Product Guide McAfee VirusScan Enterprise for Linux 1.7.0 Software

VirusScan Enterprise for Linux 1.7 Product Guide - McAfee


Product Guide

McAfee VirusScan Enterprise for Linux 1.7.0 Software


COPYRIGHT

Copyright © 2011 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee VirusScan Enterprise for Linux 1.7.0 Software Product Guide


Contents

Preface
    About this guide
        Audience
        Conventions
        What's in this guide
    Finding product documentation

1 Introducing McAfee VirusScan Enterprise for Linux
    What is McAfee VirusScan Enterprise for Linux
    How does VirusScan Enterprise for Linux work
        How VirusScan Enterprise for Linux installations interact
    Product Features
    What’s new in this release
    Contact information

2 Scanning for viruses and other potentially unwanted software
    How does scanning work
    What and when to scan
    Types of scanning

3 VirusScan Enterprise for Linux interface
    Opening the VirusScan Enterprise for Linux interface
    Introducing the VirusScan Enterprise for Linux interface
        Navigation pane
        Console
        Quick Help pane
        Links bar
    Using the interface
        Expanding and collapsing tables of information
        Sorting by table columns
        Navigating through long tables
        Changing the settings on a page
        Automatically refreshing information on pages
        Using wizards
        Understanding error messages
        Displaying dates and times

4 Viewing VirusScan Enterprise for Linux information
    Host Summary
    Scanning Summary
        Scanning statistics
        Recently detected items
        Recently scanned items
        Obtaining a diagnostic report
    Detected items
        Analyzing the detected items
        Viewing the results
        Exporting the results for analysis
    System events
        Analyzing the system events
        Exporting the results for analysis
    Scheduled tasks
        Running a task immediately
        Modifying an existing scheduled task
        Deleting an existing scheduled task
        Stopping a task
    Information about extra DAT files

5 Setting up schedules
    Using a wizard
    Updating the product
        Creating a schedule to update the product
    Running on-demand scans
        Creating a schedule to run an on-demand scan
    Running a task from the command line

6 Configuring VirusScan Enterprise for Linux
    General settings
        Browser interface
        Logging
        Clearing statistics
        Resetting configuration settings
    On-access settings
        Scanning options
        Paths excluded from scanning
        Extension-based scanning
        Anti-virus actions
    On-demand settings
    Notifications
        SMTP notifications
        SMTP settings
    Repositories
        Repository list
        Proxy settings

7 Advanced features
    Substituting variables in notification templates
    Configuring features from a file
    Controlling VirusScan Enterprise for Linux from the command line
        Controlling the processes
        Controlling VirusScan Enterprise for Linux
    How the quarantine action works

8 Troubleshooting
    Frequently asked questions
        Installation
        Scanning
        Viruses and detection
        Runtime kernel module support
        General information
    Error messages

Index


Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

For instructions on how to install McAfee VirusScan Enterprise for Linux software version 1.7 on a stand-alone computer, see the McAfee VirusScan Enterprise for Linux 1.7 — Installation Guide. For instructions on how to configure, use and maintain McAfee VirusScan Enterprise for Linux using McAfee ePolicy Orchestrator software, see the McAfee VirusScan Enterprise for Linux 1.7 — Configuration Guide.

Contents

• About this guide

• Finding product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input or Path: Commands and other text that the user types; the path of a folder or program.

Code: A code sample.

User interface: Words in the user interface including options, menus, buttons, and dialog boxes.

Hypertext blue: A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.


Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.

What's in this guide

This guide is organized to help you find the information you need.

This guide provides you with an introduction to McAfee VirusScan Enterprise for Linux and provides the information you need for all phases of product use, from scanning to configuring to troubleshooting.

Introducing McAfee VirusScan Enterprise for Linux

This chapter provides detailed information about the software, how it works and interacts, product features, what's new in this release and contact information.

Scanning for viruses and other potentially unwanted software

This chapter provides detailed information on how the scanning works, what to scan and when to scan, and the different types of scanning.

VirusScan Enterprise for Linux interface

This chapter provides detailed information on how to access the user interface, introducing the sections in the interface, using the interface such as using wizards, understanding error messages and displaying dates and times.

Viewing VirusScan Enterprise for Linux information

This chapter provides detailed information on viewing the host summary, scanning summary, detected items, system events, scheduled tasks and information about extra detection definition (DAT) files.

Setting up schedules

This chapter provides detailed information on how to use wizards to schedule a product update task or schedule to run an on-demand scan.

Configuring VirusScan Enterprise for Linux

This chapter provides detailed information on how to access the general settings such as browser interface, clearing statistics and resetting configuration settings; on-access settings, on-demand settings, notifications and repositories.

Advanced features

This chapter provides detailed information on the advanced settings such as how to substitute variables in notification templates, configure features from a file, control the software from command line and an overview on how the quarantine action works.

Troubleshooting

This chapter provides detailed information on answers to common situations that you might encounter while installing or using the software.


Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access...          Do this...

User documentation    1 Click Product Documentation.
                      2 Select a product, then select a version.
                      3 Select a product document.

KnowledgeBase         • Click Search the KnowledgeBase for answers to your product questions.
                      • Click Browse the KnowledgeBase for articles listed by product and version.


1 Introducing McAfee VirusScan Enterprise for Linux

McAfee VirusScan Enterprise for Linux (previously known as LinuxShield) detects and removes viruses and other potentially unwanted software on Linux-based systems.

This information is intended for network administrators who are responsible for their company’s anti-virus and security program.

Contents

• What is McAfee VirusScan Enterprise for Linux

• How does VirusScan Enterprise for Linux work

• Product Features

• What’s new in this release

• Contact information

What is McAfee VirusScan Enterprise for Linux

VirusScan Enterprise for Linux detects and removes viruses and other potentially unwanted software on Linux-based systems. VirusScan Enterprise for Linux uses the powerful McAfee scanning engine — the engine common to all our anti-virus products.

Although a few years ago, the Linux operating system was considered a secure environment, it is now seeing more occurrences of software specifically written to attack or exploit security weaknesses in Linux-based systems. Increasingly, Linux-based systems interact with Windows-based computers. Although viruses written to attack Windows-based systems do not directly attack Linux systems, a Linux server can harbor these viruses, ready to infect any client that connects to it.

When installed on your Linux systems, VirusScan Enterprise for Linux provides protection against viruses, Trojan horses, and other types of potentially unwanted software.

VirusScan Enterprise for Linux scans files as they are opened and closed — a technique known as on-access scanning. VirusScan Enterprise for Linux also incorporates an on-demand scanner that enables you to scan any directory or file in your host at any time.

When kept up-to-date with the latest virus-definition (DAT) files, VirusScan Enterprise for Linux is an important part of your network security. We recommend that you set up an anti-virus security policy for your network, incorporating as many protective measures as possible.

VirusScan Enterprise for Linux uses a web-browser interface, and a large number of VirusScan Enterprise for Linux installations can be centrally controlled by ePolicy Orchestrator.


How does VirusScan Enterprise for Linux work

This section describes how VirusScan Enterprise for Linux works when correctly installed and configured on your Linux host.

Once VirusScan Enterprise for Linux software has been correctly installed and configured on your Linux host, it provides two functions:

• VirusScan Enterprise for Linux runs as a daemon (which is similar to a service in Microsoft Windows).

As files are accessed via the Linux kernel, VirusScan Enterprise for Linux intercepts the files and scans them for viruses and other potentially unwanted software. (See Events that trigger VirusScan Enterprise for Linux scanning for more information.) This form of protection is called on-access scanning. VirusScan Enterprise for Linux also maintains a record of files that it has recently scanned to avoid any unnecessary repeated scanning.

• VirusScan Enterprise for Linux runs an HTTPS-based monitoring service.

VirusScan Enterprise for Linux activities can be monitored and configured through an HTTPS interface. For example, you can configure which types of files VirusScan Enterprise for Linux will scan, and actions that VirusScan Enterprise for Linux will take against infected files, such as cleaning, deletion or quarantining. Using the simple and secure web-browser interface, you can monitor and control virus detection on several Linux hosts. Using ePolicy Orchestrator, you can control a large number of Linux hosts from a single point.

The VirusScan Enterprise for Linux software runs under a user called nails.

Events that trigger VirusScan Enterprise for Linux scanning

VirusScan Enterprise for Linux begins to scan files on the following events:

• File open — When a file is opened.

• File release — In the simple case, this is when a file is closed. If a process has multiple references to a file, for example, via dup or a memory mapping, this is when the last reference is released.

How VirusScan Enterprise for Linux installations interact

VirusScan Enterprise for Linux requires a web browser to monitor and control virus scanning on a host.

The diagram shows a web browser connected via a secure HTTPS link to a web monitor service that we supply as a component of the VirusScan Enterprise for Linux software.

The next table explains how the components operate in this simple set up.

Component                    Function

scanner                      This component provides anti-virus protection, scanning files as instructed by nailsd.

nailsd                       This component communicates between the web monitoring service and the scanner, passing information about the anti-virus scans and configuration details.

mon                          This component of the web monitor examines VirusScan Enterprise for Linux activity on the host, and can configure the anti-virus activity.

nailswebd                    This component of the web monitor communicates with a web browser such as Konqueror, using a secure HTTPS link. A name and password is required for user authentication.

kernel hook modules (file)   This component provides on-access scanning support by hooking on to the kernel.

Product Features

This section describes the product features for the McAfee VirusScan Enterprise for Linux software.

McAfee VirusScan Enterprise for Linux software has the following features:

• Support for 64-bit AMD64/Intel EM64T operating systems.

• The latest version (5400) of the McAfee anti-virus engine.

• Incremental Virus Signature (DAT) updates.

• Mod-versioning for automatic kernel support.

• Regular expression based exclusions for On-access scan and On-demand scan from the user interface.

• Scanning

  • Comprehensive on-access anti-virus scanning and cleaning using the McAfee scanning engine.

  • On-access scanning for local file systems, NFS and Samba/CIFS.

  • Kernel-level scan cache for improved performance.

  • Scheduling of on-demand scans.

  • Scheduling of updates for scanning engine and virus definition files.

• Administration

  • Remote administration using browser-based interface.

  • Secure browser interface with authentication and HTTPS (SSL) support.

  • Remote administration and reporting using ePolicy Orchestrator 4.5 or 4.6.

• Reporting

  • Real-time statistics.

  • Detailed database for detected items and system events.

  • Ability to query the database by date range or individual field values, for example, virus name. Results of query can be exported to a CSV file.

  • Configurable email notification for detected items, out-of-date virus definition files, configuration changes, and system events.

  • Diagnostic report for use when reporting a problem with the product.


What’s new in this release

This section describes the new enhancements in this release of VirusScan Enterprise for Linux.

• Support for Novell Cluster Services.

• Support for Corosync OCFS2 File System Cluster.

• Run-time Kernel Module Support

McAfee VirusScan Enterprise for Linux Kernel modules will be created dynamically in case of a mod-version failure. To manually compile the kernel module, refer to the Frequently asked questions — Run-time Kernel Module Support section in the Product Guide.

Contact information

This section specifies McAfee's contact information such as the threat center, download site, technical support, customer service, and professional services.

Threat Center

McAfee Labs: http://www.mcafee.com/us/mcafee_labs/index.html

McAfee Avert Labs Threat Library: http://vil.mcafeesecurity.com

McAfee Avert Labs WebImmune & Submit a Sample (logon credentials required): https://www.webimmune.net/default.asp

McAfee Labs .DAT Notification Service Opt-In: https://secure.mcafee.com/apps/mcafee-labs/dat-notification-signup.aspx

Download Site

Homepage: http://www.mcafee.com/us/downloads/

• Products and Upgrades (requires a valid grant number)

• Product Documentation

• Product Evaluation

• McAfee Beta Program

Technical Support

Homepage: http://www.mcafee.com/us/support/index.html

KnowledgeBase Search: http://knowledge.mcafee.com

McAfee Technical Support ServicePortal (logon credentials required): https://mysupport.mcafee.com/eservice_enu/start.swe

Customer Service

Web: http://www.mcafee.com/us/support/index.html or http://www.mcafee.com/us/about/contact/index.html

Phone: +1-888-VIRUS NO or +1-888-847-8766 Monday - Friday, 8 a.m. — 8 p.m., Central Time


Professional Services

Enterprise: http://www.mcafee.com/us/enterprise/services/index.html

Small & Medium Business: http://www.mcafee.com/us/smb/services/index.html


2 Scanning for viruses and other potentially unwanted software

This section describes briefly how scanning works and the types of scanning that are available.

McAfee VirusScan Enterprise for Linux software can perform several types of scanning on your computers in order to provide as much anti-virus protection as possible. You can configure a number of these scanning features, the type of scan, which objects (for example archive files) to scan, and when to run the scan.

Contents

• How does scanning work

• What and when to scan

• Types of scanning

How does scanning work

Your McAfee anti-virus software contains the McAfee scanning engine and the virus definition (DAT) files. The engine is a complex data analyzer. The DAT files contain a great deal of information, including thousands of different drivers, each of which contains detailed instructions on how to identify a virus or type of virus.

The McAfee scanning engine works together with the DAT files. It identifies the type of object being scanned (often a file) and decodes the contents of that object. The engine then uses the information in the DAT files to search for known viruses. Many viruses have a distinctive signature — a sequence of characters unique to that virus.

The engine uses a technique called heuristic analysis to search for unknown viruses. This involves analysis of some of the object’s program code and searching for distinctive features typically found in viruses.

Once the engine has confirmed the identity of a virus, it cleans the object as far as possible. For example, the anti-virus software can remove an infected macro from a document or delete the virus code in an executable file. If the virus has destroyed data, and the file cannot be fixed, the anti-virus software must make the file safe so that it cannot be activated and infect other files.

What and when to scan

The threat from viruses can come from many directions, including infected macros, shared program files, files shared across a network, email, floppy disks, and files downloaded from the Internet. Each McAfee anti-virus software product targets a specific area of vulnerability. We recommend a multi-tiered approach to provide the full range of virus detection, security and cleaning capability.

You can configure your VirusScan Enterprise for Linux software according to the demands of your system. These demands depend on when and how the parts of your system operate and how they interact with each other and with the outside world, particularly through email and Internet access.

A variety of options can be configured or enabled which allow you to determine how your anti-virus software deals with different types of file and what it does with infected or suspect items.

For further information about configuring the software, see Configuring VirusScan Enterprise for Linux.

Types of scanning

Scanning falls into these main groups — on-access scanning and on-demand scanning. The types of scanning detect the same viruses, but they work at different points on the network and on the desktop computer. The types of scanning can take place at different times, and at different stages in the handling of objects.

On-access scanning

On-access scanning (or real-time scanning) examines objects as they are accessed by the user or the system. For example, an on-access scanner examines a file when the user opens it.

When you first install VirusScan Enterprise for Linux, on-access scanning defaults are set but you can configure these to suit your system. You can set global options that determine how scanning is carried out, including how the scanner deals with different types of object, specifying what is to be done with infected items, and how quarantine and notification is handled.

For further details of how to configure on-access scanning, see Configuring VirusScan Enterprise for Linux.

On-demand scanning

The types of on-demand scan are:

• Standard on-demand scan — The user instructs the scanning software to perform a scan; this is launched manually.

• Scheduled on-demand scan — This is scheduled to run automatically at predetermined intervals or times. You may choose to schedule a scan of this type to run after the regular DAT update.

You may run an on-demand scan for many reasons, for example:

• To check a file that has been downloaded from the Internet or obtained from an external source.

• To check that a Linux system is virus-free, possibly following DAT update, in case new viruses can be detected.

• To check that your computer is completely clean, following a recent single detection.

For further details of how to configure on-demand scanning, see Configuring VirusScan Enterprise for Linux.


3 VirusScan Enterprise for Linux interface

After VirusScan Enterprise for Linux has been correctly installed and configured on your Linux host, it runs as a daemon. To make changes to your VirusScan Enterprise for Linux software configuration, or to view information about your software, you use the VirusScan Enterprise for Linux interface.

McAfee recommends that you use the browser-based interface to manage VirusScan Enterprise for Linux features. Although some features can be configured using text-based files (described in Configuring features from a file), McAfee does not recommend this.

Some actions can also be controlled from the command line. For more information, see Controlling VirusScan Enterprise for Linux from the command line.

Contents

• Opening the VirusScan Enterprise for Linux interface

• Introducing the VirusScan Enterprise for Linux interface

• Using the interface


Opening the VirusScan Enterprise for Linux interface

Use this task to view the VirusScan Enterprise for Linux interface.

Task

1 Open a web browser, such as Microsoft Internet Explorer, Mozilla or Konqueror. See the Installation Guide for a list of supported browser versions.

2 In the address bar, type:

https://<hostname>:<port>

For example: https://192.168.200.200:55443 or https://server1:55443

Figure 3-1 Log on page

Letter case is not important. VirusScan Enterprise for Linux regards server1 and SERVER1 as the same name. The browser tries to connect to the port on the Linux host where the VirusScan Enterprise for Linux web-monitoring service runs, and displays the log on page. If your browser or its version is not supported, you see a warning message. You may continue to log on, but you might experience problems later with the display and operation of features of the interface.

3 Type the default user name nails and password, then click Log on.

After a short time, the VirusScan Enterprise for Linux homepage is displayed. On Konqueror browsers, the following message appears in a dialog box: Server certificate failed the authenticity test...

This happens because the certificate is self-signed. You may ignore this message and click Continue.

The Host Summary page is displayed. To return to this page at any time, click Home from the navigation pane (on the left side). The Host Summary page provides some brief information (such as host IP address, DAT version, engine version, product version, files scanned, status, and detected items) about the Linux server where VirusScan Enterprise for Linux is installed. See the Host Summary section for more information about this page.
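The certificate warning in step 3 appears because a self-signed certificate cannot be validated against a certificate authority. The sketch below is an added example, not McAfee code: it pins the SHA-256 fingerprint of the certificate when it is first seen and flags any later change. The pin-file name and the stand-in certificate bytes are constructed for illustration, and fetch_pem is the only function that touches the network.

```python
import hashlib
import hmac
import json
import ssl
import tempfile
from pathlib import Path


def normalize(fp: str) -> str:
    """Accept 'AB:CD:...' (openssl style) or plain hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 of the certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_pem(host: str, port: int) -> str:
    """Fetch the certificate the web interface presents.

    No chain validation is done here: a self-signed certificate has no CA
    to validate against, so it is pinned by fingerprint instead.
    """
    return ssl.get_server_certificate((host, port))


def check_pin(store: Path, endpoint: str, pem: str, trusted_fp: str = "") -> str:
    """Return 'pinned' (first sight), 'match' or 'MISMATCH'.

    trusted_fp is an optional fingerprint obtained out of band, for example
    computed from the certificate file on the host's own console.
    """
    pins = json.loads(store.read_text()) if store.exists() else {}
    key = endpoint.lower()          # server1 and SERVER1 are the same host
    seen = fingerprint_from_pem(pem)
    if trusted_fp and not hmac.compare_digest(normalize(trusted_fp), seen):
        return "MISMATCH"           # never pin a certificate that fails the check
    if key not in pins:
        pins[key] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "pinned"
    return "match" if hmac.compare_digest(pins[key], seen) else "MISMATCH"


def demo() -> list:
    """Offline walk-through using two constructed stand-in certificates."""
    genuine = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: host certificate")
    other = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: unexpected certificate")
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "vsel_pins.json"   # hypothetical pin-file name
        return [
            check_pin(store, "server1:55443", genuine),   # first visit
            check_pin(store, "SERVER1:55443", genuine),   # later visit, same cert
            check_pin(store, "server1:55443", other),     # certificate changed
        ]


if __name__ == "__main__":
    print(demo())
```

A MISMATCH result after a certificate was pinned means the interface is presenting a different certificate than before, which is the case worth investigating before typing the password.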


Introducing the VirusScan Enterprise for Linux interface

This section helps you understand the VirusScan Enterprise for Linux user interface and describes the purpose of each area in the interface.

The VirusScan Enterprise for Linux interface has the following main areas:

• Left — Navigation pane

• Middle — Console

• Right — Quick Help pane

Figure 3-2 VirusScan Enterprise for Linux user interface

Navigation pane

The navigation pane, on the left side of the VirusScan Enterprise for Linux interface, provides links to each page.

Similar links are grouped together.

Figure 3-3 Navigation pane


The name of the currently selected Linux host appears above the navigation pane as a host name and port number, for example: "server1:1234".

The groups of items in the menu (View, Schedule and Configure) refer to this host.

• View — These options display Host Summary, Scanning Summary, Detected Items, System Events, and Scheduled Tasks information about the selected host.

• Schedule — These options display Product Update and On-Demand Scan information, where you can set up schedules for running on-demand scans and updating the virus definition (DAT) files.

• Configure — These options display General Settings, On-Access Settings, On-Demand Settings, Notifications, and Repositories information where you can configure VirusScan Enterprise for Linux on the selected host.

The navigation pane also includes:

• Home — To display summary information about the host that is being monitored.

• Show/Hide Quick Help — To show or hide the quick help which is usually displayed on the right pane of the user interface.

Console

The console, in the middle of the VirusScan Enterprise for Linux interface, displays each page that is selected from the navigation pane.

Quick Help pane

The Quick Help pane, on the right side of the window, displays basic information about each page displayed within the console area of the interface. Quick Help includes links to the online Help system, to our web site and to other sources of product information.

You can show or hide Quick Help, using the Show Quick Help or Hide Quick Help menu options from the navigation pane. See also Hide quick help on startup under General settings.

Links bar

The links bar, at the top of the VirusScan Enterprise for Linux interface, contains links to useful resources such as the Virus Information Library and the Help Topics.

This black bar contains the following links:

Table 3-1 Option definitions

Option | Definition
Log off | Return to the VirusScan Enterprise for Linux logon screen.
Technical Support | Frequently asked questions on our Technical Support web site.
Submit a Sample | Instructions for submitting a virus sample to us.
Virus Information | Links to the Virus Information Library, which provides full information about every virus and other potentially unwanted software that our products can detect and clean.
About VirusScan Enterprise for Linux | Product and licensing information.
Resources | Contact information.
Help Topics | Online Help.


The web addresses of the links are listed on the Contact information page.

Depending on the configuration that your organization requires, some of these links may not be available or they may redirect to other locations. See the Advanced Features section.

Using the interface

This section describes the features of the VirusScan Enterprise for Linux interface.

Expanding and collapsing tables of information

The interface contains several tables of information. For convenience, you can expand or collapse some tables.

• Click — To hide the information. (Collapse)

• Click — To show the information. (Expand)

Sorting by table columns

The interface contains several tables. For convenience, you can sort the information.

For example, to sort rows into time order, click the column heading, Time. An arrow appears on the right side of the column heading and indicates the sort order.

^ — The information is displayed in ascending order (0-9, A-Z).

v — The information is displayed in descending order (9-0, Z-A).

To reverse the order of sorting, click the column heading again.

Time ^ | File Name
May 2, 2010 12:01:05 | foo1
May 2, 2010 12:11:35 | foo2
May 3, 2010 01:01:53 | foo3
May 4, 2010 02:01:06 | foo4

This action does not refresh or update the contents of a table. The action does not sort all the information; it changes the order of the currently displayed rows of information only.

Navigating through long tables

If VirusScan Enterprise for Linux has too much information to display normally within a page, VirusScan Enterprise for Linux displays just a few rows at a time.

Navigation arrows and numbers appear at the foot of the table to enable you to access the rest of the information.

For example: << 1 2 3 4 5 >>

Table 3-2 Option definitions

Option | Definition
<< | Click to go to the previous section of the table.
2 | You are currently viewing section 2 of the table. The number is displayed larger than the others.
4 | Click to go to section 4 of the table.
>> | Click to go to the next section of the table.

To increase the number of rows of information that you can view in one page, see Results per page under the General settings section.

VirusScan Enterprise for Linux applies a limit to the amount of information that can be viewed over several pages. For example, on the Detected Items page and the System Events page, you can view up to 20 pages each containing up to 50 rows. You can effectively view more results by using a query to filter the information.

Changing the settings on a page

From several pages within the interface, you can change settings, such as which types of file to scan. These pages have a button marked Edit at the top right of the page.

Task

1 To enable any changes to the settings, click Edit.

The Edit button is replaced by other buttons — Apply and Cancel, and in some cases, Defaults or Reset.

2 To change any settings, update the fields, then click Apply.

3 If while making the changes, you decide not to proceed, click Cancel.

4 To reset the settings on the page to the defaults that were in effect when VirusScan Enterprise for Linux was first installed, click Reset. When you click Cancel or Defaults, you are prompted to confirm that you want to do this.

Automatically refreshing information on pages

The information on some pages (such as the Scanning Summary) is automatically refreshed every 10 seconds by default.

You can change the refresh interval from the VirusScan Enterprise for Linux interface. See the General settings section.

To manually refresh these pages at any time, click Refresh at the top of the page.


Using wizards

The VirusScan Enterprise for Linux interface uses a form of wizard to help you complete some complex tasks by specifying required settings in a sequence of panes.

Figure 3-4 Typical wizard pane

This example is taken from an option in the Schedule menu. The Next and Back buttons in the top right corner enable you to move from pane to pane. You can also move to any pane by clicking the tabs labelled 1. ... and 2. ... and so on.

To close the wizard and complete the task, click Finish.

Understanding error messages

If a fault occurs with the interface, VirusScan Enterprise for Linux displays a message on the current page.

The message typically has the format:

Error Code | Description
25 | Connection failed to host 192.168.255.200

For more information, click the error code. Other types of errors are logged as system events. See the System events section.

Displaying dates and times

Dates and times in the interface are expressed as the local time on the host. Time is displayed in 24-hour format, and includes a UTC (Universal Time Co-ordinates) offset. For example: May 02, 2008 12:35:00 (-8:00 UTC)

To prevent the display of the UTC offset, see Display time UTC offset in the General settings section.
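Because each host reports its own local time, events copied from several hosts only line up once they are converted to a common clock. The following added example (not part of the product) parses the display format shown above and merges events from two hosts onto a UTC timeline. The event rows are constructed, and two points are assumptions: that month names may be full or abbreviated, and that an offset east of UTC is shown with "+" or with no sign.

```python
import re
from datetime import datetime, timedelta, timezone

# Display format shown in the guide: "May 02, 2008 12:35:00 (-8:00 UTC)".
# The offset part is optional because the interface can be set to hide it.
_STAMP = re.compile(
    r"^\s*(?P<local>[A-Za-z]+ \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2})"
    r"(?:\s*\((?P<sign>[+-]?)(?P<hours>\d{1,2}):(?P<minutes>\d{2}) UTC\))?\s*$"
)


def parse_host_time(text, assumed_offset=None):
    """Return a timezone-aware datetime for one displayed timestamp.

    assumed_offset (a timedelta) is used only when no offset is displayed;
    without it such a timestamp is rejected rather than guessed at.
    """
    m = _STAMP.match(text)
    if m is None:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    local = None
    for fmt in ("%B %d, %Y %H:%M:%S", "%b %d, %Y %H:%M:%S"):
        try:
            local = datetime.strptime(m["local"], fmt)
            break
        except ValueError:
            continue
    if local is None:
        raise ValueError(f"unrecognised date: {m['local']!r}")
    if m["hours"] is not None:
        offset = timedelta(hours=int(m["hours"]), minutes=int(m["minutes"]))
        if m["sign"] == "-":
            offset = -offset
    elif assumed_offset is not None:
        offset = assumed_offset
    else:
        raise ValueError("no UTC offset displayed; supply the host's offset")
    return local.replace(tzinfo=timezone(offset))


def merge_timeline(events):
    """Sort (host, displayed_time, note) tuples by their UTC instant."""
    rows = [
        (parse_host_time(stamp).astimezone(timezone.utc), host, note)
        for host, stamp, note in events
    ]
    return sorted(rows, key=lambda row: row[0])


def as_seen_at(moment, offset_hours):
    """Express an aware datetime on a clock with the given UTC offset."""
    return moment.astimezone(timezone(timedelta(hours=offset_hours)))


# Constructed sample: server1 shows -5:00, server2 shows -8:00.
SAMPLE_EVENTS = [
    ("server2", "January 14, 2011 21:30:00 (-8:00 UTC)", "constructed event C"),
    ("server1", "January 15, 2011 00:00:00 (-5:00 UTC)", "constructed event A"),
    ("server1", "January 15, 2011 00:10:00 (-5:00 UTC)", "constructed event B"),
]

if __name__ == "__main__":
    for utc, host, note in merge_timeline(SAMPLE_EVENTS):
        print(utc.isoformat(), host, note)
```

Sorting the same rows by their displayed text would put the server2 event first, although it happened 30 minutes after the first server1 event.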


4 Viewing VirusScan Enterprise for Linux information

From the View area of the navigation pane you can view the VirusScan Enterprise for Linux information.

You can view the following information about VirusScan Enterprise for Linux:

Contents

• Host Summary
• Scanning Summary
• Detected items
• System events
• Scheduled tasks
• Information about extra DAT files

Host Summary

The Host Summary page shows information collected from the server running VirusScan Enterprise for Linux. The information includes the number of files that have been scanned and any detections.

To view this page, click Host Summary under View in the navigation pane.

Figure 4-1 Host Summary page

For more information about the scanning activity on the host, click its name in the Host column. The table contains the following information:


Table 4-1 Option definitions

Option | Definition
Host | Name of host being monitored. Click this address to view the Scanning Summary page for that host.
Status | Status of the host:
  • active — The host is being monitored.
  • connecting, disconnecting — Brief changes of state.
  • disconnected — Typically the host has been switched off, or its services are not running.
  • on-access disabled — On-access scanning has been disabled on the host. See the On-access settings section.
Files Scanned | Number of items that have been scanned since VirusScan Enterprise for Linux was installed, or since the statistics counters were last reset.
Detected Items | Number of detected items since VirusScan Enterprise for Linux was installed or since the statistics counters were reset. Click this number to see more details on the Detected Items page for that host.
DAT Version | The 8-digit (XXXX.YYYY) version number for the detection definition (DAT) files.
DAT Date | Date when these DAT files were created. We regularly provide updated DAT files. If the date is more than a few days ago, your DAT files are probably out of date.
Extra DAT | We occasionally provide an 'extra DAT' file to counter specific threats. If an 'extra DAT' file is available, click Yes to view the details on the Extra DAT page.
Engine Version | Version of the scanning engine. Engines are updated less often than DAT files.
Product Version | Version of the product.

To reset the Files Scanned and Detected Items to zero, see the General Settings page. See the General settings section.

Scanning Summary

The Scanning Summary page shows details of on-access scanning activity on the host that you selected from the Host Summary page.

See the Host Summary section. Statistics about infections detected during on-access and on-demand scans are available from the Detected Items page and the rest will be available from System Events. See the Detected items and System Events sections.


To view this page, click Scanning Summary under View in the navigation pane.

Figure 4-2 Scanning Summary page

Scanning statistics

The statistics are collected from the time when VirusScan Enterprise for Linux was installed, or since the statistics counters were last reset on the General Settings page.

The next table explains the information in each column.

Table 4-2 Option definitions

Option | Definition
On-Access status | Indicates whether on-access scanning is enabled.
Files scanned | Number of files scanned since the host started or the counters were reset.
Detected items | Number of items detected by on-access scanning since VirusScan Enterprise for Linux was installed or since the count was last cleared. To see more details, click this number to view the Detected Items page.
Actions performed | Actions that have been performed on files, in accordance with the settings on the On-Access Settings page. For on-access scans, Access denied means that all actions taken against the infection failed, or the action was set to deny access.
Files not scanned | Numbers of files that were not scanned for various reasons. For example, some items are excluded because they are on specified excluded paths, or because of the file name extension.
Average scan time (ms) | Measure of scan performance. Average time in milliseconds taken to scan an item.
Scanning uptime | Time since VirusScan Enterprise for Linux was last started. Statistics about average scanning time are based on this period.
Host local time | Time is expressed in 24-hour format as local time on the host, and with a UTC offset. See the Displaying dates and times section.


Recently detected items

This information is continuously updated as files are accessed, then scanned and any viruses are detected.

Although a file name appears in the list, the file itself might no longer exist if VirusScan Enterprise for Linux has deleted the infected file. The following information is displayed under Recently Detected.

Table 4-3 Option definitions

Option | Description
Time | Time when the detection occurred.
File Name | Name of the file, excluding its path.
Detected As | Name of any virus or other potentially unwanted software. For more information, click the name to visit the Virus Information Library.
Detected Type | Type of the detected item, such as:
  • Program — A program (application) such as spyware, remote-access software, or password cracker.
  • Joke — Joke program.
  • Test — Test virus such as EICAR.
  • Trojan — Trojan-horse program.
  • Virus — Virus, and other types of infection.
User | Name of the user who accessed the file.
Process | Process that accessed the file.
Path | Name of the file, including its full path. In the case of an archive or other file types that act as a container, this can include the name of an item within the archive.

Recently scanned items

This information is continuously updated as files are accessed and scanned. The following information is displayed under Recently Scanned.

Table 4-4 Option definitions

Option | Description
Time | Time when the scanning occurred.
File Name | Name of the file, excluding its path.
Detected As | This column appears only if a recently scanned file was infected. Name of any virus or other potentially unwanted software. For more information, click the name to visit the Virus Information Library.
Detected Type | This column appears only if a recently scanned file was infected. Type of the detected item, such as:
  • Program — A program (application) such as spyware, remote-access software, or password cracker.
  • Joke — Joke program.
  • Test — Test virus such as EICAR.
  • Trojan — Trojan-horse program.
  • Virus — Virus, and other types of infection.
User | Name of the user who accessed the file.
Process | Process that accessed the file.
Path | Name of the file, including its full path. In the case of an archive or other file types that act as a container, this can include the name of an item within the archive.

If the path name is very long, move the horizontal scroll bar to see it all clearly.

Obtaining a diagnostic report

A diagnostic report contains detailed information that is useful to our technical support staff if you need to contact them.

Task

1 In the Scanning Summary page, click Diagnostic Report. After a message such as Loading, the console displays a list of system events, configuration details, and other information.

2 Using the browser, you can copy the information for later analysis. Typically, you select Select All from a right-click menu (or Ctrl+A), copy then paste the text as required.

Detected items

The Detected Items page shows a list of items that have been detected as containing a virus or other potentially unwanted software. The range of items that you see can vary because this depends on how you navigated to this page.

For example, if you navigated directly to this page from the left-hand navigation pane or you selected the count of Detected Items in the Scanning Summary page, you see items detected today by on-access scanning.

If you navigated to this page from a task in the Scheduled Tasks page for an on-demand task, then you see items detected during the last run of the task.


To view this page, click Detected Items under View in the navigation pane. From this page, you can modify the view to show information about items detected by on-access scanning or detected by an on-demand scan.

Figure 4-3 Detected Items page

The Detected Items page has two areas — Query and Results.

Analyzing the detected items

Under Query, you can refine the information that is displayed under Results.

You can examine entries made between, before or after specified dates and times, and you can filter the information further. For example, you can find all occurrences of a particular virus. This feature is useful if VirusScan Enterprise for Linux has detected a large number of viruses, and it enables you to analyze trends.

• To view information about detections during on-access scanning, select On-Access, at for.

To view information about detections during an on-demand scan, select On-Demand, at for. Then, select the name of the on-demand task.

• To examine information after a specified date, select from. To examine information before a specified date, select to. Select the date and time.

To examine information between two dates, select both from and to, then select the dates and times.

• Click Find Results.

After a short time, VirusScan Enterprise for Linux updates the information under Results.


Task

1 At where, use the checkboxes on the right to select from items such as Path and User. For descriptions, see the table in the Recently detected items section.

2 Enter or select the details to match. Enter any path names in the correct case.

3 Click Find Results. After a short time, VirusScan Enterprise for Linux updates the information under Results.

Viewing the results

The Results area of the page, below Query, has a table with several rows and columns. The number of rows is typically up to 10.

To change the number, see the General settings section. The area contains the following information:

Table 4-5 Option definitions

Option | Definition
Time | Time when the detection occurred.
File Name | Name of the file, excluding its path.
Result | Result of the scan. This is one of the following:
  • Cleaned, Deleted, Quarantined, or Renamed.
  • Clean Failed, Delete Failed, Quarantine Failed, or Rename Failed.
  • Access denied — No cleaning occurs but VirusScan Enterprise for Linux denies further access to the file. This option applies to on-access scans only.
Detected As | Name of any virus or other potentially unwanted software. For more information, click its name to view its details in our Virus Information Library.
Detected Type | Type of infection, such as Joke.
User | Name of the user who accessed the file. This field is not available in the results of on-demand scans.
Process | Process that accessed the file. This field is not available in the results of on-demand scans.
Path | Name of the file, including its full path. This field is not available in the results of on-demand scans.

To see more rows of information, use the navigation arrows and numbers below the table, for example: << 1 2 3 >>. See the Navigating through long tables section.

To refine the information, use the Query filter. See the Analyzing the detected items section.

If the page is showing on-access scanning, or if VirusScan Enterprise for Linux is still running a scheduled scan, click Refresh to see the latest detections.

Exporting the results for analysis

You can save all the information under Results as a CSV (Comma-Separated Values) file, then import the information into a spreadsheet program, such as Microsoft Excel or Lotus 123, for further analysis.

Task

1 Click Export to CSV.

2 In the next dialog box, save the file. The default name is detitems.csv.


System events

The System Events page shows details of events such as system errors, updates to DAT files, and changes in configuration for the host that you selected from the Host Summary page.

To view this page, click System Events under View in the navigation pane.

Figure 4-4 System Events page

The page has two areas — Query and Results.

The table under Results has several rows and columns. The number of rows is typically limited to 10. To change the number, see the General settings section. To see the latest events, click Refresh.

The columns contain the following information:

Table 4-6 Option definitions

Option | Definition
Time | Time at which the event occurred. See the Displaying dates and times section.
Code | Event code (a number relating to the error or information event).
Type | Type of event — Error or Information.
Description | Details of the event or error.

Analyzing the system events

Under Query you can refine the information that is displayed under Results.

You can examine entries made between, before or after a specified date and time, and you can filter the information further. For example, you can find all occurrences of a particular error code. This feature is useful if VirusScan Enterprise for Linux has generated a large number of events, and enables you to analyze trends.


Task

1 To examine information after a specified date, select from. To examine information before a specified date, select to. Select the date and time. To examine information between two dates, select both from and to, then select the dates and times.

2 Click Find Results. After a short time, VirusScan Enterprise for Linux updates information under Results.

VirusScan Enterprise for Linux uses ranges of codes to assign events to different parts of the product. For example, all engine-related errors are in the range 3000-3999. See the table Error code ranges for System Events log under the Error messages section.

At Code, you can specify a single code or a range of codes, for example:

Code | Description
3000 | Only the 3000 code event.
3001 | Only the 3001 code event.
3000- | All events above and including code event 3000.
-3000 | All events up to and including code 3000.
1000-3000 | All events between 1000 and 3000, including 1000 and 3000.
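The same code-filter syntax is useful when triaging system events outside the browser. The following added example (not part of the product) parses the five forms listed above and applies them to event rows. The CSV layout is an assumption based on the columns of Table 4-6, and every row is constructed sample data.

```python
import csv
import io
import re
from collections import Counter

# The forms accepted at Code: "3000", "3000-", "-3000", "1000-3000".
_SPEC = re.compile(r"(\d*)(-?)(\d*)")


def parse_code_filter(spec):
    """Return (low, high), both inclusive; None marks an open end."""
    m = _SPEC.fullmatch(spec.strip())
    if m is None or not (m.group(1) or m.group(3)):
        raise ValueError(f"not a code or code range: {spec!r}")
    low_text, dash, high_text = m.groups()
    low = int(low_text) if low_text else None
    high = int(high_text) if high_text else None
    if not dash:                      # a single code such as "3000"
        high = low
    if low is not None and high is not None and low > high:
        raise ValueError(f"range is reversed: {spec!r}")
    return low, high


def load_events(csv_text):
    """Read event rows; the column names are assumed, not documented."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["Code"] = int(row["Code"])
    return rows


def select_events(rows, spec):
    """Keep the rows whose code falls inside the filter."""
    low, high = parse_code_filter(spec)
    return [
        row for row in rows
        if (low is None or row["Code"] >= low)
        and (high is None or row["Code"] <= high)
    ]


def count_by_block(rows):
    """Count events per block of 1000 codes, for example '3000-3999'."""
    counts = Counter()
    for row in rows:
        start = row["Code"] // 1000 * 1000
        counts[f"{start}-{start + 999}"] += 1
    return counts


# Constructed sample rows; descriptions are placeholders, not product text.
SAMPLE_CSV = """Time,Code,Type,Description
"January 15, 2011 00:00:00 (-5:00 UTC)",999,Information,constructed event 1
"January 15, 2011 00:01:00 (-5:00 UTC)",1000,Information,constructed event 2
"January 15, 2011 00:02:00 (-5:00 UTC)",2500,Information,constructed event 3
"January 15, 2011 00:03:00 (-5:00 UTC)",3000,Error,constructed event 4
"January 15, 2011 00:04:00 (-5:00 UTC)",3001,Error,constructed event 5
"January 15, 2011 00:05:00 (-5:00 UTC)",3999,Information,constructed event 6
"January 15, 2011 00:06:00 (-5:00 UTC)",4200,Error,constructed event 7
"""

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for spec in ("3000", "3000-", "-3000", "1000-3000"):
        print(spec, [row["Code"] for row in select_events(events, spec)])
    print(dict(count_by_block(events)))
```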

Exporting the results for analysis

You can save information under Results as a CSV (Comma-Separated Values) file, then import the information into a spreadsheet program such as Microsoft Excel or Lotus 123, for further analysis.

The System Events page shows only a few rows of information, typically 10 at a time. However the export will include all the events that match the query specification. The title line of the Results table shows the full number, for example: (101 to 110 of 2359). If the full number of rows is large, the export can take some time, during which the scanning performance is slower, and the host performance might also be affected.

Task

1 Under Query, specify the information you want to see as described in the Analyzing the system events section, and click Find Results.

2 Click Export to CSV.

3 In the next dialog box, save the file. The default name is sysevents.csv.

Scheduled tasks

VirusScan Enterprise for Linux uses scheduled tasks to enable you to update the scanning engine and virus definition (DAT) files, or to run on-demand scans on your Linux host.

You can choose these tasks to run immediately, to run once, or to run at regular times. To schedule a new task, see the Setting Up Schedules section.


The Scheduled Tasks page shows all tasks that you have scheduled under Task Summaries. To view this page, click Scheduled Tasks under View in the navigation pane.

Figure 4-5 Scheduled Tasks page

The page has two areas — Task Summaries and Task Details.

Task Summaries has the following information:

Table 4-7 Option definitions

Option | Definition
Name | Name of the task. To see the details for any task, click its name.
Type | Type of task — Update or On-Demand scan.
Status | Status of the task, such as Idle, Completed, In Progress or Failed.
Results | Result of each task.

To see any more rows of information, use the navigation arrows and numbers below the table. See the Navigating through long tables section.

To see extra information about any task, click its name under Task Summaries. The following information then appears under Task Details.

Table 4-8 Option definitions

Option | Definition
Status | Status of the task — Idle (not started), Completed, Failed, In Progress, or Stopped (by the user). (Stopping might appear briefly before Stopped.)
Next Run | Scheduling information for the task. This applies to regular tasks only.
Last Run | Date and time when the task was last run.
Progress | Progress of the task. During an on-demand scan, this field shows the number of files that have been scanned, and other information such as the number of files that were excluded from scanning. During an update, this field shows text messages about each stage. You can click any blue link here to see messages about this task in the System Events page.
Duration | The time taken for the last task, or the elapsed time on the current task.
Results | For an on-demand scan, a completed scan shows as the number of detected items. For more information, click the number to open the Detected Items page. If an update has completed, click here to open the System Events page and find more information. If a failure occurred, click here to open the System Events page and find the reason.

The buttons under Task Details enable you to run, stop, modify, or delete the task, as appropriate. To see the latest status of the tasks, click Refresh.

Running a task immediately

Use this task to execute a scheduled task immediately.

Task

1 Under Task Summaries, click the task name to display its details under Task Details.

2 Under Task Details, click Run Now.

The task runs immediately. The results appear at Results under Task Details.

Modifying an existing scheduled task

Use this task to modify an existing scheduled task. If you no longer need a task but you want to set up a similar task, you can modify the existing task.

Task

1 Under Task Summaries, select the existing task.

2 Under Task Details, click Modify.

3 Follow the procedures given in:

• Creating a schedule to update the product section

• Creating a schedule to run an on-demand scan section

Deleting an existing scheduled task

Use this task to delete an existing scheduled task. If you no longer need a scheduled task, you can delete it.

Task

1 Under Task Summaries, select the task name.

2 Under Task Details, click Delete.


Stopping a task

Use this task to stop a scheduled task which is running.

Task

1 Click Stop. This will set the status to Stopping.

2 Click Stop again. This will set the status to Stopped.

You may now run or delete the task.

Information about extra DAT files

An extra.dat is a supplemental virus definition file that we occasionally create in response to an outbreak of some potentially unwanted software such as a new virus or a new variant of an existing virus.

The Extra DAT page shows information about any extra.dat file that is in use on the selected host. The information includes the names of viruses and other potentially unwanted software that the extra.dat file can detect.

To view this page, click the text, for example Yes(5), under the Extra DAT column on the Host Summary page. If the column contains No, no extra.dat file is available for the host, and VirusScan Enterprise for Linux does not display the page.

Figure 4-6 Extra DAT page

For information about any virus in the list, click on its name, to link to our Virus Information Library.


5 Setting up schedules

Use this task to set up schedules to update the product or run an on-demand scan.

From the Schedule area of the navigation pane, you can protect your Linux hosts by running the following tasks on a regular basis:

• Update the product. At least once per day, you must update virus definition (DAT) files to ensure that VirusScan Enterprise for Linux can recognize new viruses and other potentially unwanted software. See Updating the product section.

• Run an on-demand scan. VirusScan Enterprise for Linux normally examines files as they are accessed, but for full security, scan other files occasionally. See Running on-demand scans section.

Product updating and on-demand scans are likely to be needed on a regular basis. VirusScan Enterprise for Linux enables you to create multiple schedules, for running these tasks at predetermined intervals.

You can also use the schedule options to create an immediate scan or update. These can be created in response to a suspected virus attack, where you want to use the latest available DAT files to counter any new viruses, then run the anti-virus software to ensure that your hosts are free from the new viruses.

You can also run these tasks from a command line. This can be useful at times when you do not want to use the browser interface, such as within a script.

Understanding time differences

It is important to understand how to set up times for scans and updates. Suppose you are in Los Angeles, using a browser to control a host that is running VirusScan Enterprise for Linux in New York. When you schedule the time and date, it will be the local time in New York. The time difference between these two locations is typically three hours. Therefore if you set an on-demand scan to run at midnight, the scan will run at midnight in New York, and you will see the results of the scan from 9 p.m. in Los Angeles.

Contents

• Using a wizard

• Updating the product

• Running on-demand scans

• Running a task from the command line

Using a wizard

Each type of scheduling works in a similar way, using a wizard-like process to make the task easier.

See the Using wizards section. The process leads you through a few pages where you enter the following information:

• When the scan or update will take place.

• What to scan or update.

• The name of the task.

Updating the product

The VirusScan Enterprise for Linux software depends on information in the virus definition (DAT) files to identify viruses. Without updated information on the latest virus threats, no anti-virus software can detect new virus strains or respond to them effectively. Software that is not using current DAT files can compromise your virus-protection program.

Hundreds of new viruses appear every month. To meet this challenge, we release new DAT files every day, incorporating the results of our ongoing research into the characteristics of new viruses and their variants. The update task that is provided with the VirusScan Enterprise for Linux software makes it easy to take advantage of this service.

This feature allows you to download the latest DAT files or a new scanning engine, using an immediate update or a scheduled update.

You can also create an unscheduled update. Here, you provide information about an update but do not attach a schedule to it. You can then run the update at any time, or run it from a command line.

Within your network, you need at least one computer that can download the files from our FTP site. See details of the download site in Contact information section. The VirusScan Enterprise for Linux software can then access the FTP site directly or via a proxy host, or it can copy files from that computer.

To use this feature, click Product Update under Schedule in the navigation pane.

Figure 5-1 Product Update page

Creating a schedule to update the product

Use this task to create a schedule to update VirusScan Enterprise for Linux.

To create a schedule to update the virus definition files or the scanning engine, click Product Update under Schedule in the navigation pane.

Task

1 Choose when to update.

a Select how frequently you want the update to occur.

b If you select any option other than Immediately or Unscheduled, enter further details for the date, day, month and time (as appropriate) for the update to run. See Understanding time differences section.

c Click Next.

2 Choose what to update.

a Select what you want to update: DAT files or scanning engine.

b Click Next.

3 Enter a task name.

a Enter a unique name for the update. This will help you to locate the task later in the list of scheduled tasks.

b Click Finish.

VirusScan Enterprise for Linux displays the Scheduled Tasks page (see Scheduled tasks section), and the update runs at the times you defined in the schedule.

Running on-demand scans

On-demand scanning provides a method for scanning all parts of your host at convenient times or at regular intervals. Use it to supplement the continuous protection that the on-access scanner offers, or to schedule regular scan operations when they will not interfere with your work.

VirusScan Enterprise for Linux scans files as they are written to or read from disk. During these scans, VirusScan Enterprise for Linux uses the installed virus definition (DAT) files to check for any viruses or potentially unwanted software within the files.

You can perform a one-time on-demand scan when you want to scan a file or location that you believe is vulnerable or you suspect of containing a virus infection, or you can perform scheduled scanning activities at convenient times or at regular intervals.

You can also create an unscheduled scan. Here, you provide information about a scan but do not attach a schedule to it. You can then choose to run the scan at any time, or run it from a command line.

To use this feature, click On-Demand Scan under Schedule in the navigation pane.

Figure 5-2 On-Demand Scan page

Creating a schedule to run an on-demand scan

Use this task to create a schedule to run an on-demand scan.

To create a schedule to run an on-demand scan, click On-Demand Scan under Schedule in the navigation pane.

Task

1 Choose when to scan.

a Select how frequently you want the scan to run.

b If you select any option other than Immediately or Unscheduled, enter any further details for the date, day, month and time for the scan to run. See Understanding time differences section.

c Click Next.

2 Choose what to scan.

Here, you can build a list of directories to scan.

a Under Path, type the name of a directory. Enter any path names in the correct case, and make sure that the directory already exists.

b To scan its subdirectories, select Scan Sub-Directories.

c Click Add.

d Add any more directory names. To remove any directory name, click Remove.

e Click Next.

3 Choose scan settings.

Select the settings. They are organized into these main areas:

• Scanning options

• Paths excluded from scanning

• Extension-based scanning

• Anti-virus actions

4 Enter a task name.

a Enter a unique name for the on-demand scan. This enables you to locate the task later in the list of scheduled tasks.

b Click Finish.

VirusScan Enterprise for Linux displays the Scheduled Tasks page, and the scan runs at the times you defined in the schedule.

Running a task from the command line

You can run tasks from a command line. This can be useful at times when you do not want to use the browser interface, such as within a script. The task must already be set up from the Product Update page or the On-Demand Scan page.

Furthermore, you can define some tasks specifically to be run from a command line. Select Unscheduled from the Product Update page or the On-Demand Scan page and add the details as usual.

Task

1 At the command line, type:

/opt/NAI/LinuxShield/bin/nails task --list

This provides the task number.

2 At the command line, type:

/opt/NAI/LinuxShield/bin/nails task --run task-number

The task runs immediately using the details previously entered at the Product Update page or the On-Demand Scan page.

Example

To run a task called Daily scan that you created earlier:

1 Find the number for the task by typing:

/opt/NAI/LinuxShield/bin/nails task --list

The output is:

VirusScan Enterprise for Linux configured tasks:

1 "Weekly scan" (Stopped)

2 "Daily scan" (Idle)

3 "Friday scan" (Idle)

From the output, you can see that the task number is 2.

2 Run the task by typing:

/opt/NAI/LinuxShield/bin/nails task --run 2
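When the two steps above are used inside a script, the number can be resolved from the task name at run time instead of being hard-coded. The following is an added example, not code from this guide or from McAfee; the function names are hypothetical, the listing format is taken from the sample output above, and it assumes that nails exits with a non-zero status on failure.

```shell
#!/bin/sh
# Added example (not McAfee code): resolve a task number from its name
# instead of hard-coding the number in a script.

# Path from this guide; override NAILS to test against a stub.
NAILS=${NAILS:-/opt/NAI/LinuxShield/bin/nails}

# Constructed sample in the listing format shown in the guide's example.
SAMPLE_LIST='VirusScan Enterprise for Linux configured tasks:
1 "Weekly scan" (Stopped)
2 "Daily scan" (Idle)
3 "Friday scan" (Idle)'

# task_lookup NAME
# Reads "nails task --list" output on stdin and prints "<number> <status>"
# for the task whose quoted name equals NAME exactly.
# Returns 1 if no task matches, 2 if more than one does.
task_lookup() {
    WANT="$1" awk '
        match($0, /^[ \t]*[0-9]+[ \t]+"/) {
            num  = $1
            rest = substr($0, RLENGTH + 1)      # text after the opening quote
            if (!match(rest, /"[ \t]+\([^()]*\)[ \t]*$/)) next
            name   = substr(rest, 1, RSTART - 1)
            status = substr(rest, RSTART + 1, RLENGTH - 1)
            gsub(/^[ \t]*\(|\)[ \t]*$/, "", status)
            if (name == ENVIRON["WANT"]) { hits++; out = num " " status }
        }
        END {
            if (hits == 1) { print out; exit 0 }
            exit (hits ? 2 : 1)
        }'
}

# run_task_by_name NAME
# Lists the tasks, resolves NAME to exactly one number, then runs that task.
# Assumes nails exits non-zero on failure (not stated in the guide).
run_task_by_name() {
    listing=$("$NAILS" task --list) || {
        echo "cannot list tasks" >&2; return 3; }
    found=$(printf '%s\n' "$listing" | task_lookup "$1") || {
        echo "task \"$1\" not found or not unique" >&2; return 1; }
    echo "running task ${found%% *} (\"$1\", status ${found#* })" >&2
    "$NAILS" task --run "${found%% *}"
}

# Offline demonstration on the constructed sample: prints "2 Idle".
printf '%s\n' "$SAMPLE_LIST" | task_lookup "Daily scan"
```

In a script, call run_task_by_name "Daily scan"; a partial name such as "Daily" is rejected rather than matched.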

6 Configuring VirusScan Enterprise for Linux

When you first use VirusScan Enterprise for Linux, it provides optimum protection against viruses and other potentially unwanted software. However, you can modify these settings to suit your own computing environment.

From the Configure area of the navigation pane, you can configure the following areas within the VirusScan Enterprise for Linux software:

• Configure some general settings.

• Reset all the configuration settings to those at installation time.

• Specify settings for on-access scanning.

• Specify default settings for new on-demand tasks.

• Determine how to issue notifications of virus attacks and other events.

• Configure Repositories.

Contents

• General settings

• On-access settings

• On-demand settings

• Notifications

• Repositories

General settings

From the General Settings page, you can change the appearance of pages in the browser interface, the behavior of logging, and the collection of statistics.

To view this page, click General Settings under Configure in the navigation pane.

To make any changes to the settings, click Edit. To apply the new settings, click Apply. See Changing the settings on a page section for more information.

Figure 6-1 General Settings page

The page has two main areas:

• Browser Interface

• Logging

This page also has two important buttons:

• Clear Statistics

• Reset Defaults

Browser interface

Under Browser interface, you can view and change settings such as the refresh interval.

The next table explains the information in each column.

Table 6-1 Option definitions

Option | Definition
Refresh interval (seconds) | The browser automatically updates the contents of pages such as the Scanning Summary page. By default, the page is refreshed every 10 seconds, but you can adjust the interval between 5 and 600 seconds.
Results per page | Number of rows of information shown in certain pages under Results, namely in the Detected Items, Scheduled Tasks, and System Events pages. By default, 10 rows are displayed at a time, but you can adjust the number between 1 and 50 rows.
Display time UTC offset | Wherever time values are displayed — as in scheduled tasks and detections — an offset value is displayed in UTC form to help you understand any time-zone differences.
Hide quick help on startup | Quick Help pane is not displayed when logging in to the browser interface.

Logging

Under Logging, you can view and change settings such as the level of detail that you require.

The next table explains the information in each column.

Table 6-2 Option definitions

Option | Definition
Detail level | Level of logging information that VirusScan Enterprise for Linux records in its database. A high level can affect performance and the size of the database. By default, the level is Normal. Options are Low, Normal, and High.
Additionally log to SYSLOG | Indicates if information logged to the VirusScan Enterprise for Linux database is also logged to SYSLOG. By default, this is not required.
Detail level for SYSLOG | (This field is only available if Additionally log to SYSLOG is selected.) Level of detail of the information to be logged to SYSLOG. Disabled if logging to SYSLOG is checked. By default, the level is Low. Options are Low, Normal, and High.
Limit age of log entries | Indicates if information in the log will be automatically removed later, based on the age of the log entries.
Maximum age of log entries | (This field is only available if Limit age of log entries is selected.) Limits the age of entries in the VirusScan Enterprise for Linux database to the specified number of days. After the specified number of days, old entries are automatically removed. This helps to limit the size of the database. Maximum age of log entries (days): By default, the limit is 28 days, but you can adjust the limit between 1 and 999 days.
Statistics last cleared | Indicates when statistics were removed by clicking Clear statistics.

Clearing statistics

Use this task to clear all the statistics.

To clear all the statistics, click Clear statistics.

The values of Files scanned and Detected items in the Scanning Summary page are reset to zero, and current information in the Recently scanned and Recently detected areas is cleared.

Resetting configuration settings

To reset all the configuration settings to those at installation time, click Reset Defaults.

The settings include:

• On-access settings

• On-demand defaults

• Notification settings

• Settings for the browser interface and logging

On-access settings

The On-Access Settings page shows how VirusScan Enterprise for Linux will respond when a virus or other potentially unwanted software is detected whenever files are accessed. The available settings for on-access scanning and on-demand scanning are similar. To view this page, click On-Access Settings under Configure in the navigation pane.

To make any changes to the settings, click Edit. To apply the new settings, click Apply. See Changing the settings section for more information.

Figure 6-2 On-Access Settings page

The On-Access Settings page has these main areas:

• Scanning options

• Paths excluded from scanning

• Extension-based scanning

• Anti-virus actions

Scanning options

The scanning options determine which types of file VirusScan Enterprise for Linux will scan. By default, all these scanning options are available, unless stated.

The next table explains the options.

Table 6-3 Option definitions

Option | Definition
Enable On-Access Scanning | This item appears for on-access scanning only.
Decompress archives | VirusScan Enterprise for Linux scans inside file archives such as .tar or .tgz files. The decompression can slow performance; any virus-infected file inside an archive cannot become active until it has been extracted.
Find unknown program viruses | VirusScan Enterprise for Linux uses heuristic analysis to identify potential new file viruses.
Find unknown macro viruses | VirusScan Enterprise for Linux uses heuristic analysis to identify any potential new macro viruses in files created by Microsoft Office products.
Decode MIME encoded files | Email messages are typically encoded in MIME format. Use of this option can affect performance. If your network has other anti-virus software for handling email, you might not require this option.
Find potentially unwanted programs | These programs might be dangerous but they are not viruses. They include programs such as spyware, remote-access utilities, and password crackers.
Find joke programs | Joke programs are not harmful. They play tricks such as displaying a hoax message. This feature only becomes available if you have selected Find potentially unwanted programs.
Scan files when writing to disk | Scan the contents of each file when it is closed.
Scan files when reading from disk | Scan the contents of each file when it is opened.
Scan files on network mounted volumes | Scan the network mounted files on /mnt or any mounted folder. When this option is disabled, network mounted volumes are not scanned, even if they contain infected files.
Extension-based Scanning | Indicates how VirusScan Enterprise for Linux will handle files that have extension names (for example, .txt and .exe). By default, VirusScan Enterprise for Linux scans all files regardless of the file name extension. See the Extension-based scanning section.
Maximum scan time (seconds) | Number of seconds after which scanning will stop. This feature prevents large files reducing overall performance, and protects against corrupted files and denial-of-service attacks. By default, this is 45 seconds but may be between 1 and 9999 seconds. On computers with low-specification hardware, VirusScan Enterprise for Linux might abandon scanning of some large files because of the length of time taken. In such cases, we recommend that you increase this number.
Quarantine directory | Directory for holding quarantined files. Do not use a symbolic link to refer to this directory. By default, this is called /quarantine, and should be on a local file system.

Paths excluded from scanning

VirusScan Enterprise for Linux supports excluding specific paths/files (either absolute path or regular expression format) from being scanned. You can add exclusions for on-access scan and on-demand scan from the product user interface.

This area of the page allows you to exclude some files from scanning.

Figure 6-3 Paths Excluded From Scanning

Some directories (or paths) might not require scanning, or you might prefer not to scan them frequently. For example:

• Directories that contain only plain text files or other file types that are not prone to infection.

• Directories that contain executable files that have file permissions that prevent them being modified.

• Directories that contain large archive files and compressed files.

• Directories that contain files already known to be infected (quarantined).

Task

1 Click Edit.

2 Under Paths Excluded From Scanning, add the absolute path or regular expression for the file/folder you want to exclude and click Apply.

For example: /directory1 or /directory1/subdirectory2

Enter path names in the correct case. Do not use symbolic links. For bind mounts (which appear in more than one place in the directory), add each path that you want to exclude.

You can use regular expressions to represent the pattern matching within directory name(s) or file name(s). See the Examples for Regular expression based exclusions section.

3 To exclude the subdirectories from scanning, select the checkbox in the Exclude All Sub-Directories column of that row.

4 Click Add in that row. An extra row is added to the table. To remove any exclusion, click Remove in its row.

Examples for Regular expression based exclusions:

Regular expression Example

To exclude all files starting with abc available in /media/nss

/media/nss/abc.*

To exclude all files starting with "." under /media/nss

/media/nss/\..*

To exclude all files with extensions ext and abc under /media/nss

/media/nss/.*\.(ext|abc)

To exclude all users' mailbox folders

/home/.*/mailbox/.*

To exclude all files and folders starting with abc in the machine

.*/abc.*

To use the regular expressions from ePolicy Orchestrator:

• You should include "/" as the first character. For example: From ePolicy Orchestrator, to exclude all files and folders starting with abc in the machine use the regular expression: /.*/abc.*

• Ensure that there are no escape sequences included in the regular expression. For example: From ePolicy Orchestrator, to exclude all files starting with "." under /media/nss use the regular expression: /media/nss/..*
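To check how broad an exclusion is before applying it, the following added example (not part of this guide or the product) runs the expressions above against a constructed list of paths, assuming POSIX extended regular expressions matched against the whole path, which the guide does not specify. Under that assumption the unescaped ePolicy Orchestrator form /media/nss/..* also matches names that do not start with a dot, so it excludes more than /media/nss/\..* does. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not McAfee code): preview which paths an exclusion
# expression covers before entering it in the product.
# Assumption: expressions behave like POSIX extended regular expressions
# matched against the whole path; the guide does not specify the dialect.

# Constructed sample paths.
SAMPLE_PATHS='/media/nss/abc.txt
/media/nss/.hidden
/media/nss/report.ext
/media/nss/notes.doc
/home/alice/mailbox/inbox
/srv/data/abcdef
/srv/data/xyz'

# excluded_by PATTERN: print the sample paths PATTERN would exclude.
excluded_by() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -E -x -e "$1" || true
}

# count_excluded PATTERN: number of sample paths PATTERN would exclude.
count_excluded() {
    excluded_by "$1" | wc -l | tr -d ' '
}

# still_scanned PATTERN: sample paths that remain in scope for scanning.
still_scanned() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -E -x -v -e "$1" || true
}

# report: one line per expression taken from the guide's examples,
# including both ePolicy Orchestrator forms.
report() {
    for pattern in \
        '/media/nss/abc.*' \
        '/media/nss/\..*' \
        '/media/nss/..*' \
        '/media/nss/.*\.(ext|abc)' \
        '/home/.*/mailbox/.*' \
        '.*/abc.*' \
        '/.*/abc.*'
    do
        printf '%-28s excludes %s of 7 sample paths\n' \
            "$pattern" "$(count_excluded "$pattern")"
    done
}

report
```

Replace SAMPLE_PATHS with a real file listing (for example, the output of find on the directory in question) to review an exclusion against the files it would actually cover.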

Extension-based scanning

VirusScan Enterprise for Linux normally scans all files regardless of the file name extension. The virus definition files include a comprehensive list of file name extensions that are susceptible to attack. The list includes popular extensions such as .doc and .exe, and it is referred to here as the default list. The extension name is not case-sensitive.

This table only becomes visible when you click Edit. However, you can see the chosen setting at Extension Based Scanning in the first table.

If VirusScan Enterprise for Linux is running on a Samba file server that is accessed by Microsoft Windows users, it might be useful to specify the types of files to scan according to their file name extension. However, we recommend that all files are scanned where possible.

You can specify extension names that you want VirusScan Enterprise for Linux to scan, or you can specify extension names for VirusScan Enterprise for Linux to scan at the same time as it scans those in the default list. You cannot remove any extension names from the default list, although you can build your own list of extension names based on those in the current default list.

This area of the page allows you to limit scanning to certain types of file.

Figure 6-4 Extension Based Scanning

The choices available in this area are as follows:

Scanning all files

To scan all files regardless of file name extension, under Extension Based Scanning, select Scan all files.

This is the default setting.

Scanning default files and specific files

Use this task to scan the default files and specific files.

Task

1 Under Extension Based Scanning, select Default + specified.

2 At New, type the file name extension, for example AAA or aaa.

3 Click Add to move the name to the Specified list.

To remove names from the Specified list, select each name, then click Remove:

• To select one name, just click the name.

• To select a range of names, click the first, then use Shift+Click to select the last.

• To select several names, use Ctrl+Click.

If a new file name extension is included in later virus definition files, files with that file name extension will also be scanned.

Scanning specific files

Use this task to scan specific files.

Task

1 Under Extension Based Scanning, select Specified.

2 At New, type the file name extension, for example AAA or aaa.

3 Click Add to move the name to the Specified list.

4 To build a list quickly, click Set Defaults to copy all names from the virus definition files into the Specified list. You can then modify the Specified list.

The file name extensions in the Specified list do not change automatically. Therefore, if a new file name extension is included in later virus definition files, files with that file name extension will not be scanned.

To remove names from the Specified list, select each name, then click Remove:

• To select one name, just click the name.

• To select a range of names, click the first, then use Shift+Click to select the last.

• To select several names, use Ctrl+Click.

If a new file name extension is included in later virus definition files, files with that file name extension will also be scanned.

Anti-virus actions

You can configure VirusScan Enterprise for Linux to take a variety of actions when it detects a virus or other potentially unwanted software.

This area of the page allows you to choose the actions.

Figure 6-5 Anti-virus Actions

The actions are:

• clean — Cleans the infected file by removing the virus code. VirusScan Enterprise for Linux cannot repair any damage that has occurred to the file. For example, some viruses can modify or erase data in spreadsheets.

• continue — Reports the detection and continues scanning. This action is only available for on-demand scanning.

• delete — Deletes the infected file.

• deny access — Prevents further access to the infected file. This action is only available for on-access scanning.

• quarantine — Moves the infected file to the area specified in Quarantine directory. To prevent the spread of infected files, VirusScan Enterprise for Linux will not move a file from a remote file system into this area.

• rename — Renames the extension of the infected file, to prevent its accidental use. Renaming is useful in cases where the file extension (such as .exe or .txt) determines the application that will open the file.

The next table explains the information in each column.

Table 6-4 Option definitions

Option | Definition
Action for viruses and Trojan horses | Actions to take when a virus or Trojan-horse program is detected. Your second choice of action is limited by your first choice. You cannot choose both actions to be the same.
Action for applications and joke programs | Actions to take when a potentially unwanted application or joke program is detected. Your second choice of action is limited by your first choice. You cannot choose both actions to be the same.
Action on time out | Action to take when the scanning takes too long to complete. You can choose to allow or deny access to the suspect file.
Action if an error occurs during scanning | Action to take if a fault occurs such as an internal fault in VirusScan Enterprise for Linux or the scanning engine, or a failure to complete the second choice of action. You can choose to allow or deny access to the suspect file.
Quarantine directory | Name of the quarantine file, as set up at installation time.

If any action fails to work, VirusScan Enterprise for Linux uses any secondary action. If that action fails, VirusScan Enterprise for Linux uses its fallback action. For on-access scanning, VirusScan Enterprise for Linux blocks access to the infected file. For on-demand scanning, VirusScan Enterprise for Linux reports that the file is infected.

On-demand settings

The On-Demand Settings page shows how VirusScan Enterprise for Linux will respond when a virus or other potentially unwanted software is detected during an on-demand scan.

See Running on-demand scans section. Settings for on-access scans and on-demand scans are similar.

This page shows the default settings that will be applied to all new tasks. Any on-demand scanning tasks that you previously configured retain their own settings. To change any settings in an existing task, see Modifying an existing scheduled task section.

To view this page, click On-Demand Settings under Configure in the navigation pane. To change any settings, click Edit. To apply the new settings, click Apply. See Changing the settings on a page section for more information.

Figure 6-6 On-Demand Settings page

Notifications

From the Notifications page, you can specify who will receive email notification of events such as virus detection and changes to the scanning options. VirusScan Enterprise for Linux sends the email messages using the SMTP email protocol.

To view this page, click Notifications under Configure in the navigation pane. To change any settings, click Edit. To apply the new settings, click Apply. See Changing the settings on a page section for more information.

Figure 6-7 Notifications page

SMTP notifications

From this area, you can define which events will be notified.

The next table explains the available settings.

Table 6-5 Option definitions

Option | Definition
Item detected | Details of a detection of a virus or other potentially unwanted software. Here, for example, you can decide whether to issue a notification if any joke programs are detected.
Out of date | Details of out-of-date DAT files. Here, for example, you can decide whether to notify if DAT files are more than 10 days old.
Configuration change | Details of changes to the settings for on-access scanning, notifications and general settings. Changes to the settings for on-demand scans are not notified. Here, for example, you can decide whether to notify if changes are made to the settings for on-access scanning.
System events | Details of any important events. Here, for example, you can specify the range of system events or event types to be forwarded by SMTP.

To enable any notification feature, select its checkbox in the left column under SMTP Notification.

For each type of notification, VirusScan Enterprise for Linux provides a default subject and a message. You can change these messages to suit your organization. Messages can include substitution variables, such as %hostname% to indicate the host name. To include variables in any message, see Substituting variables in notification templates section.

To restore the default message, click Reset.

SMTP settings

From this area, you can define who VirusScan Enterprise for Linux will notify about the events specified in SMTP Notifications.

The next table explains the available settings.

Server | Name and port of the server that sends the email message. This is set up during installation.
From | Name of the sender. By default, this is the address that was given during installation.
To | Names of the recipient. For example: [email protected]

To add to the list of recipients:

1 At To, type the email address in New. For example: [email protected].

2 Click Add, to move the name to the Recipient list.

To remove the list of recipients:

To remove names from the Recipient list, select each name, then click Remove:

• To select one name, just click the name.

• To select a range of names, click the first, then use Shift+Click to select the last.

• To select several names, use Ctrl+Click.

Enhancing this feature

VirusScan Enterprise for Linux sends all messages to the same recipients. However if your email software includes some advanced features, you can enhance this feature.

For example, you can send all messages about detections to one person, and all messages about out-of-date products to another person.

Add the following recipe lines to the file .procmailrc:

:0:
* ^Subject: McAfee VirusScan Enterprise for Linux detection
|[email protected]

:0:
* ^Subject: McAfee VirusScan Enterprise for Linux update is needed
|[email protected]

For more information, visit http://www.procmail.org.

Repositories

A software repository is a storage location from which software packages or updates may be retrieved and installed on a computer.

To deliver products and updates throughout your network, McAfee offers several types of repositories to create a robust update infrastructure. These provide the flexibility to develop an updating strategy to ensure your systems stay up-to-date.

To view this page, click Repositories under Configure in the navigation pane. To change the repository settings, click Edit; to save the new settings, click Apply.

Repository list

The repository list contains the names of all the repositories you are managing with VirusScan Enterprise for Linux.

The Repository List has details like Repository name, type, URL, Port, username and password of the available repositories. The repository list includes the location and network credential information that managed systems use to select the repository and retrieve updates. The ePolicy Orchestrator server sends the repository list to the agent during agent-to-server communication.

Figure 6-8 Repository List

Task

1 To add, delete or modify the Repository List, click Edit.

2 Type the repository name, type, URL, port number, user name and password.

You can use the following options:

• Add — to add a new repository to the list.

• Delete — to remove the desired repository from the repository list.

• Move up — to shift the selected repository one level up in the repository list.

• Move down — to shift the selected repository one level down in the repository list.

3 Click Apply to save the changes or Cancel to discard the changes.

Proxy settings

If a repository must be accessed via the Internet, such as the McAfee update sites or an internal repository, the repository uses proxy settings to retrieve packages.

If your organization uses proxy servers for connecting to the Internet, you can use the proxy settings.

Figure 6-9 Proxy Settings

Task

1 To configure the Proxy Settings, click Manually configure the proxy.

2 Type the IP address and Port number of the HTTP or FTP server.

You can use the following options:

• Use these settings for all proxy types — to specify the same IP address and port number for all the proxy types.

• Use authentication for HTTP — to specify the username and password of the HTTP server for authentication.

• Use authentication for FTP — to specify the username and password of the FTP server for authentication.

• Specify exceptions — to bypass a proxy server for specific domain(s).

3 Click Apply to save the changes or Cancel to discard the changes.

7 Advanced features

This section describes some advanced features of VirusScan Enterprise for Linux.

Contents

• Substituting variables in notification templates

• Configuring features from a file

• Controlling VirusScan Enterprise for Linux from the command line

• How the quarantine action works

Substituting variables in notification templates

This section describes the variables that you can substitute in a notification.

The notification messages described in the Notifications section can use variables that VirusScan Enterprise for Linux substitutes when sending a message. For example, the template message:

File, %filename% is infected on %hostname%.

becomes

File, example.exe is infected on computer1.

The following table lists all the available variables. Some variables are valid only in particular instances.

Table 7-1 Substitution variables

| Valid for ... | Variable | Equivalent field in the interface | Description |
|---|---|---|---|
| All alerts | %hostname% | <none> | Name of the host on which VirusScan Enterprise for Linux is installed. |
| All alerts | %hostip% | <none> | IP address of host on which VirusScan Enterprise for Linux is installed. |
| All alerts | %productversion% | Host Summary page — Product Version | Version of the product. |
| Item detected | %detectedas% | Detected Items page — Detected As | Name of the virus. |
| Item detected | %detectedby% | Detected Items page — Task | "On-Access" if detected by the on-access process, or name of the On-Demand task which detected the infection. |
| Item detected | %detectedtime% | Detected Items page — Time | Date and time on the local host for detected item. |
| Item detected | %detectedtype% | Detected Items page — Detected Type | Type of the virus. |
| Item detected | %detectedutc% | Detected Items page — Time | Date and time on the local host, with UTC offset shown in brackets. For example: May 02 2008 12:30:12 (+5:30 UTC). |
| Item detected | %engineversion% | Host Summary page — Engine Version | Version number of the scanning engine. |
| Item detected | %extradatcount% | Host Summary page — Extra DAT | Number of signatures in the extra.dat file. |
| Item detected | %extradatflag% | Host Summary page — Extra DAT | Yes or No to indicate if an extra.dat file is present. |
| Item detected | %filename% | Detected Items page — File Name | Name of the file which was scanned (excluding path). |
| Item detected | %path% | Detected Items page — Path | Name of the file which was scanned (including path). |
| Item detected | %process% | Detected Items page — Process | Name of process resulting in the scan. |
| Item detected | %result% | Detected Items page — Result | Result of any action taken for the detected infection. |
| Item detected | %user% | Detected Items page — User | Name of user who caused the scan. |
| Out of date, and Item detected | %datage% | <none> | Age of the DAT files in days, from the VirusScan Enterprise for Linux host date and time. |
| Out of date, and Item detected | %datdate% | Host Summary page — DAT Date | Date when the current DAT files were created. |
| Out of date, and Item detected | %datversion% | Host Summary page — DAT Version | Version of the DAT files. |
| Configuration change | %configchange% | <none> | Configuration change made — modified, on-access detection enabled, or on-access detection disabled. |
| System events | %eventcode% | System Events page — Code | Error code for the event. |
| System events | %eventdescription% | System Events page — Description | Error description for the event. |
| System events | %eventtime% | System Events page — Time | Date and time on the local host for event. |
| System events | %eventtype% | System Events page — Type | Error type for the event. |
| System events | %eventutc% | System Events page — Time | Date and time for the event on the local host, with UTC offset shown in brackets. For example: May 02 2008 12:30:12 (-5:00 UTC). |
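A template check built from Table 7-1, added here as an example (it is not part of the product): check_template reports variables the table does not list and variables it lists only for a different alert type, and render previews the substitution with sample values. The alert-type names come from the table's "Valid for ..." column; the function names, the exact-case matching and the choice to leave unrecognized tokens untouched in the preview are assumptions.

```python
import re

# Alert types named in the "Valid for ..." column of Table 7-1.
ALERT_TYPES = ("Item detected", "Out of date", "Configuration change", "System events")


def _valid_for(names, alerts):
    """Map each variable name to the set of alert types it is valid for."""
    return {name: frozenset(alerts) for name in names}


# Variable name -> alert types in which Table 7-1 lists it as valid.
VARIABLES = {}
VARIABLES.update(_valid_for(
    ["hostname", "hostip", "productversion"], ALERT_TYPES))  # "All alerts"
VARIABLES.update(_valid_for(
    ["detectedas", "detectedby", "detectedtime", "detectedtype", "detectedutc",
     "engineversion", "extradatcount", "extradatflag", "filename", "path",
     "process", "result", "user"], ["Item detected"]))
VARIABLES.update(_valid_for(
    ["datage", "datdate", "datversion"], ["Out of date", "Item detected"]))
VARIABLES.update(_valid_for(["configchange"], ["Configuration change"]))
VARIABLES.update(_valid_for(
    ["eventcode", "eventdescription", "eventtime", "eventtype", "eventutc"],
    ["System events"]))

# A token is %letters%; a lone percent sign in running text does not match.
TOKEN = re.compile(r"%([A-Za-z]+)%")


def check_template(template, alert_type):
    """Return (unknown, not_valid_here) for one notification template.

    unknown        - names that Table 7-1 does not list at all (often typos)
    not_valid_here - names the table lists, but not for this alert type
    Names are compared exactly as typed (assumption: matching is case-sensitive).
    """
    if alert_type not in ALERT_TYPES:
        raise ValueError("unknown alert type: %r" % (alert_type,))
    unknown, not_valid_here = [], []
    for name in TOKEN.findall(template):
        if name not in VARIABLES:
            if name not in unknown:
                unknown.append(name)
        elif alert_type not in VARIABLES[name]:
            if name not in not_valid_here:
                not_valid_here.append(name)
    return unknown, not_valid_here


def render(template, values):
    """Preview a message: substitute every token that has a sample value and
    leave the others as typed, so that mistakes stay visible in the preview."""
    return TOKEN.sub(lambda m: str(values.get(m.group(1), m.group(0))), template)


if __name__ == "__main__":
    # Constructed sample template for an "Out of date" notification.
    sample = "DAT %datversion% is %datage% days old on %hostnme%; last hit was %detectedas%"
    print(check_template(sample, "Out of date"))
    print(render("File, %filename% is infected on %hostname%.",
                 {"filename": "example.exe", "hostname": "computer1"}))
```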

Configuring features from a file

You can configure features from a text-based configuration file.

The configuration file is called nailsd.cfg. However, McAfee strongly recommends that you control VirusScan Enterprise for Linux activities from the interface described in the VirusScan Enterprise for Linux Interface section. Do not edit this file unless instructed to do so by our technical support staff.

Controlling VirusScan Enterprise for Linux from the command line

This section describes how to control some VirusScan Enterprise for Linux features from the command line.

McAfee strongly recommends that you control VirusScan Enterprise for Linux activities from the interface described in the VirusScan Enterprise for Linux Interface section. However, you can also control some features from a command line.

Controlling the processes

This section describes how to control the VirusScan Enterprise for Linux processes.

The following commands are available from the /etc/init.d/ directory.

Table 7-2 Commands

| Command | Description |
|---|---|
| nails start | Starts VirusScan Enterprise for Linux processes, which include: nailsd (scan manager and scheduler); scanner (anti-virus software: scanner and cleaner); mon (interface communications); nailswebd (web server); nailslogd (configuration, log/alerting); ods (on-demand scanner); nails-update (updater). The lshook and VirusScan Enterprise for Linux kernel modules are also loaded. |
| nails stop | Stops all VirusScan Enterprise for Linux services. |
| nails restart | Performs a stop then start. |
| nails reload | Reloads the configuration information. This is only required if manual changes are made to configuration files rather than by using the browser interface. |
| nails status | Provides status on the running services. |

Controlling VirusScan Enterprise for Linux

This section describes the commands that you can use to control VirusScan Enterprise for Linux.

The following commands are available from the /opt/NAI/LinuxShield/bin directory.

Table 7-3 Commands

| Command | Description |
|---|---|
| nails --help | Displays brief information about all nails commands. |
| nails --version | Displays information about the product version. |
| nails dump [--verbose] | Produces a diagnostic report. This is the same report that is produced by clicking Diagnostic Report on the Scanning Summary page of the browser interface. The --verbose flag provides more detail, however this greatly increases the size of the report and the time taken to generate the report. The output of the command should be re-directed to a file. |
| nails on-access --disable | Disables on-access scanning. |
| nails on-access --enable | Enables on-access scanning. |
| nails on-access --flush | Clears the cache of scanned files, forcing the on-access scanner to re-scan files when they are next accessed. |
| nails on-access --queue | Displays information about files currently being processed by the on-access scanner. |
| nails on-access --status | Displays the status of the on-access scanner, whether enabled or disabled. |
| nails passwd | Changes the password for the nails user. |
| nails quarantine --list [--verbose] | Displays information about the files in the on-access quarantine directory. The metafiles in the quarantine directory provide information that can be used to restore the file. |
| nails quarantine --recover <meta-file> [<destination-file>] | Uses information in the .metafile to recover a file, and move the file to its original location, or to the <destination-file>. Use this command only when a non-infected file has been incorrectly quarantined. The recovered file might be quarantined again when accessed unless an exclusion has been set up for the recovered file. |

Scheduled tasks for updating and on-demand scans can normally be managed using the browser interface. The following commands allow basic control of tasks using the command line.

Table 7-4 Scheduling

| Command | Description |
|---|---|
| nails task --list | Lists tasks created at the browser-based interface. |
| nails task --run taskid | Runs the specified task immediately. |
| nails task --stop taskid | Stops the specified task. |

How the quarantine action works

As one of the anti-virus actions, you can configure VirusScan Enterprise for Linux to place infected files into a quarantine directory. The processes that VirusScan Enterprise for Linux uses depend on the relative locations of the infected file and the quarantine directory, and on the features of the file system.

In some cases, moving the infected file by copying then deleting is not suitable. In every case, VirusScan Enterprise for Linux works to prevent loss of security and the further spread of viruses and other potentially unwanted software. VirusScan Enterprise for Linux uses the following techniques to quarantine infected files:

• If the file system supports hard links and the infected file is on the same file system, VirusScan Enterprise for Linux creates a hard link to the quarantine directory, then unlinks the infected file. If the unlink fails, VirusScan Enterprise for Linux unlinks the copy in the quarantine directory, so that only the original infected file remains.

• If the infected file is on a remote file system, VirusScan Enterprise for Linux copies the infected file into the quarantine directory only if the quarantine directory is also on that remote file system. This method prevents the spread of infection between hosts.

• VirusScan Enterprise for Linux verifies that it can copy the infected file into the quarantine directory and that it can delete the file from the quarantine directory. This method prevents creation of a copy of an infected file that cannot be deleted.

• If VirusScan Enterprise for Linux cannot delete the original infected file, VirusScan Enterprise for Linux deletes the copy of the file in the quarantine directory so that only the original infected file remains.

If the quarantine action fails to work, VirusScan Enterprise for Linux uses any secondary action. If that action fails, VirusScan Enterprise for Linux uses its fallback action. For on-access scanning, VirusScan Enterprise for Linux blocks access to the infected file. For on-demand scanning, VirusScan Enterprise for Linux reports that the file is infected.
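The sequence described above, as an added example in Python that is not the product's own code: hard link then unlink with rollback, the copy path with its create-and-delete probe, and the secondary and fallback chain. The remote-file-system rule is not modelled, and the function names, the .quarantined file naming and the injectable unlink parameter are assumptions made for illustration.

```python
import os
import shutil
import tempfile
import uuid


def same_filesystem(path_a, path_b):
    """Hard links cannot cross devices, so compare the device numbers."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def can_create_and_delete(directory):
    """Confirm a file can be created in the directory and removed again, so
    that a copy which cannot be deleted is never left behind."""
    try:
        fd, probe = tempfile.mkstemp(dir=directory)
        os.close(fd)
        os.unlink(probe)
        return True
    except OSError:
        return False


def quarantine(infected, quarantine_dir, unlink=os.unlink):
    """Try to move `infected` into `quarantine_dir`.

    Returns (method, quarantined_path) on success, where method is "hard-link"
    or "copy", and ("failed", None) when the caller should move on to its
    secondary action. `unlink` removes the original file; it is a parameter
    only so that a failing unlink can be simulated.
    """
    # Hypothetical naming; the product's own file names and metafiles are not modelled.
    target = os.path.join(quarantine_dir, uuid.uuid4().hex + ".quarantined")
    method = None
    if same_filesystem(infected, quarantine_dir):
        try:
            os.link(infected, target)  # second name for the same inode, no data copied
            method = "hard-link"
        except OSError:
            method = None  # file system without hard links: try a copy instead
    if method is None:
        if not can_create_and_delete(quarantine_dir):
            return ("failed", None)
        try:
            shutil.copy2(infected, target)
        except OSError:
            if os.path.exists(target):
                os.unlink(target)  # do not leave a partial copy behind
            return ("failed", None)
        method = "copy"
    try:
        unlink(infected)
    except OSError:
        os.unlink(target)  # roll back so that only the original file remains
        return ("failed", None)
    return (method, target)


def act_on_detection(infected, quarantine_dir, secondary=None, unlink=os.unlink):
    """Quarantine first, then the optional secondary action (a callable that
    returns True on success), then the fallback (block access or report)."""
    method, _ = quarantine(infected, quarantine_dir, unlink=unlink)
    if method != "failed":
        return "quarantined:" + method
    if secondary is not None and secondary(infected):
        return "secondary"
    return "fallback"
```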

8 Troubleshooting

This section provides answers to common situations that you might encounter when installing or using VirusScan Enterprise for Linux.

Contents

• Frequently asked questions

• Error messages

Frequently asked questions

This topic contains troubleshooting information in the form of frequently asked questions.

The categories are:

• Installation

• Scanning

• Viruses and detection

• General information

Installation

This section helps you with the frequently asked questions related to McAfee VirusScan Enterprise for Linux installation.

How do I start the anti-virus software running?

See Opening the VirusScan Enterprise for Linux interface section and Controlling VirusScan Enterprise for Linux from the command line section.

Which versions of the program components are in use?

To display version numbers of components used by VirusScan Enterprise for Linux on a host, type the following at a command-line prompt:

/opt/NAI/LinuxShield/bin/nails --version

You can also click About VirusScan Enterprise for Linux in the Links bar.

Scanning

This section helps you with the frequently asked questions related to McAfee VirusScan Enterprise for Linux On-Access and On-demand scanning.

How can I disable on-access scanning from the command line?

Type the following on a command line:

/opt/NAI/LinuxShield/bin/nails on-access --disable

Why are some files being scanned and detected twice since the quarantine directory was changed?

VirusScan Enterprise for Linux maintains a cache to record details of files that have been scanned. Changing the quarantine directory flushes the cache, so VirusScan Enterprise for Linux must re-scan the file to ensure its information is up to date.

Why was an infected file removed from my KDE desktop before I even opened the file?

If VirusScan Enterprise for Linux has been configured to delete infected files, it does this when you access the file. However, scanning can also occur at other times depending on how your desktop is configured. For example, scanning may occur if the directory includes previews of file contents or if a pop-up appears when you move the cursor over a file name or icon.

Some large files are not being scanned.

On computers with low-specification hardware, VirusScan Enterprise for Linux abandons scanning of some large files because of the length of time taken. You can increase the time-out value at Maximum scan time on the On-Access Settings page and the On-Demand Settings page.

How can I use uvscan with VirusScan Enterprise for Linux?

Run uvscan as root to prevent double scanning.

Why does a file disappear or report "access denied" when an operation (such as cat) is performed on it?

The file is infected, and has been cleaned (or deleted or quarantined), or denied by the on-access scanner. View Detected Items in the browser interface to see if a virus was detected in that file.

How can I release a file where the on-access scanner has denied access?

Add the file to the list of paths excluded (on the On-Access Settings page), or create a directory on the same file system, and add that directory to the list. Use mv to move the file to the exclusion directory. Because mv is a meta-data change, it does not cause any on-access scanning.

If VirusScan Enterprise for Linux has blocked the file, the file is likely to be infected, and will not be scanned again when in an excluded directory.

How can I restore a file from quarantine?

Type the following on a command line:

/opt/NAI/LinuxShield/bin/nails quarantine --recover <meta-file> [<destination-file>]

How can I see which files VirusScan Enterprise for Linux is processing but has not yet completed scanning?

Type the following on a command line:

/opt/NAI/LinuxShield/bin/nails on-access --queue

Viruses and detection

How can I be sure that the anti-virus software is working?

You can test the operation of the anti-virus software by running a test file on any computer where you have installed the software. The EICAR Standard AntiVirus Test File was developed by the European Institute of Computer Anti-virus Research (EICAR), a coalition of anti-virus vendors, as a method for their customers to test any anti-virus software.

To test scanning:

1 Open a standard text editor, then type the following character string as one line, with no spaces or line breaks:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The line shown above should appear as one line in your text editor window, so be sure to maximize your text editor window and delete any line breaks. Also, be sure to type the letter O, not the number 0, in the "X5O..." that begins the test message.

If you are reading this manual on your computer, you can copy the line directly from the Acrobat PDF file and paste it into your text editor. If you copy the line, be sure to delete any carriage returns or spaces.

2 Save the file with the name EICAR.COM. The file size will be between 68 and 70 bytes (depending on end-of-line characters appended by the editor).

3 Start your anti-virus software and allow it to scan the folder or directory that contains EICAR.COM.

If the scanner appears not to be working correctly, check that you have read permissions on the test file.

This file is not a virus — it cannot spread or infect other files, or otherwise harm your computer. Delete the file when you have finished testing your scanner to avoid alarming other users.

How can I find out more about the effect of a virus?

Visit our website. See the Contact information section.

What should I do if I find a new virus?

If you suspect you have a file that contains a virus and the scanning engine does not recognize it, please send us a sample by clicking Submit a Sample on the Links bar.

How do I prevent the quarantine area filling up?

When VirusScan Enterprise for Linux detects a virus or other potentially unwanted software, VirusScan Enterprise for Linux moves it to a quarantine area if you have configured this action. See Anti-virus actions in On-access settings section and On-demand settings section.

However, the area must be monitored to prevent it becoming full. If the area fills too quickly in normal use, we recommend that you change the action. It is only worthwhile to keep quarantined items if you intend to examine them promptly.

The area can become full quickly during a virus outbreak, and many of the files in the area will then have identical contents, and are not worth keeping. We recommend that you create a cron job to perform housekeeping operations on the quarantine directory to ensure that the directory does not exhaust all the available disk space.
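One way to write such a housekeeping job, as an added example in Python that is not supplied with the product: it plans the removal of files older than a chosen age and of files whose content duplicates one already kept, and deletes only when asked. The quarantine directory is passed in as an argument, the function names are hypothetical, and the script treats every regular file alike because this guide does not describe the metafile format.

```python
import hashlib
import os
import sys
import time


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so that large quarantined files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def plan_cleanup(quarantine_dir, max_age_days, now=None):
    """Return the sorted list of paths that housekeeping would remove.

    A file is planned for removal when it is older than `max_age_days`, or when
    an older file with the same content is being kept (one copy per content).
    Assumption: metafiles are not recognised; every regular file is treated alike.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    entries = []
    for entry in os.scandir(quarantine_dir):
        # Regular files only; never follow a symlink out of the directory.
        if entry.is_file(follow_symlinks=False):
            entries.append((entry.stat(follow_symlinks=False).st_mtime, entry.path))
    entries.sort()  # oldest first, so the oldest copy of each content is the one kept
    kept_hashes, remove = set(), []
    for mtime, path in entries:
        if mtime < cutoff:
            remove.append(path)
            continue
        digest = sha256_of(path)
        if digest in kept_hashes:
            remove.append(path)
        else:
            kept_hashes.add(digest)
    return sorted(remove)


def clean(quarantine_dir, max_age_days, apply=False, now=None):
    """Dry run by default; with apply=True the planned files are deleted.
    Returns (planned_paths, bytes_reclaimable)."""
    plan = plan_cleanup(quarantine_dir, max_age_days, now=now)
    reclaimable = 0
    for path in plan:
        reclaimable += os.lstat(path).st_size
        if apply:
            os.unlink(path)
    return plan, reclaimable


if __name__ == "__main__":
    # Usage: script <quarantine-dir> <max-age-days> [--apply]
    directory, days = sys.argv[1], float(sys.argv[2])
    planned, size = clean(directory, days, apply="--apply" in sys.argv[3:])
    for item in planned:
        print(item)
    print("%d file(s), %d byte(s)" % (len(planned), size))
```

Run it without --apply first and review the listed files before scheduling it from cron.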

I believe that a quarantine file has been falsely identified as infected. What should I do?

To ensure that VirusScan Enterprise for Linux does not quarantine the file again, first see How can I release a file where the on-access scanner has denied access?.

Type the following on a command line:

/opt/NAI/LinuxShield/bin/nails quarantine --recover <meta-file> [<destination-file>]

See What should I do if I find a new virus?.

Where is information about VirusScan Enterprise for Linux recorded?

By default, VirusScan Enterprise for Linux records information about detections, system events, and events related to tasks. You can view the information at the Detected Items and System Events pages of the browser-based interface. In addition, you can configure logging to SYSLOG from the General Settings page.

What kind of information is recorded?

The recorded information includes the following:

• Detections of viruses and other potentially unwanted software, and the result of any action taken.

• Events such as scanning status and errors.

• Events for specific tasks such as updates to DAT files, and on-demand scanning tasks.

What happens to the log messages if the system logger is not working?

If SYSLOG logging is enabled (from the General Settings page) and syslogd has stopped due to a fault, all log messages are printed on the console.

Runtime kernel module support

This section helps you with the frequently asked questions related to the Runtime kernel module support on McAfee VirusScan Enterprise for Linux.

Why is Runtime kernel module support required?

Runtime kernel module support (RKMS) is required to automatically support the latest kernels that are not supported by Mod-versioning. For example, on any supported distribution, if mod-versioning does not enable on-access scan for a kernel, RKMS will automatically compile the kernel modules and enable on-access scanning.

How does it work?

You must have developer utilities (make, gcc) installed on your machine along with the kernel headers package of the current kernel. If mod-versioning fails during nails service start, the kernel modules get compiled dynamically and the on-access scanner gets enabled.

Does McAfee need to certify the kernel on a supported distribution?

You need not wait for McAfee to certify the kernel on a supported distribution. With RKMS, any future kernel on a supported distribution will be automatically supported by McAfee.

What should I do when my production servers do not have developer utilities installed?

You can compile the kernel modules on a staging server and run the export command to archive the kernel modules. Import the kernel modules on to your production server by running the import command.

How do I compile the kernel module?

From the terminal window, execute the following command:

/opt/NAI/LinuxShield/bin/khm_setup -c

Ensure that the kernel sources/headers and developer tools are installed on the computer. If the kernel sources/headers are installed in a non-default location, set the KERNEL_HEADER_LOCATION environment variable before compilation.

How do I export or import the kernel modules?

From the terminal window, execute the following command:

| Task | Command |
|---|---|
| Export | /opt/NAI/LinuxShield/bin/khm_setup -e <file_name>.tar.bz2 |
| Import | /opt/NAI/LinuxShield/bin/khm_setup -i <file_name>.tar.bz2 |

The import option is useful when you do not want to install developer tools and kernel headers in the production environment. This feature will import all the modules present in the archive (tar.bz2 file).

How do I check if a kernel module is supported?

After you compile the kernel module, execute the following command:

/opt/NAI/LinuxShield/bin/khm_setup -t

To view the logs, go to: /opt/NAI/LinuxShield/src/log

General information

This section helps you with the frequently asked questions such as general information, contact information and so on.

How do I contact Technical Support?

See the Contact information section for the address.

Before speaking to McAfee Technical Support, try to have the following information ready:

• The version of the operating system, such as Red Hat Enterprise Linux 5 or SuSE Enterprise Linux Server 10.

• The type of computer on which VirusScan Enterprise for Linux is installed — manufacturer and model.

• Any additional hardware that is installed.

• The browser being used and its version.

• A diagnostic report. You can produce this in several ways:

• In the Scanning Summary page, click Diagnostic Report. You can select all the text, copy it, then paste it in a text editor.

• From the command prompt, type: /opt/NAI/LinuxShield/bin/nails dump > dumpfile

• From the command prompt, type: /opt/NAI/LinuxShield/bin/nails dump --verbose > dumpfile

Where can I obtain the open source code for third-party components?

Open source code is available on the product’s download site (see the Contact information section) or on the product CD.

Problems with pid files

As with other processes, VirusScan Enterprise for Linux uses .pid files. Do not delete these files, because this may cause unpredictable effects.

Server certificate failed the authenticity test

This message appears on Konqueror browsers during log on, because the certificate is self-signed. You may ignore this message and click Continue.

Error messages

This section describes VirusScan Enterprise for Linux error messages that appear on the browser and system events log.

Error messages appear in several forms:

• Messages displayed in the browser, as shown in Understanding error messages section. These are browser problems and errors reported by the web server.

• Messages logged in the system events log. For a list of categories of these messages, see the next table.

Table 8-1 Error code ranges for System Events log

| Range | Error Categories | Description |
|---|---|---|
| 3000 - 3999 | Anti-virus Engine errors | Errors which occur during scanning or cleaning reported by the anti-virus engine. |
| 5000 - 5999 | Scan Manager | Errors reported by the nailsd process, which controls the scanners. |
| 6000 - 6999 | Logging errors | Errors reported by the logging subsystem. If the error logging system fails, errors will be redirected to syslog. |
| 7000 - 7999 | Configuration errors | Errors found when parsing values in the configuration files. |
| 8000 - 8999 | Exclusions and filtering errors | Errors found when processing the information about files excluded from scanning, or which extensions to scan. |
| 9000 - 9999 | Monitoring errors | Errors reported by the monitoring processes that provide administration of the product. |
| 11000 - 11999 | IPC errors | Errors reported during inter-process communication. |
| 12000 - 12999 | On-Demand scanner errors | Errors reported by the on-demand scanner. |
| 13000 - 13999 | Command processor errors | Internal errors with respect to the commands used during inter-process communication. |
| 14000 - 14999 | Anti-virus Engine scan errors | Errors reported by the anti-virus engine when processing a specific file. |
| 15000 - 15999 | Task Scheduler errors | Errors reported by the task scheduler. |
| 16000 - 16999 | SMTP Alerting errors | Errors reported by the SMTP alerting component. |

TroubleshootingError messages 8

McAfee VirusScan Enterprise for Linux 1.7.0 Software Product Guide 71

Page 72: VirusScan Enterprise for Linux 1.7 Product Guide - McAfee
Page 73: VirusScan Enterprise for Linux 1.7 Product Guide - McAfee

Index

A

aboutextra DAT files 38

McAfee VirusScan Enterprise for Linux 11

VirusScan Enterprise for Linux 11

about this guide 7advanced features

VirusScan Enterprise for Linux 59

analysisexporting the results 33, 35

analyzedetected items 32

system events 34

anti-virus actionsconfigure 52

on-access settings 52

audience 11

automatically refreshpage information 24

B

barlinks 22

browser interfaceconfigure 46

general settings 46

C

changingpage settings 24

clear statisticsconfigure 47

general settings 47

command linecontrolling from 61

schedule tasks 43

components 12

configureanti-virus actions 52

browser interface 46

clear statistics 47

extension based scanning 50

features from a file 61

configure (continued)general settings 45

logging 47

notifications 55

on-access settings 47

on-demand settings 53

paths excluded 49

proxy settings 58

repositories 57

repository list 57

scanning options 48

SMTP notifications 55

SMTP settings 56

VirusScan Enterprise for Linux 45

consoleinterface 22

contact information 14

controlVirusScan Enterprise for Linux 61

VirusScan Enterprise for Linux processes 61

conventions and icons used in this guide 7create schedule

run on-demand scan 43

update the product 41

customer service 14

D

DAT filesscanning 17

dates and timesdisplaying 25

default configurationresetting 47

delete existingscheduled tasks 37

detected itemsview 31

analyze 32

export to csv 33

view results 33

diagnostic reportobtaining 31

scanning summary 31

McAfee VirusScan Enterprise for Linux 1.7.0 Software Product Guide 73

Page 74: VirusScan Enterprise for Linux 1.7 Product Guide - McAfee

displayingdates and times 25

documentationaudience for this guide 7product-specific, finding 9typographical conventions and icons 7

download site 14

E

enhancingSMTP settings 56

error messagestroubleshoot 70

understanding 25

eventstrigger scanning 12

exporting the resultsdetected items 33

for analysis 33, 35

system events 35

extension based scanningconfigure 50

on-access settings 50

scan all files 51

scan default files 51

scan specific files 51, 52

extra DAT filesview 38

F

featuresadministration 13

reporting 13

scanning 13

VirusScan Enterprise for Linux 13

features from a fileconfiguring 61

frequently asked questionsgeneral information 69

installation 65

runtime kernel module 68

scanning 66

troubleshoot 65

viruses and detection 67

G

general informationfrequently asked questions 69

general settingsbrowser interface 46

clear statistics 47

configure 45

logging 47

reset defaults 47

H

host summaryview 27

howquarantine action works 63

scanning works 17

I

information

expanding and collapsing tables 23

extra DAT files 38

viewing 27

installation

frequently asked questions 65

interact

VirusScan Enterprise for Linux 12

interface

console 21, 22

navigation pane 21

opening 20

quick help pane 21

using 23

VirusScan Enterprise for Linux 19

introduction

McAfee VirusScan Enterprise for Linux 11

VirusScan Enterprise for Linux 11

K

kernel module compilation

runtime 68

KnowledgeBase 14

L

links bar 22

Linuxshield

previously known as 11

logging

configure 47

general settings 47

logging on

VirusScan Enterprise for Linux interface 20

long tables

navigating through 23

M

McAfee Labs 14

McAfee ServicePortal, accessing 9

McAfee VirusScan Enterprise for Linux

introduction 11

modify existing

scheduled tasks 37

N

navigation pane

user interface 21

notification templates

substituting variables 59

notifications

configure 55

SMTP notifications 55

SMTP settings 56

substitution variables 59

O

on-access scan 18

on-access settings

anti-virus actions 52

configure 47

extension based scanning 50

paths excluded 49

scanning options 48

on-demand scan 18

on-demand scans

running 42

schedule 42, 43

on-demand settings

configure 53

opening

interface 20

P

page information

automatically refresh 24

page settings

changing 24

pane

navigation 21

paths excluded

configure 49

on-access settings 49

processes

controlling 61

product

configuring 45

updating 40

product features 13

product update

schedule 41

professional services 14

proxy settings

configure 58

repositories 58

Q

quarantine action

how it works 63

working of 63

quick help pane 22

R

recently detected items

scanning summary 30

recently scanned items

scanning summary 30

refreshing information

automatically 24

regular expression based

scanning 49

repositories

configure 57

proxy settings 58

repository list 57

repository list

configure 57

repositories 57

reset defaults

configure 47

general settings 47

run

on-demand scans 42

run immediately

scheduled tasks 37

running on-demand scan

creating a schedule to 43

runtime

kernel module compilation 68

runtime kernel module

frequently asked questions 68

S

scan all files

extension based scanning 51

scan default files

extension based scanning 51

scan specific files

extension based scanning 51, 52

scan types

on-access 18

on-demand 18

scanning

DAT files 17

frequently asked questions 66

regular expression based 49

types 18

what and when 17

scanning for

potentially unwanted software 17

scanning for (continued)

viruses 17

scanning options

configure 48

on-access settings 48

scanning summary

diagnostic report 31

recently detected items 30

recently scanned items 30

statistics 29

view 28

scanning works

how 17

schedule

on-demand scans 42, 43

product update 41

schedule tasks

command line 43

scheduled tasks

delete existing 37

modify existing 37

run immediately 37

stop 38

stopping 38

view 35

schedules

setting up 39

using a wizard 40

ServicePortal, finding product documentation 9

setting up

schedules 39

SMTP notifications

configure 55

notifications 55

SMTP settings

configure 56

enhance 56

notifications 56

sorting tables:

VirusScan Enterprise for Linux 23

statistics

scanning summary 29

stop

scheduled tasks 38

substitution variables

notifications 59

system events

analyze 34

export to csv 35

view 34

T

table columns

sort 23

tables

collapsing 23

expanding 23

technical support 14

Technical Support, finding product information 9

threat center 14

time differences

understanding 39

troubleshoot

VirusScan Enterprise for Linux 65

error messages 70

frequently asked questions 65

types

scanning 18

U

understand

time differences 39

understanding error messages 25

update

VirusScan Enterprise for Linux 40

updating the product

creating a schedule to 41

user interface

navigation pane 21

viewing 20

using the interface 23

using wizards

VirusScan Enterprise for Linux 25

V

view

detected items 31

extra DAT files 38

host summary 27

scanning summary 28

scheduled tasks 35

system events 34

user interface 20

VirusScan Enterprise for Linux information 27

view results

detected items 33

viruses and detection

frequently asked questions 67

VirusScan Enterprise for Linux

control the processes 61

advanced features 59

configure 45

contact information 14

control 61

controlling 61

controlling from the command line 61

features 13

interact 12

VirusScan Enterprise for Linux (continued)

interface 19

introduction 11

logging on 20

product update 40

sorting tables 23

troubleshoot 65

using the interface 23

view information 27

what is 11

VirusScan Enterprise for Linux (continued)

wizards 25

W

WebImmune 14

what's in this guide 8

wizards

using 25, 40

VirusScan Enterprise for Linux 25
