient in the Address text box, type a subject in the Subject text box, then type your e-mail address in the From text box. Use the standard Internet address format <user name>@<domain>, such as [email protected].

To control the truncation of longer messages, for example, a message containing a very long file and path name, append the address with a “*”, like this: [email protected]*. For more information, see Forcing truncation of messages sent to specific e-mail addresses on page 169.

To remove a listed address, select one of the e-mail addresses listed, then click Remove.

To change configuration options, select one of the e-mail addresses listed, then click Properties. Alert Manager opens the E-Mail Properties dialog box. Change the information in the text boxes as necessary.

Figure 6-15. E-Mail Properties


4 Click Mail Settings to specify the network server you use to send Internet mail via SMTP.

NOTE: You must click Mail Settings and specify an SMTP server to be able to send e-mail alert notifications. Do not skip this step. Also, after configuring your SMTP mail settings the first time, you are not required to configure them again unless your SMTP mail server information changes.

a In the dialog box that appears, type the mail Server. You can type the server name as an Internet Protocol (IP) address, as a name your local domain name server can recognize, or in Universal Naming Convention (UNC) notation.

b If your SMTP server requires it, type a Login name to use for the mail server.

NOTE: Only type a login name in the Login field if your SMTP mail server is configured to use a login. Check your SMTP configuration to see if this is required. Typing a login name here when your mail server is not configured to use it may cause problems with e-mail alerting.

c Click OK to return to the E-Mail Properties dialog box.

Figure 6-16. SMTP Mail Settings


5 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 157.

6 Click Test to send the recipient computer a test message. See Sending a test message on page 156.

7 If the test message is successful, click OK to return to the Alert Manager Properties dialog box.

Forcing truncation of messages sent to specific e-mail addresses

Sometimes alert notification messages can become very long, particularly when they contain %FILENAME% system variables populated with file names that include very long path information. Very long messages containing long file and path names can be confusing and inconvenient. For example, when e-mail messages are sent to a pager, some pager services truncate long messages abruptly, potentially removing important information from the message. On the other hand, if a very long message does get through to a pager, the recipient might be forced to scroll through lines of path information in a file name to get to the critical information contained in the alert.

You have two options for managing long messages in e-mail alert notifications:

Append e-mail addresses with an asterisk (*), such as [email protected]*. Alert Manager truncates alerts sent to e-mail addresses that are appended with an asterisk according to the current system SMTP message length settings. The default SMTP length is 240 characters.

This is particularly valuable if Alert Manager sends alerts to pagers via e-mail. Some pager services have a short message length limit, for example 200 characters. If a message is intended to be delivered to a pager via an e-mail address, appending the address with an asterisk (*) lets you, instead of the pager company, control where the message is truncated.

You can also edit the message text in the Alert Manager Messages dialog box to make sure important message content is preserved in truncated messages. To do this, you could either abbreviate some parts of the message or move critical information to the beginning of the message, perhaps leaving long file names for the end of the message.


Sending alert messages to a printer

Alert Manager can send alert notifications to a printer to print hardcopy messages. To configure Alert Manager to send alert notifications to a print queue:

1 Open the Alert Manager Properties dialog box.

2 Click the Printer tab.

The Printer page appears with a list of all of the printer queues that you have chosen to receive alert messages. If you have not yet chosen a printer queue, this list is blank.

Figure 6-17. Alert Manager Properties — Printer tab


3 To update this list, you can do any of the following:

To add a print queue to the list, click Add to open the Printer Properties dialog box, then type the name of the print queue to which you want to send messages. You can type the print queue name or you can click Browse to locate the printer on the network.

To remove a listed print queue, select one of the printers listed, then click Remove.

To change configuration options, select one of the printers listed, then click Properties. Alert Manager opens the Printer Properties dialog box. Change the information in the Printer text box as necessary.

4 Click Priority Level to specify which types of alert notifications the recipient printer receives. See Setting the alert priority level for recipients on page 157.

5 Click Test to send the recipient printer a test message. See Sending a test message on page 156.

6 Click OK to return to the Alert Manager Properties dialog box.

Figure 6-18. Printer Properties


Sending alert messages via SNMP

Alert Manager can send alert messages to other computers via the Simple Network Management Protocol (SNMP). To use this option, you must install and activate the Microsoft SNMP service on your computer; see your operating system documentation for details. To view the alert messages that the client anti-virus software sends, you must also have an SNMP management system configured properly with an SNMP viewer. To set up and configure your SNMP management system, see the documentation for your SNMP management product.

To configure the scanner to send alert messages via SNMP:

1 Open the Alert Manager Properties dialog box.

2 Click the SNMP tab.

3 Select Enable SNMP traps.

4 If Alert Manager is installed on a computer running the Windows NT 4 operating system, you can click Configure SNMP to display your Windows Network dialog box and configure the Microsoft SNMP service. See your operating system documentation for details.

5 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 157.

6 Click Test to send the recipient computer a test message via SNMP. See Sending a test message on page 156.

Figure 6-19. Enable SNMP alerting


7 Click OK to save your changes and return to the Alert Manager Properties dialog box.

Launching a program as an alert

Whenever Alert Manager receives an alert that a virus has been detected, it can automatically start any executable program on your computer or anywhere on your network. By default, Alert Manager runs VIRNOTFY.EXE, which is installed in your Alert Manager installation folder. VIRNOTFY.EXE displays names of infected files in a scrolling dialog box on the screen of the computer where Alert Manager is installed.

NOTE: Alert Manager only launches a program when it receives alerts specifically pertaining to viruses. The %VIRUSNAME% and %FILENAME% system variables must be present in the alert message. See Using Alert Manager system variables on page 185. Alert Manager does not start a program unless these fields are present in the alert, regardless of the priority level set for the Program method. See Setting the alert priority level for recipients on page 157 for more information about priority levels.

To configure Alert Manager to execute a program when it finds a virus:

1 Open the Alert Manager Properties dialog box.

2 Click the Program tab to open the Program page.

Figure 6-20. Alert Manager Properties — Program tab


3 Select Execute Program.

4 Type the path and file name of the executable program that you want to run when your anti-virus software finds a virus, or click Browse to locate the program file on your computer or network.

5 Select one of the following:

To start the program only when your anti-virus software first finds a specific virus, click First Time.

To start the program each time the scanner finds a virus, click Every Time.

NOTE: If you select First Time, the program you designate starts as soon as the scanner initially encounters a specific virus, for example VirusOne. If the scanner finds more than one occurrence of VirusOne in the same folder, it does not start the program again. However, if, after encountering VirusOne, the scanner then encounters a different virus (VirusTwo), then encounters VirusOne again, the program starts in response to each encounter, in this example, three times in a row. Starting multiple instances of the same program might cause your server to run out of memory.

6 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 157.

Remember that the Program method does not run a program unless the alert pertains specifically to viruses. In other words, the alert must contain the %VIRUSNAME% and %FILENAME% system variables. All other alerts, regardless of priority level, are ignored.

7 Click Test to send the recipient computer a test message. See Sending a test message on page 156.


Logging alert notifications in a computer’s event log

Alert Manager can log alert messages to the local event log on your computer or the event log of another computer on your network.

To configure logging options:

1 Open the Alert Manager Properties dialog box.

2 Click the Logging tab.

The Logging page appears with a list of all of the computers you have chosen to receive messages for logging. If you have not yet chosen a recipient computer, this list is blank.

Figure 6-21. Alert Manager Properties — Logging tab


3 To update this list, you can do any of the following:

To add a computer, click Add to open the Logging Properties dialog box, then type the name of the computer that receives forwarded messages in the text box. You can type the computer name in Universal Naming Convention (UNC) notation, or you can click Browse to locate the computer on the network.

To remove a listed computer, click the computer in the list and click the Remove button.

To change configuration options, select one of the recipient computers listed, then click Properties. Alert Manager opens the Logging Properties dialog box. Type the name of the computer to which you want Alert Manager to forward messages for logging. Click Browse to locate the destination computer.

4 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 157.

5 Click Test to send the recipient computer a test message. See Sending a test message on page 156.

6 Click OK to return to the Alert Manager Properties dialog box.

Figure 6-22. Logging Properties


Sending a network message to a terminal server

Alert Manager can send alert messages to a terminal server. Pop-up network messages display to the user whose session originated the alert.

The Alert Manager Properties dialog box only displays the Terminal Server tab if the computer on which Alert Manager is installed is a terminal server.

To configure Alert Manager to send a message to a terminal server:

1 Open the Alert Manager Properties dialog box.

2 Click the Terminal Server tab.

3 To enable terminal server alerting, select Enable alerting to client.

Figure 6-23. Alert Manager Properties — Terminal Server tab


4 Click Test to send the recipient computer a test message. The Select client for test message dialog box appears, listing the current terminal server user sessions for that computer.

5 Select a user from the list and click OK to send that user a test message and return to the Alert Manager Properties dialog box.

6 Click Priority Level to specify which types of alert messages the terminal server users should receive. See Setting the alert priority level for recipients on page 157.

7 Click OK to save the terminal server settings and return to the Alert Manager Properties dialog box.

Figure 6-24. Send a terminal server user a test message


Using Centralized Alerting

Centralized Alerting provides an alternative to using regular Alert Manager messaging. With centralized alerting, alert messages generated by anti-virus software, such as VirusScan Enterprise, are saved to a shared folder on a server. Then, Alert Manager is configured to read alert notifications from that same folder. When the contents of the shared folder change, Alert Manager sends new alert notifications using whatever alerting methods Alert Manager is already configured to use, such as sending e-mail messages to a pager.

WARNING: Due to security issues with shared folders, McAfee Security recommends that you do not use centralized alerting. Instead, you should configure your client anti-virus software to use the regular Alert Manager alert notification methods.

To use centralized alerting:

1 Configure the anti-virus software on client computers to send alert messages to the appropriate alert folder. See your anti-virus software documentation for instructions on how to do this.

NOTE: To allow other workstations on your network to send messages to this folder, you must give file scan, write, create and modify permissions for this folder to all users and computers. See your operating system documentation for details.

2 Make sure that all your users and computers are able to read and write to this shared alert folder. If the folder is located on a computer running Windows NT, you must properly configure a null session share. See your operating system documentation for details.


3 Configure Alert Manager to monitor the centralized alert folder for activity. To do this:

a From the Alert Manager Properties dialog box, select the Centralized Alert tab.

b Select Enable centralized alerts.

c Type the location of the alert folder or click Browse to locate a folder elsewhere on your server or on the network. This must be the same folder that the anti-virus software on your client computers uses for centralized alerts (see Step 1). The default location of the alert folder is:

C:\Program Files\Network Associates\Alert Manager\Queue\.

4 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 157.

5 Click Test to send the recipient computer a test message. See Sending a test message on page 156.

6 Click OK to save your centralized alerting settings and return to the Alert Manager Properties dialog box.

Figure 6-25. Centralized Alerting Properties
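Because the procedure above requires write access to the alert folder for all users and computers, it is worth confirming how far an existing folder is opened before relying on alerts read from it. The following Python check is an added example, not part of the guide or of Alert Manager: it assumes a Windows version that provides the `icacls` command (the guide does not mention it), and the listing it parses is a constructed sample.

```python
import re

# Default alert folder quoted in the guide.
FOLDER = r"C:\Program Files\Network Associates\Alert Manager\Queue"

# Constructed sample of `icacls <folder>` output for a folder opened up the way
# the NOTE in step 1 describes. It was not captured from a real system.
SAMPLE = r"""C:\Program Files\Network Associates\Alert Manager\Queue Everyone:(OI)(CI)(M)
                                                        NT AUTHORITY\ANONYMOUS LOGON:(OI)(CI)(RX,WD,AD)
                                                        BUILTIN\Administrators:(OI)(CI)(F)
                                                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                        BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Accounts that stand for "all users and computers" rather than named operators.
BROAD_PRINCIPALS = {"everyone", "anonymous logon", "authenticated users",
                    "users", "domain users", "guests"}
# icacls rights that allow creating, changing or deleting files in the folder.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DC", "DE", "GW", "GA"}

ACE = re.compile(r"^(?P<who>[^:()]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_aces(listing, folder=FOLDER):
    """Return (principal, [tokens]) for every access control entry listed."""
    aces = []
    for line in listing.splitlines():
        if line.startswith(folder):
            line = line[len(folder):]      # the first entry shares a line with the path
        match = ACE.match(line.strip())
        if not match:
            continue                       # blank line or the summary line
        tokens = [token.strip()
                  for group in re.findall(r"\(([^)]*)\)", match["flags"])
                  for token in group.split(",")]
        aces.append((match["who"].strip(), tokens))
    return aces


def broad_write_grants(listing, folder=FOLDER):
    """List broad principals that are allowed to write to the alert folder."""
    findings = []
    for who, tokens in parse_aces(listing, folder):
        if "DENY" in tokens:
            continue                       # a deny entry grants nothing
        account = who.rsplit("\\", 1)[-1].lower()
        rights = sorted(set(tokens) & WRITE_RIGHTS)
        if account in BROAD_PRINCIPALS and rights:
            findings.append((who, rights))
    return findings


if __name__ == "__main__":
    for who, rights in broad_write_grants(SAMPLE):
        print("%s can write to the alert folder: %s" % (who, ",".join(rights)))
```

An empty result for a folder that clients still write to means the grants were made to named accounts or groups instead; a non-empty result is the exposure behind the WARNING at the start of this section.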


Customizing alert messages

Alert Manager comes with a wide range of alert messages suited to nearly all of the situations you may encounter when a virus is detected on a computer in your network. The alert messages include a preset priority level and incorporate system variables that identify the infected file and system, the infecting virus, and other information that you can use to get a quick but thorough overview of the situation.

To suit your own circumstances, you can enable or disable individual alert messages or change the contents and priority level for any message. Because Alert Manager still activates the alert message in response to specific trigger events, you should try to retain the overall sense of any alert messages you choose to edit.

Use the Alert Manager Messages dialog box to customize alert messages. See Configuring Alert Manager on page 150 for details on how to access the Alert Manager Messages dialog box.

From here, you can do either of the following:

Enabling and disabling alert messages.

Editing alert messages.

Figure 6-26. Alert Manager Messages


Enabling and disabling alert messages

Although VirusScan Enterprise can alert you whenever your anti-virus software finds a virus or whenever nearly any aspect of its normal operation changes significantly, you might not want to receive alert messages in each of these circumstances. Use the Alert Manager Messages dialog box to disable specific alert messages that you do not want to receive.

Next to each alert listed in the Alert Manager Messages dialog box is a checkbox. If this is selected, the alert is enabled. If it is not selected, it is disabled. By default, all of the available alert messages are enabled.

To enable or disable alert messages:

1 Select or deselect the corresponding checkbox for any alert messages you want to enable or disable.

2 Click OK to save your changes and close the Alert Manager Messages dialog box.

Editing alert messages

You can edit alert messages in the following two ways:

Changing alert priority.

Editing alert message text.


Changing alert priority

Some of the alerts that Alert Manager receives from your client anti-virus software require more immediate attention than others. A default priority level is set for each alert message, corresponding to the urgency most system administrators would assign them. You can reassign these priority levels to suit your own needs. Use them to filter the messages that Alert Manager sends to your recipients so your recipients can concentrate on the most important ones first.

To change the priority level assigned to an alert message:

1 On the Alert Manager Messages dialog box (see Customizing alert messages on page 181), click a message in the list once to select it.

2 Click Edit to open the Edit Alert Manager Message dialog box.

3 Choose a priority level from the Priority list. You can assign each alert message a Critical, Major, Minor, Warning, or Informational priority.

The icons shown beside each message listed in the Alert Manager Messages dialog box identify the priority level currently assigned to a message. Each icon corresponds to a choice in the Priority drop-down list. The priority levels are:

Critical. Indicates your anti-virus software detected viruses in files that could not be cleaned, quarantined or deleted.

Major. Indicates either that successful virus detection and cleaning has occurred or that serious errors and problems have occurred that might cause your anti-virus software to stop working. Examples include “Infected file deleted,” “No licenses are installed for the specified product,” or “Out of memory!”

Minor. Indicates lesser detection or status messages.

Warning. Indicates status messages that are more serious than informational messages. These often relate to non-critical problems encountered during the anti-virus scan.

Informational. Indicates standard status and informational messages, such as “On-Access scan started” or “Scan completed. No viruses found.”

Figure 6-27. Edit the priority and text of an alert message

As you reassign the priority for a message, the icon beside it changes to show its new priority status.

4 Click OK.

Filtering messages by priority level

To filter your messages, configure each alert method you have set up in Alert Manager to accept only messages of a certain priority. For example, suppose you want to have Alert Manager page you whenever your client anti-virus software finds a virus on your network, but do not want it to send routine operational messages. To do this, you would assign a Critical or Major priority to virus alerts, and a Minor, Warning, or Informational priority to the routine informational messages. Then, configure Alert Manager to send only high priority messages to the e-mail address that goes to your pager.

See Setting the alert priority level for recipients on page 157 for information about applying priority level filters for specific recipients.

Editing alert message text

To help you respond to a situation that requires your attention, Alert Manager includes enough information in its messages to identify the source of whatever problem it has found and some information about the circumstances in which it found the problem. You can edit the message text as desired. For example, you can add comments to the alert message that describe more about the problem or list support contact information.

NOTE: Although you can edit the alert message text to state what you want, you should try to keep its essence intact, because Alert Manager sends each message only when it encounters certain conditions. Alert Manager sends the “task has started” alert message, for example, only when it starts a task.

To edit the alert message text:

1 From the Alert Manager Messages dialog box, click the alert message in the list to select it.

2 Click Edit to open the Edit Alert Manager Message dialog box.

3 Edit the message text as desired. Text enclosed in percentage signs, such as %COMPUTERNAME%, represents a variable that Alert Manager replaces with text at the time it generates the alert message. See Using Alert Manager system variables on page 185.

4 Click OK to save your changes and return to the Alert Properties dialog box.


Using Alert Manager system variables

Alert Manager 4.7 includes system variables that you can use in alert message text. These variables refer to system features like system date and time, file names, or computer names. When sending alert notifications, Alert Manager dynamically replaces the variable with a specific value.

For example, the major alert Infected file successfully cleaned (1025) listed in the Alert Manager Messages dialog box is by default set to the following:

The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. The file was successfully cleaned with Scan engine version %ENGINEVERSION% and DAT version %DATVERSION%.

When this alert is sent to Alert Manager from an anti-virus application, Alert Manager dynamically populates the system variables with real values, for example displaying MYDOCUMENT.DOC for the %FILENAME% variable.

Some of the most commonly-used system variables are:

%DATVERSION% The version of the current DAT files used by the antivirus software that generated the alert.

%ENGINEVERSION% The version of the current antivirus engine used by the antivirus software to detect an infection or other problem.

%FILENAME% The name of a file. This could include the name of an infected file it found, or the name of a file it excluded from a scan operation.

%TASKNAME% The name of an active task, such as an On-Access scan or AutoUpdate task in VirusScan Enterprise. Alert Manager might use this to report the name of the task that found a virus, or the name of a task that reported an error during a scan operation.

%VIRUSNAME% The name of an infecting virus.

%DATE% The system date of the Alert Manager computer.

%TIME% The system time of the Alert Manager computer.

%COMPUTERNAME% The name of a computer as it appears on the network. This could include an infected computer, a computer that reported a device driver error, or any other computer with which the program interacted.

%SOFTWARENAME% The file name of an executable file. This could include the application that detected a virus, an application that reported an error, or any other application with which the program interacted.


%SOFTWAREVERSION% The version number taken from an active software package. This could include the application that detected a virus, an application that reported an error, or any other application with which the program interacted.

%USERNAME% The login name of the user currently logged on to the server. This can, for instance, inform you if somebody cancelled a scan.

WARNING: Be careful when editing message text to include system variables that might not be used by the event generating that alert message. Using system variables in alerts that do not use that system variable field could cause unexpected results, including garbled message text or even a system crash.

Following is a complete list of the Alert Manager system variables that can be used in Alert Manager messages:

%ACCESSPROCESSNAME%

%CLIENTCOMPUTER%

%COMPUTERNAME%

%DATVERSION%

%DOMAIN%

%ENGINESTATUS%

%ENGINEVERSION%

%EVENTNAME%

%FILENAME%

%GMTDAY%

%GMTHOUR%

%GMTMIN%

%GMTMONTH%

%GMTSEC%

%GMTTIME%

%GMTYEAR%

%INFO%

%MAILIDENTIFIERINFO%

%MAILSUBJECTLINE%

%MAILTONAME%

%NOTEID%

%NOTESDBNAME%

%NOTESSERVERNAME%

%LANGUAGECODE%

%LOCALDAY%

%LOCALHOUR%

%LOCALMIN%

%LOCALMONTH%

%LOCALSEC%

%LOCALTIME%

%LOCALYEAR%

%LONGDESCRIPT%

%MAILCCNAME%

%MAILFROMNAME%

%NUMCLEANED%

%NUMDELETED%

%NUMQUARANTINED%

%NUMVIRS%

%OBRULENAME%

%OS%

%PROCESSORSERIA%

%RESOLUTION%

%SCANRETURNCODE%

%SEVERITY%

%SHORTDESCRIPT%

%SOFTWARENAME%

%SOFTWAREVERSION%

%SOURCEIP%

%SOURCEMAC%

%SOURCESEG%

%TARGETCOMPUTERNAME%

%TARGETIP%

%TARGETMAC%

%TASKID%

%TASKNAME%

%TRAPID%

%TSCLIENTID%

%URL%

%USERNAME%

%VIRUSNAME%

%VIRUSTYPE%
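The warning above can be enforced before an edited message goes live. The following linter is an added example, not part of the product or of this guide: it checks each %NAME% token in a message template against the list above and, optionally, against the set of fields an event fills in. The event names and their field sets are assumptions made for illustration, because the guide does not publish that mapping.

```python
import re

# Alert Manager system variables, copied from the list above and spelled
# exactly as they are printed there.
KNOWN_VARIABLES = frozenset("""
ACCESSPROCESSNAME CLIENTCOMPUTER COMPUTERNAME DATVERSION DOMAIN ENGINESTATUS
ENGINEVERSION EVENTNAME FILENAME GMTDAY GMTHOUR GMTMIN GMTMONTH GMTSEC GMTTIME
GMTYEAR INFO MAILIDENTIFIERINFO MAILSUBJECTLINE MAILTONAME NOTEID NOTESDBNAME
NOTESSERVERNAME LANGUAGECODE LOCALDAY LOCALHOUR LOCALMIN LOCALMONTH LOCALSEC
LOCALTIME LOCALYEAR LONGDESCRIPT MAILCCNAME MAILFROMNAME NUMCLEANED NUMDELETED
NUMQUARANTINED NUMVIRS OBRULENAME OS PROCESSORSERIA RESOLUTION SCANRETURNCODE
SEVERITY SHORTDESCRIPT SOFTWARENAME SOFTWAREVERSION SOURCEIP SOURCEMAC
SOURCESEG TARGETCOMPUTERNAME TARGETIP TARGETMAC TASKID TASKNAME TRAPID
TSCLIENTID URL USERNAME VIRUSNAME VIRUSTYPE
""".split())

# A token is a name wrapped in percent signs, for example %VIRUSNAME%.
TOKEN = re.compile(r"%([A-Za-z0-9_]+)%")


def lint_alert_template(template, event_fields=None):
    """Return sorted (code, detail) findings for one alert message template.

    event_fields is the set of variables the triggering event fills in. The
    guide does not publish that mapping, so the caller supplies it (assumption).
    """
    findings = set()
    for match in TOKEN.finditer(template):
        name = match.group(1)
        if name not in KNOWN_VARIABLES:
            # Typo or invented name: it will never be substituted.
            findings.add(("unknown-variable", name))
        elif event_fields is not None and name not in event_fields:
            # Valid name, but this event does not use that field.
            findings.add(("not-populated-by-event", name))
    # Percent signs left over once every token is removed are unpaired.
    stray = TOKEN.sub("", template).count("%")
    if stray:
        findings.add(("stray-percent", str(stray)))
    return sorted(findings)


# Constructed sample data. Event names and field sets are hypothetical.
SAMPLE_EVENT_FIELDS = {
    "virus-detected": {"COMPUTERNAME", "USERNAME", "FILENAME", "VIRUSNAME", "LOCALTIME"},
    "scan-cancelled": {"COMPUTERNAME", "USERNAME", "TASKNAME", "LOCALTIME"},
}
SAMPLE_TEMPLATES = [
    ("virus-detected", "%VIRUSNAME% found in %FILENAME% on %COMPUTERNAME% at %LOCALTIME%"),
    ("scan-cancelled", "%USERNAME% cancelled %TASKNAME%; last detection was %VIRUSNAME%"),
    ("virus-detected", "Detected %VIRUSNAMES% (100% match) on %COMPUTERNAME%"),
]


def lint_all(templates=SAMPLE_TEMPLATES, event_fields=SAMPLE_EVENT_FIELDS):
    """Lint every (event, template) pair and return (event, template, findings)."""
    return [(event, text, lint_alert_template(text, event_fields[event]))
            for event, text in templates]


if __name__ == "__main__":
    for event, text, findings in lint_all():
        print(event, "|", text, "|", findings or "ok")
```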


7

Updating

The VirusScan Enterprise software depends on information in the virus definition (DAT) files to identify viruses. Without updated files, the product software might not detect new virus strains or respond to them effectively. Software that is not using current DAT files can compromise your virus-protection program.

New viruses appear at the rate of more than 500 per month. To meet this challenge, McAfee Security releases new DAT files every week, incorporating the results of its ongoing research into the characteristics of new or mutated viruses. The AutoUpdate feature makes it easy to take advantage of this service. It allows you to download the latest DAT files, scanning engine, and EXTRA.DAT simultaneously, using an immediate or scheduled update.

The following topics are addressed in this section:

Update strategies

System variables

AutoUpdate tasks

AutoUpdate repository list

Mirror tasks

Rollback DAT files

Manual updates


Update strategies

Updates can be performed using many methods. You can use update tasks, manual updates, login scripts, or you can schedule updates with management tools. This document discusses using the update tools provided in VirusScan Enterprise and updating manually. Any other implementations are beyond the scope of this document.

An efficient updating strategy generally requires that at least one client or server in your organization retrieve the updates from the Network Associates download site. From there, the files can be replicated throughout your organization, providing access for all other computers. Ideally, you should minimize the amount of data transferred across your network by automating the process of copying the updated files to your share sites.

For efficient updating, the main factors to consider are the number of clients and the number of sites. There may be additional considerations that affect your update schema, for example, the number of systems at each remote site and how remote sites access the Internet. However, the basic concepts of populating your share sites and scheduling updates apply to any size organization.

Using an update task to perform updates allows you to:

Schedule network-wide DAT file rollouts at convenient times and with minimal intervention from either administrators or network users. You might, for example, stagger your update tasks, or set a schedule that phases in, or rotates, DAT file updates to different parts of the network.

Split rollout administration duties among different servers or domain controllers, among different regions of wide-area networks, or across other network divisions. Keeping update traffic primarily internal can also reduce the potential for network security breaches.

Reduce the likelihood that you need to wait to download new DAT or upgraded engine files. Traffic on McAfee computers increases dramatically on regular DAT file publishing dates and whenever new product versions appear. Avoiding the competition for network bandwidth enables you to deploy your new software with minimal interruptions.

For more information about updating and using McAfee Installation Designer or McAfee AutoUpdate Architect to configure and manage updates, see the VirusScan Enterprise Updating Implementation Guide.


System variables

System variables are supported for path definition when configuring AutoUpdate tasks, mirror tasks, and repositories. Some commonly-used system variables are:

Variable Definition

<COMPUTER_NAME> The name of the computer as it appears on the network.

<USER_NAME> The login name of the user currently logged on to the computer.

<DOMAIN_NAME> The name of the domain.

<SYSTEM_DRIVE> The name of the system drive. For example: C:

<SYSTEM_ROOT> The path to the root directory. For example: C:\WinNT

<SYSTEM_DIR> The path to the system directory. For example: C:\WinNT\System32

<TEMP_DIR> The path to the temporary directory. For example: C:\Documents and Settings\Administrator\Local Settings\Temp

<PROGRAM_FILES_DIR> The path to the Program Files directory. For example: C:\Program Files

<PROGRAM_FILES_COMMON_DIR> The path to the Common Files directory. For example: C:\Program Files\Common Files

<SOFTWARE_INSTALLED_DIR> The path to the location where the software is installed.

<PP_VAR_NAME> McAfee product variable name. For example: %ALLUSERSPROFILE%


AutoUpdate tasks

The AutoUpdate task is used to perform scheduled or immediate updates. You can update DAT files, the scanning engine, and the EXTRA.DAT file. See the VirusScan Enterprise Updating Implementation Guide for information about downloading HotFix, Service Pack, SuperDAT package, or .CAB files.

The VirusScan Enterprise product provides a default update task that is scheduled to update every Friday at 5:00 p.m. with one-hour randomization. The default update task is named AutoUpdate. You can rename and reconfigure the default AutoUpdate task. You can also create additional update tasks to meet your updating requirements.

The following topics are addressed in this section:

AutoUpdate task overview

Creating an AutoUpdate task

Configuring an AutoUpdate task

Running AutoUpdate tasks

Viewing the activity log


AutoUpdate task overview

The following diagram shows an overview of an AutoUpdate task:

Figure 7-1. AutoUpdate task overview


Creating an AutoUpdate task

To create a new AutoUpdate task:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Create a new update task using one of these methods:

Right-click a blank area in the console without selecting an item in the task list, then select New Update Task.

Select New Update task from the Task menu.

A new update task appears, highlighted, in the VirusScan Console task list.

3 Accept the default task name or type a new name for your task, then press ENTER to open the AutoUpdate Properties dialog box. See Configuring an AutoUpdate task on page 193 for detailed configuration information.

NOTE: If you create update tasks via ePolicy Orchestrator 3.0 or later, and enable task visibility, these update tasks are visible in the VirusScan Console. These ePolicy Orchestrator tasks are read-only and cannot be configured from the VirusScan Console. See the VirusScan Enterprise Configuration Guide for use with ePolicy Orchestrator 3.0 for more information.


Configuring an AutoUpdate task

You can configure and schedule an AutoUpdate task to meet your requirements.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Open the AutoUpdate Properties dialog box using one of these methods:

Highlight the task in the console task list, then select Properties from the Task menu.

Double-click the task in the task list.

Right-click the task in the task list, then select Properties.

Highlight the task in the task list, then click .

NOTE: Configure the update task before you click either Schedule or Update Now.

3 In the Log file text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable location. System variables are supported. See System variables on page 189 for more information.

NOTE: By default, log information is written to the UPDATELOG.TXT file in this folder:

<drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan

Figure 7-2. AutoUpdate Properties — New Update Task


4 Under Run options, you can specify an executable file to start after the AutoUpdate task finishes running. For example, you might use this option to start a network message utility that notifies the administrator that the update operation completed successfully.

Enter the executable to be run after the Update has completed. Type the path of the executable you want to run, or click Browse to locate it.

Only run after successful update. Run the executable program only after a successful update. If the update is not successful, the program you specified does not run.

NOTE: The program file that you specify must be executable by the currently logged on user. If the currently logged on user does not have access to the folder containing the program files, or if there is no currently logged on user, the program does not run.

5 Click Schedule to schedule the update task. See Scheduling Tasks on page 221 for more information.

6 Click Apply to save your changes.

7 To run the update task immediately, click Update Now.

8 Click OK to close the AutoUpdate Properties dialog box.

NOTE: The update task uses the configuration settings in the AutoUpdate repository list to perform the update. See AutoUpdate repository list on page 199 for more information.


Running AutoUpdate tasks

Once you have configured your task with the update properties you want, you can run the update task. The following topics are addressed in this section:

Running the update task

Activities that occur during an update task

Running the update task

Updates can be executed immediately as needed or scheduled for a convenient time. If the update task is interrupted during execution, it automatically resumes as follows:

Tasks that are updating from an HTTP, UNC, or local site. If the update task is interrupted for any reason during the update, the task resumes where it left off the next time the update task starts.

Tasks that are updating from an FTP site. The task does not resume if interrupted during a single file download. However, if a task is downloading several files and is interrupted, the task resumes before the file that was being downloaded at the time of the interruption.

To run an update task:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Run the update task using one of these methods:

Update as scheduled. If you scheduled the update, allow the task to run unattended.

NOTE: Your computer must be active to run an update task. If your computer is not operating when the task is scheduled to start, the task starts at the next scheduled time if the computer is active, or when the computer starts if you selected the Run missed task option on the Schedule Settings, Schedule tab.

Update immediately. You can start update tasks immediately using three methods:

Update Now command for the default update task.

Start command for all update tasks.

Update Now command for all update tasks.


Update Now command for the default update task

You can use Update Now to immediately start the default update task.

NOTE: Update Now only works with the default update task, which was created when you installed the product. You can rename and reconfigure the default update task, but if you delete the default task, Update Now becomes disabled.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Use one of these methods to perform an immediate update using Update Now:

From the VirusScan Console, select Update Now from the Task menu.

Right-click in the system tray, then select Update Now.

3 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Start command for all update tasks

You can use Start from the VirusScan Console to immediately begin any update task.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Use one of these methods to start an immediate update from the VirusScan Console:

Highlight the task in the console task list, then select Start from the Task menu.

Right-click the task in the task list, then select Start.

Highlight the task in the task list, then click .

3 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.


Update Now command for all update tasks

You can use Update Now in the AutoUpdate Properties dialog box to immediately begin any update task.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Open the AutoUpdate Properties dialog box for the selected update task. For instructions, see Configuring an AutoUpdate task on page 193.

3 Click Update Now in the AutoUpdate Properties dialog box.

4 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Activities that occur during an update task

The following activities occur when you run an AutoUpdate task:

A connection is made to the first enabled repository (update site) in the repository list. If this repository is not available, the next repository is contacted, and so on until a connection is made, or until the end of the list is reached.

An encrypted CATALOG.Z file downloads from the repository. The CATALOG.Z file contains the fundamental data required to complete updating. This data is used to determine what files and/or updates are available.

The software versions in the CATALOG.Z are checked against the versions on the computer. If new software updates are available, they are downloaded.

Once the update is checked into the repository, the update is verified to confirm that it is applicable to VirusScan Enterprise and that the version is newer than the current version. Once this is verified, VirusScan Enterprise downloads the update when the next update task runs.


An EXTRA.DAT file can be used in an emergency to detect a new threat until the new virus is added to the weekly virus definition file. The EXTRA.DAT file is downloaded from the repository on each update. This ensures that if you modify and re-check the EXTRA.DAT in as a package, all VirusScan Enterprise clients download and use the same updated EXTRA.DAT package. For example, you may use the EXTRA.DAT as an improved detector for the same virus or additional detection for other new viruses. VirusScan Enterprise supports using only one EXTRA.DAT file.

NOTE: When you have finished using the EXTRA.DAT file, you should remove it from the master repository and run a replication task to ensure it is removed from all distributed repository sites. This stops VirusScan Enterprise clients from attempting to download the EXTRA.DAT file during an update.

By default, detection for the new virus in the EXTRA.DAT is ignored once the new virus definition is added to the weekly DAT files.

See AutoUpdate task overview on page 191 for a diagram of the updating process.
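The repository selection and version check described above can be modelled to audit a repository list before it is deployed. This is an added example, not McAfee code: it walks a constructed list in order, uses the first enabled repository that answers, and compares the versions that repository offers with the installed ones. It also shows a consequence of that ordering: a reachable but out-of-date mirror at the top of the list hides newer files further down. The repository names, the file server and all version numbers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Repository:
    name: str
    url: str
    enabled: bool = True
    reachable: bool = True  # stand-in for a real connection attempt
    catalog: dict = field(default_factory=dict)  # component -> version offered


def version_key(text):
    """Turn '4.2.60' or '4301' into a tuple of integers for comparison."""
    return tuple(int(part) for part in text.split("."))


def select_repository(repositories):
    """Return (first enabled repository that answers, names that failed)."""
    failed = []
    for repo in repositories:
        if not repo.enabled:
            continue  # disabled entries are never contacted
        if repo.reachable:
            return repo, failed
        failed.append(repo.name)
    return None, failed


def plan_update(repositories, installed):
    """Decide what one update task run would download for this client."""
    repo, failed = select_repository(repositories)
    download = {}
    if repo is not None:
        for component, offered in repo.catalog.items():
            current = installed.get(component)
            # Only installed components with a newer offered version qualify.
            if current is not None and version_key(offered) > version_key(current):
                download[component] = offered
    return {"repository": repo.name if repo else None,
            "failed": failed, "download": download}


def shadowed_updates(repositories):
    """List enabled repositories placed ahead of one that offers newer files."""
    findings = []
    enabled = [r for r in repositories if r.enabled]
    for index, repo in enumerate(enabled):
        for later in enabled[index + 1:]:
            for component, offered in later.catalog.items():
                mine = repo.catalog.get(component)
                if mine is not None and version_key(offered) > version_key(mine):
                    findings.append((repo.name, component, mine, later.name, offered))
    return findings


# Constructed sample: a branch mirror that missed a replication, followed by
# the two default sites named in this guide. Versions are made up.
SAMPLE_REPOSITORIES = [
    Repository("Branch mirror", r"\\fileserver01\McAfeeMirror",
               catalog={"DAT": "4301", "ENGINE": "4.2.60"}),
    Repository("NAI FTP", "ftp://ftp.nai.com/CommonUpdater",
               catalog={"DAT": "4303", "ENGINE": "4.2.60"}),
    Repository("NAI HTTP", "http://update.nai.com/Products/CommonUpdater",
               enabled=False, catalog={"DAT": "4303", "ENGINE": "4.2.60"}),
]
SAMPLE_INSTALLED = {"DAT": "4301", "ENGINE": "4.2.60"}

if __name__ == "__main__":
    print(plan_update(SAMPLE_REPOSITORIES, SAMPLE_INSTALLED))
    for finding in shadowed_updates(SAMPLE_REPOSITORIES):
        print("shadowed:", finding)
```

With the sample data the client reports nothing to download even though a newer DAT exists, which is why the age of each mirror is worth monitoring alongside the update task log.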

Viewing the activity log

The update task activity log shows specific details about the updating operation. For example, it shows the updated DAT file and engine version numbers.

To view the activity log:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Use either of these methods to open the activity log file:

Highlight the task, then select Activity Log from the Task menu.

Right-click the task in the task list and select View Log.

3 To close the activity log, select Exit from the File menu.


AutoUpdate repository list

The AutoUpdate repository list (SITELIST.XML) specifies repositories and configuration information necessary to perform an update task.

For example:

Repository information and location.

Repository order preference.

Proxy settings, where required.

Credentials required to access each repository.

NOTE: These credentials are encrypted.

The AutoUpdate repository list (SITELIST.XML) is located at different locations depending on your operating system.

For example, for Windows NT:

C:\Program Files\Network Associates\Common Framework\Data

For example, for Windows 2000:

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework

The following topics are addressed in this section:

AutoUpdate repositories

Configuring the AutoUpdate repository list


AutoUpdate repositories

A repository is a location from which you receive updates.

The VirusScan Enterprise software comes pre-configured with two repositories:

ftp://ftp.nai.com/CommonUpdater

http://update.nai.com/Products/CommonUpdater

The FTP repository is the default site. If you plan to use the FTP repository to perform updates, you are automatically configured to do so after the VirusScan Enterprise 7.1.0 installation process completes.

You can use either of these sites to download the latest updates if you are using VirusScan Enterprise 7.1.0 exclusively, or if you are using VirusScan Enterprise 7.1.0 in a mixed environment with VirusScan 4.5.1 or NetShield 4.5.

You can reorganize the repositories in the list or create new repositories to meet your requirements. The number of repositories that you need depends on your updating requirements. See Editing the AutoUpdate repository list on page 201 for more information.

Configuring the AutoUpdate repository list

You can configure the AutoUpdate repository list (SITELIST.XML) before installation, during installation, or after installation.

This guide addresses post-installation options. See the VirusScan Enterprise Updating Implementation Guide for more information about installation options.

The following topics are addressed in this section:

Importing the AutoUpdate repository list

Editing the AutoUpdate repository list


Importing the AutoUpdate repository list

To import an AutoUpdate repository list from another location:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|Import AutoUpdate Repository List.

3 In the Look in box, type the location for the .XML file, or click to navigate to the location, then select a file.

4 Click Open to import the AutoUpdate repository list.

NOTE: To import a customized AutoUpdate repository list, to specify source repositories from which to obtain software, or to use multiple update locations that can replicate from a master repository, you must use the McAfee AutoUpdate Architect™ utility with VirusScan Enterprise. Refer to the McAfee AutoUpdate Architect Product Guide for more information.

Editing the AutoUpdate repository list

Use the Edit AutoUpdate Repository List dialog box to add new AutoUpdate repositories to the list, configure them, edit and remove existing repositories, and organize the repositories in the list.

The following topics are addressed in this section:

Adding and editing repositories

Removing and reorganizing repositories

Specifying proxy settings

Figure 7-3. Import AutoUpdate Repository List


Adding and editing repositories

AutoUpdate repositories can be added or edited from the Edit AutoUpdate Repository List dialog box.

NOTE: You can also create repositories using McAfee AutoUpdate Architect and export them to VirusScan Enterprise. See the McAfee AutoUpdate Architect Product Guide for more information about using it to create and export AutoUpdate repositories.

AutoUpdate repositories can have a state of Enabled or Disabled.

Enabled — A defined repository that may be used during the AutoUpdate process.

Disabled — A defined repository that you do not want to access during the AutoUpdate process.

To add or edit a repository in the AutoUpdate repository list:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|Edit AutoUpdate Repository List.

3 Select the Repositories tab. The FTP repository is the default download site.

Figure 7-4. Edit AutoUpdate Repository List — Repositories tab


4 Choose from these actions:

To add a repository, click Add to open the Repository Settings dialog box.

To edit a repository, highlight it in the Repository Description list, then click Edit to open the Repository Settings dialog box.

5 In the Repository description text box, type the name or description for this repository.

6 Under Retrieve files from, select the repository type or path from these choices:

HTTP repository. This option is selected by default. Use the HTTP repository location that you designate as the repository from which you retrieve the update files.

NOTE: An HTTP site, like FTP, offers updating independent of network security, but supports higher levels of concurrent connections than FTP.

Figure 7-5. Repository Settings


FTP repository. Use the FTP repository location that you designate as the repository from which you retrieve the update files.

NOTE: An FTP site offers flexibility of updating without having to adhere to network security permissions. FTP has been less prone to unwanted code attack than HTTP, so it may offer better tolerance.

UNC path. Use the UNC path that you designate as the repository from which you retrieve the update files.

NOTE: A UNC site is the quickest and easiest to set up. Cross domain UNC updates require security permissions for each domain, which makes update configuration more involved.

Local path. Use the local site that you designate as the repository from which you retrieve the update files.

7 Under Repository details, the information you type depends on the repository type or path you selected under Retrieve files from. System variables are supported. See System variables on page 189 for more information. Choose from the following:

If you selected HTTP repository or FTP repository, see HTTP or FTP repository details on page 205 for detailed instructions.

If you selected UNC path or Local path, see UNC path or Local path repository details on page 206 for detailed instructions.


HTTP or FTP repository details

If you selected HTTP or FTP repository:

1 Under Repository details, type the path to the repository you selected, the port number, and specify security credentials for accessing the repository.

URL. Type the path to the HTTP or FTP repository location:

Figure 7-6. Repository details — HTTP or FTP site

HTTP. Type the location for the HTTP server and folder where the update files are located. The default McAfee HTTP repository for DAT file updates is located at:

http://update.nai.com/Products/CommonUpdater

FTP. Type the location for the FTP server and folder where the update files are located. The default McAfee FTP repository for DAT file updates is located at:

ftp://ftp.nai.com/CommonUpdater


Port. Type the port number for the HTTP or FTP server you selected.

Use authentication or Use anonymous login. The title differs depending on whether you have selected HTTP path or FTP path. Specify security credentials for accessing the repository. Type a User name and Password, then Confirm password.

NOTE: Download credentials are required for FTP and UNC repositories, but are optional for HTTP repositories. The credentials you specify are used by AutoUpdate to access the repository so that it can download the required update files. When configuring the account credentials on the repository, ensure that the account has read permissions to the folders containing the update files.

FTP updates support anonymous repository connections.

2 Click OK to save your changes and return to the AutoUpdate Repositories List dialog box.

UNC path or Local path repository details

If you selected UNC or Local path:

Figure 7-7. Repository details — UNC or Local path


1 Under Repository details, type the path to the repository you selected and determine whether to use the logged on account or add security by specifying a user name and password. System variables are supported. See System variables on page 189 for more information.

Path. Type the path to the location from which you want to retrieve the update files.

UNC path. Using UNC notation (\\servername\path\), type the path of the repository where the update files are located.

Local path. Type the path of the local folder in which you have placed the update files, or click Browse to navigate to the folder.

NOTE: The path can be that of a folder on a local drive or a network drive.

Use logged on account. Determine which account you want to use:

Select Use logged on account to use the account that is currently logged on.

Deselect Use logged on account to use a different account, then type the Domain, User name, Password, and Confirm password.

NOTE: Download credentials are required for FTP and UNC repositories, but are optional for HTTP repositories. The credentials you specify are used by AutoUpdate to access the repository so that it can download the required update files. When configuring the account credentials on the repository, ensure that the account has read permissions to the folders containing the update files.

With UNC updates, you have the additional option to use the logged on account. This allows the update task to make use of the logged on users’ permissions to access the repository.

2 Click OK to save your changes and return to the Repositories tab.


Removing and reorganizing repositories

To remove or reorganize repositories in the repository list:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|Edit AutoUpdate Repository List.

3 Select the Repositories tab.

4 To remove or reorganize repositories in the repository list, choose from the following:

To remove a repository, highlight it in the list, then click Delete.

To reorganize the repositories in the list, highlight a repository, then click Move up or Move down repeatedly until the repository has moved to the place in the list that you want it.

NOTE: The order in which the repositories are listed is the order in which they are accessed during an update operation.

Figure 7-8. Edit AutoUpdate Repository List — Repositories tab


Specifying proxy settings

Proxy servers are commonly used as part of Internet security to mask Internet users’ computers from the Internet, and improve access speed by caching commonly accessed sites.

If your network uses a proxy server, you can specify which proxy settings to use, the address of the proxy server, and whether to use authentication. Proxy information is stored in the AutoUpdate repository list (SITELIST.XML). The proxy settings you configure here apply to all the repositories in this repository list.

To specify proxy settings:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|Edit AutoUpdate Repository List.

3 Select the Proxy settings tab.

Figure 7-9. Edit AutoUpdate Repository List — Proxy settings tab


4 Determine whether you want to use a proxy and, if you do, which settings you want to use. Choose from these options:

Don’t use a proxy. Do not specify a proxy server. Select this option, then click OK to save your settings and close the Edit AutoUpdate Repository List dialog box.

Use Internet Explorer proxy settings. This option is selected by default. Use the proxy settings for the currently installed version of Internet Explorer. Select this option, then click OK to save your settings and close the Edit AutoUpdate Repository List dialog box.

Manually configure the proxy settings. Configure the proxy settings to meet your specific needs. System variables are supported. See System variables on page 189 for more information.

Select this option, then type the address and port information for the repository you selected:

HTTP Address. Type the address of the HTTP proxy server.

HTTP Port. Type the port number of the HTTP proxy server.

FTP Address. Type the address of the FTP proxy server.

FTP Port. Type the port number of the FTP proxy server.

Determine whether to use authentication for either the HTTP or FTP proxy server you specified. Choose from these options:

Use authentication for HTTP. Select this option to add authentication to the HTTP proxy, then type the HTTP user name, HTTP password, and HTTP confirm password.

Use authentication for FTP. Select this option to add authentication to the FTP proxy server, then type the FTP user name, FTP password, and FTP confirm password.


5 Click Exceptions to specify proxy exceptions. If you do not want to specify exceptions, skip this step and go to Step 6.

a Select Specify exceptions, then type the exceptions, using semicolons to separate the entries.

b Click OK to save your changes and return to the Proxy settings tab.

6 Click OK to save your changes and close the Edit AutoUpdate Repository List dialog box.

Figure 7-10. Proxy Exceptions


Mirror tasks

The VirusScan Enterprise software relies on a directory structure to update itself. The mirror task allows you to replicate the update files from the first accessible repository defined in the repository list, to a mirror site on your network. It is important to remember to replicate the entire directory structure when mirroring a site. This directory structure also supports previous versions of VirusScan and NetShield, as long as the entire directory structure is replicated in the same locations that VirusScan 4.5.1 used for updating.

The following shows the directory structure in the repository after using a mirror task to replicate the Network Associates repository:

Figure 7-11. Mirrored site

After you replicate the Network Associates site that contains the update files, computers on your network can download the files from the mirror site. This approach is practical because it allows you to update any computer on your network, whether or not it has Internet access; and efficient because your computers are communicating with a server that is probably closer than a Network Associates Internet site, therefore economizing access and download time. The most common use of this task is to mirror the contents of the Network Associates download site to a local server.


The following topics are addressed in this section:

Creating a mirror task

Configuring a mirror task

Running mirror tasks

Viewing the mirror task activity log

Creating a mirror task

You can create a mirror task for each mirror location you need.

To create a new mirror task:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Create a mirror task using one of these methods:

Right-click a blank area in the console without selecting an item in the task list, then select New Mirror Task.

Select New Mirror task from the Task menu.

A new mirror task appears, highlighted, in the VirusScan Console task list.

3 Accept the default task name or type a new name for your task, then press ENTER to open the AutoUpdate Properties dialog box. See Configuring a mirror task on page 214 for detailed configuration information.

NOTE: If you create mirror tasks via ePolicy Orchestrator 3.0 or later, and enable task visibility, these mirror tasks are visible in the VirusScan Console. These ePolicy Orchestrator tasks are read-only and cannot be configured from the VirusScan Console. See the VirusScan Enterprise Configuration Guide for use with ePolicy Orchestrator 3.0 for more information.


Configuring a mirror task

You can configure and schedule a mirror task to meet your requirements.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Open the AutoUpdate Properties dialog box using one of these methods:

Highlight the task in the console task list, then select Properties from the Task menu.

Double-click the task in the task list.

Right-click the task in the task list, then select Properties.

Highlight the task in the task list, then click .

NOTE: Configure the mirror task before you click Schedule or Mirror Now.

3 In the Log file text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable location. System variables are supported. See System variables on page 189 for more information.

NOTE: By default, log information is written to the VSEMIRRORLOG.TXT file in this folder:

<drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan

Figure 7-12. AutoUpdate Properties — New Mirror Task


4 Click Mirror Location to open the Mirror Location Settings dialog box:

a Type the path to the destination on the local system that you are using for the mirror site, or click Browse to navigate to the desired location. System variables are supported. See System variables on page 189 for more information.

b Click OK to return to the AutoUpdate Properties dialog box.

5 Under Run options, you can specify an executable file to start after the mirror task finishes running. For example, you might use this option to start a network message utility that notifies the administrator that the update operation completed successfully.

Enter the executable to be run after the Mirror has completed. Type the path of the executable you want to run, or click Browse to locate it.

Only run after successful mirror. Run the executable program only after a successful update. If the update is not successful, the program you selected does not run.

NOTE: The program file that you specify must be executable by the currently logged on user. If the currently logged on user does not have access to the folder containing the program files, or if there is no currently logged on user, the program does not run.

6 Click Schedule to schedule the mirror task. See Scheduling Tasks on page 221 for more information about scheduling tasks.

7 Click Apply to save your changes.

8 To run the mirror task immediately, click Mirror Now.

9 Click OK to close the AutoUpdate Properties dialog box.

NOTE: The Mirror task uses the configuration settings in the repository list to perform the update. See AutoUpdate repository list on page 199 for more information.

Figure 7-13. Mirror Location Settings


Running mirror tasks

Once you have configured the mirror task with the properties you want, you can run the mirror task using one of these methods:

Mirror as scheduled. If you scheduled the mirror task, allow it to run unattended.

NOTE: Your computer must be active to run a mirror task. If your computer is not operating when the task is scheduled to start, the task starts at the next scheduled time if the computer is active, or when the computer starts if you selected the Run missed task option on the Schedule Settings, Schedule tab.

Mirror immediately. You can start mirror tasks immediately using two methods:

Start command for mirror task.

Mirror Now command for mirror tasks.

Start command for mirror tasks

You can use Start from the VirusScan Console to immediately start any mirror task.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Use one of these methods to start an immediate mirror task from the VirusScan Console:

Highlight the task in the console task list, then select Start from the Task menu.

Right-click the task in the task list, then select Start.

Highlight the task in the task list, then click .

When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.


Mirror Now command for mirror tasks

You can use Mirror Now in the AutoUpdate Properties dialog box to immediately start any mirror task.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Open the AutoUpdate Properties dialog box for the selected mirror task. For instructions, see Configuring a mirror task on page 214.

3 Click Mirror Now in the AutoUpdate Properties dialog box.

4 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Viewing the mirror task activity log

The mirror task activity log shows specific details about the updating operation. For example, it shows the updated DAT file and engine version numbers.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Use either of these methods to open the activity log file:

Highlight the task, then select Activity Log from the Task menu.

Right-click the task in the task list and select View Log.

3 To close the activity log, select Exit from the File menu.

Rollback DAT files

Use this feature to roll back the DAT files to the last backed up version, if you find that the current DAT files are corrupt or incompatible for some reason. When you update DAT files, the old version is stored in this location:

C:\Program Files\Common Files\Network Associates\Engine\OldDats

When you roll back the DAT files, the current DAT files are replaced with the version in the OldDats folder, and a flag is set in the registry at this location:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szRollbackedDATS

Once the rollback occurs, you cannot go back to the previous version again. The next time an update is performed, the DAT version in the registry is compared with the DAT files in the update repository. If the new DAT files are the same as the ones flagged in the registry, no update occurs.


To roll back the DAT files:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|Rollback DATs. The McAfee Updater dialog box opens.

3 The rollback appears to be the same as an update, except that the details show Performing DAT rollback. When the rollback finishes, click Close to exit the McAfee AutoUpdate dialog box, or wait for the dialog box to close automatically.

NOTE: When you perform a rollback, the last backup of the DAT files is restored.

Figure 7-14. Rollback DATs — Update in Progress


Manual updates

McAfee Security recommends that you use the AutoUpdate task supplied with the VirusScan Enterprise software to install new DAT file or scanning engine versions. This utility offers an easy method for correctly updating the DAT files and scanning engine. To install DAT files yourself, however, you can download DAT and engine files manually from these update sites:

http://www.networkassociates.com/us/downloads/updates

ftp://ftp.nai.com/CommonUpdater

Regular DAT files. McAfee Security stores these files on its FTP site as .ZIP archives with the name DAT-XXXX.ZIP. The XXXX in the file name is a series number that changes with each DAT file release. To download these files, use a web browser or FTP client to connect with:

ftp://ftp.nai.com/CommonUpdater

Installable .EXE files. McAfee Security stores these files on its web site as a self-executing setup file named XXXXUPDT.EXE. Here, too, the XXXX is a series number that changes with each new DAT release. To download these files, use a web browser to connect with:

http://www.networkassociates.com/us/downloads/updates

Both files contain exactly the same DAT files. The difference between them is in how you use them to update your copy of the VirusScan Enterprise software.

To use the DAT-XXXX.ZIP archive, you must download the file, extract it from its archive, copy the files into the DAT folder, then restart the on-access scanner. See Updating from DAT file archives on page 220 for detailed steps.

To install DAT files that come with their own setup utility, you need only download the files to a temporary folder on your hard disk, then run or double-click the XXXXUPDT.EXE file. The setup utility stops the on-access scanner, copies the files to the correct folder, then restarts the on-access scanner.

NOTE: You may need administrator rights to write to the DAT folder.

Once updated, the new DAT files are picked up by the on-access scanner, the on-demand scanner, and the e-mail scanner, the next time each scanner starts.


Updating from DAT file archives

To install DAT file updates directly from a .ZIP archive without using AutoUpdate:

1 Create a temporary folder on your hard disk, then copy the DAT file .ZIP archive you downloaded to that folder.

2 Back up or rename these existing DAT files.

CLEAN.DAT

NAMES.DAT

SCAN.DAT

If you accepted the default installation path, these files are located in:

<drive>:\Program Files\Common Files\Network Associates\Engine\

3 Use WINZIP, PKUNZIP, or a similar utility to open the .ZIP archive and extract the updated DAT files.

4 Log on to the server you want to update. You must have administrator rights for the destination computer.

5 Copy the DAT files to the DAT folder.

6 Disable on-access scanning by stopping the McShield service, then enable it again by starting the McShield service.

7 Stop Microsoft Outlook, then restart it.

8 Stop on-demand scan tasks, then restart them.
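Steps 1 to 6 of the archive procedure above, written as a PowerShell script. This is an added example, not part of the product guide. It assumes PowerShell 5 or later, the default engine folder, and that the on-access scanner service is registered under the name McShield; the ManualDatBackup folder name and the parameter names are hypothetical.

```powershell
# Added example (not from the product guide): manual DAT update from a .ZIP archive.
# Assumptions: default engine folder, service name McShield, PowerShell 5+.
param(
    [Parameter(Mandatory)] [string] $ArchivePath,   # e.g. C:\Temp\DAT-XXXX.ZIP (placeholder name)
    [string] $EngineDir   = "$env:ProgramFiles\Common Files\Network Associates\Engine",
    [string] $ServiceName = 'McShield'
)

$ErrorActionPreference = 'Stop'
$required = 'CLEAN.DAT', 'NAMES.DAT', 'SCAN.DAT'

# Step 4: administrator rights are required on the destination computer.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) session.'
}

# Refuse to touch the engine folder unless the archive holds all three DAT files.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$archive = (Resolve-Path -LiteralPath $ArchivePath).ProviderPath
$zip = [System.IO.Compression.ZipFile]::OpenRead($archive)
try {
    $names = $zip.Entries | ForEach-Object { $_.Name }
} finally {
    $zip.Dispose()
}
$missing = $required | Where-Object { $names -notcontains $_ }
if ($missing) { throw "Archive is missing: $($missing -join ', ')" }

# Steps 1 and 3: extract into a fresh temporary folder.
$work = Join-Path $env:TEMP ('datupdate-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

try {
    [System.IO.Compression.ZipFile]::ExtractToDirectory($archive, $work)

    # Step 2: back up the existing DAT files (hypothetical folder name).
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $EngineDir "ManualDatBackup\$stamp"
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    foreach ($f in $required) {
        $current = Join-Path $EngineDir $f
        if (Test-Path -LiteralPath $current) { Copy-Item -LiteralPath $current -Destination $backup }
    }

    # Step 5: copy the new DAT files; put the backup back if any copy fails,
    # so the scanner is never left with a mixed set of DAT files.
    try {
        foreach ($f in $required) {
            $src = Get-ChildItem -Path $work -Recurse -File -Filter $f | Select-Object -First 1
            Copy-Item -LiteralPath $src.FullName -Destination (Join-Path $EngineDir $f) -Force
        }
    } catch {
        Get-ChildItem -Path $backup -File | Copy-Item -Destination $EngineDir -Force
        throw
    }

    # Step 6: stop and start the on-access scanner so it loads the new files.
    Restart-Service -Name $ServiceName

    # Audit record: hashes of the DAT files now in place.
    Get-ChildItem -Path $EngineDir -File |
        Where-Object { $required -contains $_.Name } |
        Get-FileHash -Algorithm SHA256
} finally {
    Remove-Item -LiteralPath $work -Recurse -Force
}

# Steps 7 and 8 (restarting Microsoft Outlook and the on-demand scan tasks)
# are interactive and are still done by hand.
```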


8

Scheduling Tasks

You have the option of scheduling VirusScan Enterprise tasks to run at specific dates and times, or intervals. Schedules can be configured to meet your company’s needs.

The following topics are addressed in this section:

Configuring task schedules


Configuring task schedules

You can schedule three types of tasks:

On-demand tasks — To schedule an on-demand task, open the On-Demand Scan Properties for the task, then click Schedule. The Schedule Settings dialog box opens.

For more information about on-demand tasks, see On-Demand Scanning on page 85.

AutoUpdate tasks — To schedule an AutoUpdate task, open the AutoUpdate Properties for the AutoUpdate task, then click Schedule. The Schedule Settings dialog box opens.

For more information about AutoUpdate tasks, see AutoUpdate tasks on page 190.

Mirror tasks — To schedule a mirror task, open the AutoUpdate Properties for the mirror task, then click Schedule. The Schedule Settings dialog box opens.

For more information about mirror tasks, see Mirror tasks on page 212.

The following topics are addressed in this section:

Task properties

Schedule properties


Task properties

Use the options on the Task tab to enable scheduling, specify a limit for the task run time, and add authentication for this task.

1 Select the Task tab.

2 Under Schedule Settings, specify whether you want the task to run at a specific time. You have these options:

Enable (scheduled task runs at specified time). Schedule the task to run at a specified time.

Stop the task if it runs for. Stop the task after a limited time. If you select this option, also type in or select the hours and minutes.

NOTE: If the task is interrupted before it completes, the next time it starts it resumes scanning from where it left off, unless the DAT files have been updated and you have selected the option to rescan all files when DAT files are updated. In that case, the scan starts over instead of resuming from where it left off.

Figure 8-1. Schedule Settings — Task tab


3 Under Task, specify authentication credentials for this task by entering the following information:

NOTE: The use of credentials is optional. If you do not type credentials here, the scheduled task runs under the local system account.

User. Type the user ID under which this task executes.

Domain. Type the domain for the user ID you specified.

Password. Type the password for the user ID and domain you specified.

4 Click Apply to save your changes.

NOTE: If you schedule a task using credentials, the account that you specify needs to have the Log on as a batch job privilege. Without this privilege, the spawned process cannot access network resources, even though it has the correct credentials. This is documented Windows NT behavior.

To give an account this privilege:

Start|Programs|Administrative Tools|Local Security Policy.

Security Settings|Local Policies|User Rights Assignments.

Double-click Log on as a batch job.

Add the user to the list.

Click OK to save your changes and close the dialog box.

Schedule properties

Use the options on the Schedule tab to specify the task frequency, when the task runs in time zones, whether you want to run the task at random times within specified intervals, whether to run missed tasks, and the delay times for missed tasks.

The following topics are addressed in this section:

Schedule task frequencies

Advanced schedule options

Scheduling tasks by frequency


Schedule task frequencies

The schedule frequency you select here affects the options you have available for scheduling days, weeks, months, and other frequencies. The frequency options are:

Daily. This option is selected by default. Run the task daily on the specified day(s). See Daily on page 227.

Weekly. Run the task weekly on the specified week(s) and day(s). See Weekly on page 229.

Monthly. Run the task monthly on the specified day(s) and months. See Monthly on page 230.

Once. Run the task once on the specified date. See Once on page 232.

At System Startup. Run the task at system startup and specify whether to run the task once per day and the number of minutes to delay the task. See At System Startup on page 233.

At Logon. Run the task at log on and specify whether to run the task once per day and the number of minutes to delay the task. See At Logon on page 234.

When Idle. Run the task when the computer is idle and specify the number of minutes. See When Idle on page 235.

Run Immediately. Run the task immediately. See Run Immediately on page 236.

Run On Dialup. Run the task on Dialup and specify whether to run the task once per day. See Run On Dialup on page 237.


Advanced schedule options

1 On the Schedule tab, under Schedule, click Advanced to open the Advanced Schedule Options dialog box.

Start Date. Click to select a date from the calendar. This field is optional.

End Date. Click to select a date from the calendar. This field is optional.

Repeat Task. Repeat the task at the frequency selected.

Every. Type the frequency or use the arrows to select a number, then select whether you want the frequency to be in minutes or hours.

Until. Select either Time (Local) and type in or select the time, or select Duration and type in or select the hour(s) and minute(s).

2 Click OK to return to the Schedule tab.

Figure 8-2. Advanced Schedule Options


Scheduling tasks by frequency

You can schedule a task for a date and/or time that meets your needs.

The following task frequencies are addressed in this section:

Daily

Weekly

Monthly

Once

At System Startup

At Logon

When Idle

Run Immediately

Run On Dialup

Daily

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Daily.

Figure 8-3. Schedule tab — Daily


Start Time. Type the start time for the scheduled task or use the arrows to select a time.

UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.

Local Time. This option is selected by default. Run the task independently in each local time zone.

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse.

You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours, would cause the task to run at any time between 1:00 and 4:00.

Run missed task. Ensures that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.

Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.

Advanced. Click this button to set advanced scheduling properties. See Advanced schedule options on page 226 for more information.

2 Under Schedule Task Daily, type in or select frequency in number of days, or use the arrows to select a number.

NOTE: Daily tasks can be run every so many days, or every day Monday through Sunday. If you only want to run the task on specific days of the week, other than every day Monday through Sunday, we recommend that you use the weekly task frequency.

3 Click OK to save your settings and close the Schedule Settings dialog box.


Weekly

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Weekly.

Start Time. Type the start time for the scheduled task or use the arrows to select a time.

UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.

Local Time. This option is selected by default. Run the task independently in each local time zone.

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse.

You can type a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours, would cause the task to run at any time between 1:00 and 4:00.

Figure 8-4. Schedule tab — Weekly


Run missed task. Ensures that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.

Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.

Advanced. Click this button to set advanced scheduling properties. See Advanced schedule options on page 226 for more information.

2 Under Schedule Task Weekly:

Every. Type the frequency in number of weeks.

Week(s) on. Select the days of the week.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Monthly

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Monthly.

Figure 8-5. Schedule tab — Monthly


Start Time. Type the start time for the scheduled task or use the arrows to select a time.

UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.

Local Time. This option is selected by default. Run the task independently in each local time zone.

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type the hours and minutes for the maximum time lapse.

You can type a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours, would cause the task to run at any time between 1:00 and 4:00.

Run missed task. Ensures that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.

Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.

Advanced. Click this button to set advanced scheduling properties. See Advanced schedule options on page 226 for more information.

2 Under Schedule Task Monthly, choose from these options:

Day of the month. Select the option and the day of the month.

Weekday of the month. Select this option to run the task on a specific day of the month (for example, first Sunday or second Wednesday).

Select First, Second, Third, Fourth, or Last option.

Select the day of the week on which to run this task each month.

Click Select Months to select specific months:

Select the months for which you want to run the task.

NOTE: All months are selected by default.

Click OK to return to the Schedule tab.

3 Click OK to save your settings and close the Schedule Settings dialog box.


Once

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Once.

Start Time. Type the start time for the scheduled task or use the arrows to select a time.

UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.

Local Time. This option is selected by default. Run the task independently in each local time zone.

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse.

You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours, would cause the task to run at any time between 1:00 and 4:00.

Figure 8-6. Schedule tab — Once


Run missed task. Ensures that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.

Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.

Advanced. Click this button to set advanced scheduling properties. See Advanced schedule options on page 226 for more information.

2 Under Schedule Task Once, click to select the date on which you want to run the task.

3 Click OK to save your settings and close the Schedule Settings dialog box.

At System Startup

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select At System Startup.

Figure 8-7. Schedule tab — At System Startup


2 Under Schedule Task at System Startup:

Only run this task once per day. Select this option to run this task once a day. If you do not select this option, the task runs every time startup occurs.

Delay task by. Select the number of minutes to delay the task. Choose from 0 to 99 minutes. This allows time for logon scripts to execute or user logon time.

3 Click OK to save your settings and close the Schedule Settings dialog box.

At Logon

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select At Logon.

2 Under Schedule Task at Logon:

Only run this task once per day. Select this option to run this task once a day. If you do not select this option, the task runs every time log on occurs.

Delay task by. Type the number of minutes to delay the task. Choose from 0 to 99 minutes. This allows time for logon scripts to execute or user logon time.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Figure 8-8. Schedule tab — At Logon


When Idle

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select When Idle.

2 Under Schedule Task When Idle, type in or select the number of minutes that you want the computer to be idle before it starts the task. Choose from 0 to 999 minutes.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Figure 8-9. Schedule tab — When Idle


Run Immediately

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Run Immediately.

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse.

You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours, would cause the task to run at any time between 1:00 and 4:00.

2 Click OK to save your settings and close the Schedule Settings dialog box.

Figure 8-10. Schedule tab — Run Immediately


Run On Dialup

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Run On Dialup.

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse.

You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours, would cause the task to run at any time between 1:00 and 4:00.

2 Under Schedule Task Run On Dialup, select whether to run the task once per day.

NOTE: Scheduling a task to Run On Dialup may be more useful for an AutoUpdate task than an on-demand task.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Figure 8-11. Schedule tab — Run On Dialup


A

Command-Line Scanner Program

A typical installation of the VirusScan Enterprise software includes the McAfee Security VirusScan Enterprise Command Line program. That program can be run from a Windows Command Line prompt.

The following topics are addressed in this section:

VirusScan Enterprise command-line options

On-demand scanning command-line options

Customized installation properties


VirusScan Enterprise command-line options

To run the VirusScan Enterprise Command Line program, change to the folder in which the file SCAN.EXE is located, and type SCAN. If you installed the VirusScan Enterprise program to its default location, the file can be found in:

C:\Program Files\Common Files\Network Associates\Engine\

The following table lists the options that can be added to the command SCAN. All the options listed can be used to configure both on-demand and on-access scans, unless otherwise noted.

Table A-1. VirusScan Command-Line Options

Command-Line Option Description

/? or /HELP Displays a list of VirusScan command-line options, each with a brief description.

You may find it helpful to add a list of scanning options to the report files that the VirusScan program creates. To do this, type scan /? /REPORT <file name> at the command prompt. The results of your scanning report are appended with the full set of options available for that scan task.

/ADL Scan all local drives—including compressed drives and PC cards, but not disks—in addition to any other drive(s) specified on the command line.

To scan both local and network drives, use the /ADL and /ADN commands together in the same command line.

/ADN Scan all network drives—including CD-ROM—for viruses, in addition to any other drive(s) specified on the command line.

Note: To scan both local drives and network drives, use the /ADL and /ADN commands together in the same command line.

/ALERTPATH <dir> Designates the directory <dir> as a network path to a remote NetWare volume or Windows NT directory, monitored by Centralized Alerting.

VirusScan sends an .ALR text file to the server when it detects an infected file.

From this directory, VirusScan Enterprise, through its Centralized Alerting feature, broadcasts or compiles the alerts and reports according to its established configuration.

Requirements:

You must have write-access to the directory you specify.

The directory must contain the VirusScan Enterprise-supplied CENTALRT.TXT file.


/ALL Overrides the default scan setting by scanning all infectable files—regardless of extension.

Notes: Using the /ALL option substantially increases the scanning time required. Use it only if you find a virus or suspect that you have one.

To get a current list of file type extensions run /EXTLIST at the command prompt.

/ANALYZE Sets the software to scan using its full heuristics, both program and macro.

Note: /MANALYZE targets macro viruses only; /PANALYZE targets program viruses only.

/APPEND Used with /REPORT <file name> to append report message text to the specified report file instead of overwriting it.

/BOOT Scan boot sector and master boot record only.

/CLEAN Clean viruses from all infected files and system areas.

/CLEANDOCALL As a precautionary measure against macro viruses, /CLEANDOCALL cleans all macros from Microsoft Word and Office documents if a single infection is found.

Note: This option deletes all macros, including macros not infected by a virus.

/CONTACTFILE <file name>

Display the contents of <file name> when a virus is found. It is an opportunity to provide contact information and instructions to the user when a virus is encountered. (McAfee Security recommends using /LOCK in tandem with this option.)

This option is especially useful in network environments, because you can easily maintain the message text in a central file instead of on each workstation.

Note: Any character is valid in a contact message except a backslash (\). Messages beginning with a slash (/) or a hyphen (-) should be placed in quotation marks.


/DAM A repair switch: deletes all macros in the event an infected macro is found. If no infected macro is found, no deletions are made.

If you suspect that there is an infection in your file, you may choose to strip all macros from a data file to minimize any possible exposure to a virus. To pre-emptively delete all macros in a file, use this option with /FAM:

scan <file name> /fam /dam

When using these two options in tandem, all found macros are deleted, whether or not an infection is found.

/DEL Deletes infected files permanently.

/EXCLUDE <file name> Do not scan the files listed in <file name>.

Use this option to exclude specific files from a scan. List the complete path to each file that you want to exclude on its own line. You may use wildcards * and ?

/EXTLIST Use this option to get a current list of file type extensions from the current DAT file.

/FAM Find all macros: not just macros suspected of being infected. It causes any macro found to be treated as a possible virus detection. No deletion of the found macros is made unless used in conjunction with the /DAM option.

If you suspect that there is an infection in your file, you may choose to strip all macros from a data file to minimize any possible exposure to a virus. To pre-emptively delete all macros in a file, use this option with /DAM:

scan <file name> /fam /dam

When using these two options in tandem, all found macros are deleted, whether or not an infection is found.

/FREQUENCY <n> Do not scan for <n> hours after the previous scan.

In environments where the risk of viral infection is low, use this option to prevent unnecessary scans.

Remember, the greater the scan frequency, the better your protection against infection.

/HELP or /? Displays a list of scanning options, each with a brief description.

You may find it helpful to add a list of scanning options to the report files the VirusScan program creates. To do this, type scan /? /REPORT <file name> at the command prompt. The results of your scanning report are appended with the full set of options available for that scan task.


/LOAD <file name> Load scanning options from the named file.

Use this option to perform a scan you’ve already configured by loading custom settings saved in an ASCII-formatted file.

/MANALYZE Enables heuristic scanning for macro viruses.

Note: /PANALYZE targets program viruses only; /ANALYZE targets both program and macro viruses.

/MANY Scans multiple disks consecutively in a single drive. The program prompts you for each disk.

Use this option to examine multiple disks quickly.

You cannot use the /MANY option if you run the VirusScan software from a boot disk and you have only one floppy drive.

/MOVE <dir> Moves all infected files found during a scan to the specified directory, preserving drive letter and directory structure.

Note: This option has no effect if the Master Boot Record or boot sector is infected, since these are not files.

/NOBEEP Disables the tone that sounds whenever the scanners find a virus.

/NOBREAK Disables CTRL+C and CTRL+BREAK during scans.

Users are not able to halt scans in progress with /NOBREAK in use.

/NOCOMP Skips the examination of compressed executables created with the LZ.EXE or PkLite file-compression programs.

This reduces scanning time when a full scan is not needed. Otherwise, by default, VirusScan examines the contents of executable, or self-decompressing, files by decompressing each file in memory and checking for virus signatures.

/NODDA No direct disk access. This prevents the scanners from accessing the boot record.

This feature has been added to allow the scanners to run under Windows NT.

You might need to use this option on some device-driven drives.

Using /NODDA with the /ADN or /ADL switches may generate errors when accessing empty CD-ROM drives or empty Zip drives. If this occurs, type F (for Fail) in response to the error messages to continue the scan.

/NOXMS Does not use extended memory (XMS).


/PANALYZE Enables heuristic scanning for program viruses.

Note: /MANALYZE targets macro viruses only; /ANALYZE targets both program and macro viruses.

/PAUSE Enables screen pause.

The “Press any key to continue” prompt appears when the program fills a screen with messages. Otherwise, by default, the program fills and scrolls a screen continuously without stopping, which allows it to run on PCs with multiple drives or that have severe infections without needing your input.

McAfee Security recommends omitting /PAUSE when using the report options (/REPORT, /RPTALL, /RPTCOR, and /RPTERR).

/REPORT <file name> Creates a report of infected files and system errors, and saves the data to <file name> in ASCII text file format.

If <file name> already exists, /REPORT overwrites it. To avoid overwriting, use the /APPEND option with /REPORT: the software adds report information to the end of the file, instead of overwriting it.

You can also use /RPTALL, /RPTCOR, and /RPTERR to add scanned files, corrupted files, modified files, and system errors to the report.

You may find it helpful to add a list of scanning options to the report files the VirusScan program creates. To do this, type scan /? /report <file name> at the command prompt. The results of your scanning report are appended with the full set of options available for that scan task.

You can include the destination drive and directory (such as D:\VSREPRT\ALL.TXT), but if the destination is a network drive, you must have rights to create and delete files on that drive.

McAfee Security recommends omitting /PAUSE when using any report option.

/RPTALL Includes the names of all scanned files in the /REPORT file.

You can use /RPTCOR with /RPTERR on the same command line.

McAfee Security recommends omitting /PAUSE when using any report option.


/RPTCOR Include corrupted files in /REPORT file.

When used with /REPORT, this option adds the names of corrupted files to the report file. Corrupted files that the VirusScan scanners find may have been damaged by a virus.

You can use /RPTCOR with /RPTERR on the same command line.

There may be false readings in some files that require an overlay or another executable to run properly (that is, a file that is not executable on its own).

McAfee Security recommends omitting /PAUSE when using any report option.

/RPTERR Include errors in /REPORT file.

When used with /REPORT, this option adds a list of system errors to the report file.

/LOCK is appropriate in highly vulnerable network environments, such as open-use computer labs.

You can use /RPTERR with /RPTCOR on the same command line.

System errors can include problems reading or writing to a disk or hard disk, file system or network problems, problems creating reports, and other system-related problems.

McAfee Security recommends omitting /PAUSE when using any report option.

/SUB Scans subdirectories inside a directory.

By default, when you specify a directory to scan other than a drive, the VirusScan scanners examine only the files it contains, not its subdirectories.

Use /SUB to scan all subdirectories within any directories you have specified. It is not necessary to use /SUB if you specify an entire drive as a target.

/UNZIP Scan inside compressed files.

/VIRLIST Displays the name of each virus that the VirusScan software can detect.

This file is over 250 pages long. This is too large for the MS-DOS “Edit” program to open; McAfee Security recommends using Windows Notepad or another text editor to open the virus list.


On-demand scanning command-line options

The VirusScan Enterprise on-demand scanner can be run from the Windows Command Line prompt, or from the Start menu’s Run dialog box. To run the program, change to the folder in which the file SCAN32.EXE is located, and type SCAN32. If you installed the VirusScan Enterprise program to its default location, the file can be found in:

C:\Program Files\Network Associates\VirusScan

The following table lists the options that can be added to the command SCAN32.

Table A-2. On-Demand Command-Line Arguments

Command-Line Option Description

SPLASH Displays the VirusScan splash dialog when opening the on-demand scanner.

NOSPLASH Conceals the VirusScan splash dialog when opening the on-demand scanner.

AUTOEXIT Exits the on-demand scanner upon completion of a non-interactive scan.

NOAUTOEXIT Does not exit on-demand scanner upon completion of a non-interactive scan.

ALWAYSEXIT Forces exit from on-demand scan, even if scan completed with error/failure.

NOALWAYSEXIT Does not force exit.

UINONE Launch the scanner without making the user interface dialog box visible.

SUB Include sub-folders of the target folders in the scan.

NOSUB Exclude sub-folders of the target folder from the scan.

ALL Scan all files in the target folder.

NOALL Scan only those files in the target folder that have file name extensions found on the list of specified file types.

COMP Scans archive files such as .ZIP, .CAB, .LZH, and .UUE files.

NOCOMP Excludes archive files from scan.

CONTINUE Scanning continues after a virus is detected.

PROMPT Prompts user for action when a virus is detected.

NOPROMPT Does not prompt user for action when a virus is detected.

CLEAN Cleans the infected target file when a virus is detected.

DELETE Deletes the infected file when a virus is detected.


MOVE Move (quarantine) the infected file to a pre-specified quarantine folder when a virus is detected.

BEEP Plays an audible beep on completion of a scan if an infected item is detected.

NOBEEP Suppresses the audible beep on completion of a scan even if an infected item is detected.

RPTSIZE Sets the size of the alert log, in kilobytes.

BOOT Scans the boot sectors before the current scan task runs.

NOBOOT Excludes the boot sectors from scanning.

EXT File extensions that you add, as parameters following this argument, replace the extensions on the list of selected file types that are included in scanning.

DEFEXT File extensions that you add, as parameters following this argument, are added to the list of selected file types that are included in scanning.

TASK Launches the on-demand scanner task specified in the VirusScan Enterprise Console. Requires an additional parameter specifying the task ID as recorded in the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\VirusScan EnterpriseNT\CurrentVersion\Tasks

SERVER Use this argument to specify the computer on which you want to start or stop a scan task.

CANCEL If a task fails, but the console continues to show it as running, use this argument to adjust the registry to show that the task is no longer running.

LOG Log infection reports to previously specified log file.

NOLOG Do not log infection reports.

LOGALL Log all responses to virus detection as events. This includes Prompt, Clean, Delete, and Move.

LOGDETECT Log detection of a virus as an event.

NOLOGDETECT Do not log detection of a virus as an event.

LOGCLEAN Log success or failure of a virus cleaning activity as an event.

NOLOGCLEAN Do not log success or failure of a virus cleaning activity as an event.


LOGDELETE Log deletion of an infected file as an event.

NOLOGDELETE Do not log deletion of an infected file as an event.

LOGMOVE Log the moving of an infected file to a quarantine folder as an event.

NOLOGMOVE Do not log the moving of an infected file as an event.

LOGSETTINGS Log the configuration settings of a scan task.

NOLOGSETTINGS Do not log the configuration settings for a scan task.

LOGSUMMARY Log a summary of scan task results.

NOLOGSUMMARY Do not log a summary of scan task results.

LOGDATETIME Log the date, start time, and end time of scanning activities.

NOLOGDATETIME Do not log date or time of scanning activities.

LOGUSER Log identifying information about the user who executes a scan task.

NOLOGUSER Do not log user information.

PRIORITY Sets the priority of the scan task relative to other CPU processes. Requires an additional numerical parameter. A value of 1 assigns priority to all other CPU processes. A value of 5 assigns the highest priority to the scan task.


Customized installation properties

You can customize the installation process using these properties when installing from the command line.

Table A-3. Customized Installation Properties

Command-Line Property Function

ALERTMANAGERSOURCEDIR Sets the default Alert Manager source path. The default path is \AMG.

You can set it yourself in SETUP.INI

CMASOURCEDIR Set the source path for the SITELIST.XML. The default path is the current directory from which SETUP.EXE is being run.

ENABLEONACCESSSCANNER False = A False value cannot be set.

True = Enable on-access scanner upon completion of installation. This is the default.

Note: If you do not want to enable the on-access scanner, set the property to "". This literally means ENABLEONACCESSSCANNER="", an empty string.

EXTRADATSOURCEDIR Set the source path for the EXTRA.DAT. During installation, the EXTRA.DAT is copied into the location where the engine files reside.

FORCEAMSINSTALL True = Install Alert Manager, if present.

INSTALLDIR Sets the default installation directory.

INSTALLCHECKPOINT False = Do not install the Check Point SCV integration.

True = Install the Check Point SCV integration.

LOCKDOWNVIURUSSCANSHORTCUTS False = A False value cannot be set.

True = Do not display any shortcuts under the start menu.

Note: To allow the shortcuts to be installed, set the property to "". This literally means LOCKDOWNVIURUSSCANSHORTCUTS="", an empty string. This is the default.


PRESERVESETTINGS Preserves settings upon upgrade of NetShield 4.5 or VirusScan 4.5.1.

False = A False value cannot be set.

True = Preserve settings. This is the default.

Note: If you do not want to preserve settings, set the property to "". This literally means PRESERVESETTINGS="", an empty string.

RUNAUTOUPDATE False = A False value cannot be set.

True = Run update upon completion of installation. This is the default.

Note: If you do not want to run update upon completion of installation, set the property to "". This literally means RUNAUTOUPDATE="", an empty string.

RUNONDEMANDSCAN False = A False value cannot be set.

True = Run a scan of all local drives upon completion of installation. This is the default.

Note: If you do not want to run the on-demand scanner at completion of installation, set the property to "". This literally means RUNONDEMANDSCAN="", an empty string.

RUNAUTOUPDATESILENTLY False = A False value cannot be set.

True = Run silent update upon completion of installation.

Note: If you do not want to run a silent update upon completion of installation, set the property to "". This literally means RUNAUTOUPDATESILENTLY="", an empty string.

RUNONDEMANDSCANSILENTLY False = A False value cannot be set.

True = Run on-demand scan silently upon completion of installation.

Note: If you do not want to run a silent on-demand scan upon completion of installation, set the property to "". This literally means RUNONDEMANDSCANSILENTLY="", an empty string.


SUPPRESSAMSINSTALL True = Suppress installation of Alert Manager.

VIRUSSCANICONLOCKDOWN Lock down the product in two different levels.

NORMAL = Show all the menu items on the VirusScan icon menu in the system tray. This is the default.

MINIMAL = Show only the Enable On-Access Scan and About VirusScan Enterprise menu items on the VirusScan icon menu in the system tray.

NOICON = Do not show the VirusScan icon menu in the system tray.


B

Secure Registry

The VirusScan Enterprise program is compatible with the Windows secure registry feature. The program writes registry entries based on the limits imposed by the user's security permissions. Any program features to which the user has no permission appear disabled and are unselectable or unresponsive. Previous releases of the product sometimes generated errors when the VirusScan Enterprise program attempted to write a registry entry for a function to which the user did not have permission.

This topic is included in this section:

Registry keys requiring write access


Registry keys requiring write access

This is a list of the registry keys to which the VirusScan Enterprise program and its Alert Manager component require Write access. The table also displays the results that can be expected if a user does not have adequate permission to write to those keys.

All the registry keys shown in this table are subkeys of:

hkey_local_machine\software\network associates\tvd.

Table B-1. Result of VirusScan Enterprise Registry Key Lock-down

Columns: Feature; Program or Windows Service; Description; Write access required to registry key for full functionality; Result if Write Access is unavailable due to registry lockdown

Feature: On-Access Scanner

Program or Windows Service: Network Associates McShield service

Description: A Windows service that can run only under the local System account. This service performs scans whenever a file is used.

Write access required to registry key for full functionality:

Shared Components\On-Access Scanner

Result if Write Access is unavailable due to registry lockdown: Ordinarily not affected because the service runs under a System account. However, if this service does not have write access to this key, the on-access scanner does not function.

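Feature: On-Access Scanner

Program or Windows Service: ShCfg32.exe

Description: A program that runs the on-access configuration interface.

Write access required to registry key for full functionality:

Shared Components\On-Access Scanner\McShield\Configuration

Result if Write Access is unavailable due to registry lockdown: The user can see the on-access scanner property pages, but cannot change the configuration.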


Feature: On-Access Scanner

Program or Windows Service: ShStat.exe

Description: A program that gathers statistics on the activities of the on-access scanner. This program also places the VirusScan Enterprise icon in the system tray. Right-clicking the icon allows the user to view scanning statistics, disable and enable the program, and open several program components.

Write access required to registry key for full functionality:

Shared Components\On-Access Scanner\McShield\Configuration

Result if Write Access is unavailable due to registry lockdown: The user cannot enable or disable the on-access scanner using the icon in the system tray.

Feature: On-Demand Scanner

Program or Windows Service: ScnCfg32

Description: A program that runs the on-demand configuration interface. This interface is accessed from the VirusScan Enterprise Console.

Write access required to registry key for full functionality:

VirusScan Enterprise\CurrentVersion

VirusScan Enterprise\CurrentVersion\Tasks

VirusScan Enterprise\CurrentVersion\DefaultTask

VirusScan Enterprise\CurrentVersion\Tasks

Result if Write Access is unavailable due to registry lockdown: If write access fails for any of these keys, the user can see the on-demand scanner property pages, but cannot change the configuration.


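Feature: On-Demand Scanner

Program or Windows Service: ScnStat.exe

Description: A program that gathers statistics on the activities of the on-demand scanner.

Write access required to registry key for full functionality:

VirusScan Enterprise\CurrentVersion\Tasks

VirusScan Enterprise\CurrentVersion

VirusScan Enterprise\CurrentVersion\Tasks

Result if Write Access is unavailable due to registry lockdown: No effect.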

Feature: On-Demand Scanner

Program or Windows Service: Scan32.exe

Description: A program that performs on-demand scanning activities of targets specified on the VirusScan Enterprise Console.

Write access required to registry key for full functionality:

VirusScan Enterprise\CurrentVersion

VirusScan Enterprise\CurrentVersion\Tasks

Note: Also requires Read rights to:

Shared Components\VirusScan Engine\4.0.xx

Result if Write Access is unavailable due to registry lockdown: If Scan32 does not have a writable key to its own task, then it runs but does not update statistics. Scanning results data is not generated.

This does not affect scheduled on-demand tasks, which are controlled by the Task Manager service described in the following section.


Feature: Task Manager

Program or Windows Service: Network Associates TaskManager Service

Description: A Windows service that can run under the System account or under an administrator’s account. This program allows scheduling of scanning and updating activities.

Write access required to registry key for full functionality:

VirusScan Enterprise NT\CurrentVersion

VirusScan Enterprise NT\CurrentVersion\Alerts

VirusScan Enterprise NT\CurrentVersion\Tasks (all subkeys)

Shared Components\On-Access Scanner\McShield

Shared Components\On-Access Scanner\McShield\Configuration

Result if Write Access is unavailable due to registry lockdown: Ordinarily not affected because the service runs under a system or administrator account. However, if this service does not have read/write access to any of these keys, the service fails to start.


Feature: McUpdate

Program or Windows Service: McUPdate.exe

Description: A program used to perform updating of DAT files and software upgrades.

Write access required to registry key for full functionality:

VirusScan Enterprise NT\Current Version

Shared Components\On-Access Scanner\McShield\Configuration

VirusScan Enterprise NT\CurrentVersion\Tasks

VirusScan Enterprise NT\CurrentVersion\Tasks\Update

VirusScan Enterprise NT\CurrentVersion\Tasks\Upgrade

Result if Write Access is unavailable due to registry lockdown:

DAT information won't be updated.

McShield might not reload the DAT.

Status information cannot be communicated to the VirusScan Enterprise Console.

The user can see the Update property page, but cannot change the configuration.

The user can see the Upgrade property page, but cannot change the configuration.


Feature: VirusScan Enterprise Console

Program or Windows Service: McConsol.exe

Description: A program that runs the administrative interface for the VirusScan Enterprise program.

Write access required to registry key for full functionality:

VirusScan Enterprise NT\CurrentVersion

VirusScan Enterprise NT\CurrentVersion\Alerts

CurrentVersion

VirusScan Enterprise NT\CurrentVersion\Tasks

Shared Components\On-Access Scanner\McShield\Configuration

VirusScan Enterprise NT\CurrentVersion\Tasks\Xxxx

Result if Write Access is unavailable due to registry lockdown:

Update of virus definitions does not function reliably. Also, the user can see the current screen refresh rate, but cannot change it.

The Alert Manager settings visible by selecting Alerts from the Tools menu appear disabled and do not respond when selected. Also, some start/stop tasks that the VirusScan Enterprise Console controls may not be generated.

The following options appear disabled and do not respond when selected:

Enable/Disable the on-access scan task.

Copy, Paste, Delete, Rename, Import and Export tasks.

The Stop scanning control.

The on-access task cannot be configured, enabled, or disabled.

Any key that has been locked down cannot be configured.


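Feature: Alert Manager

Program or Windows Service: nai alert manager

Description: A component that provides immediate notification that the scanner has detected a virus, or that the event scheduler has encountered a problem.

Write access required to registry key for full functionality:

Shared Components\Alert Manager

Result if Write Access is unavailable due to registry lockdown: The user can see the property pages for the alerting methods and messages, but cannot change the configuration.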
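The following PowerShell check is an added example, not part of the product guide: it reports, for the account that runs it, whether each Table B-1 key can be opened for writing, so a lockdown can be compared against the results the table describes. The subkey paths are joined from the table's entries and the use of the 32-bit registry view is an assumption; the function names are hypothetical, and nothing is written to the registry.

```powershell
# Added example (not from the product guide). Read-only check: keys are opened
# and closed, never modified.
# The base key is the one the guide names. The subkey paths are joined from the
# Table B-1 entries, which is an assumption about how the fragments fit together.
$base = 'SOFTWARE\Network Associates\TVD'
$subKeys = @(
    'Shared Components\On-Access Scanner',
    'Shared Components\On-Access Scanner\McShield',
    'Shared Components\On-Access Scanner\McShield\Configuration',
    'Shared Components\Alert Manager',
    'VirusScan Enterprise\CurrentVersion',
    'VirusScan Enterprise\CurrentVersion\Tasks',
    'VirusScan Enterprise\CurrentVersion\DefaultTask',
    'VirusScan Enterprise NT\CurrentVersion',
    'VirusScan Enterprise NT\CurrentVersion\Alerts',
    'VirusScan Enterprise NT\CurrentVersion\Tasks',
    'VirusScan Enterprise NT\CurrentVersion\Tasks\Update',
    'VirusScan Enterprise NT\CurrentVersion\Tasks\Upgrade'
)

function Test-KeyOpen {
    # Returns $true if the key opens in the requested mode, $false if access is
    # refused, and $null if the key does not exist.
    param(
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryKey] $Hive,
        [Parameter(Mandatory)] [string] $Path,
        [bool] $Writable
    )
    try {
        $key = $Hive.OpenSubKey($Path, $Writable)
        if ($null -eq $key) { return $null }
        $key.Close()
        return $true
    }
    catch [System.Security.SecurityException] { return $false }
    catch [System.UnauthorizedAccessException] { return $false }
}

function Get-KeyAccess {
    # Classifies one key as Missing, Writable, ReadOnly or NoAccess.
    param(
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryKey] $Hive,
        [Parameter(Mandatory)] [string] $Path
    )
    $write = Test-KeyOpen -Hive $Hive -Path $Path -Writable $true
    if ($null -eq $write) { return 'Missing' }
    if ($write) { return 'Writable' }
    # Write was refused: find out whether the key is at least readable.
    $read = Test-KeyOpen -Hive $Hive -Path $Path -Writable $false
    if ($read) { return 'ReadOnly' }
    return 'NoAccess'
}

# Assumption: the product's keys live in the 32-bit view of HKEY_LOCAL_MACHINE.
# On a 32-bit system this is the only view.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry32)
try {
    $report = foreach ($sub in $subKeys) {
        [pscustomobject]@{
            Key    = $sub
            Access = Get-KeyAccess -Hive $hklm -Path "$base\$sub"
        }
    }
}
finally {
    $hklm.Close()
}

'Account: ' + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$report | Format-Table -AutoSize
```

Run it as the account whose permissions you want to verify. A ReadOnly or NoAccess result for a key corresponds to the "Result if Write Access is unavailable" entry of the components that list that key.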


C

Troubleshooting

This section contains troubleshooting information for the VirusScan Enterprise product.

The following topics are addressed in this section:

Minimum Escalation Tool

Frequently asked questions

Updating error codes

Minimum Escalation Tool

The McAfee Minimum Escalation Tool (MERTool) is a utility that is designed to gather reports and logs for the Network Associates software on your system. The information obtained can be used to help analyze problems.

To get more information about MERTool and access the utility, click the MERTool file that was installed with the VirusScan Enterprise product.

This file is located in the installation folder. If you accepted the default installation path, this file is located in:

drive:\Program Files\Network Associates\VirusScan

When you click the MERTool file, it accesses the URL for the MERTool web site. Follow the instructions on the web site.

Frequently asked questions

This section contains troubleshooting information in the form of frequently asked questions. The questions are divided into the following categories:

Installation questions

Scanning questions

Virus questions

General questions


Installation questions

I just installed the software using the Silent Install method, and there is no VirusScan Enterprise icon in the Windows system tray.

The icon does not appear in the system tray until you restart your system. However, even though there is no icon, VirusScan Enterprise is running, and your computer is protected.

You can verify this by checking the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

Why can some users on my network configure their own settings in VirusScan Enterprise and others cannot?

If the administrator configures the user interface to password protect the tasks, users cannot change the settings.

Different Microsoft Windows operating systems have different user privileges. Windows NT users have permission to write to the system registry, while Windows XP or Windows 2000 users do not. Refer to your Microsoft Windows documentation for more information about user permissions.

During a command-line installation, how can I prevent users who do not have administrator rights from obtaining administrator rights through the VirusScan Console?

You can prevent users from obtaining administrator rights during a command-line installation by adding the following property:

DONOTSTARTSHSTAT=True

This prevents SHSTAT.EXE from starting upon completion of installation.


Scanning questions

In On-Access Scanning, what is the difference between scanning “when writing to disk” and scanning “when reading from disk”?

Scanning when writing is a file-writing action. It scans the following:

Incoming files being written to the local hard drive.

Files being created on the local hard drive or a mapped network drive (this includes new files, modified files, or files being copied or moved from one drive to another).

Scanning when reading is a file-reading action. It scans the following:

Outgoing files being read from the local hard drive.

NOTE: Select On network drives in the On-Access Scan Properties dialog box to include remote network files.

Any file being executed on the local hard drive.

Any file opened on the local hard drive.

Any file being renamed on the local hard drive, if the file properties have changed.

When I detect a virus using On-Demand E-mail Scan or On-Delivery E-mail Scan, what do the different action options mean?

See Action properties on page 123 for a detailed description of each of the action options.


Virus questions

I suspect I have a virus but VirusScan Enterprise is not detecting it.

You can download the latest DAT file while it is still being tested prior to the official release. To use the daily DAT file, refer to:

www.mcafeeb2b.com/naicommon/avert/avert-research-enter/virus-4d.asp

I cannot get VirusScan Enterprise installed, but I think I have a virus. How can I determine if my computer is infected?

If you have not been able to install VirusScan Enterprise, you can still run a scan at the command line, using a single file downloaded from the Network Associates web site. To run a command-line scan on a computer that does not have anti-virus software installed:

1 Create a folder in the root of your C drive named Scan.

2 Right-click the Scan folder and select Properties. Make sure that the read-only attribute is selected.

3 Go to http://nai.com/naicommon/download/dats/superdat.asp. Click sdatxxxx.exe for Windows-Intel to start the download.

4 Download this file into your new folder (C:\Scan).

5 From the Start menu, select Run and type C:\Scan\sdatxxxx.exe /e in the text box. Click OK.

6 Open a DOS prompt (also called a Command Prompt). At the C:\> prompt, type cd c:\Scan. Your prompt now looks like this: C:\Scan>

7 At the C:\Scan> prompt, type:

scan.exe /clean /all /adl /unzip /report report.txt

This scans all local drives and creates a report in a file named REPORT.TXT.

8 After scanning, browse to your C:\Scan directory and read the REPORT.TXT file.

NOTE: We recommend that you disconnect the system from the network before scanning.

On Windows 2000 and Windows XP systems, boot into Safe Mode Command Prompt only to perform the scan. On Windows NT systems, run the scan from VGA Mode, then a command prompt.

We recommend that you rerun the command-line scanner until no virus files are found. You may want to rename the report text file as REPORT2.TXT to record the second scan, REPORT3.TXT for the third scan, and so on, to avoid overwriting the report file each time.

WARNING: You may receive an error that an application is attempting to directly access the hard disk on Windows NT systems. Click Ignore to continue. If you do not click Ignore, the scan terminates.
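The repeated scans recommended above can be run from a small batch file that keeps every report. This is an added example, not part of the product guide; it assumes scan.exe has already been extracted into C:\Scan (steps 1 through 5), reuses the options from step 7 unchanged, and the label names are illustrative.

```batch
@echo off
rem Added example, not part of the product guide. Assumes scan.exe has already
rem been extracted into C:\Scan (steps 1 through 5 of the procedure above).
setlocal

cd /d C:\Scan
if errorlevel 1 goto no_folder
if not exist scan.exe goto no_scanner

rem Pick the first unused report name: REPORT.TXT, REPORT2.TXT, REPORT3.TXT ...
rem so that an earlier pass is never overwritten.
set N=1
set REPORT=REPORT.TXT
:find_free
if not exist %REPORT% goto run_scan
set /a N+=1
set REPORT=REPORT%N%.TXT
goto find_free

:run_scan
echo Scan pass %N%: writing results to C:\Scan\%REPORT%
rem Same options as step 7 of the guide; only the report name changes.
scan.exe /clean /all /adl /unzip /report %REPORT%
echo scan.exe exited with code %ERRORLEVEL%. Read C:\Scan\%REPORT% and run this
echo script again until the report shows no infected files.
goto :eof

:no_folder
echo C:\Scan does not exist. Create it and extract the SuperDAT file there first.
goto :eof

:no_scanner
echo scan.exe was not found in C:\Scan. Run sdatxxxx.exe /e first.
goto :eof
```

Comparing REPORT.TXT with the later numbered reports shows whether each pass is still finding and cleaning files.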

General questions

The VirusScan Enterprise icon in my system tray appears to be disabled.

If there is a red circle and line covering the VirusScan Enterprise icon, that indicates that On-Access Scan is disabled. Here are the most common causes and solutions. If none of these solves your problem, contact technical support.

Make sure that the On-Access Scan is enabled. To do this:

Right-click the VirusScan Enterprise icon in the system tray. If the on-access scanner is disabled, the words Enable On-Access Scan appear in the menu.

Select Enable On-Access Scan to enable the on-access scanner.

Make sure that the service is running. To do this:

Open the Services Control Panel using one of these methods:

For Windows NT, select Start|Settings|Control Panel|Services and confirm that Network Associates McShield has a Status of Started.

For Windows 2000 or XP, select Start|Settings|Control Panel|Admin Tools|Services and confirm that Network Associates McShield has a Status of Started.

If it is not started, highlight Network Associates McShield on the list of services and click Start or Resume.

You can also select Start|Run, then type net start McShield.

Make sure that the service is set to start automatically. To do this:

Open the Services Control Panel using one of these methods:

For Windows NT, select Start|Settings|Control Panel|Services and confirm that Network Associates McShield has a Startup Type of Automatic.

If it is not set to Automatic, highlight Network Associates McShield on the list of services, click Startup, then select Automatic as the Startup Type.

For Windows 2000 or XP, select Start|Settings|Control Panel|Admin Tools|Services and confirm that Network Associates McShield has a Startup Type of Automatic.

If it is not set to Automatic, right-click Network Associates McShield on the list of services, select Properties and General tab, then select Automatic as the Startup Type.

I get an error that I cannot download catalog.z.

This error can be caused by many things. Here are a few suggestions to help determine the source of the problem.

If you are using the Network Associates default download site for updates, determine if you can download the catalog.z file via a web browser. To do this, go to the URL:

http://update.nai.com/Products/CommonUpdater/catalog.z

and try to download the file.

If you are not able to download the file, but you can see it (in other words, your browser does not allow you to download it), that means you have a proxy issue and need to talk to your network administrator.

If you are able to download the file, that means VirusScan Enterprise should be able to download it as well. Contact technical support for assistance in troubleshooting your installation of VirusScan Enterprise.

If you are using a mirror site for updates, make sure that your mirror site is pointing to the correct site for updates. If you are unsure, try changing your settings to use the default Network Associates site.

I have some computers that will continue using VirusScan 4.5x and others using VirusScan Enterprise 7.0. Can all the computers use the same repository for DAT files?

Yes, a network of computers running multiple versions of VirusScan can all use the same repository for DAT files. First, make sure that you are using the correct directory structure in the repository list for VirusScan 4.5.x, then, make sure that in the McAfee AutoUpdate Architect console, you have selected the option I want to make my site compatible with legacy software. See the McAfee AutoUpdate Architect Product Guide for more information.

Where is the location of the HTTP download site?

The CATALOG.Z file, which contains the latest updates, can be downloaded from the web site:

http://update.nai.com/Products/CommonUpdater/catalog.z

Where is the location of the FTP download site?

The CATALOG.Z file, which contains the latest updates, can be downloaded from the FTP site:

ftp://ftp.nai.com/CommonUpdater/catalog.z

If I do detect a virus and I have chosen “prompt user for action,” what action should I choose (Clean, Delete, Move)?

Our general recommendation is to choose Clean if you are not sure what to do with an infected file. The VirusScan Enterprise default action is to Clean a file, then Move it.

I tried to Move or Delete a file and it failed.

This can happen when a file is locked by another program, or you do not have permissions to move or delete the file. As a workaround, you can look in the VirusScan Enterprise log and see where the file is located, then move or delete it manually using Windows Explorer.

Updating error codes

When your AutoUpdate fails, review the update log. See Viewing the activity log on page 198 for information about how to view the log file. Following are common error codes that you may encounter:

-215: Failed to get site status — The software cannot verify if the repository is available. Attempt to manually download the PKGCATALOG.Z file using the network protocol. If this fails, verify the path and user credentials.

-302: Failed to get the agent’s framework interface — The scheduler interface is not available. Stop and restart the framework service.

-409: Master site not found — The master repository for the update is not available, is inaccessible, or is in use. Attempt to manually download the PKGCATALOG.Z file using the network protocol. If this fails, verify the path and user credentials.

-414: Verify the Domain, User Name, and Password you provided are typed correctly. Verify that the user account has permissions to the location where the repository resides — While creating the repository, the credentials entered were determined invalid when Verify was selected. Either now, or after the repository is created, correct the credential information. Click Verify again. Repeat this process until the credentials are verified.

-503: Product package not found — Update files are not present in the repository or may be corrupt. Ensure that the repository is populated with the update files. If these files are present, create a replication or pull task to overwrite the current task setting. If the files were not present, populate the repository, then attempt to update again.

-530: Site catalog not found — You performed a pull task from a repository that does not have a catalog file, or contains a corrupted catalog file. To correct this issue, verify that the source repository contains a valid catalog directory.

-531: Package catalog not found — The PKGCATALOG.Z was not found in the repository. Try to download the file using the network protocol. If it cannot be downloaded, perform a replication or pull task (depending on the type of repository).

-601: Failed to download file — The repository is not accessible. Try to download the file using network protocol. If it cannot be downloaded, verify the path and user rights. If the file is downloaded, try stopping and starting the service.

-602: Failed to upload file — You performed a pull task but the master repository credentials or settings are invalid (or the location is not available). Verify the credentials and location.

-804: Sit status not found — You performed a replication task but the master repository is not available (or the credentials are invalid). Verify that the master repository is active, accessible, and that the credentials are valid.

-1113: Replication has been done partially — One or more repositories may be inaccessible at the time of replication. Consequently, not all repositories are up-to-date. Verify that all repositories are accessible and that no files are marked as read-only, then perform the task again.

Glossary

agent: See ePolicy Orchestrator agent.

agent host: See client computer.

Agent Monitor: A dialog box for prompting the agent to send properties or events to the ePolicy Orchestrator server; enforce policies and tasks locally; check the ePolicy Orchestrator server for new or updated policies and tasks, then enforce them immediately upon receipt.

agent policies: Settings that affect how the agent behaves.

agent wakeup call: A scheduled task or on-demand command that prompts agents to contact the ePolicy Orchestrator server when needed, rather than waiting for the next ASCI.

See also SuperAgent Wakeup call.

agent-to-server communication: A communications technique where the agent contacts the server at a predefined interval to see if there are any new policies or tasks for the agent to enforce or execute.

agent-to-server communications interval (ASCI): Determines how often the agent and ePolicy Orchestrator server exchange information.

alert: A message or notification regarding computer activity such as virus detection. It can be sent automatically according to a predefined configuration, to system administrators and users, via e-mail, pager, or phone.

anti-virus policy: See policy.

archive: A compressed file that must be extracted prior to accessing the files within it.

AutoUpdate: The automatic updating program in McAfee Security anti-virus products; it automatically installs updates to existing products or upgrades to new versions of products.

AVERT: Anti-Virus Emergency Response Team, a division of Network Associates, Inc., is an anti-virus research center that supports the computing public and Network Associates customers by researching the latest threats, and by uncovering threats that may arise in the future. It is comprised of three integrated teams that provide Anti-Virus Services and Support, Virus Analysis, and Advanced Virus Research.

background scanning: A type of on-access scanning, made possible by Microsoft VS API2, in which not all files are scanned when accessed, reducing the workload of the scanner when it is busy. It scans databases on which it has been enabled, for example, Mailbox store and Public Folder store.

Centralized Alerting: An alternative to using regular Alert Manager. Alert messages generated by anti-virus software, such as VirusScan Enterprise 7.0, are saved to a shared folder on a server. Alert Manager is configured to read alert notifications from that same folder. When the contents of the shared folder change, Alert Manager sends new alert notifications using whatever alerting methods Alert Manager is already configured to use, such as sending e-mail messages to a pager.

client computer: A computer on the client-side of the program.

client tasks: Tasks that are executed on client computers.

common framework: A common core technologies architecture to allow different McAfee Security products to share the same common components and code. The architecture for this is referred to as the common framework. The Scheduler, AutoUpdate, and ePolicy Orchestrator agent components are common components that are part of the common framework.

computers: The physical computers on the network.

console tree: The left pane of the console, which contains all console tree items.

console tree items: Every item in the console tree.

DAT files: Virus definition files that allow the anti-virus software to recognize viruses and related potentially unwanted code embedded in files.

See also EXTRA.DAT file, incremental DAT files, and SuperDAT.

default process: In VirusScan Enterprise, any process that is not defined as a low-risk process or high-risk process.

See also high-risk process and low-risk process.

denial of service attack: A means of attack, an intrusion, against a computer, server or network that disrupts the ability to respond to legitimate connection requests. A denial of service attack overwhelms its target with false connection requests, so that the target ignores legitimate requests.

deployment: Sending and installing products (and the agent) to groups, computers and users.

details pane: The right pane of the console, which shows details of the currently selected console tree item. Depending on the console tree item selected, the details pane can be divided into upper and lower panes.

See also upper details pane and lower details pane.

directional scanning: Scanning where one appliance is dedicated to inbound scanning, and another appliance is dedicated to outbound scanning.

Directory: Lists all computers to be managed via ePolicy Orchestrator, and is the link to the primary interfaces for managing these computers.

distributed software repository: Architecture for deploying products and product updates throughout an enterprise; it creates a central library of supported products and product updates in the master repository.

download site: A repository from which you retrieve product or DAT updates.

See also update site.

EICAR: European Institute of Computer Anti-Virus Research has developed a string of characters that can be used to test the proper installation and operation of anti-virus software.

ePolicy Orchestrator agent: An intelligent link between the ePolicy Orchestrator server and the anti-virus and security products. It enforces policies and tasks on client computers; gathers and reports data; installs products; and sends events back to the ePolicy Orchestrator server.

ePolicy Orchestrator console: A view of all virus activity and status, with the ability to manage and deploy agents and products. It provides the ability to set and enforce anti-virus and security policies to all agents on client computers, or to selected computers; provides a task scheduling feature that targets specific computers or groups with scheduled tasks and policies; and allows viewing and customizing reports to monitor deployment, virus outbreaks, and current protection levels.

ePolicy Orchestrator server: A repository for all data collected from distributed ePolicy Orchestrator agents. It includes a database that accrues data about product operation on client computers in the network; a report-generating engine for monitoring the virus protection performance in your company; a software repository that stores products and product updates for deploying to your network.

events: Generated by supported products, events identify activity on client computers, from service events to infection detection events. Each event is assigned a severity from informational to critical. Events and properties comprise the data that appears on reports and queries.

EXTRA.DAT file: Supplemental virus definition file that is created in response to an outbreak of a new virus or a new variant of an existing virus.

See also DAT files, incremental DAT files, and SuperDAT.

fallback repository: The repository from which client computers retrieve updates when none of the repositories in their repository list (SITELIST.XML) are available. Only one fallback repository can be defined.

firewall: A program that acts as a filter between your computer and the network or Internet. It can scan all traffic arriving at your computer (incoming traffic) and all traffic sent by your computer (outgoing traffic). It scans traffic at the packet level, and either blocks it or allows it, based on rules that you set up.

force install, force uninstall: See product deployment client task.

FRAMEPKG.EXE: The agent installation package. When it executes, this file installs the ePolicy Orchestrator agent on a client computer.

frequency: The repetitive interval for which you want to schedule the task.

global administrator: A user account with read, write, and delete permissions, and rights to all operations. Operations that affect the entire installation are reserved for use only by global administrator user accounts.

Compare to site administrator and global reviewer.

global distributed repository: An identical copy of the packages in the master repository.

global reporting settings: Reporting settings that affect all ePolicy Orchestrator database servers, reports, and queries.

global reviewer: A user account with read-only permissions; the global reviewer can view all settings in the software, but cannot change any of these settings.

Compare to site reviewer and global administrator.

global updating: A method for deploying product updates as soon as the corresponding packages are checked into the master repository. Packages are immediately replicated to all SuperAgent and global distributed repositories; the ePolicy Orchestrator server sends a wakeup call to all SuperAgents; SuperAgents send a broadcast wakeup call to all agents in the same subnet; then all agents retrieve the update from the nearest repository.

group: In the console tree, a logical collection of entities assembled for ease of management. Groups can contain other groups or computers. You can assign IP address ranges or IP subnet masks to groups to sort computers by IP address. If you create a group by importing a Windows NT domain, you can automatically send the agent installation package to all imported computers in the domain.

heuristic analysis, heuristics: A method of scanning that looks for patterns or activities that are virus-like, to detect new or previously undetected viruses.

high-risk process: In VirusScan Enterprise, these are processes that McAfee Security considers to have a higher possibility of being infected.

See also default process and low-risk process.

host, host computer: See client computer.

inactive agent: An agent that has not communicated with the ePolicy Orchestrator server within a specified time period.

incremental DAT files: New virus definitions that supplement the virus definitions currently installed. Allows the update utility to download only the newest DAT files rather than the entire DAT file set.

See also DAT files, EXTRA.DAT file and SuperDAT.

inheritance: See task inheritance and policy inheritance.

item: See console tree item.

joke program: A non-replicating program that may alarm or annoy an end user, but does not do any actual harm to files or data.

local distributed repository: Locations accessible only from the client computer; for example, a mapped drive or FTP server whose address can only be resolved from a local DNS server. Local distributed repositories are defined in the agent policy for selected client computers.

log: A record of the activities of a component of McAfee anti-virus software. Log files record the actions taken during an installation or during the scanning or updating tasks.

See also events.

Lost&Found group: A location on the ePolicy Orchestrator server for computers whose appropriate location in the Directory cannot be determined. The server uses the IP management settings, computer names, domain names, and site or group names to determine where to place computers. Only global administrators have full access to the global Lost&Found; site administrators can access only Lost&Found groups in sites for which they have rights.

lower details pane: In the console, the lower division of the details pane, which displays the configuration settings for the products listed on the Policies tab in the upper details pane.

See also details pane and upper details pane.

low-risk process: In VirusScan Enterprise, these are processes that McAfee Security considers to have a lower possibility of being infected.

See also default process and high-risk process.

macro virus: A malicious macro — a saved set of instructions created to automate tasks within certain applications or systems — that can be executed inadvertently, causing damage or replicating itself.

master repository: The ePolicy Orchestrator server; it maintains an original copy of the packages in the source repository, and can replicate packages to distributed repositories. At the master repository level, you can check in product and product update packages; schedule tasks to replicate packages to global or SuperAgent distributed repositories; and schedule tasks to pull packages from source or fallback repositories, and integrate them into the master repository.

McAfee AutoUpdate Architect: McAfee Security software that works with ePolicy Orchestrator to deploy products and product updates throughout an enterprise.

mirror distributed repository: A local directory on a client computer that is replicated using a Mirror client task and from which other client computers can retrieve updates.

mirror task: Tasks that copy the contents of the first repository in the repository list to the local directory you specify on the client computer.

.MSI file: A Microsoft Windows Installer package that includes installation and configuration instructions for the software being deployed.

.NAP file: Network Associates Package file. This file extension is used to designate McAfee software program files that are installed in the software repository for ePolicy Orchestrator to manage.

node: See console tree items.

on-access scanning: An examination of files in use to determine if they contain a virus or other potentially unwanted code. It can take place whenever a file is read from the disk and/or written to the disk.

Compare to on-demand scanning.

on-demand scanning: A scheduled examination of selected files to determine if a virus or other potentially unwanted code is present. It can take place immediately, at a future scheduled time, or at regularly scheduled intervals.

Compare to on-access scanning.

package: Contains binary files, detection and installation scripts, and a package catalog (PKGCATALOG.Z) file used to install products and product updates.

package catalog file: A file (PKGCATALOG.Z) that contains details about each update package, including the name of the product for which the update is intended, language version, and any installation dependencies.

package signing, package security: A signature verification system for securing packages created and distributed by Network Associates. Packages are signed with a key pair using the DSA (Digital Signature Algorithm) signature verification system, and are encrypted using 168-bit 3DES encryption. A key is used to encrypt or decrypt sensitive data.

packed executable: A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.

pane: A subsection of the console.

See details pane and console tree.

policy: Configuration settings for each product that can be managed via ePolicy Orchestrator, and that determine how the product behaves on client computers.

Compare to task. See also agent policies.

policy enforcement interval: Determines how often the agent enforces the policies it has received from the ePolicy Orchestrator server. Because policies are enforced locally, this interval does not require any bandwidth.

policy inheritance: Determines whether the policy settings for any one console tree item under the Directory are taken from the item directly above it.

policy pages: Part of the ePolicy Orchestrator console; they allow you to set policies and create scheduled tasks for products, and are stored on individual ePolicy Orchestrator servers (they are not added to the master repository).

product deployment client task: A scheduled task for deploying all products currently checked into the master repository at once. It enables you to schedule product installation and removal during off-peak hours or during the policy enforcement interval.

properties: Properties are attributes or characteristics of an object used to define its state, appearance, or value.

pull task: See Repository Pull server task.

quarantine: Enforced isolation of a file or folder to prevent infection by a virus. VirusScan Enterprise quarantines infected files or folders until action can be taken to clean or remove the item.

randomization: A random point within an interval of time that you set for a scheduled task.

real-time scanning: See on-access scanning.

remote console: The console running on a computer that does not have the ePolicy Orchestrator server running on it. Remote consoles allow more than one person access to the server to review actions or to manage sites and installations.

See also ePolicy Orchestrator console.

replication task: See Repository Replication server task.

repository: The location that stores policy pages used to manage products.

repository list: The SITELIST.XML file that McAfee anti-virus products using AutoUpdate 7.0 use to access distributed repositories and retrieve packages from them.

Repository Pull server task: A task that specifies the source or fallback repository from which to retrieve packages, then integrate the packages into the specified branches in the master repository.

Repository Replication server task: A task that updates global and SuperAgent distributed repositories to maintain identical copies of all packages in all branches that are in the master repository. You can also update selected distributed repositories.

scan action: The action that takes place when an infected file is found.

scanning: An examination of files to determine if a virus or other potentially unwanted code is present.

See on-access scanning and on-demand scanning.

selective updating: Specifying which version (Evaluation, Current, or Previous) of updates you want client computers to retrieve.

server tasks: Tasks that the server performs for maintenance on the ePolicy Orchestrator database and Repository. Default server tasks include Inactive Agent Maintenance, Repository Pull, Repository Replication, and Synchronize Domains.

silent installation: An installation method that installs a software package onto a computer silently, without need for user intervention.

site: In the console tree, a logical collection of entities assembled for ease of management. Sites can contain groups or computers, and can be organized by IP address range, IP subnet mask, location, department, and others.

site administrator: A user account with read, write, and delete permissions, and rights to all operations (except those restricted to the global administrator) on the specified site and all groups and computers underneath it on the console tree.

Compare to global administrator and site reviewer.

site reviewer: A user account with read-only permissions; the site reviewer can view the same settings as the site administrator, but cannot change any of these settings.

Compare to global reviewer and site administrator.

source repository: A location from which a master repository retrieves packages.

spam e-mail, spam message: Any unsolicited and unwelcome e-mail messages, including commercial e-mail messages, the electronic equivalent of “junk mail,” and unwanted non-commercial e-mail messages, such as virus hoaxes, joke programs, and chain letters.

SPIPE: Secured PIPE, a secured communications protocol used by ePolicy Orchestrator servers.

SuperAgent: An agent with the ability to contact all agents in the same subnet as the SuperAgent, using the SuperAgent wakeup call. It is used in global updating and supports distributed software repositories, alleviating the need for a dedicated server. It provides a bandwidth-efficient method of sending agent wakeup calls.

See also ePolicy Orchestrator agent.

SuperAgent distributed repository: A replication of the master repository, used in place of dedicated servers for global distributed repositories.

SuperAgent wakeup call: A scheduled task or on-demand command that prompts SuperAgents (and all agents in the same subnet as each SuperAgent) to contact the ePolicy Orchestrator server when needed, rather than waiting for the next ASCI.

See also agent wakeup call.

SuperDAT: A utility that installs updated virus definition (SDAT*.EXE) files and, when necessary, upgrades the scanning engine.

See also DAT files, EXTRA.DAT file, and incremental DAT files.

supplemental virus definition file: See EXTRA.DAT file.

system scan: A scan of the designated system.

task: An activity (both one-time such as on-demand scanning, and routine such as updating) that is scheduled to occur at a specific time, or at specified intervals.

Compare to policy.

task inheritance: Determines whether the client tasks scheduled for any one console tree item under the Directory are taken from the item directly above it.

Trojan horse: A program that either pretends to have, or is described as having, a set of useful or desirable features, but actually contains a damaging payload. Trojan horses are not technically viruses, because they do not replicate.

update package: Package files from Network Associates that provide updates to a product. All packages are considered product updates with the exception of the product binary (Setup) files.

update site: The repository from which you retrieve product or DAT updates.

See also download site.

updating: The process of installing updates to existing products or upgrading to new versions of products.

upper details pane: In the console, the upper division of the details pane, which contains the Policies, Properties, and Tasks tabs.

See also details pane and lower details pane.

user accounts: The ePolicy Orchestrator user accounts include global administrator, global reviewer, site administrator, and site reviewer. Administrator-level user accounts have read, write, and delete permissions; reviewer-level user accounts have read-only permissions.

See also global administrator, global reviewer, site administrator, and site reviewer.

UTC time: Coordinated Universal Time (UTC). This refers to time on the zero or Greenwich meridian.

virus: A program that is capable of replicating with little or no user intervention, and the replicated program(s) also replicate further.

virus definition (DAT) files: See DAT files.

VirusScan Enterprise console: The control point for the program’s activities.

virus-scanning engine: The mechanism that drives the scanning process.

warning priority: The value that you assign each alert message for informational purposes. Alert messages can be assigned a Critical, Major, Minor, Warning, or Informational priority.

worm: A virus that spreads by creating duplicates of itself on other drives, systems, or networks.


Index

A
activity log for
  AutoUpdate task, 198
  mirror task, 217
  on-access scanning, 79
  on-delivery e-mail scanning, 132
  on-demand e-mail scanning, 148
  on-demand scanning, 111
adding file type extensions (using the Additions feature), 68
Alert folder
  function, 179
Alert Manager
  configuration
    e-mail alert, 166
    forwarding an alert, 160
    launching a program, 173
    network broadcasting, 164
    printed messages, 170
    SNMP, 172
  Summary page, 159
  system variables, 185
Alert Manager Properties
  Summary, 159
alert messages
  broadcasting a network alert, 164
  Centralized Alerting, 179
  customizing, 181
  disabling, 182
  editing, 184
  e-mail, 166
  enabling, 182
  forwarding, 160
  launching a program in response to, 173
  sending to a printer, 170
  sending via SNMP traps, 172
  truncating, 169
  variables in, 185
alert method
  configuring recipients, 155
alert priority
  changing, 183
  types, 183
archive files, scanning, 246
arguments, applicable to on-demand scanner, 246
audience for this manual, 9
automatic scanning, 34
AutoUpdate
  activity log, viewing, 198
  description, 190
  download sites, 200
    FTP default download site, 200, 205, 219
    HTTP default download site, 200, 205
  error codes, 268
  implementing (See Updating with VirusScan Enterprise Implementation Guide)
  proxy settings, 209
  repository list, 199
    adding repositories, 202
    editing repositories, 201
    importing repositories, 201
    removing and reorganizing repositories, 208
  tasks
    activities during update, 197
    configuring, 193
    creating, 192
    overview of update process, 191
    running, 195
      from the console, 195
      from the Start menu, 196
      immediate update, 195
      resumable update, 195
      using Update Now, 197
    scheduling, 195


AVERT (Anti-Virus Emergency Response Team), contacting, 12

B
beta program, contacting, 12
boot sectors
  scanning from command line, 241
  scanning with on-access scanning, 44
  scanning with on-demand scanning, 91
broadcasting network messages, 164

C
.CAB, scanning files with extension, 246
CATALOG.Z file, 197
Centralized Alerting, 179
command line, Windows, 27
  options, 240
  running the on-demand scanner from, 246
compressed files
  scanning from command line
    archive type, 246
configuring
  AutoUpdate task, 192
  mirror task, 213
  on-access scanning, 39
  on-delivery e-mail scanning, 116
  on-demand e-mail scanning, 132
  on-demand scanning, 86
  via ePolicy Orchestrator (See Configuration Guide)
connecting to remote servers, 37
console (See VirusScan Console)
contacting McAfee Security, 12
conventions used in this manual, 10
customer service, contacting, 12

D
DAT file updates, web site, 12
DAT files
  rolling back, 217
date and time, recorded in log file, 48, 104, 130, 146
default processes, 50 to 51
definition of terms (See Glossary)
detections, virus
  on-access scanning
    messages, viewing, 82
    receiving notification, 81
    taking action, 83
  on-demand scanning
    receiving notification, 112
    taking action, 113
Display Options, 28
documentation for the product, 11
download web site, 12

E
Edit menu, 21
e-mail scanning, on-delivery
  activity log, viewing, 132
  scan statistics, viewing, 130
  tasks, configuring, 116
    action properties, 123
    advanced properties, 120
    alert properties, 126
    detection properties, 118
    report properties, 128
e-mail scanning, on-demand
  activity log, viewing, 148
  tasks, configuring, 132
    action properties, 139
    advanced properties, 135
    alert properties, 142
    detection properties, 133
    report properties, 144
  tasks, running, 147
e-mail, sending virus alert via, 166
enable randomization, 228
excluding files, folders, and drives (using the Exclusions feature), 70
EXTRA.DAT, 187, 198

F
FAQ (frequently asked questions), 261
features, descriptions of, 15
file type extensions, what to scan
  adding file types (using the Additions feature), 68


  adding user-specified types (using the Specified feature), 69
  excluding file types (using the Exclusions feature), 70
floppy during shutdown
  scanning with on-access scanning, 44
forwarding alerts
  large organization, 161
  small organization, 162
frequently asked questions (FAQ), 261
FTP default download site, 200, 205, 219

G
general questions, troubleshooting, 265
General Settings properties, on-access scanning, 43
getting information, 11
getting started, 17
glossary, 271

H
Help menu, 21
high-risk processes, 50, 60
  definition, 61
HTTP default download site, 200, 205

I
installation (See Installation Guide)
installation questions, troubleshooting, 262

K
KnowledgeBase search, 12

L
limiting log file size, 48, 103, 129, 145
list of tasks in VirusScan Console, 23
lockdown registry, 253 to 260
locking user interface, 31
log file for
  AutoUpdate task, 198
  mirror task, 217
  on-access scanning, 79
  on-delivery e-mail scanning, 132
  on-demand e-mail scanning, 148
  on-demand scanning, 111
log file size
  limiting, 48, 103, 129, 145
low-risk processes, 50, 60
  definition, 61
.LZH, scanning files with extension, 246

M
mail server, configuring for e-mail alerting, 168
manuals, 11
McAfee Security University, contacting, 12
menu bar, 20
menus
  in VirusScan Console, 20
    Edit, 21
    Help, 21
    right-click, 25
    Task, 20
    Tools, 21
    View, 21
  Start, 18
MERTool (Minimum Escalation Tool), 261
messages, on-access scanning, 45
  clean infected files referenced, 46
  delete infected file referenced, 46
  deny access to network share, 46
  disconnect remote users, 46
  move infected file referenced, 46
  remove messages from list, 46
  send message to user, 46
  show messages dialog box, 45
  text to display, 45
  viewing, 82
Minimum Escalation Tool (MERTool), 261
Mirror Now command, 217
mirror task, 212
  activity log, viewing, 217
  configuring, 214
  creating, 213
  running, 216
    as scheduled, 216
    from the Start command, 216
    immediately, 216
    using Mirror Now, 217


  scheduling, 216

N
new features, 14

O
on-access scanning
  activity log, viewing, 79
  configuring, 40
    action properties, 57, 75
    advanced properties, 55, 73
    detection properties, 52, 65
    general properties, 43
    message properties, 45
    process properties
      assigning risk, 61
      default, 50 to 51
      high-risk, 50, 60
      low-risk, 50, 60
    report properties, 47
  messages, viewing, 82
  scan statistics, viewing, 78
  virus detections, responding, 80
on-access vs. on-demand scanning, 33
on-demand scanning
  activity log, viewing, 111
  scan statistics, viewing, 110
  tasks
    configuring, 89
      action properties, 99
      advanced properties, 96
      detection properties, 94
      report properties, 102
      where properties, 90
    creating, 86
      from the console, 88
      from the Start menu, 86
      from the system tray, 86
    resumable scanning, 109
    running
      from the console, 107
      from the Windows command line, 246
      pausing, 108
      restarting, 108
      stopping, 109
    scheduling, 106
  virus detections, responding, 111
on-demand vs. on-access scanning, 33

P
password options, 29
pausing on-demand tasks, 108
PrimeSupport, 12
prioritizing messages sent
  across the network, 163, 165, 169, 171 to 172, 174, 176, 178
  to another computer, 158
priority level, setting for alerts, 157
product documentation, 11
product features, 15
product training, contacting, 12
proxy settings for updating, 209

Q
quarantine folder
  on-access scanning, 44
  on-delivery e-mail scanning, 124
  on-demand e-mail scanning, 141
  on-demand scanning, 100


R
registry, secure, 253 to 260
remote administration, 37
Remote Connection, in Tools menu, 37
report properties, configuring
  on-access scanning, 47
  on-delivery e-mail scanning, 128
  on-demand e-mail scanning, 144
  on-demand scanning, 102
repositories, 208
repository list
  adding repositories, 202
  editing repositories, 201
  importing repositories, 201
  removing and reorganizing repositories, 208
restarting on-demand tasks, 108
resumable scanning, 109
right-click menus, 24
right-click scan, 25
  from system tray, 26

S
Scan menu
  Statistics, 78 to 79, 131 to 132
scan time
  on-access scanning, 44
scanning
  automatically, 34
  configuring
    on-access scanner for, 39
    on-delivery e-mail scanner for, 116
    on-demand e-mail scanner for, 132
    on-demand scanner for, 86
  immediately, 107
  on access vs. on-demand scanning, 33
  on schedule, 35
  on-access, 39
  on-delivery e-mail, 116
  on-demand, 86
  on-demand e-mail, 132
  operations
    automatic, 34
    on schedule, 35
    periodical, 35
    selective, 35
    setting up, 33
  periodically, 35
  results, viewing
    AutoUpdate activity log, 198
    mirror task activity log, 217
    on-access scan
      activity log, 79
      statistics, 78
    on-delivery e-mail scan
      activity log, 132
      statistics, 130
    on-demand e-mail scan activity log, 148
    on-demand scan
      activity log, 111
      statistics, 110
    right-click scan, 25
      from system tray, 26
  selectively, 35
  shell extension scan, 25
  troubleshooting questions, 263
scanning, scheduled, 35
scheduling, 221
  advanced options, 226
  enable randomization, 228
  schedule properties, 224
    frequencies, 225
  task properties, 223


  tasks
    at logon, 234
    at system startup, 233
    AutoUpdate, 195
    daily, 227
    mirror, 216
    monthly, 230
    once, 232
    on-demand scanning, 106
    to run immediately, 236
    to run on dialup, 237
    weekly, 229
    when idle, 235
secure registry, 253 to 260
security headquarters, contacting AVERT, 12
service portal, PrimeSupport, 12
session settings, recorded in log file, 48, 104, 130, 146
session summary, recorded in log file, 48, 104, 130, 146
SMTP mail server, configuring for e-mail alerting, 168
SNMP
  sending alerts via, 172
specifying file type extensions (using the Specified feature), 69
Start menu, 18
startup, scanning at, 44
Statistics, in Scan menu, 78 to 79, 131 to 132
statistics, viewing
  on-access scanning, 78
  on-delivery e-mail scanning, 130
  on-demand scanning, 110
status bar, 24
submitting a sample virus, 12
system startup, scanning at, 44
system tray, setting options, 26
system variables, 189
system variables, alerting, 185

T
task list, 23
Task menu, 20
tasks
  configuring
    AutoUpdate task, 192
    mirror task, 213
    on-access scanner, 39
    on-delivery e-mail scanner, 116
    on-demand e-mail scanner, 132
    on-demand scanner, 86
  definition of, 23
  pausing, 108
  restarting, 108
  running immediately, 107
  stopping, 109
  types available in VirusScan Enterprise, 23
technical support, 12
testing alerting configuration, 156
toolbar, 22
Tools menu, 21
training web site, 12
troubleshooting, 261
  frequently asked questions
    general, 265
    installation, 262
    scanning, 263
    viruses, 264
  Minimum Escalation Tool, 261
  update error codes, 268
truncating alert message, forced, 169

U
unlocking user interface, 31
Update Now command, 197
updating
  activities, 197
  download sites, 200
    FTP default download site, 200, 205, 219
    HTTP default download site, 200, 205
  error codes, 268
  manually, 219
  mirror task, 214
  proxy settings, 209
  repository list, 199
    editing repositories, 201
    removing and reorganizing repositories, 208
  strategies, 188
  tasks
    configuring, 193
    running
      immediate updates, 195
      resumable update, 195
upgrade web site, 12
user interface
  options
    display, 28
    locking, 31
    password, 29
    setting, 27
    unlocking, 31
  orientation, 18
user name, recorded in log file, 48, 104, 130, 146
UTC Coordinated Universal Time (UTC), 228
.UUE, scanning files with extension, 246

V
variables, system, 189
View menu, 21
Virus Information Library, 12, 35
virus, submitting a sample, 12
viruses
  detections
    on-access scanning, 80
    on-demand scanning, 111
  frequently asked questions, 264
  submitting a sample, 36
VirusScan Console, 19
  configuring
    AutoUpdate via (See AutoUpdate)
    mirror task via (See mirror task)
    on-access scanning via (See on-access scanning)
    on-delivery e-mail scanning via (See e-mail scanning, on-delivery)
    on-demand e-mail scanning via (See e-mail scanning, on-demand)
    on-demand scanning via (See on-demand scanning)
  connecting to remote servers via, 37
  menus (See menus)
  status bar, 24
  task list, 23
  toolbar, 22
VirusScan Enterprise
  product features, 15
  what’s new in this release, 14

W
what’s new in this release, 14

Z
.ZIP, scanning files with extension, 246
