Revision 1.0
VirusScan® Enterprise
version 7.1.0
COPYRIGHT
© 2003 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,
transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission
of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the
Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972-963-8000.
TRADEMARK ATTRIBUTIONS
Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Appera, AVERT, Bomb
Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert,
Design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, E and
Design, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy Orchestrator, Event Orchestrator (in Katakana), EZ SetUp,
First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HelpDesk IQ, HomeGuard, Hunter, Impermia,
InfiniStream, Intrusion Prevention Through Innovation, IntruShield, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and design,
Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design,
McAfee.com, MultiMedia Cloaking, NA Network Associates, Net Tools, Net Tools (in Katakana), NetAsyst, NetCrypto, NetOctopus, NetScan,
NetShield, NetStalker, Network Associates, Network Performance Orchestrator, Network Policy Orchestrator, NetXray, NotesGuard, nPO, Nuts
& Bolts, Oil Change, PC Medic, PCNotary, PortalShield, Powered by SpamAssassin, PrimeSupport, Recoverkey, Recoverkey – International,
Registry Wizard, Remote Desktop, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, SecureSelect, Service Level
Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller, SpamAssassin, Stalker, SupportMagic, ThreatScan, TIS, TMEG,
Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail,
UnInstaller, VIDS, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall,
What's The State Of Your IDS?, Who’s Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered
trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer® brand products
are made only by Network Associates, Inc. All other registered and unregistered trademarks in this document are the sole property of
their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER
DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE
(AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE
PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE,
YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Attributions
This product includes or may include:
Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
Cryptographic software written by Eric A. Young (eay@cryptsoft.com) and software written by Tim J. Hudson (tjh@cryptsoft.com).
Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software
licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source
code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source
code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free
Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in
this agreement, then such rights shall take precedence over the rights and restrictions herein.
Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier. All rights reserved.
Software written by Douglas W. Sauder.
Software developed by the Apache Software Foundation (http://www.apache.org/).
International Components for Unicode (“ICU”) Copyright © 1995-2002 International Business Machines Corporation and others. All rights reserved.
Software developed by CrystalClear Software, Inc., Copyright © 2000 CrystalClear Software, Inc.
FEAD® Optimizer® technology, Copyright Netopsystems AG, Berlin, Germany.
Contents
Preface
Audience
Conventions
Getting information
Contacting McAfee Security & Network Associates
2 Getting Started
Orientation to the user interface
Start menu
VirusScan Console
Menu bar
Task menu
Edit menu
View menu
Tools menu
Help menu
Toolbar
Task list
Status bar
Right-click menus
Right-click menus from the console
Right-click scan
System tray
Right-click scan or update from the system tray
Command line
Setting user interface options
Display options
Password options
3 On-Access Scanning
Configuring the on-access scanner
On-access scan properties
General settings
General properties
Message properties
Report properties
Process settings
Default processes
Process properties
Detection properties
Advanced properties
Action properties
Low-risk and high-risk processes
Assigning risk to a process
Process properties
Detection properties
Adding file type extensions
Adding user-specified file type extensions
Excluding files, folders, and drives
Advanced properties
Action properties
Viewing scan results
Viewing scan statistics
Viewing the activity log
Responding to virus detections
Receiving notification of virus detections
Viewing on-access scan messages
Taking action on virus detections
4 On-Demand Scanning
Creating on-demand tasks
Creating tasks from the start menu or system tray
Creating tasks from the console
Configuring on-demand tasks
Where properties
Adding, removing, and editing items
Adding items
Removing items
Editing items
Detection properties
Advanced properties
Action properties
Report properties
Resetting or saving default settings
Scheduling on-demand tasks
Scanning operations
Running on-demand tasks
Pausing and restarting on-demand tasks
Stopping on-demand tasks
Resumable scanning
Viewing scan results
Viewing scan statistics
Viewing the activity log
Responding to virus detections
Receiving notification of virus detections
Taking action on virus detections
VirusScan Alert dialog box
On-Demand Scan Progress dialog box
7 Updating
Update strategies
System variables
AutoUpdate tasks
AutoUpdate task overview
Creating an AutoUpdate task
Configuring an AutoUpdate task
Running AutoUpdate tasks
Running the update task
Activities that occur during an update task
Viewing the activity log
AutoUpdate repository list
AutoUpdate repositories
Configuring the AutoUpdate repository list
Importing the AutoUpdate repository list
Editing the AutoUpdate repository list
Adding and editing repositories
Removing and reorganizing repositories
Specifying proxy settings
Mirror tasks
Creating a mirror task
Configuring a mirror task
Running mirror tasks
Viewing the mirror task activity log
Rollback DAT files
Manual updates
Updating from DAT file archives
Once
At System Startup
At Logon
When Idle
Run Immediately
Run On Dialup
C Troubleshooting
Minimum Escalation Tool
Frequently asked questions
Installation questions
Scanning questions
Virus questions
General questions
Updating error codes
Glossary
Index
This guide introduces McAfee® VirusScan® Enterprise software version 7.1.0, and
provides the following information:
Troubleshooting information.
Glossary of terms.
Audience
This information is intended primarily for two audiences:
Users who are responsible for updating virus definition (DAT) files on their
computer, or configuring the software’s detection options.
Conventions
This guide uses the following conventions:
Bold: All words from the user interface, including options, menus, buttons, and dialog box names.
Example: Type the User name and Password of the desired account.
Courier: Text that represents something the user types exactly; for example, a command at the system prompt.
Example: To enable the agent, run this command line on the client computer:
Example: Refer to the VirusScan Enterprise Product Guide for more information.
Example: In the console tree under ePolicy Orchestrator, right-click <SERVER>.
Getting information
Installation Guide *†: System requirements and instructions for installing and starting the software.
VirusScan Enterprise 7.1.0 Installation Guide
Product Guide *: Product introduction and features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures.
VirusScan Enterprise 7.1.0 Product Guide
Help §: High-level and detailed information on configuring and using the software. What’s This? field-level help.
Configuration Guide *: For use with ePolicy Orchestrator™. Procedures for configuring, deploying, and managing your McAfee Security product through ePolicy Orchestrator management software.
Implementation Guide *: Supplemental information for product features, tools, and components.
Release Notes ‡: ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.
Contacts ‡: Contact information for McAfee Security and Network Associates services and resources: technical support, customer service, AVERT (Anti-Virus Emergency Response Team), beta program, and training. This file also includes phone numbers, street addresses, web addresses, and fax numbers for Network Associates offices in the United States and around the world.
* An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site.
† A printed manual that accompanies the product CD. Note: Some language manuals may be available only as a .PDF file.
‡ Text files included with the software application and on the product CD.
§ Help accessed from the software application: Help menu and/or Help button for page-level help; right-click option for What’s This? help.
This Product Guide provides information on configuring and using the VirusScan
Enterprise software. For system requirements and installation instructions, refer to
the VirusScan Enterprise Installation Guide.
Product components
Introducing VirusScan Enterprise
See the VirusScan Enterprise 7.1.0 Installation Guide for more information about
configuring Check Point.
See the McAfee Installation Designer Product Guide for more information.
See the VirusScan Enterprise 7.1.0 Installation Guide for more information about
configuring Netopsystems’ FEAD Optimizer.
Engine and DAT files are contained in the .MSI file — The engine and DAT files
have been added to the .MSI file for VirusScan Enterprise 7.1.0. This allows
customers to deploy the product using a single .MSI file.
See the VirusScan Enterprise 7.1.0 Configuration Guide for use with ePolicy
Orchestrator 3.0 for details about enabling ePolicy Orchestrator task visibility.
Product components
The VirusScan Enterprise software consists of several components that are
installed as features. Each feature plays a part in defending your computer against
viruses and other potentially unwanted software. The features are:
VirusScan Console. The console is the control point that allows you to create,
configure, and run VirusScan Enterprise tasks. A task can include anything
from running a scan operation on a set of drives at a specific time or interval,
to running an update operation. If you have administrator rights, you can also
enable or disable the on-access scanner from the console, typing the password
if required.
E-mail scanner. The e-mail scanner allows you to scan your Microsoft Outlook
messages, attachments, or public folders to which you have access, directly on
the computer. If Outlook is running, e-mail is scanned on-delivery. You can
also perform an on-demand e-mail scan at any time. This allows you to find
potential infections before they make their way to your desktop.
Alert Manager. The Alert Manager™ product gives you the ability to receive
or send virus-related alert messages. After it is installed, you can configure
Alert Manager to notify you as soon as the scanner detects a virus on the
computer, via e-mail, a printer, SNMP traps, or by other means. By default,
Alert Manager is not preconfigured; you must configure the software before
you can receive or send virus-related alert messages.
Ordinarily, you can use the VirusScan Enterprise interface to perform most
scanning operations, but if you have trouble starting Windows or if the
VirusScan Enterprise features do not run in your environment, you can use the
command-line scanner as an alternative.
Getting Started
Start menu
VirusScan Console
Right-click menus
System tray
Command line
Start menu
You can use the Start menu to:
VirusScan Console
The VirusScan Console is the control point for all of the program’s activities.
Menu bar
Toolbar
Task list
Status bar
Menu bar
The VirusScan Console includes menus with commands that allow you to create,
delete, configure, run, start, stop, and copy scan tasks to suit your most demanding
security needs. You can also connect and disconnect from a remote VirusScan
Enterprise computer. All of the commands are available from the menus. Some
commands are also available when you right-click a task in the VirusScan Console.
Task menu
Edit menu
View menu
Tools menu
Help menu
Task menu
Use the Task menu to create and configure tasks, and view statistics and activity
logs.
NOTE
The menu items Start, Stop, Disable, Delete, Rename, Statistics,
Activity Log, and Properties apply to the selected task.
Edit menu
Use the Edit menu to copy and paste selected tasks.
View menu
Use the View menu to specify whether to show the toolbar and status bar, or refresh
the console.
Tools menu
Use the Tools menu to configure alerts, launch the event viewer, specify user
interface options, lock or unlock user interface security, connect or disconnect a
computer when configuring a remote console, import or edit the repository list,
and roll back DAT files to a previous version.
Help menu
Use the Help menu to access online Help topics, the virus information library, or
the Technical Support web site. You can also submit a sample virus to the
Anti-Virus Emergency Response Team (AVERT). The About dialog box gives you
product, DAT file version, and scanning engine information.
Toolbar
The toolbar gives you quick access to many commands just by clicking an icon. The
icons are:
Connect to a computer.
Disconnect from a computer.
Task list
The VirusScan Console includes a list of tasks that VirusScan Enterprise can
perform. A task is a set of instructions to run a program or scan operation, in a
specific configuration, at a certain time.
To configure a task, select the task, then click or double-click the task to open
its property pages. The following default tasks come with the VirusScan Enterprise
software:
AutoUpdate. This task allows you to download the latest virus definition (DAT)
files and scanning engine. You can use this default update task and create other
update tasks to meet your requirements. To create, configure, and schedule
update tasks, see Updating on page 187.
E-mail Scan. This task allows you to perform on-delivery e-mail scanning. This
task is unique and cannot be copied. To configure an on-delivery or
on-demand e-mail task, see E-mail Scanning on page 115.
Scan All Fixed Disks. This task allows you to perform on-demand scanning.
You can use this default on-demand scan task and create others to meet your
requirements. To create, configure, and schedule on-demand tasks, see
On-Demand Scanning on page 85.
Other tasks that you create from the VirusScan Console are added to the task list.
For example:
New mirror task. This task allows you to create a mirror site for use in
downloading update files. You can create any number of mirror tasks. For
more information about mirror tasks see Mirror tasks on page 212.
In addition, you can view tasks created via ePolicy Orchestrator if you choose to
do so.
ePO Task - task name. If you are using ePolicy Orchestrator 3.0 or later to
manage the VirusScan Enterprise software, you can choose to view ePolicy
Orchestrator tasks in the VirusScan Console. This applies to on-demand,
update, and mirror tasks. See the VirusScan Enterprise Configuration Guide for
use with ePolicy Orchestrator 3.0 for information about enabling ePolicy
Orchestrator task visibility.
Status bar
The status bar shows the status of the current activity.
Right-click menus
Use right-click menus for quick access to commonly used actions, such as creating
new tasks, viewing task statistics and logs, opening task property pages, or
scanning a specific file or folder for viruses.
Right-click menus from the console. The right-click menus available from the
VirusScan Console vary, depending on whether you have selected a task in the
task list, and on which task you select. See Right-click menus from the console on
page 25 for details.
Right-click scan. This right-click scan feature allows you to select a specific file
or folder and immediately scan it for viruses. See Right-click scan on page 25 for
details.
Right-click scan from the system tray. This right-click scan feature allows you
to create a one-time, unsaved on-demand scan task. See Right-click scan or
update from the system tray on page 26 for details.
On-access Scan. If you right-click the on-access scan task in the task list, you
can enable or disable the task, view task statistics, view the activity log, and
open the property pages.
Update. If you right-click an update task in the task list, you can start or stop
the task, delete the task, rename the task, view the activity log, and open the
property pages.
E-mail Scan. If you right-click an e-mail scan task in the task list, you can enable
or disable the task, view task statistics, view the activity log, and open the
property pages.
On-demand Scan. If you right-click an on-demand scan task in the task list, you
can start or stop the task, copy or paste the task, delete the task, rename the
task, view task statistics, view the activity log, and open the property pages.
When you right-click a blank area in the console, without selecting an item in the task
list, you can perform these actions:
User Interface options. Access the User Interface Options property pages. See
Setting user interface options on page 27 for information about setting these
options.
Right-click scan
You can perform an immediate on-demand scan of a selected file or folder by
right-clicking the file or folder in Windows Explorer, then selecting Scan for
viruses. This is also known as a shell extension scan. The on-demand scanner is
invoked directly with all scan settings, such as archive scanning, heuristic
scanning, and other options, enabled. This is useful if you are concerned that a
specific folder or file may be infected.
If a file or folder is found to be infected, it is displayed in a list view with the details
of the infected item at the bottom of the scanning dialog box. You can take action
on the infected item by right-clicking on it in the list view, and selecting either the
clean, delete, or move action.
Product Guide 25
Getting Started
System tray
The on-access scanner installs and activates itself by default when you perform a
typical installation. Once active, the scanner displays the Vshield icon in the
Windows system tray.
On-Access Scan Statistics. View on-access scanner statistics. You can enable or
disable the on-access scanner or open the on-access scanner property pages.
On-Access Scan Messages. View the on-access scanner messages. You can
remove a message, clean a file, delete a file, or move a file.
NOTE
Update Now only works with the default update task which
was created when you installed the product. You can rename
and reconfigure the default update task, but if you delete the
default task, Update Now becomes disabled.
Command line
Use the command line feature to perform activities from the Command Prompt.
See Command-Line Scanner Program on page 239 for more information.
This section describes how to set the display and password options from the
console. The following topics are addressed in this section:
Display options
Password options
Display options
The Display Options dialog box allows you to determine which system tray options
users can access and set refresh time for the local console.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
3 Determine which system tray options you want users to see. Under System tray
icon, select an option:
Show the system tray icon with all menu options. This option is selected by
default. Allow users to see all menu options on the system tray.
Show the system tray icon with minimal menu options. Limit the right-click
menu items to only the About and On-Access Scan Statistics items. All
other menu items are hidden on the right-click menu.
Do not show the system tray icon. Do not allow users to have access to the
system tray icon.
4 Under Local console refresh time, select the frequency, in seconds, for which
you want to refresh the console.
5 Click Apply, then OK to save your changes and close the dialog box.
Password options
The Password Options dialog box allows you to set a security password for the
entire system or for only the tabs and controls you select. The same password is
used for all the selected tabs and controls.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
Password protection for all items listed below. Users must type the specified
password before they can access any locked tabs or controls in the
software.
Password protection for the selected items below. Users must type the
specified password before they can access the items you lock here. Items
not locked do not require a password.
5 Click OK.
WARNING
If the Console and Miscellaneous password item is locked, you
cannot perform the following:
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
4 Click OK.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
Because the on-access scanner provides your computer with ongoing, background
scanning protection, it may seem redundant to run on-demand scan tasks. But
good anti-virus security measures incorporate complete, regular system scans
because:
Viruses are unexpected. Accidentally leaving a disk in your drive as you start
your computer could load a virus into memory before the on-access service
starts, particularly if you do not have the service configured to scan disks. Once
in memory, a potent virus can infect nearly any program.
On-access scanning takes time and resources. Scanning for viruses as you
run, copy or save files can delay software launch times and other tasks.
Depending on your situation, this could be time you might devote to
important work. Although the impact is slight, you might be tempted to
disable on-access scanning if you need every bit of available system power for
demanding tasks. In that case, performing regular scan operations during idle
periods can guard your system against infection without compromising
performance.
Good security is redundant security. In the networked, web-centric world in
which most computer users operate today, it takes only a moment to
download a virus from a source you might not even realize you visited. If a
software conflict disables background scanning for a moment, or if
background scanning is not configured to watch a vulnerable entry point, you
could end up with a virus. Regular scan operations can often catch infections
before they spread or do any harm.
Scanning automatically
On-access scanning provides continuous, real-time virus detection and response,
based on users’ activities. The VirusScan Enterprise anti-virus software program
provides a single on-access scan task, which examines for infections each time a
network user writes a file to the computer or reads a file from the computer. The
scanner attempts to clean any infection it finds, and records its activities in a log
file. You can change its settings to define:
Files and file types to be scanned.
See On-Access Scanning on page 39 for specific details about configuring on-access
scanning.
A one-time unsaved on-demand task can be configured and scheduled, but is not
saved for future use unless you choose to save it.
A saved on-demand scan task can be planned in advance, and run whenever you
feel it is necessary, or on a regularly scheduled basis. You can create an unlimited
number of scan tasks that target specific locations on the network. You can define
them narrowly to a specific drive, folder, or file, or broadly, to multiple drives,
folders, or files. Once created, saved scan tasks remain available until they are
deleted from the VirusScan Console. They can be edited, as needed.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
When you start the VirusScan Console, the name of the computer you are
connected to appears in the console title bar, and in the menu at the left of the
console toolbar. If you have not connected to a computer elsewhere on the
network, the title bar shows the name of your local computer.
To administer a remote computer on which the VirusScan Enterprise program is
installed:
1 From the Tools menu, select Remote Connection or click in the toolbar.
The Connect to Remote Computer dialog box appears.
2 Click to select a computer in the Connect to computer list or type the name
of the computer that you want to administer in the text box. You can also click
Browse to locate the computer on the network.
NOTE
If environment variables are used while configuring the path
name of the file or folder for a remote task, be sure that the
environment variable exists on the remote computer. The
VirusScan Console cannot validate environment variables
on the remote computer.
The console reads the remote computer’s registry and displays the tasks of the
remote computer. Once the tasks appear in the console, you can perform on a local
computer.
To disconnect from the computer you have connected to, click in the console
toolbar, or select Disconnect Computer from the Tools menu. When you disconnect
from the remote computer, the console refreshes to display the local computer’s
tasks.
When an infection is detected, the on-access scanner records a message with details
about the infected file and allows you to quickly access the message and take
immediate action on the infected file.
Product Guide 39
On-Access Scanning
The on-access scanner comes configured with most response properties enabled.
By default, the scanner is set to clean a virus when it finds one. If the virus is not
cleanable, the default secondary action is to quarantine the virus. The scanner also
records the incident in the log file.
The following topics are addressed in this section:
General settings
Process settings
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
The On-Access Scan Properties dialog box allows you to configure general
settings and three types of processes. The icons in the left pane of the dialog
box give you access to the configurable options.
When the On-Access Properties dialog box first opens, the default view
provides access to properties for General Settings and All Processes.
General settings
The properties you specify in General Settings apply to default, low-risk, and
high-risk processes.
General properties
Message properties
Report properties
General properties
Use the options on the General tab to configure basic properties for on-access
scanning.
1 Open the On-Access Scan Properties dialog box, then select General Settings in
the left pane.
3 Under Scan, choose which parts of the computer you want the scanner to
examine. Select from these options:
Boot sectors. This option is selected by default. Include the disk boot sector
during scanning activities. The scanner includes the disk boot sector when
a disk is mounted. In some situations it may be appropriate to disable boot
sector analysis when a disk contains a unique or abnormal boot sector that
cannot be subjected to virus scanning.
Floppy during shutdown. This option is selected by default. Scan the boot sector
of any floppy disk left in your drive as you shut down your computer. If
the disk is infected, the computer does not shut down until the disk is
removed.
Quarantine Folder. Accept the default location and name for the quarantine
folder, type a path to a different location for the quarantine folder, or click
Browse to locate a suitable folder on your local drive.
The default location and name for the quarantine folder is:
<drive>:\quarantine
NOTE
The quarantine folder should not be located on a floppy drive
or CD drive. It must be located on a hard drive.
5 Under Scan time, specify the maximum archive and scanning time, in seconds,
for all files. If a file takes longer than the specified time to scan, the scan stops
cleanly and a message is logged. If the scan cannot be stopped cleanly, it
terminates and restarts, and a different message is logged. Select from these
options:
Maximum archive scan time (seconds). The default setting is 15 seconds.
Accept the default or select the maximum number of seconds the scanner
should spend scanning an archive file. The time you select for the archive
time must be less than the time you select for scanning all files.
Enforce a maximum scanning time for all files. This option is selected by default.
Define a maximum scanning time and enforce it for all files.
Maximum scan time (seconds). The default setting is 45 seconds. Accept the
default or select the maximum number of seconds the scanner should
spend scanning a file.
6 Click Apply to save your changes.
Message properties
Use the options on the Messages tab to configure user message properties for
on-access scanning.
1 Open the On-Access Scan Properties dialog box, then select General Settings in
the left pane.
3 Under Messages for local users, select message options. Some of these options
apply to all users and others apply only to users without administrator rights.
Show the messages dialog when a virus is detected. This option is selected by
default. Display the On-Access Scan Messages dialog box when a virus is
detected. See Responding to virus detections on page 80 for more information
about the On-Access Scan Messages dialog box.
Text to display in message. If you selected Show the messages dialog when
a virus is detected, you can accept the default message or type a custom
message that displays when an infection is detected. The default message is
VirusScan Alert!
The following options apply to the actions that users without administrator
rights are allowed to take on messages listed in the On-Access Scan Messages
dialog box. Select any combination of these options:
Remove messages from the list. This option is selected by default. Allow users
without administrator rights to remove messages from the list.
Clean infected files. This option is selected by default. Allow users without
administrator rights to clean infected files referenced by the messages in
the list.
Move infected files to the quarantine folder. This option is selected by default.
Allow users without administrator rights to move infected files, which are
referenced by messages in the list, to the quarantine folder.
4 Under Response to network users, select from these options:
Send message to user. Send a message to the network user when a virus is
detected. For example, you can send an alert message to a network user
that is running on a remote computer and accesses the protected file
system through a network share.
If you select this option, you can accept the default message or type a
custom message in the text box provided. The default message is Virus
Alert!!!
WARNING
The Windows Messenger service must be running to receive
this message.
Report properties
Use the options on the Reports tab to configure logging activity and specify what
information you want to capture for each log entry.
NOTE
The log file can serve as an important management tool for
tracking virus activity on your network and to note which
settings you used to detect and respond to any virus that the
scanner found. The incident reports recorded in the file can
help you determine which files you need to replace from
backup copies, examine in quarantine, or delete from your
computer. See Viewing the activity log on page 79 for more
information about how to view the log.
1 Open the On-Access Scan Properties dialog box, then select General Settings in
the left pane.
Log to file. This option is selected by default. Record on-access scanning virus
activity in a log file.
In the text box, accept the default log file name and location, type a
different log file name and location, or click Browse to locate a suitable file
elsewhere on your computer or network.
NOTE
By default, the scanner writes log information to the
ONACCESSSCANLOG.TXT file in this folder:
<drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan
Limit size of log file to. This option is selected by default. The default log file size
is 1MB. Accept the default log size or set a different size for the log. If you
select this option, type a value between 1MB and 999MB.
NOTE
If the data in the log file exceeds the file size you set, the oldest
20 percent of the log file entries are deleted and new data is
appended to the file.
4 Under What to log in addition to virus activity, select the additional information
that you want to record in the log file:
Session settings. Record the properties that you chose for each scanning
session in the log file.
NOTE
A scanning session is the period of time that the scanner
remains loaded in memory on your computer. It ends when
you either unload the program or restart your computer.
Session summary. This option is selected by default. Summarize the scanner’s
actions during each scanning session and add the information to the log
file. Summary information includes the number of files scanned, the
number and type of viruses detected, the number of files moved, cleaned,
or deleted, and other information.
Failure to scan encrypted files. This option is selected by default. Record the
name of encrypted files that the scanner failed to scan in the log file.
User name. This option is selected by default. Record the name of the user
logged on to the computer at the time the scanner records each log entry,
in the log file.
Process settings
Choose whether to use the same settings for all processes, or whether to specify
different settings for default, low-risk, and high-risk processes.
Use the settings on these tabs for all processes. Specify the same scanning
properties for all processes. The procedure for setting properties for all
processes is the same as the procedure for setting properties for default
processes. See Default processes on page 50 for a step-by-step procedure.
Use different settings for high-risk and low-risk processes. Specify different
properties for processes based on whether they are default processes or are
defined as low-risk or high-risk. See Low-risk and high-risk processes on page 60
for more information.
NOTE
When you select this option, the All Processes icon changes to
Default Processes, and both the Low-Risk Processes and
High-Risk Processes icons become available in the left pane.
Default processes
A default process is any process that is not defined as a low-risk or high-risk
process.
NOTE
When setting properties for all processes, follow the
procedures for setting default process properties.
Process properties
Detection properties
Advanced properties
Action properties
Process properties
Use the options on the Processes tab to specify properties for default processes or
all processes:
1 Open the On-Access Scan Properties dialog box, then select All Processes in the
left pane.
2 Select the Processes tab if it is not already selected, then select one of these
options:
Use the settings on these tabs for all processes. This option is selected by
default. If you specify properties with this option selected, the properties
you select apply to all processes. You cannot set different properties for
default, low-risk and high-risk processes.
Use different settings for high-risk and low-risk processes. Set different
properties for default, low-risk and high-risk processes.
NOTE
When you select this option, the All Processes icon changes to
Default Processes, and both the Low-Risk Processes and
High-Risk Processes icons become available in the left pane.
Detection properties
Use the options on the Detection tab to specify what types of files you want the
on-access scanner to examine, and when you want to scan them.
1 Open the On-Access Scan Properties dialog box, then select All Processes in the
left pane.
Use the settings on these tabs for all processes. This option is selected by
default. If you specify properties with this option selected, the properties
you select apply to all processes. You cannot set different properties for
default, low-risk and high-risk processes.
Use different settings for high-risk and low-risk processes. Set different
properties for default, low-risk and high-risk processes.
NOTE
When you select this option, the All Processes icon changes to
Default Processes, and both the Low-Risk Processes and
High-Risk Processes icons become available in the left pane.
When writing to disk. This option is selected by default. Scan all files as they are
written to or modified on the server, workstation, or other data storage
device.
When reading from disk. This option is selected by default. Scan all files as they
are read from the server, workstation, or other data storage device.
On network drives. Include network resources during on-access scans. This
is a convenient way to extend virus protection.
NOTE
Including network resources could have a negative effect on
the overall performance of the system that is running the scan.
WARNING
If you are copying or moving a file from one computer to
another, and the on-access scan properties on both computers
have been configured to scan files both written to disk and
read from disk, scanning occurs when the file is read by the
source computer and again when it is written to the destination
computer.
All files. This option is selected by default. Scan all files regardless of extension.
Default + additional file types. Scan the default list of extensions plus any
additions you specify. The default list of file type extensions is defined by
the current DAT file. You can add or remove user-specified file type
extensions, but you cannot delete any file type extensions from the default
list. You can, however, exclude extensions that appear in the default list.
See Excluding files, folders, and drives on page 70 for more information.
Also scan for macro viruses in all files. Scan all files, regardless of
extension, for macro viruses. This option is only available when the
Default + additional file types option is selected.
NOTE
Scanning for macro viruses in all files could affect
performance.
6 Under What not to scan, click Exclusions to specify the files, folders, and drives
that you want to exclude from scanning. See Excluding files, folders, and drives
on page 70 for detailed instructions.
Advanced properties
Use the options on the Advanced tab to specify advanced scan options for
heuristics, non-virus program files, and compressed files.
1 Open the On-Access Scan Properties dialog box, then select All Processes in the
left pane.
Use the settings on these tabs for all processes. This option is selected by
default. If you specify properties with this option selected, the properties
you select apply to all processes. You cannot set different properties for
default, low-risk and high-risk processes.
Use different settings for high-risk and low-risk processes. Set different
properties for default, low-risk and high-risk processes.
NOTE
When you select this option, the All Processes icon changes to
Default Processes, and both the Low-Risk Processes and
High-Risk Processes icons become available in the left pane.
4 Under Heuristics, specify whether you want the scanner to evaluate the
probability that an unknown piece of code or a Microsoft Office macro is a
virus. When this feature is enabled, the scanner analyzes the likelihood that the
code is a variant of a known virus. Select any combination of these options:
Find unknown program viruses. This option is selected by default for default
processes and high-risk processes. Treat executable files that have code
resembling a virus as if they were infected. The scanner applies the action
you choose on the Actions tab.
Find unknown macro viruses. This option is selected by default for default
processes and high-risk processes. Treat embedded macros that have code
resembling a virus as if they were infected. The scanner applies the action
you choose on the Actions tab.
NOTE
This option is not the same as Also scan for macro viruses in all
files on the Detection tab, which instructs the scanner to find
all known macro viruses. This option instructs the scanner to
assess the probability that an unknown macro is a virus.
5 Under Non-viruses, specify if you want the scanner to search for non-virus
programs that are potentially unwanted.
WARNING
VirusScan Enterprise does not take any action on potentially
unwanted program files or joke programs that it detects.
Detections are logged in the log file.
If you want to take action on a detected potentially unwanted
program file or joke program, you must take action manually.
For example, if you want to remove a detected joke program,
you must remove it manually.
6 Under Compressed files, specify which types of compressed files you want the
scanner to examine:
Scan inside packed executables. This option is selected by default for default
processes and high-risk processes. Examine compressed files that contain
executable files. A packed executable is a file that, when run, extracts itself
into memory only. Packed executable files are never extracted to disk.
Scan inside archives. Examine archive files and their contents. An archive
file is a compressed file that must be extracted prior to accessing the files
within it. Files contained inside archives are scanned when they are written
to disk.
Action properties
Use the options on the Actions tab to specify the primary and secondary actions
you want the scanner to take when it detects a virus.
1 Open the On-Access Scan Properties dialog box, then select All Processes in the
left pane.
Use the settings on these tabs for all processes. This option is selected by
default. If you specify properties with this option selected, the properties
you select apply to all processes. You cannot set different properties for
default, low-risk and high-risk processes.
Use different settings for high-risk and low-risk processes. Set different
properties for default, low-risk, and high-risk processes.
NOTE
When you select this option, the All Processes icon changes to
Default Processes, and both the Low-Risk Processes and
High-Risk Processes icons become available in the left pane.
4 Under When a virus is found, select the primary action that you want the
scanner to take when a virus is detected.
NOTE
The default primary action is Clean infected files automatically.
Deny access to infected files. Denies all users access to any infected files the
scanner finds. Be sure to enable the Log to file property on the General
Settings, Reports tab, so that you have a record of which files are infected.
NOTE
If the file is written to the local system from an outside source,
for example a CD-ROM or the Internet, the scanner adds a .VIR
extension to the end of the file name. The scanner considers
this type of file action to be a write action.
If the file is copied, for example from one location on a hard
disk to another location, the .VIR extension is not added to the
file name. The scanner considers this to be a move action.
Move infected files to a folder. The scanner moves infected files to a folder
that is named quarantine by default. You can change the name of the folder
in the Quarantine Folder text box on the General Settings, General tab.
Delete infected files automatically. The scanner deletes infected files as soon
as it detects them. Be sure to enable the Log to file property on the General
Settings, Reports tab, so that you have a record of which files were infected.
If you select this option, you are required to confirm your selection. Click
Yes to confirm your selection, or click No to deselect this option.
WARNING
If you selected Find unknown macro viruses on the Advanced
tab, the action you select here applies to any macro that has
code resembling a virus. If you select Delete infected files
automatically, any file that has code resembling a macro virus
is deleted, and any archive that contains an infected file is
deleted. If that is not your intention, be certain that your
choice of action corresponds with your choice of action for
macros.
Clean infected files automatically. This option is selected by default. The
scanner tries to remove the virus from the infected file. If the scanner
cannot, or if the virus has damaged the file beyond repair, the scanner
performs the secondary action. See Step 5 for more information.
5 Under If the above Action fails, select the secondary action that you want the
scanner to take if the first action fails. The available options depend on the
primary action you selected.
NOTE
The default secondary action is Move infected files to a folder.
If you select this option, you are required to confirm your selection. Click
Yes to confirm your selection, or click No to deselect this option.
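The cautions the guide attaches to the General, Reports, Advanced and Actions tabs can be checked together. The following is an added example, not code from the product or the guide: a Python check over a hypothetical `OnAccessSettings` structure that flags the setting combinations the guide warns about. The field names, the rule identifiers and the default for `detect_unwanted_programs` are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Action(Enum):
    # The four actions offered on the Actions tab, as named in the guide.
    CLEAN = "Clean infected files automatically"
    DENY = "Deny access to infected files"
    MOVE = "Move infected files to a folder"
    DELETE = "Delete infected files automatically"


@dataclass
class OnAccessSettings:
    """Hypothetical in-memory view of the settings, not the product's storage format."""
    # Defaults below are the ones the guide states.
    max_archive_scan_seconds: int = 15
    enforce_max_scan_time: bool = True
    max_scan_seconds: int = 45
    log_to_file: bool = True
    limit_log_size: bool = True
    log_size_mb: int = 1
    primary_action: Action = Action.CLEAN
    find_unknown_macro_viruses: bool = True
    # Assumption: the guide does not state a default for this option.
    detect_unwanted_programs: bool = False


def lint(s: OnAccessSettings) -> List[Tuple[str, str]]:
    """Return (rule_id, explanation) pairs for settings the guide cautions against."""
    findings: List[Tuple[str, str]] = []

    # The archive time must be less than the time for scanning all files.
    # Checked only when the overall maximum is enforced (an assumption
    # about how the two options interact).
    if s.enforce_max_scan_time and s.max_archive_scan_seconds >= s.max_scan_seconds:
        findings.append(("SCAN_TIME",
                         "archive scan time must be less than the maximum scan time"))

    # A log size limit must be a value between 1MB and 999MB.
    if s.log_to_file and s.limit_log_size and not 1 <= s.log_size_mb <= 999:
        findings.append(("LOG_SIZE", "log size limit must be between 1 and 999 MB"))

    # For Deny and Delete the guide says to enable Log to file so that a
    # record of which files were infected exists.
    if s.primary_action in (Action.DENY, Action.DELETE) and not s.log_to_file:
        findings.append(("NO_RECORD",
                         "Deny/Delete selected without Log to file: no record of infected files"))

    # With macro heuristics on, Delete also removes any file whose macro
    # merely resembles a virus, and any archive that contains one.
    if s.primary_action is Action.DELETE and s.find_unknown_macro_viruses:
        findings.append(("MACRO_DELETE",
                         "heuristic macro detections and their containing archives will be deleted"))

    # No action is taken on potentially unwanted programs; the log entry is
    # the only trace of the detection.
    if s.detect_unwanted_programs and not s.log_to_file:
        findings.append(("PUP_UNLOGGED",
                         "unwanted-program detections are only logged, and logging is off"))

    return findings


if __name__ == "__main__":
    # Constructed sample: an aggressive configuration with logging turned off.
    risky = OnAccessSettings(max_archive_scan_seconds=60, log_to_file=False,
                             primary_action=Action.DELETE,
                             detect_unwanted_programs=True)
    for rule_id, text in lint(risky):
        print(f"{rule_id}: {text}")
```
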
Process properties
Detection properties
Advanced properties
Action properties
Low-risk processes are defined as those processes that have a lower possibility of
being infected. These can be processes that access a lot of files, but do so in a
way that has a lower risk of spreading viruses. Some examples are:
Backup software.
Compiling processes.
High-risk processes are defined as those processes that have a higher possibility
of being infected. Some examples are:
1 Decide why you want to have different scanning policies. The two most
common reasons when balancing performance against risk are:
To scan some processes to a lesser extent based on the risk and impact on
performance that occurs during scanning. For example, capturing
streaming media such as video has little risk, but is very resource intensive.
2 Decide which processes are low-risk and which are high-risk. First determine
which program is responsible for each process, then decide what risk is
associated with that process. Use the Windows Task Manager or Windows
Performance Monitor to help you understand which processes are using the
most CPU time and memory. Once you have this information you can associate
each process with a scanning policy based on the processes’ performance and
risk.
3 Configure the scanning policies for each of the three levels: default, low-risk
and high-risk.
NOTE
We do not recommend reducing the level of scanning for
high-risk processes. The high-risk scanning policy is initially
set the same as default processes to ensure that high-risk
processes maintain an in-depth level of scanning.
Process properties
Use the options on the Processes tab to define processes as either low-risk or
high-risk:
NOTE
Any process that is not defined as either low-risk or high-risk
is considered to be a default process and is scanned with the
properties that you set for default processes.
1 Open the On-Access Scan Properties dialog box, then select All Processes in the
left pane.
The list shows the current list of processes, in alphabetical order by file name.
Each process is shown with its application icon, file name, and description if
available. The default settings are:
The Low-Risk Processes list is empty.
The High-Risk Processes list is populated with processes that McAfee
Security considers to be high-risk. You can add or remove processes from
this list to meet your security needs.
NOTE
The steps you take to add or select processes are identical for
low-risk and high-risk processes.
5 To add applications, click Add. The Select Application dialog box appears.
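How a process maps to one of the three scanning policies, and a check for the guide's advice not to reduce scanning for high-risk processes, as an added example that is not part of the product or the guide. The class and field names, the case-insensitive file-name match, the choice to treat a process listed in both lists as high-risk, and the process names are assumptions or constructed values.

```python
from dataclasses import dataclass, field, fields
from typing import List, Set, Tuple


@dataclass(frozen=True)
class ScanPolicy:
    """A subset of the per-process options the guide describes (hypothetical names)."""
    scan_on_write: bool = True
    scan_on_read: bool = True
    find_unknown_program_viruses: bool = True
    find_unknown_macro_viruses: bool = True
    scan_packed_executables: bool = True


@dataclass
class OnAccessProcessConfig:
    # "Use the settings on these tabs for all processes" is selected by default.
    use_same_settings_for_all: bool = True
    default: ScanPolicy = field(default_factory=ScanPolicy)
    # Assumption: the model starts every tier identical; the guide only
    # states that the high-risk policy initially matches the default one.
    low_risk: ScanPolicy = field(default_factory=ScanPolicy)
    high_risk: ScanPolicy = field(default_factory=ScanPolicy)
    low_risk_processes: Set[str] = field(default_factory=set)
    high_risk_processes: Set[str] = field(default_factory=set)

    def tier_for(self, image_name: str) -> Tuple[str, ScanPolicy]:
        """Return the tier name and policy that apply to a process file name."""
        if self.use_same_settings_for_all:
            return "all processes", self.default
        name = image_name.lower()  # Windows file names are case-insensitive
        # Assumption: if a name appears in both lists, the stricter tier wins.
        if name in {p.lower() for p in self.high_risk_processes}:
            return "high-risk", self.high_risk
        if name in {p.lower() for p in self.low_risk_processes}:
            return "low-risk", self.low_risk
        # Anything not listed is a default process.
        return "default", self.default

    def weakened_high_risk(self) -> List[str]:
        """Options enabled for default processes but disabled for high-risk ones."""
        return [f.name for f in fields(ScanPolicy)
                if getattr(self.default, f.name) and not getattr(self.high_risk, f.name)]

    def listed_in_both(self) -> List[str]:
        """Process names that appear in both the low-risk and high-risk lists."""
        low = {p.lower() for p in self.low_risk_processes}
        high = {p.lower() for p in self.high_risk_processes}
        return sorted(low & high)


# Constructed sample configuration; the process names are made up.
EXAMPLE = OnAccessProcessConfig(
    use_same_settings_for_all=False,
    high_risk=ScanPolicy(scan_on_read=False),  # weaker than default: flagged
    low_risk_processes={"example-backup.exe"},
    high_risk_processes={"Example-Browser.exe", "example-backup.exe"},
)

if __name__ == "__main__":
    for proc in ("EXAMPLE-BROWSER.EXE", "example-backup.exe", "example-editor.exe"):
        print(proc, "->", EXAMPLE.tier_for(proc)[0])
    print("high-risk weaker than default in:", EXAMPLE.weakened_high_risk())
    print("listed in both lists:", EXAMPLE.listed_in_both())
```
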
Detection properties
Use the options on the Detection tab to specify what types of files you want the
on-access scanner to examine, and when you want to scan them.
1 Open the On-Access Scan Properties dialog box, then select All Processes in the
left pane.
NOTE
After you select the process icon from the left pane, the steps
you take to set Detection options are identical for low-risk and
high-risk processes.
When writing to disk. This option is selected by default. Scan all files as they are
written to or modified on the server, workstation, or other data storage
device.
When reading from disk. This option is selected by default. Scan all files as they
are read from the server, workstation, or other data storage device.
On network drives. Include network resources during on-access scans. This
is a convenient way to extend virus protection.
NOTE
Including network resources could have a negative effect on
the overall performance of the system that is running the scan.
WARNING
If you are copying or moving a file from one computer to
another, and the on-access scan properties on both computers
have been configured to scan files both written to disk and
files read from disk, scanning occurs when the file is read by
the source computer and again when it is written to the
destination computer.
All files. This option is selected by default. Scan all files regardless of extension.
Default + additional file types. Scan the default list of extensions plus any
additions you specify. The default list of file type extensions is defined by
the current DAT file. You can add or remove user-specified file type
extensions, but you cannot delete any file type extensions from the default
list. You can, however, exclude extensions that appear in the default list.
See Excluding files, folders, and drives on page 70 for more information.
Also scan for macro viruses in all files. Scan all files, regardless of
extension, for macro viruses. This option is only available when the
Default + additional file types option is selected.
NOTE
Scanning for macro viruses in all files could affect
performance.
7 Under What not to scan, click Exclusions to specify the files, folders, and drives
you want to exclude from scanning. See Excluding files, folders, and drives on
page 70 for detailed instructions.
2 Under Add File Type, you can add user-specified file type extensions in two
ways:
Type a file type extension in the text box, then click Add.
NOTE
You only need to type the first three letters of the file type
extension. If you type an HTM file extension, the scanner
searches for HTM and HTML files. You can use a wildcard or a
combination of characters with a wildcard.
Click Select to open the Select File Type dialog box. Select one or more file
type extensions from the list, then click OK.
Use CTRL + SHIFT to select more than one file type extension.
The file type extensions you added appear in the User-specified additional file
types list.
3 You can remove user-specified file type extensions from the user-specified list
in two ways:
Select one or more file type extensions in the User specified additional file
types list, then click Remove.
Click Clear to remove all items from the User specified additional file types
list.
2 Under Add File Type, you can add user-specified file type extensions in two
ways:
Type a file type extension in the text box, then click Add.
NOTE
You only need to type the first three letters of the file type
extension. If you type an HTM file extension, the scanner
searches for HTM and HTML files. You can use a wildcard or a
combination of characters with a wildcard.
Click Select to open the Select File Type dialog box. Select one or more file
type extensions from the list, then click OK.
The file type extensions you added appear in the list under Only files of these
types will be scanned.
3 You can remove user-specified file type extensions from the list in two ways:
Select one or more file type extensions in the list under Only files of these
types will be scanned, then click Remove.
Click Clear to remove all items from the list under Only files of these types
will be scanned.
4 Click Set to Default to replace the current list of user-specified file type
extensions with the default list. The default list of file type extensions is
defined by the current DAT file.
5 Click OK to save your changes and return to the Detection tab.
2 Add or edit files, folders, or drives. Windows File Protection is listed by default.
To add an item, click Add to open the Add Exclusion Item dialog box.
To edit an item, double-click the item or select it, then click Edit to open the
Edit Exclusion Item dialog box.
NOTE
The exclusion options are the same whether you are adding an
exclusion item or editing it.
By file type. Specify a file extension by type. Type a file extension in the text
box or click Select to open the Select File Type dialog box, where you can
select one or more extensions from the list. Click OK to save your entries
and close the dialog box.
NOTE
The file extension that you specify can include wildcards.
Valid wildcards are ? for excluding single characters and * for
excluding multiple characters.
4 Under When to exclude, specify when to exclude the items from scanning:
On read. This option is selected by default. Specify that the exclusion items are
excluded from scans when read from disk.
On write. This option is selected by default. Specify that the exclusion items are
excluded from scans when written to disk.
NOTE
The On read and On write options are not available for
on-demand scan tasks.
5 Click OK to save your changes and return to the Set Exclusions dialog box.
6 You can remove user-specified file type extensions from the item list in two
ways:
Select one or more file type extensions in the list, then click Remove.
Click Clear to remove all items from the list.
7 Click OK to save your changes and return to the Detection tab.
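The Detection tab settings, the file type list and the exclusion items combine to decide whether a given file access is scanned. The following is an added example, not VirusScan Enterprise code, that models that decision so an exclusion list can be reviewed for coverage gaps. The default type list, sample paths and class and function names are constructed; exact matching of exclusion patterns and the first-three-letters comparison for type entries are assumptions based on the notes above.

```python
import re
from dataclasses import dataclass

# Constructed stand-in: the real default list is defined by the current DAT file.
SAMPLE_DEFAULT_TYPES = ("EXE", "COM", "DLL", "DOC", "XLS")


@dataclass(frozen=True)
class Exclusion:
    pattern: str            # "By file type" entry; may contain ? and *
    on_read: bool = True    # selected by default per the guide
    on_write: bool = True   # selected by default per the guide


@dataclass(frozen=True)
class DetectionConfig:
    scan_on_write: bool = True      # "When writing to disk"
    scan_on_read: bool = True       # "When reading from disk"
    all_files: bool = True          # False = "Default + additional file types"
    additional_types: tuple = ()    # user-specified additional file types
    exclusions: tuple = ()


def extension_of(path):
    """Upper-cased extension of a Windows or POSIX style path, '' if none."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[1].upper() if "." in name else ""


def wildcard_match(pattern, ext):
    """? matches exactly one character, * matches any run of characters."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c)
        for c in pattern.lstrip(".").upper()
    )
    return re.fullmatch(regex, ext.upper()) is not None


def type_entry_match(entry, ext):
    """Match one entry of the file type list against an extension."""
    entry = entry.lstrip(".").upper()
    if "*" in entry or "?" in entry:
        return wildcard_match(entry, ext)
    # Assumption drawn from the guide's note: only the first three letters
    # are compared, so an HTM entry also covers HTML.
    return ext.upper()[:3] == entry[:3]


def is_scanned(path, operation, cfg):
    """Return (scanned, reason) for one 'read' or 'write' access."""
    if operation not in ("read", "write"):
        raise ValueError("operation must be 'read' or 'write'")
    enabled = cfg.scan_on_read if operation == "read" else cfg.scan_on_write
    if not enabled:
        return False, f"scan on {operation} disabled"
    ext = extension_of(path)
    for ex in cfg.exclusions:
        applies = ex.on_read if operation == "read" else ex.on_write
        if applies and wildcard_match(ex.pattern, ext):
            return False, f"excluded by {ex.pattern} on {operation}"
    if cfg.all_files:
        return True, "all files"
    for entry in SAMPLE_DEFAULT_TYPES + tuple(cfg.additional_types):
        if type_entry_match(entry, ext):
            return True, f"type list entry {entry}"
    return False, "extension not in type list"


def coverage_gaps(paths, cfg):
    """Every (path, operation, reason) that the configuration leaves unscanned."""
    gaps = []
    for path in paths:
        for operation in ("read", "write"):
            scanned, reason = is_scanned(path, operation, cfg)
            if not scanned:
                gaps.append((path, operation, reason))
    return gaps


# Constructed sample paths and configuration.
SAMPLE_PATHS = [
    r"C:\inetpub\index.html",
    r"C:\temp\setup.exe",
    r"C:\data\report.doc",
    r"C:\temp\build.tmp",
    r"C:\data\notes.txt",
]
SAMPLE_CONFIG = DetectionConfig(
    all_files=False,
    additional_types=("HTM",),
    exclusions=(Exclusion("TMP"), Exclusion("DO?", on_write=False)),
)

if __name__ == "__main__":
    for path, operation, reason in coverage_gaps(SAMPLE_PATHS, SAMPLE_CONFIG):
        print(f"NOT SCANNED  {operation:5}  {path}  ({reason})")
```

In the sample configuration, the DO? exclusion with On write cleared leaves report.doc unscanned on read only, and notes.txt is never scanned because its extension is in neither the default nor the additional list.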
Advanced properties
Use the options on the Advanced tab to specify advanced scan options for
heuristics, non-virus program files, and compressed files.
1 Open the On-Access Scan Properties dialog box, then select All Processes in the
left pane.
NOTE
After you select the process icon from the left pane, the steps
you take to set Advanced options are identical for low-risk and
high-risk processes.
5 Under Heuristics, specify whether you want the scanner to evaluate the
probability that an unknown piece of code or a Microsoft Office macro is a
virus. When this feature is enabled, the scanner analyzes the likelihood that the
code is a variant of a known virus. Select any combination of these options:
Find unknown program viruses. This option is selected by default for default
processes and high-risk processes. Treat executable files that have code
resembling a virus as if they were infected. The scanner applies the action
you choose on the Actions tab.
Find unknown macro viruses. This option is selected by default for default
processes and high-risk processes. Treat embedded macros that have code
resembling a virus as if they were infected. The scanner applies the action
you choose on the Actions tab to those files.
NOTE
This option is not the same as Also scan for macro viruses in all
files on the Detection tab, which instructs the scanner to find
all known macro viruses. This option instructs the scanner to
assess the probability that an unknown macro is a virus.
6 Under Non-viruses, specify if you want the scanner to search for non-virus
programs that are potentially unwanted.
WARNING
VirusScan Enterprise does not take any action on potentially
unwanted program files or joke programs that it detects.
Detections are logged in the log file.
If you want to take action on a detected potentially unwanted
program file or joke program, you must take action manually.
For example, if you want to remove a detected joke program,
you must remove it manually.
7 Under Compressed files, specify which types of compressed files you want the
scanner to examine. You have these options:
Scan inside packed executables. This option is selected by default for default
processes and high-risk processes. Examine compressed files that contain
executable files. A packed executable is a file that, when run, extracts itself
into memory only. Packed executable files are never extracted to disk.
Scan inside archives. Examine archive files and their contents. An archive
file is a compressed file that must be extracted prior to accessing the files
within it. Files contained inside archives are scanned when they are written
to disk.
Action properties
Use the options on the Actions tab to specify the primary and secondary actions
you want the scanner to take when it detects a virus.
1 Open the On-Access Scan Properties dialog box, then select All Processes in the
left pane.
NOTE
After you select the process icon from the left pane, the steps
you take to set Actions options are identical for low-risk and
high-risk processes.
5 Under When a virus is found, select the primary action that you want the
scanner to take when a virus is detected.
NOTE
The default primary action is Clean infected files automatically.
Deny access to infected files. Denies all users access to any infected files the
scanner finds. Be sure to enable the Log to file property on the General
Settings, Reports tab, so that you have a record of which files are infected.
NOTE
If the file is written to the local system from an outside source,
for example a CD-ROM or the Internet, the scanner adds a .VIR
extension to the end of the file name. The scanner considers
this type of file action to be a write action.
Move infected files to a folder. The scanner moves infected files to a folder
that is named quarantine by default. You can change the name of the folder
in the Quarantine Folder text box on the General Settings, General tab.
Delete infected files automatically. The scanner deletes infected files as soon
as it detects them. Be sure to enable the Log to file property on the General
Settings, Reports tab, so that you have a record of which files were infected.
If you select this option, you are required to confirm your selection. Click
Yes to confirm your selection, or click No to deselect this option.
WARNING
If you selected Find unknown macro viruses on the Advanced
tab, the action you select here applies to any macro that has
code resembling a virus. If you select Delete infected files
automatically, any file that has code resembling a macro virus
is deleted, and any archive that contains an infected file is
deleted. If that is not your intention, be certain that your
choice of action corresponds with your choice of action for
macros.
6 Under If the above Action fails, select the secondary action that you want the
scanner to take if the first action fails. The available options depend on the
primary action you selected.
NOTE
The default secondary action is Move infected files to a folder.
Click to select the secondary action:
If you select this option, you are required to confirm your selection. Click
Yes to confirm your selection, or click No to deselect this option.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use either of these methods to open the On-Access Scan Statistics dialog box:
Right-click the on-access scan task in the task list and select Statistics.
The On-Access Scan Statistics dialog box shows the Last file scanned in the
upper pane, and a statistical summary in the lower pane.
3 You can perform either of these functions if you have administrator rights and
type the password, as required:
NOTE
The Disable and Properties buttons are hidden if the user
interface is configured to show minimal menu options. This
option is set on the Tools|User Interface Options|Display
Options tab.
Click Properties to open the On-Access Scan Properties dialog box, change
the scan properties you want to modify, then click Apply to save your
changes.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
Highlight the task, then select Activity Log from the Task menu.
Right-click the task in the task list and select View Log.
3 To close the activity log, select Exit from the File menu.
You receive a notification if you have configured Alert Manager and/or the
on-access scanner to notify you when a virus is detected.
See Viewing on-access scan messages on page 82 for more detailed information
about the On-Access Scan Messages dialog box.
The message provides details about the infected file, such as the name and
location of the file, type of virus detected, and the version of scanning engine
and DAT file used to detect the virus.
You may receive more than one notification depending on how you have
configured Alert Manager and the on-access scanner.
NOTE
If you do not have any of the three message options
configured to send a message when a virus is detected, you do
not receive any notification. However, you can always review
the On-Access Scan Messages dialog box to see detected
viruses. See Viewing on-access scan messages on page 82 for
more information.
This dialog box automatically displays when a virus is detected, if you have
configured the on-access scanner to do so.
You can open this dialog box at any time by right-clicking in the system tray
and selecting On-Access Scan Messages.
The On-Access Scan Messages dialog box is separated into several sections:
The File menu provides actions that can be taken on files or messages in the
list.
The View menu provides options for controlling visibility of parts of the
dialog box.
The Options menu gives options for showing all messages and always
keeping the On-Access Scan Messages dialog box on top.
The Help menu provides access to help topics for the VirusScan Enterprise
product, access to the Virus Information, Submit a Sample, and Technical
Support web sites, as well as information about the currently installed
product, license, scanning engine, and DAT files.
Buttons — Displays buttons for actions that are available for the selected
message. If an action is not available for the selected message, the
corresponding button is disabled.
Message List — Lists the messages for viruses detected by the on-access
scanner. The columns in the list area are sortable by clicking on the column
header.
Status bar — Displays the status of the selected message.
Use the On-Access Scan Messages dialog box to take action on viruses detected by
the on-access scanner.
2 Highlight a message in the list, then select an action using one of these
methods:
File menu.
Following are the actions that may be taken on messages in the list:
Clean File — Attempts to clean the file referenced by the selected message.
Move File — Moves the file referenced by the selected message to the
quarantine folder. The location of the quarantine folder is defined on the
General Settings, General tab in the On-Access Scan Properties.
Delete File — Deletes the file referenced by the selected message. The file name
is recorded in the log, so that you can restore it from a backup copy.
Remove Message (CTRL+D) — Removes the selected message from the list.
Messages that have been removed from the list are still visible in the log file.
If an action is not available for the current message, the corresponding icon,
button, and menu items are disabled. For example, Clean File is not available if
the file has already been deleted.
The administrator can use the options on the General Settings, Messages tab in
the On-Access Scan Properties, to configure what actions users without
administrator rights can perform on messages in the list. If an action is
suppressed by the administrator, the button is hidden, and the icon and menu
items are disabled.
In memory process scanning and incremental scanning make virus detection more
efficient than ever.
In memory process scanning checks all active processes prior to running the
on-demand scan. Where infected processes are found, we highlight the
infection and stop the process. This means that only a single pass with the
on-demand scanner is required to remove all instances of a virus.
Incremental, or resumable, scanning allows the scanner to start where it last left
off. You can define a start and stop time for scheduled scans. The on-demand
scanner logically works through each folder and related files. When the time
limit is reached, the scan is stopped. With incremental scanning, the next
scheduled on-demand scan continues from the point in the file and
folder structure where the previous scan stopped.
Product Guide 85
On-Demand Scanning
From the Start menu — Tasks created from the Start menu are one-time,
unsaved tasks, unless you choose to save the task for future use.
From the icon in the system tray — Tasks created from the system tray are
one-time, unsaved tasks, unless you choose to save the task for future use.
From the VirusScan Console — Tasks created from the console are
automatically saved in the task list for future use.
NOTE
If you create on-demand scanning tasks via ePolicy
Orchestrator 3.0 or later, and enable task visibility, you can
also see these on-demand scanning tasks in the VirusScan
Console. These ePolicy Orchestrator tasks are read-only and
cannot be configured from the VirusScan Console. See the
VirusScan Enterprise Configuration Guide for use with ePolicy
Orchestrator 3.0 for more information.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
NOTE
You can identify this as an unsaved on-demand scan task
because the title bar shows (Unsaved Task). Click Save As to
save the task to the console for use again. When you save the
task, the On-Demand Scan Properties title bar changes from
(Unsaved Task) to the task name you specify.
5 To schedule the task, you must first save the task, then click Schedule. You
cannot schedule an unsaved task. See Configuring task schedules on page 222 for
detailed instructions.
6 To run the task, click Scan Now. See Running on-demand tasks on page 107 for
more information.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
Right-click a blank area in the console, without selecting an item in the task
list, then select New Scan Task.
3 Type a new name for your task, then press ENTER to open the On-Demand Scan
Properties dialog box.
Where properties
Detection properties
Advanced properties
Action properties
Report properties
Adding items
Removing items
Editing items
Where properties
Use the options on the Where tab to specify the locations you want to scan for
viruses.
1 Open the On-Demand Scan Properties dialog box for the task you are
configuring.
2 Select the Where tab.
NOTE
By default, the dialog box lists all of the drives on your
computer and all of the subfolders they contain. A scan
operation this inclusive can take a long time. You may want to
narrow this scan for regular use later.
3 Under Item name, specify where you want scanning to take place. All fixed disks
and Memory of running processes are listed by default.
NOTE
If you are creating a new scan task, All Local Drives and
Memory of running processes are listed by default.
Use the Add, Remove, and/or Edit buttons to specify the items to scan. See
Adding, removing, and editing items on page 91 for detailed instructions.
4 Under Scan options, specify additional scanning criteria. Select from these
options:
Include subfolders. This option is selected by default. The scanner examines all
subfolders in the volumes you target for scanning. To scan only the root
level of your chosen volumes, deselect Include subfolders.
Scan boot sector(s). This option is selected by default. The scanner examines
the disk boot sector. It may be appropriate to disable boot sector analysis
when a disk contains a unique or abnormal boot sector that cannot be
subjected to virus scanning.
Adding items
Removing items
Editing items
Adding items
1 Open the On-Demand Scan Properties dialog box for the task you are
configuring.
2 On the Where tab, click Add to open the Add Scan Item dialog box.
3 Click to select a scan item from the list. Choose from these options:
All local drives. Scans all of the drives on your computer and all of the
subfolders they contain.
All removable media. Scans only floppy disks, CD-ROM discs, Iomega
ZIP disks, or similar storage devices physically attached to your
computer.
When you have finished browsing, click OK to return to the Add Scan
Item dialog box.
File. Scan a specific file. Type the path to the file in the Location text
box, or click Browse to open the Select Item To Scan dialog box where
you can locate and select a file.
When you have selected an item, click Open to return to the Add Scan
Item dialog box.
4 Click OK to save your changes and return to the On-Demand Scan Properties
dialog box.
Removing items
1 Open the On-Demand Scan Properties dialog box for the task you are
configuring.
2 On the Where tab, select one or more items that you want to delete in the Item
name list, then click Remove.
Editing items
1 Open the On-Demand Scan Properties dialog box for the task you are
configuring.
2 On the Where tab, select an item in the Item name list, then click Edit to open the
Edit Scan Item dialog box.
3 Click to select a scan item from the Item to scan list. All local drives is selected
by default.
NOTE
The options you have here are the same as the options in
Adding items. See Step 3 on page 92 for a complete list and
description of available options.
Detection properties
Use the options on the Detection tab to specify what types of files you want the
on-demand scanner to examine, and when you want to scan them.
1 Open the On-Demand Scan Properties dialog box for the task you are
configuring.
2 Select the Detection tab.
All files. This option is selected by default. Scan all files regardless of extension.
Default + additional file types. Scan the default list of extensions plus any
additions you specify. The default list of file type extensions is defined by
the current DAT file. You can add or remove user-specified file type
extensions, but you cannot delete any file type extensions from the default
list. You can, however, exclude extensions that appear in the default list.
See Excluding files, folders, and drives on page 70 for more information.
Also scan for macro viruses in all files. Scan all files, regardless of
extension, for macro viruses. This option is only available when the
Default + additional file types option is selected.
NOTE
Scanning for macro viruses in all files could affect
performance.
4 Under What not to scan, click Exclusions to specify the files, folders, and drives
to exclude from scanning. See Excluding files, folders, and drives on page 70 for
detailed instructions.
5 Under Compressed files, specify which types of compressed files you want the
scanner to examine. You have these options:
Scan inside packed executables. This option is selected by default. Examine
compressed files that contain executable files. A packed executable is a file
that, when run, extracts itself into memory only. Packed executable files
are never extracted to disk.
Scan inside archives. Examine archive files and their contents. An archive
file is a compressed file that must be extracted prior to accessing the files
within it. Files contained inside archives are scanned when they are written
to disk.
Advanced properties
Use the options on the Advanced tab to specify advanced scanning properties, such
as scanning for unknown program viruses and potentially unwanted programs,
setting the CPU utilization level, and miscellaneous options.
1 Open the On-Demand Scan Properties dialog box for the task you are
configuring.
3 Under Heuristics, specify whether you want the scanner to evaluate the
probability that an unknown piece of code or a Microsoft Office macro is a
virus. When this feature is enabled, the scanner analyzes the likelihood that it
is a variant of a known virus. Select any combination of these options:
4 Under Non-viruses, specify whether you want the scanner to find non-virus
programs that are potentially unwanted.
WARNING
VirusScan Enterprise does not take any action on potentially
unwanted program files or joke programs that it detects.
Detections are logged in the log file.
If you want to take action on a detected potentially unwanted
program file or joke program, you must take action manually.
For example, if you want to remove a detected joke program,
you must remove it manually.
5 Under CPU utilization, use the slider to set the utilization level for the scan task
in relation to the other tasks running on your computer. 100% is selected by
default. This ensures that other running software does not slow down during a
scan operation, but the scan takes longer. Set the scan task to a lower scanning
level if you plan to run it at a time when the CPU is in heavy use with other
essential operations.
NOTE
The CPU limitation you specify does not work when scanning
encrypted files. The decryption is done by LSASS.EXE, not by
the SCAN32 process. Scanning encrypted files is CPU intensive,
therefore even if the CPU limit on the scanning thread is low, it
is still scanning files fast enough that LSASS.EXE must keep
busy to supply the decrypted data.
Scan files that have been migrated to storage. Scan files that have been
moved to offline storage.
NOTE
If you are using Remote Storage to extend disk space on your
server, the on-demand scanner can scan the cached files.
Remote Storage data storage is hierarchical, with two defined
levels. The upper level, called local storage, includes the NTFS
disk volumes of the computer running Remote Storage on
Windows 2000 Server. The lower level, called remote storage,
is located on the robotic tape library or stand-alone tape drive
that is connected to the server computer.
Rescan all files when DAT files are updated. Re-examine all files when new
DAT files are installed or updated. This is best used for scheduled,
resumable scans. Using this feature reduces the risk of infection by
re-examining files for new viruses.
Scan window. Normal is selected by default. Click to specify how you want
the scan window to appear during on-demand scans. The options are:
Normal
Minimized
Hidden
NOTE
Although the scan window can be configured to be normal,
minimized, or hidden, the scheduled and remote task
windows are always hidden regardless of the configured
mode.
Action properties
Use the options on the Actions tab to specify the primary and secondary actions
you want the scanner to take when it detects a virus.
1 Open the On-Demand Scan Properties dialog box for the task you are
configuring.
3 Under When a virus is found, select the primary action you want the scanner to
take when a virus is detected.
NOTE
The default primary action is Clean infected files.
Prompt for action. Prompt the user for action when a virus is detected.
If you select this option, you can also select what actions are allowed in
addition to Stop and Continue. The additional choices are:
NOTE
The quarantine folder should not be located on a floppy drive
or CD drive. It must be located on a hard drive.
Clean infected files. This option is selected by default. The scanner tries to
remove the virus from the infected file. If the scanner cannot, or if the virus
has damaged the file beyond repair, the scanner performs the secondary
action. See Step 4 for more information.
Delete infected files. The scanner deletes infected files as soon as it detects
them. Be sure to enable Log to file on the Reports tab, so that you have a
record of which files are infected.
If you select this option, you are required to confirm your selection. Click
Yes to confirm your selection, or click No to deselect this option.
WARNING
If you selected Find unknown macro viruses on the Advanced
tab, the action you select here applies to any macro that has
code resembling a virus. If you select Delete infected files, any
file that has code resembling a macro virus is deleted, and any
archive that contains an infected file is deleted. If that is not
your intention, be certain that your choice of action
corresponds with your choice of action for macros.
4 Under If the above Action fails, select the secondary action you want the
scanner to take if the first action fails.
NOTE
The default secondary action is Move infected files to a folder.
Prompt for action. If you select this option, you can also select what actions
are allowed in addition to Stop and Continue. The additional choices are:
Move infected files to a folder. This option is selected by default. The scanner
moves infected files to a quarantine folder. You can accept the default
location of the folder in the Folder text box, or click Browse to navigate to
the location where the folder is located.
The default location and name for the quarantine folder is:
<drive>:\quarantine
NOTE
The quarantine folder should not be located on a floppy drive
or CD drive. It must be located on a hard drive.
Delete infected files. The scanner deletes infected files as soon as it detects
them. Be sure to enable Log to file on the Reports tab, so that you have a
record of which files are infected.
5 Click Apply to save your changes.
Report properties
Use the options on the Reports tab to configure logging activity. Specify the log file
location and size, and what information to capture for each log entry.
NOTE
The log file can serve as an important management tool for
tracking virus activity on your network and to note which
settings you used to detect and respond to any virus that the
scanner found. The incident reports recorded in the file can
help you determine which files you need to replace from
backup copies, examine in quarantine, or delete from your
computer. See Viewing the activity log on page 111 for more
information.
In the text box, accept the default log file name and location, type a
different log file name and location, or click Browse to locate a suitable file
elsewhere on your computer or network.
NOTE
By default, the scanner writes log information to the
ONDEMANDSCANLOG.TXT file in this folder:
<drive>:Winnt\Profiles\All Users\Application
Data\Network Associates\VirusScan.
Limit size of log file to. This option is selected by default. The default log file size
is 1MB. Accept the default log size or set a different size for the log. If you
select this option, type a value between 1MB and 999MB.
NOTE
If the data in the log file exceeds the file size you set, the oldest
20 percent of the log file entries are deleted and new data is
appended to the file.
4 Under What to log in addition to virus activity, select the additional information
to record in the log file:
Session settings. Record the properties that you chose for each scanning
session in the log file.
Session summary. This option is selected by default. Summarize the scanner’s
actions during each scanning session and add the information to the log
file. Summary information includes the number of files scanned, the
number and type of viruses detected, the number of files moved, cleaned,
or deleted, and other information.
Failure to scan encrypted files. This option is selected by default. Record the
name of encrypted files that the scanner failed to scan in the log file.
User name. This option is selected by default. Record the name of the user
logged on to the computer at the time the scanner records each log entry in
the log file.
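The size limit note above means that old entries, including detections, are eventually deleted from the log. The following is an added model, not VirusScan Enterprise code, that replays a stream of log lines through that trimming rule to show which detection records are lost at a given limit. The line format is constructed and is not the ONDEMANDSCANLOG.TXT format; trimming by entry count, rounding up, and CRLF line endings are assumptions.

```python
TRIM_PERCENT = 20          # from the guide: the oldest 20 percent is deleted
LINE_ENDING_BYTES = 2      # assumption: CRLF-terminated text lines


class BoundedLog:
    """Model of a size-capped text log, oldest entry first."""

    def __init__(self, limit_bytes):
        self.limit_bytes = limit_bytes
        self.entries = []
        self.size = 0
        self.dropped = 0

    @staticmethod
    def _cost(line):
        return len(line.encode("utf-8")) + LINE_ENDING_BYTES

    def append(self, line):
        """Trim the oldest 20 percent while the new line would not fit, then append."""
        while self.entries and self.size + self._cost(line) > self.limit_bytes:
            # Integer ceiling of 20 percent of the current entry count.
            count = max(1, (len(self.entries) * TRIM_PERCENT + 99) // 100)
            self.size -= sum(self._cost(old) for old in self.entries[:count])
            del self.entries[:count]
            self.dropped += count
        self.entries.append(line)
        self.size += self._cost(line)


def replay(lines, limit_bytes):
    """Write every line through a BoundedLog and return the final state."""
    log = BoundedLog(limit_bytes)
    for line in lines:
        log.append(line)
    return log


def lost_detections(lines, limit_bytes, marker="DETECTED"):
    """Detection lines that were written but are no longer in the log."""
    surviving = set(replay(lines, limit_bytes).entries)
    return [line for line in lines if marker in line and line not in surviving]


def minimum_limit_to_keep_all(lines):
    """Smallest limit, in bytes, at which no line of this stream is trimmed."""
    return sum(BoundedLog._cost(line) for line in lines)


def make_sample_lines(total=25, detection_at=3):
    """Constructed log stream: fixed 98-character lines, one detection entry."""
    lines = []
    for i in range(total):
        if i == detection_at:
            text = f"{i:04d} DETECTED C:\\temp\\sample.bin (constructed entry)"
        else:
            text = f"{i:04d} SCANNED  C:\\data\\file{i:04d}.dat"
        lines.append(text.ljust(98))
    return lines


if __name__ == "__main__":
    sample = make_sample_lines()
    for limit in (1000, 2500):
        log = replay(sample, limit)
        lost = lost_detections(sample, limit)
        print(f"limit={limit}: kept={len(log.entries)} dropped={log.dropped} "
              f"lost detections={len(lost)}")
```

With the constructed stream, a 1000-byte limit drops the detection written as the fourth entry, while a limit of 2500 bytes keeps every line.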
If you do not want to reset the defaults or save the current settings as the default,
skip these steps.
1 Open the On-Demand Scan Properties dialog box for the task you are
configuring.
2 Click Schedule. See Scheduling Tasks on page 221 for detailed instructions about
how to schedule a task.
Scanning operations
You can run scheduled on-demand tasks unattended, start immediate scan tasks,
and pause, stop, and restart tasks during the scanning operation.
NOTE
The on-demand scanner does not scan its own quarantine
folder during scanning operations. The on-demand scanner is
designed to exclude the quarantine folder during scanning
operations to avoid repeat scanning or scanning loops.
Resumable scanning
Scan as scheduled. If you scheduled the scan, allow the task to run unattended.
NOTE
For the scanner to run your task, your computer must be
active. If your computer is down when the task is scheduled
to start, the task starts at the next scheduled time if the
computer is active, or when the computer starts if you selected
the Run missed task option on the Schedule Settings, Schedule
tab.
NOTE
The scanner always exits after completing scheduled tasks
that are launched by the Scheduler and remote tasks that are
run on a remote computer.
Scan immediately. You can start on-demand scan tasks immediately using
several methods:
Create an on-demand scan task from the system tray or Start menu, then
from the On-Demand Scan Properties dialog box, click Scan Now.
From the VirusScan Console, right-click an on-demand scan task and select
Start.
From Windows Explorer, right-click a file, folder, drive, or other item, then
select Scan for viruses.
The On-Demand Scan dialog box appears.
NOTE
The scanner does not exit automatically upon completion of
the scan for these types of immediate scans. To exit the
scanner, select Exit from the Scan menu.
Resumable scanning
The on-demand scanner automatically resumes scanning where it left off if the
scan is interrupted before it completes. The incremental scan feature of the
on-demand scanner recognizes the last file it scanned, so the next time the scan
starts, you have the option of starting the scan from where it left off, or starting the
scan from the beginning.
1 Open the VirusScan Console, right-click the on-demand task in the task list,
and select Statistics.
The On-Demand Scan Statistics dialog box shows each of the scan targets you
have chosen for this task in an upper pane, progress of the scan in the center
pane, and a statistical summary in the lower pane.
If your scan task is still in progress, the center pane shows the file that the
scanner is currently examining, and the status of the scan operation.
NOTE
If the task is run again, the statistics shown here are only for
the last scan.
2 Click Properties to open the On-Demand Scan Properties dialog box, change the
scan properties you want to modify, then click Apply to save your changes.
The scan runs with your new settings when the next on-demand scan starts. If
an on-demand scan is in process when you change the scan properties, the new
settings do not take effect until the next on-demand scan starts.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use either of these methods to open the activity log file:
Highlight the task, then select Activity Log from the Task menu.
Right-click the task in the task list and select View Log.
3 To close the activity log, select Exit from the File menu.
When a virus is detected, you receive a notification if you have configured Alert
Manager and/or the on-demand scanner to notify you when a virus is detected.
See Taking action on virus detections on page 113 for more information about the
VirusScan Alert dialog box.
The message provides details about the infected file, such as name of the file,
location of the file, type of virus detected, and version of scanning engine and
DAT file used to detect the virus. View the message details, then click OK to
dismiss the message.
On-Demand Scan Progress dialog box — The On-Demand Scan Progress dialog
box displays while the on-demand scanner is performing a task. If any
infections are found, they appear in the lower pane of the dialog box. See
On-Demand Scan Progress dialog box on page 114 for more information.
You may receive more than one notification depending on how you have
configured Alert Manager and the on-demand scanner.
NOTE
If you have not configured the on-demand scanner or Alert
Manager to send notification, you do not receive a VirusScan
Alert or network message. However, you can always see
detected viruses in the On-Demand Scan Progress dialog box,
during the scan operation.
Use either the VirusScan Alert dialog box or the On-Demand Scan Progress dialog
box to take action on the detected virus, depending on how you were notified of
virus detection.
If you were notified with a VirusScan Alert, take action on the detected virus
from that dialog box.
If you saw the virus detection in the On-Demand Scan Progress dialog box, take
action on the detected virus from there.
If the file cannot be cleaned, either because it has no cleaner or because the
virus has damaged the file beyond repair, an entry is recorded in the log file.
Alternative responses may be suggested. For example, if a file cannot be
cleaned, you should delete the file and restore it from a backup copy.
Delete — Deletes the file referenced by the selected message. The file name is
recorded in the log, so that you can restore it from a backup copy.
Move File to — Moves the file referenced by the selected message to the folder
you select from the dialog box.
Use the on-demand e-mail scanner to supplement the protection that the
on-delivery e-mail scanner provides. For example, if you have had Microsoft
Outlook closed or you are installing the VirusScan Enterprise product for the
first time, we recommend running an on-demand e-mail scan first.
The following topics are addressed in this section:
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
If you are configuring the E-mail Scan for a local host, skip Step 2 and go to
Configuring the on-delivery e-mail scan properties on page 117.
Detection properties
Advanced properties
Action properties
Alert properties
Report properties
Detection properties
Use the options on the Detection tab to specify which attachments and file type
extensions you want to scan.
1 Open the On-Delivery Scan Properties dialog box using one of these methods:
All file types. This option is selected by default. Scan all attachments regardless
of extension.
Default + additional file types. Scan the default list of extensions plus any
additions you specify. The default list of file type extensions is defined by
the current DAT file. You can add or remove user-specified file type
extensions, but you cannot delete any file type extensions from the default
list.
NOTE
Excluding file types is not supported for e-mail scanning.
Advanced properties
Use the options on the Advanced tab to specify advanced scanning properties, such
as scanning for unknown program viruses, potentially unwanted programs,
compressed files, and e-mail message bodies.
1 Open the On-Delivery Scan Properties dialog box using one of these methods:
3 Under Heuristics, specify whether you want the scanner to evaluate the
probability that an unknown piece of code or a Microsoft Office macro is a
virus. When this feature is enabled, the scanner analyzes the likelihood that it
is a variant of a known virus. Select any combination of these options:
When you select this option, the E-mail Scan Warning dialog box appears.
4 Under Non-viruses, specify whether you want the scanner to find non-virus
programs that are potentially unwanted.
Find potentially unwanted programs. Detect programs that are potentially
unwanted.
WARNING
VirusScan Enterprise does not take any action on potentially
unwanted program files or joke programs that it detects.
Detections are logged in the log file.
5 Under Compressed files, specify which types of compressed files you want the
scanner to examine. You have these options:
Scan inside archives. This option is selected by default. Examine archive files
and their contents. An archive file is a compressed file that must be
extracted prior to accessing the files within it. Files contained inside
archives are scanned when they are written to disk.
Action properties
Use the options on the Actions tab to specify the primary and secondary actions
you want the scanner to take when it detects a virus.
1 Open the On-Delivery Scan Properties dialog box using one of these methods:
3 Under When infected attachments found, select the primary action that you
want the scanner to take when a virus is detected.
NOTE
The default primary action is Clean infected attachments.
Prompt for action. Prompt the user for action when a virus is detected.
If you select this option, you can also select what actions are allowed in
addition to stop and continue. The additional choices are:
Clean infected attachments. This option is selected by default. The scanner tries
to remove the virus from the infected attachment. If the scanner cannot
remove a virus from an infected attachment, or if the virus has damaged
the attachment beyond repair, the scanner performs the secondary action.
If you select this option, you are required to confirm your selection. Click
Yes to confirm your selection, or click No to deselect this option.
4 Under If the above Action fails, select the secondary action that you want the
scanner to take if the first action fails.
NOTE
The default secondary action is Move infected attachments to a
folder.
Prompt for action. Prompt the user for action when a virus is detected.
If you select this option, you can also select what actions are allowed in
addition to stop and continue. The additional choices are:
If you select this option, you are required to confirm your selection. Click
Yes to confirm your selection, or click No to deselect this option.
Alert properties
Use the options on the Alerts tab to configure how to warn users that an infected
e-mail message or attachment has been detected.
1 Open the On-Delivery Scan Properties dialog box using one of these methods:
3 Under E-mail alert, specify how you want to notify the mail sender and another
user when an infected mail message is detected. You have these options:
Return reply mail to sender. Send a return reply to the sender.
If you select this option, click Configure to open the Return Mail
Configuration dialog box.
If you select this option, click Configure to open the Send Mail
Configuration dialog box.
5 Under If Prompt for Action is selected, specify how you want to notify users
when an infected e-mail is detected. You have these options:
Display custom message. This option is selected by default. Notify the user
with a custom message. If you select this option, you can type the custom
message in the text box.
Sound audible alert. This option is selected by default. Notify the user with an
audible alert.
6 Click Apply to save your changes.
Report properties
Use the options on the Reports tab to configure logging activity. Specify the log file
location and size, and what information you want to capture for each log entry.
NOTE
The log file can serve as an important management tool for
tracking virus activity on your network and to note which
settings you used to detect and respond to any virus that the
scanner found. The incident reports recorded in the file can
help you determine which files you need to replace from
backup copies, examine in quarantine, or delete from your
computer. See Viewing the on-delivery e-mail activity log on
page 132 for more information.
1 Open the On-Delivery Scan Properties dialog box using one of these methods:
<drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan
Limit size of log file to. This option is selected by default. The default log file size
is 1MB. Accept the default log size or set a different size for the log. If you
select this option, type a value between 1MB and 999MB.
NOTE
If the data in the log file exceeds the file size you set, the oldest
20 percent of the log file entries are deleted and new data is
appended to the file.
4 Under What to log, select the additional information that you want to record in
the log file:
Session settings. Record the properties that you chose for each scanning
session in the log file.
Session summary. This option is selected by default. Summarize the scanner’s
actions during each scanning session and add the information to the log
file. Summary information includes the number of files scanned, the
number and type of viruses detected, the number of files moved, cleaned,
or deleted, and other information.
Date and time. This option is selected by default. Record the date and time
when a virus is detected.
User name. This option is selected by default. Record in the log file the name
of the user logged on to e-mail at the time the scanner records each log
entry.
Failure to scan encrypted files. This option is selected by default. Record in
the log file the names of encrypted files that the scanner failed to scan.
2 Use either of these methods to open the On-Delivery E-mail Scan Statistics
dialog box:
Highlight the e-mail scan task in the task list, then select Statistics from the
Task menu.
Right-click the e-mail scan task in the task list and select Statistics.
The On-Delivery E-mail Scan Statistics dialog box shows the Last attachment
scanned in the upper pane, and a statistical summary in the lower pane.
If your scan is still in progress, it shows the file that the scanner is currently
examining, and the status of the scan operation.
3 You can perform either of these functions if you have administrator rights and
type the password, as required:
Click Properties to open the On-Delivery E-mail Scan Properties dialog box,
change the scan properties you want to modify, then click Apply to save
your changes.
Highlight the e-mail scan task, then select Activity Log from the Task menu.
Right-click the e-mail scan task in the task list and select View Log.
3 To close the activity log, select Exit from the File menu.
Detection properties
Advanced properties
Action properties
Alert properties
Report properties
Detection properties
Use the options on the Detection tab to specify which attachments and file type
extensions you want to scan.
2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog
box:
4 Under Messages to scan, specify what messages you want to scan. You have
these options:
All highlighted item(s). This option is selected by default. Scan selected e-mail
messages or folders.
All messages in the Inbox folder. Scan all messages currently in the Inbox
folder and its subfolders.
Scan unread messages only. Scan only unread messages in the Inbox
folder and its subfolders. If you did not select All messages in the Inbox
folder, this option is disabled.
5 Under Attachments to scan, specify what files, folders, or drives you want
to scan. You have these options:
All file types. This option is selected by default. Scan all attachments regardless
of extension.
Default + additional file types. Scan the default list of extensions plus any
additions you specify. The default list of file type extensions is defined by
the current DAT file. You can add or remove user-specified file type
extensions, but you cannot delete any file type extensions from the default
list.
NOTE
Excluding file types is not supported for e-mail scanning.
6 Click Apply to save your changes.
Advanced properties
Use the options on the Advanced tab to specify advanced scanning properties, such
as scanning for unknown program viruses, potentially unwanted programs,
compressed files, and e-mail message bodies.
2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog
box:
Select E-mail Scan Properties from the Tools menu.
Click in the Outlook toolbar.
NOTE
If the icon is not visible in the Outlook toolbar, click on the
right side of the standard toolbar, then select the icon.
4 Under Heuristics, specify whether you want the scanner to evaluate the
probability that an unknown piece of code or a Microsoft Office macro is a
virus. When this feature is enabled, the scanner analyzes the likelihood that it
is a variant of a known virus. You have these options:
When you select this option, the E-mail Scan Warning dialog box appears:
5 Under Non-viruses, specify whether you want the scanner to find non-virus
programs that are potentially unwanted.
WARNING
VirusScan Enterprise does not take action on potentially
unwanted program files or joke programs. Detections are
logged in the log file.
6 Under Compressed files, specify which types of compressed files you want the
scanner to examine. You have these options:
Scan inside packed executables. This option is selected by default. Examine
compressed files that contain executable files. A packed executable is a file
that, when run, extracts itself into memory only. Packed executable files
are never extracted to disk.
Scan inside archives. This option is selected by default. Examine archive files
and their contents. An archive file is a compressed file that must be
extracted prior to accessing the files within it. Files contained inside
archives are scanned when they are written to disk.
Action properties
Use the options on the Actions tab to specify the primary and secondary actions
you want the scanner to take when it detects a virus.
2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog
box:
4 Under When infected attachments found, select the primary action that you
want the scanner to take when a virus is detected.
NOTE
The default primary action is Clean infected attachments.
Prompt for action. Prompt the user for action when a virus is detected.
If you select this option, you can also select what actions are allowed in
addition to stop and continue. The additional choices are:
Clean infected attachments. This option is selected by default. The scanner tries
to remove the virus from the infected attachment. If the scanner cannot
remove a virus from an infected attachment, or if the virus has damaged
the attachment beyond repair, the scanner performs the secondary action.
If you select this option, you are required to confirm your selection. Click
Yes to confirm your selection, or click No to deselect this option.
5 Under If the above Action fails, select the secondary action that you want the
scanner to take if the first action fails.
NOTE
The default secondary action is Move infected attachments to a
folder.
Prompt for action. Prompt the user for action when a virus is detected.
If you select this option, you can also select what actions are allowed in
addition to stop and continue. The additional choices are:
Alert properties
Use the options on the Alerts tab to configure how to warn users that an infected
e-mail message or attachment has been detected.
2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog
box:
4 Under E-mail alert, specify how you want to notify the mail sender and another
user when an infected mail message is detected. You have these options:
Return reply mail to sender. Send a return reply to the sender.
If you select this option, click Configure to open the Return Mail
Configuration dialog box.
If you select this option, click Configure to open the Send Mail
Configuration dialog box.
5 Under If Prompt for Action is selected, specify how you want to notify users
when an infected e-mail is detected. You have these options:
Display custom message. Notify the user with a custom message. If you
select this option, you can type the custom message in the text box.
Sound audible alert. Notify the user with an audible alert.
Report properties
Use the options on the Reports tab to configure logging activity. Specify the log file
location and size, and what information you want to capture for each log entry.
NOTE
The log file can serve as an important management tool for
tracking virus activity in e-mail and to record which settings
you used to detect and respond to any virus that the scanner
found. You can open the log file from your text editor for later
review. The incident reports recorded in the file can help you
determine which files you need to replace from backup
copies, examine in quarantine, or delete from your computer.
1 Start Microsoft Outlook.
2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog
box:
<drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan.
Limit size of log file to. This option is selected by default. The default log file size
is 1MB. Accept the default log size or set a different size for the log. If you
select this option, type a value between 1MB and 999MB.
NOTE
If the data in the log file exceeds the file size you set, the oldest
20 percent of the log file entries are deleted and new data is
appended to the file.
5 Under What to log in addition to virus activity, select the additional information
that you want to record in the log file:
Session settings. Record the properties that you chose for each scanning
session in the log file.
Session summary. This option is selected by default. Summarize the scanner’s
actions during each scanning session and add the information to the log
file. Summary information includes the number of files scanned, the
number and type of viruses detected, the number of files moved, cleaned,
or deleted, and other information.
Date and time. This option is selected by default. Record the date and time
when a virus is detected.
User name. This option is selected by default. Record in the log file the name
of the user logged on to the computer at the time the scanner records each
log entry.
Failure to scan encrypted files. This option is selected by default. Record in
the log file the names of encrypted files that the scanner failed to scan.
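The size-limit notes in the on-delivery and on-demand Report properties both say that the oldest 20 percent of entries are deleted once the log exceeds its limit. The following Python model is an added illustration, not code from VirusScan Enterprise, showing which entries that rule discards so they can be archived before they are lost. It assumes one entry per line, trimming by entry count, and trimming triggered when an append would exceed the limit; the function names and sample entries are constructed.

```python
"""Model of the 'Limit size of log file to' trimming rule (illustrative only)."""


def entry_size(line):
    # Assumption: one log entry per line, UTF-8 text plus a CRLF terminator.
    return len(line.encode("utf-8")) + 2


def append_with_cap(entries, new_entry, max_bytes):
    """Append new_entry to entries (oldest first), trimming if the cap is hit.

    Returns the entries that were trimmed, so a caller can archive them
    before they are gone from the live log.
    """
    trimmed = []
    size = sum(entry_size(e) for e in entries)
    while entries and size + entry_size(new_entry) > max_bytes:
        # Oldest 20 percent of the entries, rounded up, at least one entry.
        cut = max(1, (len(entries) * 20 + 99) // 100)
        trimmed.extend(entries[:cut])
        del entries[:cut]
        size = sum(entry_size(e) for e in entries)
    entries.append(new_entry)
    return trimmed


def replay(lines, max_bytes):
    """Feed lines through the cap; return (surviving log, entries lost)."""
    log, lost = [], []
    for line in lines:
        lost.extend(append_with_cap(log, line, max_bytes))
    return log, lost


# Constructed sample: 25 entries of exactly 100 bytes each (98 characters plus
# CRLF) against a 1000-byte cap. The product's range is 1MB to 999MB; the small
# cap only keeps the effect visible.
SAMPLE = ["entry-{:02d}".format(i).ljust(98, ".") for i in range(25)]

if __name__ == "__main__":
    log, lost = replay(SAMPLE, 1000)
    print("surviving:", log[0][:8], "to", log[-1][:8])
    print("lost:", len(lost), "entries, oldest first")
```

Under this model the earliest detections are the first evidence to disappear, so copy or forward the log on a schedule shorter than the time it takes to fill.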
2 Use one of these methods to start an on-demand e-mail scan from Microsoft
Outlook:
3 Close the dialog box when the on-demand e-mail scan completes.
3 To close the activity log, select Exit from the File menu.
Alert Manager handles alerts and events generated by your anti-virus software in
real time. In a typical configuration, Alert Manager resides on a central server and
listens for alerts sent to it by client or server anti-virus software applications on the
network. This client software can be workstation or server applications. Alert
Manager allows you to configure two basic aspects of alerting:
See the Alert Manager Product Guide for more detailed information.
The following topics are addressed in this section:
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
3 Under Which components will generate alerts, select the components that you
want to communicate with Alert Manager. Choose any combination of these
options:
On-Access Scan. This option is selected by default.
4 Under Alert Manager destination selection, click Destination to open the Alert
Manager Client Configuration dialog box.
You can disable or enable the alerting feature, determine which method of
alerting to use when an event occurs, and specify which server receives alerts.
a Under Alerting Options, specify the alerting method that meets your needs:
Under Destination for Alerts, type the location for the Alert Manager
Server to receive alerts, or click Browse to navigate to the location.
Click OK to save your changes and return to the Alert Manager Client
Configuration dialog box.
Under Destination for Alerts, type the location for the Central Alerting
Shared Directory, or click Browse to navigate to the location.
Click OK to save your changes and return to the Alert Manager Client
Configuration dialog box.
b Click OK to save your changes and return to the Alert Properties dialog box.
d When you have finished configuring Alert Manager Properties and Alert
Manager Messages, click OK to close the Alert Properties dialog box.
NOTE
The buttons are disabled if Alert Manager is not installed.
The Alert Manager Properties dialog box allows you to configure the recipients of
alert messages sent out by Alert Manager, and also the method by which those
recipients receive the alert messages. Recipients can be e-mail addresses or
computers on your network. The methods by which recipients receive alert
notifications can include e-mail messages or network pop-up messages.
1 Click the appropriate tab for a given alert method, such as Logging.
2 Configure the recipients that receive alert notifications using that alert method.
3 Click other tabs to configure recipients for any additional alert methods as
required.
4 When finished, click OK to save the configurations and close the Alert Manager
Properties dialog box.
For details on configuring specific alert methods and the recipients to which Alert
Manager sends alert messages via those methods, refer to the sections of this
Product Guide:
Sending a network message to a terminal server on page 177. This method is only
available if terminal services are running on the computer where Alert
Manager is installed.
Any destination printer or computer that you have targeted exists on your
network.
This is useful for filtering alert notifications. For example, you may want to record
alert messages of all priority levels to a computer’s event log using the Logging tab
of the Alert Manager Properties dialog box (see Logging alert notifications in a
computer’s event log on page 175). However, you may want Alert Manager to send
only serious alert notifications to a network administrator’s pager via e-mail. To do
this, set separate priority thresholds for your logging and e-mail recipients.
1 On the Properties dialog box for an alert method, click the Priority Level button.
See Figure 6-13 on page 165 for an example.
2 In the Priority Level dialog box, drag the slider right or left to set the priority
level.
Drag the slider to the right to send the recipient fewer, higher priority messages. Drag
the slider to the left to send the recipient more alert messages, including lower
priority messages.
Click next to each listed alert method to display the recipient computers,
printers, or e-mail addresses. To remove an alert notification recipient, select it,
then click Remove. To change the configuration options for a listed recipient, select
it, then click Properties to open the Properties dialog box for that alert method.
The following sections describe the options available for each method.
To do this, configure the local Alert Manager to forward alerts to the computer
where the second Alert Manager is installed. You then need to configure the
second Alert Manager to distribute alert notifications as desired. See Configuring
alert forwarding options on page 162 for instructions.
1 From the Alert Manager Properties dialog box, click the Forward tab.
The Forward page appears with a list of all of the computers you have chosen
to receive forwarded messages. If you have not yet chosen a destination
computer, this list is blank.
To add a computer, click Add to open the Forward Properties dialog box,
then type the name of the computer that receives forwarded messages in
the text box. You can type the computer name in Universal Naming
Convention (UNC) notation, or click Browse to locate the computer on the
network.
3 Click Priority Level to specify which types of alert messages the destination
computer receives. See Setting the alert priority level for recipients on page 157.
4 Click Test to send the destination computer a test message. See Sending a test
message on page 156.
It is not necessary for the recipient computers to have Alert Manager installed.
However, you might need to have the appropriate messaging client software for
your operating system running on the recipient computer. This messaging
software is always pre-installed on newer versions of the Windows operating
system, such as Windows NT, Windows 2000, and Windows XP. This service is
usually running by default.
2 Click the Network Message tab. The Network Message page appears with a list
of the computers that you have configured to receive a network message. If
you have not yet chosen a recipient computer, this list is blank.
To remove a listed computer, select one of the recipient names listed, then
click Remove.
4 Click Priority Level to specify which types of alert messages the recipient
receives. See Setting the alert priority level for recipients on page 157.
5 Click Test to send the recipient a test message. See Sending a test message on
page 156.
The E-Mail page appears with a list of the e-mail addresses that you have
chosen to receive alert messages. If you have not yet chosen an e-mail address,
this list is blank.
To add an e-mail address to the list, click Add to open the E-Mail Properties
dialog box. Type the e-mail address for your alert notification recipient in
the Address text box, type a subject in the Subject text box, then type your
e-mail address in the From text box. Use the standard Internet address
format <user name>@<domain>, such as administrator_1@mail.com.
To remove a listed address, select one of the e-mail addresses listed, then
click Remove.
4 Click Mail Settings to specify the network server you use to send Internet mail
via SMTP.
NOTE
You must click Mail Settings and specify an SMTP server to be
able to send e-mail alert notifications. Do not skip this step.
Also, after configuring your SMTP mail settings the first time,
you are not required to configure them again unless your
SMTP mail server information changes.
a In the dialog box that appears, type the mail Server. You can type the server
name as an Internet Protocol (IP) address, as a name your local domain
name server can recognize, or in Universal Naming Convention (UNC)
notation.
b If your SMTP server requires it, type a Login name to use for the mail
server.
NOTE
Only type a login name in the Login field if your SMTP mail
server is configured to use a login. Check your SMTP
configuration to see if this is required. Typing a login name
here when your mail server is not configured to use it may
cause problems with e-mail alerting.
5 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 157.
6 Click Test to send the recipient computer a test message. See Sending a test
message on page 156.
7 If the test message is successful, click OK to return to the Alert Manager
Properties dialog box.
You have two options for managing long messages in e-mail alert notifications:
This is particularly valuable if Alert Manager sends alerts to pagers via e-mail.
Some pager services have a short message length limit, for example 200
characters. If a message is intended to be delivered to a pager via an e-mail
address, appending an asterisk (*) to the address lets you, instead of the
pager company, control where the message is truncated.
You can also edit the message text in the Alert Manager Messages dialog box to
make sure important message content is preserved in truncated messages. To
do this, you could either abbreviate some parts of the message or move critical
information to the beginning of the message, perhaps leaving long file names
for the end of the message.
The Printer page appears with a list of all of the printer queues that you have
chosen to receive alert messages. If you have not yet chosen a printer queue,
this list is blank.
To add a print queue to the list, click Add to open the Printer Properties
dialog box, then type the name of the print queue to which you want to
send messages. You can type the print queue name or you can click Browse
to locate the printer on the network.
To remove a listed print queue, select one of the printers listed, then click
Remove.
To change configuration options, select one of the printers listed, then click
Properties. Alert Manager opens the Printer Properties dialog box. Change
the information in the Printer text box as necessary.
4 Click Priority Level to specify which types of alert notifications the recipient
printer receives. See Setting the alert priority level for recipients on page 157.
5 Click Test to send the recipient printer a test message. See Sending a test message
on page 156.
5 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 157.
6 Click Test to send the recipient computer a test message via SNMP. See Sending
a test message on page 156.
7 Click OK to save your changes and return to the Alert Manager Properties dialog
box.
4 Type the path and file name of the executable program that you want to run
when your anti-virus software finds a virus, or click Browse to locate the
program file on your computer or network.
5 Select one of the following:
To start the program only when your anti-virus software first finds a
specific virus, click First Time.
To start the program each time the scanner finds a virus, click Every Time.
NOTE
If you select First Time, the program you designate starts as
soon as the scanner initially encounters a specific virus, for
example VirusOne. If the scanner finds more than one
occurrence of VirusOne in the same folder, it does not start the
program again. However, if, after encountering VirusOne, the
scanner then encounters a different virus (VirusTwo), then
encounters VirusOne again, the program starts in response to
each encounter, in this example, three times in a row. Starting
multiple instances of the same program might cause your
server to run out of memory.
6 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 157.
Remember that the Program method does not run a program unless the alert
pertains specifically to viruses. In other words, the alert must contain the
%VIRUSNAME% and %FILENAME% system variables. All other alerts, regardless of
priority level, are ignored.
7 Click Test to send the recipient computer a test message. See Sending a test
message on page 156.
The Logging page appears with a list of all of the computers you have chosen
to receive messages for logging. If you have not yet chosen a recipient
computer, this list is blank.
To add a computer, click Add to open the Logging Properties dialog box,
then type the name of the computer that receives forwarded messages in
the text box. You can type the computer name in Universal Naming
Convention (UNC) notation, or you can click Browse to locate the
computer on the network.
To remove a listed computer, click the computer in the list and click the
Remove button.
4 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 157.
5 Click Test to send the recipient computer a test message. See Sending a test
message on page 156.
The Alert Manager Properties dialog box only displays the Terminal Server tab if the
computer on which Alert Manager is installed is a terminal server.
4 Click Test to send the recipient computer a test message. The Select client for
test message dialog box appears, listing the current terminal server user
sessions for that computer.
5 Select a user from the list and click OK to send that user a test message and
return to the Alert Manager Properties dialog box.
6 Click Priority Level to specify which types of alert messages the terminal server
users should receive. See Setting the alert priority level for recipients on page 157.
7 Click OK to save the terminal server settings and return to the Alert Manager
Properties dialog box.
2 Make sure that all your users and computers are able to read and write to this
shared alert folder. If the folder is located on a computer running Windows
NT, you must properly configure a null session share. See your operating
system documentation for details.
3 Configure Alert Manager to monitor the centralized alert folder for activity. To
do this:
a From the Alert Manager Properties dialog box, select the Centralized Alert tab.
4 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 157.
5 Click Test to send the recipient computer a test message. See Sending a test
message on page 156.
6 Click OK to save your centralized alerting settings and return to the Alert
Manager Properties dialog box.
Use the Alert Manager Messages dialog box to customize alert messages. See
Configuring Alert Manager on page 150 for details on how to access the Alert
Manager Messages dialog box.
Next to each alert listed in the Alert Manager Messages dialog box is a checkbox. If
this is selected, the alert is enabled. If it is not selected, it is disabled. By default, all
of the available alert messages are enabled.
1 Select or deselect the corresponding checkbox for any alert messages you want
to enable or disable.
2 Click OK to save your changes and close the Alert Manager Messages dialog
box.
1 On the Alert Manager Messages dialog box (see Customizing alert messages on
page 181), click a message in the list once to select it.
2 Click Edit to open the Edit Alert Manager Message dialog box.
3 Choose a priority level from the Priority list. You can assign each alert message
a Critical, Major, Minor, Warning, or Informational priority.
The icons shown beside each message listed in the Alert Manager Messages
dialog box identify the priority level currently assigned to a message. Each icon
corresponds to a choice in the Priority drop-down list. The priority levels are:
Critical. Indicates your anti-virus software detected viruses in files that
could not be cleaned, quarantined or deleted.
Major. Indicates either that successful virus detection and cleaning has
occurred or that serious errors and problems have occurred that might cause
your anti-virus software to stop working. Examples include “Infected file
deleted,” “No licenses are installed for the specified product,” or “Out of
memory!”
Minor. Indicates lesser detection or status messages.
As you reassign the priority for a message, the icon beside it changes to show
its new priority status.
4 Click OK.
See Setting the alert priority level for recipients on page 157 for information about
applying priority level filters for specific recipients.
1 From the Alert Manager Messages dialog box, click the alert message in the list
to select it.
2 Click Edit to open the Edit Alert Manager Message dialog box.
3 Edit the message text as desired. Text enclosed in percentage signs, such as
%COMPUTERNAME%, represents a variable that Alert Manager replaces with text
at the time it generates the alert message. See Using Alert Manager system
variables on page 185.
4 Click OK to save your changes and return to the Alert Properties dialog box.
For example, the major alert Infected file successfully cleaned (1025) listed in the
Alert Manager Messages dialog box is by default set to the following:
The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. The file
was successfully cleaned with Scan engine version %ENGINEVERSION% and
DAT version %DATVERSION%.
When this alert is sent to Alert Manager from an anti-virus application, Alert
Manager dynamically populates the system variables with real values, for example
displaying MYDOCUMENT.DOC for the %FILENAME% variable.
WARNING
Be careful when editing message text to include system
variables that might not be used by the event generating that
alert message. Using system variables in alerts that do not use
that system variable field could cause unexpected results,
including garbled message text or even a system crash.
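Added example (not part of the McAfee guide): a Python check to run over an edited message before saving it. It reports variables the generating event does not supply, unbalanced percent signs, and whether the text still carries the two variables the Program method requires. The sample event values are constructed, and treating the Program method rule as a check on the message text is an assumption.

```python
import re

# Text enclosed in percent signs is an Alert Manager system variable.
VAR_RE = re.compile(r"%([A-Z][A-Z0-9_]*)%")

# Per the guide, the Program method ignores alerts lacking these two variables.
PROGRAM_METHOD_REQUIRED = frozenset({"VIRUSNAME", "FILENAME"})

# Default text of alert 1025 as quoted in the guide.
ALERT_1025 = (
    "The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. The file "
    "was successfully cleaned with Scan engine version %ENGINEVERSION% and "
    "DAT version %DATVERSION%."
)

# Constructed sample: the fields a cleaning event supplies, with made-up values.
SAMPLE_EVENT = {
    "FILENAME": "MYDOCUMENT.DOC",
    "VIRUSNAME": "VirusOne",
    "VIRUSTYPE": "virus",
    "ENGINEVERSION": "0.0.0",
    "DATVERSION": "0000",
}


def variables_in(template):
    """Return the variable names a template references, in order, without repeats."""
    seen = []
    for name in VAR_RE.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def lint_template(template, event_fields):
    """Compare an edited message with the fields its event actually supplies."""
    used = variables_in(template)
    return {
        "used": used,
        # Variables the event never fills in: the garbled-text case in the WARNING.
        "unsupplied": [v for v in used if v not in event_fields],
        # Percent signs left over once well-formed variables are removed.
        "stray_percent": VAR_RE.sub("", template).count("%"),
        # Assumption: the rule is evaluated against the message text.
        "program_method_runs": PROGRAM_METHOD_REQUIRED.issubset(used),
    }


def render(template, values):
    """Substitute values, refusing templates that would render garbled."""
    report = lint_template(template, values)
    if report["unsupplied"] or report["stray_percent"]:
        raise ValueError(f"refusing to render: {report}")
    return VAR_RE.sub(lambda m: str(values[m.group(1)]), template)


if __name__ == "__main__":
    print(lint_template(ALERT_1025, SAMPLE_EVENT))
    edited = "Virus %VIRUSNAME found on %COMPUTERNAME% in %FILENAME%"
    print(lint_template(edited, SAMPLE_EVENT))
    print(render(ALERT_1025, SAMPLE_EVENT))
```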
Following is a complete list of the Alert Manager system variables that can be used
in Alert Manager messages:
New viruses appear at the rate of more than 500 per month. To meet this challenge,
McAfee Security releases new DAT files every week, incorporating the results of its
ongoing research into the characteristics of new or mutated viruses. The
AutoUpdate feature makes it easy to take advantage of this service. It allows you
to download the latest DAT files, scanning engine, and EXTRA.DAT simultaneously,
using an immediate or scheduled update.
Update strategies
System variables
AutoUpdate tasks
Mirror tasks
Rollback DAT files
Manual updates
Update strategies
Updates can be performed using many methods. You can use update tasks,
manual updates, login scripts, or you can schedule updates with management
tools. This document discusses using the update tools provided in VirusScan
Enterprise and updating manually. Any other implementations are beyond the
scope of this document.
An efficient updating strategy generally requires that at least one client or server
in your organization retrieve the updates from the Network Associates download
site. From there, the files can be replicated throughout your organization,
providing access for all other computers. Ideally, you should minimize the amount
of data transferred across your network by automating the process of copying the
updated files to your share sites.
For efficient updating, the main factors to consider are the number of clients and
the number of sites. There may be additional considerations that affect your
update schema, for example, the number of systems at each remote site and how
remote sites access the Internet. However, the basic concepts of populating your
share sites and scheduling updates apply to any size organization.
Schedule network-wide DAT file rollouts at convenient times and with minimal
intervention from either administrators or network users. You might, for
example, stagger your update tasks, or set a schedule that phases in, or rotates,
DAT file updates to different parts of the network.
Reduce the likelihood that you need to wait to download new DAT or upgraded
engine files. Traffic on McAfee computers increases dramatically on regular
DAT file publishing dates and whenever new product versions appear.
Avoiding the competition for network bandwidth enables you to deploy your
new software with minimal interruptions.
For more information about updating and using McAfee Installation Designer or
McAfee AutoUpdate Architect to configure and manage updates, see the
VirusScan Enterprise Updating Implementation Guide.
System variables
System variables are supported for path definition when configuring AutoUpdate
tasks, mirror tasks, and repositories. Some commonly-used system variables are:
Variable Definition
AutoUpdate tasks
The AutoUpdate task is used to perform scheduled or immediate updates. You can
update DAT files, the scanning engine, and the EXTRA.DAT file. See the VirusScan
Enterprise Updating Implementation Guide for information about downloading
HotFix, Service Pack, SuperDAT package, or .CAB files.
The VirusScan Enterprise product provides a default update task that is scheduled
to update every Friday at 5:00 p.m. with one-hour randomization. The default
update task is named AutoUpdate. You can rename and reconfigure the default
AutoUpdate task. You can also create additional update tasks to meet your
updating requirements.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
3 Accept the default task name or type a new name for your task, then press
ENTER to open the AutoUpdate Properties dialog box. See Configuring an
AutoUpdate task on page 193 for detailed configuration information.
NOTE
If you create update tasks via ePolicy Orchestrator 3.0 or later,
and enable task visibility, these update tasks are visible in the
VirusScan Console. These ePolicy Orchestrator tasks are
read-only and cannot be configured from the VirusScan
Console. See the VirusScan Enterprise Configuration Guide for
use with ePolicy Orchestrator 3.0 for more information.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Open the AutoUpdate Properties dialog box using one of these methods:
Highlight the task in the console task list, then select Properties from the
Task menu.
NOTE
Configure the update task before you click either Schedule or
Update Now.
3 In the Log file text box, accept the default log file name and location, type a
different log file name and location, or click Browse to locate a suitable
location. System variables are supported. See System variables on page 189 for
more information.
NOTE
By default, log information is written to the UPDATELOG.TXT
file in this folder:
<drive>:\Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan
4 Under Run options, you can specify an executable file to start after the
AutoUpdate task finishes running. For example, you might use this option to
start a network message utility that notifies the administrator that the update
operation completed successfully.
Enter the executable to be run after the Update has completed. Type the path
of the executable you want to run, or click Browse to locate it.
Only run after successful update. Run the executable program only after a
successful update. If the update is not successful, the program you
specified does not run.
NOTE
The program file that you specify must be executable by the
currently logged on user. If the currently logged on user does
not have access to the folder containing the program files, or if
there is no currently logged on user, the program does not
run.
5 Click Schedule to schedule the update task. See Scheduling Tasks on page 221
for more information.
6 Click Apply to save your changes.
Tasks that are updating from an HTTP, UNC, or local site. If the update task
is interrupted for any reason during the update, the task resumes where it left
off the next time the update task starts.
Tasks that are updating from an FTP site. The task does not resume if
interrupted during a single file download. However, if a task is downloading
several files and is interrupted, the task resumes before the file that was being
downloaded at the time of the interruption.
To run an update task:
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
Update as scheduled. If you scheduled the update, allow the task to run
unattended.
NOTE
Your computer must be active to run an update task. If your
computer is not operating when the task is scheduled to start,
the task starts at the next scheduled time if the computer is
active, or when the computer starts if you selected the Run
missed task option on the Schedule Settings, Schedule tab.
Update immediately. You can start update tasks immediately using three
methods:
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use one of these methods to perform an immediate update using Update Now:
From the VirusScan Console, select Update Now from the Task menu.
Right-click in the system tray, then select Update Now.
3 When the task finishes, click Close to exit the McAfee Updater dialog box, or
wait for the dialog box to close automatically.
2 Use one of these methods to start an immediate update from the VirusScan
Console:
Highlight the task in the console task list, then select Start from the Task
menu.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Open the AutoUpdate Properties dialog box for the selected update task. For
instructions, see Configuring an AutoUpdate task on page 193.
3 Click Update Now in the AutoUpdate Properties dialog box.
4 When the task finishes, click Close to exit the McAfee Updater dialog box, or
wait for the dialog box to close automatically.
The software versions in the CATALOG.Z are checked against the versions on the
computer. If new software updates are available, they are downloaded.
Once the update is checked into the repository, the update is verified to
confirm that it is applicable to VirusScan Enterprise and that the version is
newer than the current version. Once this is verified, VirusScan Enterprise
downloads the update when the next update task runs.
An EXTRA.DAT file can be used in an emergency to detect a new threat until the new
virus is added to the weekly virus definition file. The EXTRA.DAT file is downloaded
from the repository on each update. This ensures that if you modify the EXTRA.DAT
and check it in again as a package, all VirusScan Enterprise clients download and use
the same updated EXTRA.DAT package. For example, you may use the EXTRA.DAT as
an improved detector for the same virus or additional detection for other new
viruses. VirusScan Enterprise supports using only one EXTRA.DAT file.
NOTE
When you have finished using the EXTRA.DAT file, you should
remove it from the master repository and run a replication
task to ensure it is removed from all distributed repository
sites. This stops VirusScan Enterprise clients from attempting
to download the EXTRA.DAT file during an update.
See AutoUpdate task overview on page 191 for a diagram of the updating process.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
Highlight the task, then select Activity Log from the Task menu.
Right-click the task in the task list and select View Log.
3 To close the activity log, select Exit from the File menu.
For example:
AutoUpdate repositories
A repository is a location from which you receive updates.
ftp://ftp.nai.com/CommonUpdater
http://update.nai.com/Products/CommonUpdater
The FTP repository is the default site. If you plan to use the FTP repository to
perform updates, you are automatically configured to do so after the VirusScan
Enterprise 7.1.0 installation process completes.
You can use either of these sites to download the latest updates if you are using
VirusScan Enterprise 7.1.0 exclusively, or if you are using VirusScan Enterprise
7.1.0 in a mixed environment with VirusScan 4.5.1 or NetShield 4.5.
You can reorganize the repositories in the list or create new repositories to meet
your requirements. The number of repositories that you need depends on your
updating requirements. See Editing the AutoUpdate repository list on page 201 for
more information.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Select Tools|Import AutoUpdate Repository List.
3 In the Look in box, type the location for the .XML file, or click to navigate to
the location, then select a file.
4 Click Open to import the AutoUpdate repository list.
NOTE
To import a customized AutoUpdate repository list, to specify
source repositories from which to obtain software, or to use
multiple update locations that can replicate from a master
repository, you must use the McAfee AutoUpdate Architect™
utility with VirusScan Enterprise. Refer to the McAfee
AutoUpdate Architect Product Guide for more information.
NOTE
You can also create repositories using McAfee AutoUpdate
Architect and export them to VirusScan Enterprise. See the
McAfee AutoUpdate Architect Product Guide for more
information about using it to create and export AutoUpdate
repositories.
AutoUpdate repositories can have a state of Enabled or Disabled.
Disabled — A defined repository that you do not want to access during the
AutoUpdate process.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
3 Select the Repositories tab. The FTP repository is the default download site.
To add a repository, click Add to open the Repository Settings dialog box.
To edit a repository, highlight it in the Repository Description list, then click
Edit to open the Repository Settings dialog box.
5 In the Repository description text box, type the name or description for this
repository.
6 Under Retrieve files from, select the repository type or path from these choices:
HTTP repository. This option is selected by default. Use the HTTP repository
location that you designate as the repository from which you retrieve the
update files.
NOTE
An HTTP site, like FTP, offers updating independent of network
security, but supports higher levels of concurrent connections
than FTP.
FTP repository. Use the FTP repository location that you designate as the
repository from which you retrieve the update files.
NOTE
An FTP site offers flexibility of updating without having to
adhere to network security permissions. FTP has been less
prone to unwanted code attack than HTTP, so it may offer
better tolerance.
UNC path. Use the UNC path that you designate as the repository from
which you retrieve the update files.
NOTE
A UNC site is the quickest and easiest to set up. Cross domain
UNC updates require security permissions for each domain,
which makes update configuration more involved.
Local path. Use the local site that you designate as the repository from
which you retrieve the update files.
7 Under Repository details, the information you type depends on the repository
type or path you selected under Retrieve files from. System variables are
supported. See System variables on page 189 for more information. Choose from
the following:
If you selected UNC path or Local path, see UNC path or Local path repository
details on page 206 for detailed instructions.
1 Under Repository details, type the path to the repository you selected, the port
number, and specify security credentials for accessing the repository.
HTTP. Type the location for the HTTP server and folder where the
update files are located. The default McAfee HTTP repository for DAT
file updates is located at:
http://update.nai.com/Products/CommonUpdater
FTP. Type the location for the FTP server and folder where the update
files are located. The default McAfee FTP repository for DAT file
updates is located at:
ftp://ftp.nai.com/CommonUpdater
Port. Type the port number for the HTTP or FTP server you selected.
NOTE
Download credentials are required for FTP and UNC
repositories, but are optional for HTTP repositories. The
credentials you specify are used by AutoUpdate to access the
repository so that it can download the required update files.
When configuring the account credentials on the repository,
ensure that the account has read permissions to the folders
containing the update files.
2 Click OK to save your changes and return to the AutoUpdate Repositories List
dialog box.
1 Under Repository details, type the path to the repository you selected and
determine whether to use the logged on account or add security by specifying
a user name and password. System variables are supported. See System
variables on page 189 for more information.
Path. Type the path to the location from which you want to retrieve the
update files.
Local path. Type the path of the local folder in which you have placed
the update files, or click Browse to navigate to the folder.
NOTE
The path can be that of a folder on a local drive or a
network drive.
NOTE
Download credentials are required for FTP and UNC
repositories, but are optional for HTTP repositories. The
credentials you specify are used by AutoUpdate to access the
repository so that it can download the required update files.
When configuring the account credentials on the repository,
ensure that the account has read permissions to the folders
containing the update files.
With UNC updates, you have the additional option to use the
logged on account. This allows the update task to make use of
the logged-on user’s permissions to access the repository.
If your network uses a proxy server, you can specify which proxy settings to use,
the address of the proxy server, and whether to use authentication. Proxy
information is stored in the AutoUpdate repository list (SITELIST.XML). The proxy
settings you configure here apply to all the repositories in this repository list.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
4 Determine whether you want to use a proxy and, if you do, which settings you
want to use. Choose from these options:
Don’t use a proxy. Do not specify a proxy server. Select this option, then
click OK to save your settings and close the Edit AutoUpdate Repository List
dialog box.
Use Internet Explorer proxy settings. This option is selected by default. Use the
proxy settings for the currently installed version of Internet Explorer.
Select this option, then click OK to save your settings and close the Edit
AutoUpdate Repository List dialog box.
Manually configure the proxy settings. Configure the proxy settings to meet
your specific needs. System variables are supported. See System variables
on page 189 for more information.
Select this option, then type the address and port information for the
repository you selected:
HTTP Port. Type the port number of the HTTP proxy server.
FTP Port. Type the port number of the FTP proxy server.
Determine whether to use authentication for either the HTTP or FTP proxy
server you specified. Choose from these options:
b Click OK to save your changes and return to the Proxy settings tab.
6 Click OK to save your changes and close the Edit AutoUpdate Repository List
dialog box.
Mirror tasks
The VirusScan Enterprise software relies on a directory structure to update itself.
The mirror task allows you to replicate the update files from the first accessible
repository defined in the repository list, to a mirror site on your network. It is
important to remember to replicate the entire directory structure when mirroring
a site. This directory structure also supports previous versions of VirusScan and
NetShield, as long as the entire directory structure is replicated in the same
locations that VirusScan 4.5.1 used for updating.
The following shows the directory structure in the repository after using a mirror
task to replicate the Network Associates repository:
After you replicate the Network Associates site that contains the update files,
computers on your network can download the files from the mirror site. This
approach is practical because it allows you to update any computer on your
network, whether or not it has Internet access; and efficient because your
computers are communicating with a server that is probably closer than a Network
Associates Internet site, therefore economizing access and download time. The
most common use of this task is to mirror the contents of the Network Associates
download site to a local server.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
Right-click a blank area in the console without selecting an item in the task list,
then select New Mirror Task.
Select New Mirror task from the Task menu.
A new mirror task appears, highlighted, in the VirusScan Console task list.
3 Accept the default task name or type a new name for your task, then press
ENTER to open the AutoUpdate Properties dialog box. See Configuring a mirror
task on page 214 for detailed configuration information.
NOTE
If you create mirror tasks via ePolicy Orchestrator 3.0 or later,
and enable task visibility, these mirror tasks are visible in the
VirusScan Console. These ePolicy Orchestrator tasks are
read-only and cannot be configured from the VirusScan
Console. See the VirusScan Enterprise Configuration Guide for
use with ePolicy Orchestrator 3.0 for more information.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Open the AutoUpdate Properties dialog box using one of these methods:
Highlight the task in the console task list, then select Properties from
the Task menu.
NOTE
Configure the mirror task before you click Schedule or Mirror Now.
3 In the Log file text box, accept the default log file name and location, type a
different log file name and location, or click Browse to locate a suitable
location. System variables are supported. See System variables on page 189 for
more information.
NOTE
By default, log information is written to the
VSEMIRRORLOG.TXT file in this folder:
<drive>:\Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan
4 Click Mirror Location to open the Mirror Location Settings dialog box:
a Type the path to the destination on the local system that you are using for
the mirror site, or click Browse to navigate to the desired location. System
variables are supported. See System variables on page 189 for more
information.
5 Under Run options, you can specify an executable file to start after the mirror
task finishes running. For example, you might use this option to start a
network message utility that notifies the administrator that the update
operation completed successfully.
Enter the executable to be run after the Mirror has completed. Type the path
of the executable you want to run, or click Browse to locate it.
Only run after successful mirror. Run the executable program only after a
successful update. If the update is not successful, the program you selected
does not run.
NOTE
The program file that you specify must be executable by the
currently logged on user. If the currently logged on user does
not have access to the folder containing the program files, or if
there is no currently logged on user, the program does not
run.
6 Click Schedule to schedule the mirror task. See Scheduling Tasks on page 221 for
more information about scheduling tasks.
Mirror immediately. You can start mirror tasks immediately using two
methods:
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use one of these methods to start an immediate mirror task from the VirusScan
Console:
Highlight the task in the console task list, then select Start from the Task
menu.
When the task finishes, click Close to exit the McAfee Updater dialog box,
or wait for the dialog box to close automatically.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Open the AutoUpdate Properties dialog box for the selected mirror task. For
instructions, see Configuring a mirror task on page 214.
3 Click Mirror Now in the AutoUpdate Properties dialog box.
4 When the task finishes, click Close to exit the McAfee Updater dialog box, or
wait for the dialog box to close automatically.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
Highlight the task, then select Activity Log from the Task menu.
Right-click the task in the task list and select View Log.
3 To close the activity log, select Exit from the File menu.
When you roll back the DAT files, the current DAT files are replaced with the version
in the OldDats folder, and a flag is set in the registry at this location:
HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szRollbackedDATS
Once the rollback occurs, you cannot go back to the previous version again. The
next time an update is performed, the DAT version in the registry is compared with
the DAT files in the update repository. If the new DAT files are the same as the ones
flagged in the registry, no update occurs.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
3 The rollback appears to be the same as an update, except that the details show
Performing DAT rollback. When the rollback finishes, click Close to exit the
McAfee AutoUpdate dialog box, or wait for the dialog box to close
automatically.
NOTE
When you perform a rollback, the last backup of the DAT files
is restored.
Manual updates
McAfee Security recommends that you use the AutoUpdate task supplied with the
VirusScan Enterprise software to install new DAT file or scanning engine versions.
This utility offers an easy method for correctly updating the DAT files and scanning
engine. To install DAT files yourself, however, you can download DAT and engine
files manually from these update sites:
http://www.networkassociates.com/us/downloads/updates
ftp://ftp.nai.com/CommonUpdater
Regular DAT files. McAfee Security stores these files on its FTP site as .ZIP
archives with the name DAT-XXXX.ZIP. The XXXX in the file name is a series
number that changes with each DAT file release. To download these files, use a
web browser or FTP client to connect with:
ftp://ftp.nai.com/CommonUpdater
Installable .EXE files. McAfee Security stores these files on its web site as a
self-executing setup file named XXXXUPDT.EXE. Here, too, the XXXX is a series
number that changes with each new DAT release. To download these files, use
a web browser to connect with:
http://www.networkassociates.com/us/downloads/updates
Both files contain exactly the same DAT files. The difference between them is in
how you use them to update your copy of the VirusScan Enterprise software.
To use the DAT-XXXX.ZIP archive, you must download the file, extract it from its
archive, copy the files into the DAT folder, then restart the on-access scanner. See
Updating from DAT file archives on page 220 for detailed steps.
To install DAT files that come with their own setup utility, you need only to
download the files to a temporary folder on your hard disk, then run or
double-click the XXXXUPDT.EXE file. The setup utility stops the on-access scanner,
copies the files to the correct folder, then restarts the on-access scanner.
NOTE
You may need administrator rights to write to the DAT folder.
Once updated, the new DAT files are picked up by the on-access scanner, the
on-demand scanner, and the e-mail scanner, the next time each scanner starts.
1 Create a temporary folder on your hard disk, then copy the DAT file .ZIP archive
you downloaded to that folder.
CLEAN.DAT
NAMES.DAT
SCAN.DAT
If you accepted the default installation path, these files are located in:
<drive>:\Program Files\Common Files\Network Associates\Engine\
3 Use WINZIP, PKUNZIP, or a similar utility to open the .ZIP archive and extract the
updated DAT files.
4 Log on to the server you want to update. You must have administrator rights
for the destination computer.
5 Copy the DAT files to the DAT folder.
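The manual-update steps above, as an added Python example (not McAfee's code): it takes only CLEAN.DAT, NAMES.DAT and SCAN.DAT from a DAT-XXXX.ZIP, refuses archives with missing files or path-traversal entries, and copies the files into the DAT folder. The function names, the size limit and the `.new` temporary suffix are assumptions; restarting the on-access scanner remains a manual step.

```python
import os
import shutil
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# File names listed on the page; anything else in the archive is ignored.
REQUIRED_DATS = ("CLEAN.DAT", "NAMES.DAT", "SCAN.DAT")
MAX_DAT_BYTES = 64 * 1024 * 1024  # assumed sanity limit, not a product value


class DatArchiveError(Exception):
    """The archive is not a usable DAT-XXXX.ZIP."""


def find_dat_members(zf):
    """Map each required DAT name to its ZipInfo, rejecting suspicious archives."""
    found = {}
    for info in zf.infolist():
        name = info.filename.replace("\\", "/")
        parts = PurePosixPath(name).parts
        # An update archive has no reason to carry absolute or parent paths.
        if name.startswith("/") or ".." in parts or ":" in name:
            raise DatArchiveError(f"unsafe member path: {info.filename!r}")
        if len(parts) != 1 or parts[0].upper() not in REQUIRED_DATS:
            continue  # not one of the three DAT files at the archive root
        key = parts[0].upper()
        if key in found:
            raise DatArchiveError(f"duplicate member: {key}")
        if info.file_size > MAX_DAT_BYTES:
            raise DatArchiveError(f"{key} is larger than the sanity limit")
        found[key] = info
    missing = [n for n in REQUIRED_DATS if n not in found]
    if missing:
        raise DatArchiveError("archive lacks " + ", ".join(missing))
    return found


def stage_dat_files(zip_path, staging_dir):
    """Extract only the three DAT files into staging_dir; return their paths."""
    staging_dir = Path(staging_dir)
    staging_dir.mkdir(parents=True, exist_ok=True)
    staged = []
    try:
        with zipfile.ZipFile(zip_path) as zf:
            for name, info in find_dat_members(zf).items():
                # The target name comes from REQUIRED_DATS, never from the archive.
                target = staging_dir / name
                target.write_bytes(zf.read(info))  # read() verifies the CRC
                staged.append(target)
    except zipfile.BadZipFile as exc:
        raise DatArchiveError(f"corrupt archive: {exc}") from exc
    return staged


def install_dat_files(staged, dat_folder):
    """Copy staged files into the DAT folder, replacing each file in one rename."""
    dat_folder = Path(dat_folder)
    if not dat_folder.is_dir():
        raise DatArchiveError(f"DAT folder not found: {dat_folder}")
    installed = []
    for src in staged:
        tmp = dat_folder / (src.name + ".new")
        shutil.copyfile(src, tmp)
        os.replace(tmp, dat_folder / src.name)  # no half-written DAT is left behind
        installed.append(dat_folder / src.name)
    return installed


if __name__ == "__main__":
    # Constructed archive and folders, so the example runs offline.
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        archive = work / "DAT-0000.ZIP"
        with zipfile.ZipFile(archive, "w") as zf:
            for dat in REQUIRED_DATS:
                zf.writestr(dat, b"constructed sample content")
        engine = work / "Engine"  # stands in for the DAT folder
        engine.mkdir()
        staged_files = stage_dat_files(archive, work / "staging")
        for path in install_dat_files(staged_files, engine):
            print("installed", path.name)
```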
For more information about mirror tasks, see Mirror tasks on page 212.
The following topics are addressed in this section:
Task properties
Schedule properties
Task properties
Use the options on the Task tab to enable scheduling, specify a limit for the task run
time, and add authentication for this task.
1 Select the Task tab.
2 Under Schedule Settings, specify whether you want the task to run at a specific
time. You have these options:
Enable (scheduled task runs at specified time). Schedule the task to run at a
specified time.
Stop the task if it runs for. Stop the task after a limited time. If you select this
option, also type in or select the hours and minutes.
NOTE
If the task is interrupted before it completes, the next time it
starts it resumes scanning from where it left off, unless the
DAT files have been updated and you have selected the
option to rescan all files when DAT files are updated. In that
case, the scan starts over instead of resuming from where it
left off.
3 Under Task, specify authentication credentials for this task by entering the
following information:
NOTE
The use of credentials is optional. If you do not type
credentials here, the scheduled task runs under the local
system account.
User. Type the user ID under which this task executes.
Password. Type the password for the user ID and domain you specified.
Schedule properties
Use the options on the Schedule tab to specify the task frequency, when the task
runs in time zones, whether you want to run the task at random times within
specified intervals, whether to run missed tasks, and specify delay times for
missed tasks.
At System Startup. Run the task at system startup and specify whether to run
the task once per day and the number of minutes to delay the task. See At
System Startup on page 233.
At Logon. Run the task at log on and specify whether to run the task once per
day and the number of minutes to delay the task. See At Logon on page 234.
When Idle. Run the task when the computer is idle and specify the number of
minutes. See When Idle on page 235.
Run Immediately. Run the task immediately. See Run Immediately on page 236.
Run On Dialup. Run the task on Dialup and specify whether to run the task once
per day. See Run On Dialup on page 237.
Start Date. Click to select a date from the calendar. This field is optional.
End Date. Click to select a date from the calendar. This field is optional.
Repeat Task. Repeat the task at the frequency selected.
Every. Type the frequency or use the arrows to select a number, then select
whether you want the frequency to be in minutes or hours.
Until. Select either Time (Local) and type in or select the time, or select
Duration and type in or select the hour(s) and minute(s).
Daily
Weekly
Monthly
Once
At System Startup
At Logon
When Idle
Run Immediately
Run On Dialup
Daily
1 On the Schedule tab, under Schedule:
Start Time. Type the start time for the scheduled task or use the arrows
to select a time.
UTC Time. Coordinated Universal Time (UTC). Select this option to run the
task simultaneously in all time zones.
Local Time. This option is selected by default. Run the task independently in
each local time zone.
Enable randomization. Run the task at a random point within the interval of
time you set. If you select this option, also type in or select the hours and
minutes for the maximum time lapse.
You can type in or select a time lapse interval between one minute
(minimum) and 24 hours (maximum). For example, setting the task
schedule to 1:00 and the randomization to three hours, would cause the
task to run at any time between 1:00 and 4:00.
Run missed task. Ensure that missed tasks run when the computer starts
up again. If the computer was offline when a task was scheduled to be run,
it may have been missed. This feature ensures that remote users and the
network are fully protected if they happen to be offline when a task is
scheduled to run.
Delay missed task by. Type the number of minutes by which you want to
delay the missed task, or use the arrows to select the number of minutes.
Choose from 0 to 99 minutes.
3 Click OK to save your settings and close the Schedule Settings dialog box.
Weekly
1 On the Schedule tab, under Schedule:
Start Time. Type the start time for the scheduled task or use the arrows
to select a time.
UTC Time. Coordinated Universal Time (UTC). Select this option to run the
task simultaneously in all time zones.
Local Time. This option is selected by default. Run the task independently in
each local time zone.
Enable randomization. Run the task at a random point within the interval of
time you set. If you select this option, also type in or select the hours and
minutes for the maximum time lapse.
You can type a time lapse interval between one minute (minimum) and 24
hours (maximum). For example, setting the task schedule to 1:00 and the
randomization to three hours, would cause the task to run at any time
between 1:00 and 4:00.
Run missed task. Ensure that missed tasks run when the computer starts
up again. If the computer was offline when a task was scheduled to be run,
it may have been missed. This feature ensures that remote users and the
network are fully protected if they happen to be offline when a task is
scheduled to run.
Delay missed task by. Type the number of minutes by which you want to
delay the missed task, or use the arrows to select the number of minutes.
Choose from 0 to 99 minutes.
3 Click OK to save your settings and close the Schedule Settings dialog box.
Monthly
1 On the Schedule tab, under Schedule:
Start Time. Type the start time for the scheduled task or use the arrows
to select a time.
UTC Time. Coordinated Universal Time (UTC). Select this option to run the
task simultaneously in all time zones.
Local Time. This option is selected by default. Run the task independently in
each local time zone.
Enable randomization. Run the task at a random point within the interval of
time you set. If you select this option, also type the hours and minutes for
the maximum time lapse.
You can type a time lapse interval between one minute (minimum) and 24
hours (maximum). For example, setting the task schedule to 1:00 and the
randomization to three hours, would cause the task to run at any time
between 1:00 and 4:00.
Run missed task. Ensure that missed tasks run when the computer starts
up again. If the computer was offline when a task was scheduled to be run,
it may have been missed. This feature ensures that remote users and the
network are fully protected if they happen to be offline when a task is
scheduled to run.
Delay missed task by. Type the number of minutes by which you want to
delay the missed task, or use the arrows to select the number of minutes.
Choose from 0 to 99 minutes.
Day of the month. Select the option and the day of the month.
Weekday of the month. Select this option to run the task on a specific day of
the month (for example, first Sunday or second Wednesday).
3 Click OK to save your settings and close the Schedule Settings dialog box.
Once
1 On the Schedule tab, under Schedule:
Start Time. Type the start time for the scheduled task or use the arrows
to select a time.
UTC Time. Coordinated Universal Time (UTC). Select this option to run the
task simultaneously in all time zones.
Local Time. This option is selected by default. Run the task independently in
each local time zone.
Enable randomization. Run the task at a random point within the interval of
time you set. If you select this option, also type in or select the hours and
minutes for the maximum time lapse.
You can type in or select a time lapse interval between one minute
(minimum) and 24 hours (maximum). For example, setting the task
schedule to 1:00 and the randomization to three hours, would cause the
task to run at any time between 1:00 and 4:00.
Run missed task. Ensure that missed tasks run when the computer starts
up again. If the computer was offline when a task was scheduled to be run,
it may have been missed. This feature ensures that remote users and the
network are fully protected if they happen to be offline when a task is
scheduled to run.
Delay missed task by. Type the number of minutes by which you want to
delay the missed task, or use the arrows to select the number of minutes.
Choose from 0 to 99 minutes.
2 Under Schedule Task Once, click to select the date on which you want to
run the task.
3 Click OK to save your settings and close the Schedule Settings dialog box.
At System Startup
1 On the Schedule tab, under Schedule:
Only run this task once per day. Select this option to run this task once a day.
If you do not select this option, the task runs every time startup occurs.
Delay task by. Select the number of minutes to delay the task. Choose from
0 to 99 minutes. This allows time for logon scripts to execute or user logon
time.
3 Click OK to save your settings and close the Schedule Settings dialog box.
At Logon
1 On the Schedule tab, under Schedule:
Only run this task once per day. Select this option to run this task once a day.
If you do not select this option, the task runs every time log on occurs.
Delay task by. Type the number of minutes to delay the task. Choose from
0 to 99 minutes. This allows time for logon scripts to execute or user logon
time.
3 Click OK to save your settings and close the Schedule Settings dialog box.
When Idle
1 On the Schedule tab, under Schedule:
2 Under Schedule Task When Idle, type in or select the number of minutes that
you want the computer to be idle before it starts the task. Choose from 0 to 999
minutes.
3 Click OK to save your settings and close the Schedule Settings dialog box.
Run Immediately
1 On the Schedule tab, under Schedule:
Enable randomization. Run the task at a random point within the interval of
time you set. If you select this option, also type in or select the hours and
minutes for the maximum time lapse.
You can type in or select a time lapse interval between one minute
(minimum) and 24 hours (maximum). For example, setting the task
schedule to 1:00 and the randomization to three hours, would cause the
task to run at any time between 1:00 and 4:00.
2 Click OK to save your settings and close the Schedule Settings dialog box.
Run On Dialup
1 On the Schedule tab, under Schedule:
Enable randomization. Run the task at a random point within the interval of
time you set. If you select this option, also type in or select the hours and
minutes for the maximum time lapse.
You can type in or select a time lapse interval between one minute
(minimum) and 24 hours (maximum). For example, setting the task
schedule to 1:00 and the randomization to three hours, would cause the
task to run at any time between 1:00 and 4:00.
2 Under Schedule Task Run On Dialup, select whether to run the task once per
day.
NOTE
Scheduling a task to Run On Dialup may be more useful for an
AutoUpdate task than an on-demand task.
3 Click OK to save your settings and close the Schedule Settings dialog box.
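How the Schedule tab options described above interact (Start Time, UTC Time or Local Time, Enable randomization, Run missed task, Delay missed task by), as an added Python example that is not part of the product guide. The host names, fixed UTC offsets and function names are constructed, and a uniformly random start within the window is an assumed model of the randomization option.

```python
import random
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class DailySchedule:
    start: time                                # Start Time
    use_utc: bool = False                      # UTC Time; Local Time is the default
    randomization: Optional[timedelta] = None  # Enable randomization
    run_missed: bool = False                   # Run missed task
    missed_delay_min: int = 0                  # Delay missed task by

    def __post_init__(self):
        r = self.randomization
        if r is not None and not timedelta(minutes=1) <= r <= timedelta(hours=24):
            raise ValueError("randomization must be between 1 minute and 24 hours")
        if not 0 <= self.missed_delay_min <= 99:
            raise ValueError("missed-task delay must be 0 to 99 minutes")


def run_window(sched, day, host_tz):
    """Earliest and latest start on `day` for one host, both expressed in UTC."""
    tz = timezone.utc if sched.use_utc else host_tz
    earliest = datetime.combine(day, sched.start, tzinfo=tz).astimezone(timezone.utc)
    return earliest, earliest + (sched.randomization or timedelta(0))


def pick_start(sched, day, host_tz, rng):
    """Assumed model: a uniformly random second inside the window."""
    earliest, latest = run_window(sched, day, host_tz)
    span = int((latest - earliest).total_seconds())
    return earliest + timedelta(seconds=rng.randint(0, span))


def missed_start(sched, planned, boot):
    """When a task missed while the host was off runs; None if not missed or not rerun."""
    if boot <= planned or not sched.run_missed:
        return None
    return boot + timedelta(minutes=sched.missed_delay_min)


# Constructed fleet: host name -> fixed UTC offset of its local time zone.
FLEET = {
    "nyc-ws01": timezone(timedelta(hours=-5)),
    "par-ws01": timezone(timedelta(hours=1)),
    "tyo-ws01": timezone(timedelta(hours=9)),
}


def fleet_windows(sched, day):
    """UTC run window per host, to see when the update repository is hit."""
    return {host: run_window(sched, day, tz) for host, tz in FLEET.items()}


if __name__ == "__main__":
    day = date(2003, 9, 1)  # constructed date
    rng = random.Random(7)  # seeded so the output is repeatable
    for label, use_utc in (("Local Time", False), ("UTC Time", True)):
        # The page's example: start at 1:00, randomization of three hours.
        sched = DailySchedule(time(1, 0), use_utc=use_utc,
                              randomization=timedelta(hours=3))
        print(label)
        for host, (lo, hi) in fleet_windows(sched, day).items():
            chosen = pick_start(sched, day, FLEET[host], rng)
            print(f"  {host}: {lo:%m-%d %H:%M}..{hi:%m-%d %H:%M} UTC,"
                  f" starts {chosen:%H:%M:%S}")
```

With Local Time the three hosts contact the repository in three separate three-hour windows; with UTC Time they share one window, and randomization is the only thing spreading the load.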
The following table lists the options that can be added to the command SCAN. All
the options listed can be used to configure both on-demand and on-access scans,
unless otherwise noted.
/LOAD <file name> Load scanning options from the named file.
Use this option to perform a scan you’ve already configured
by loading custom settings saved in an ASCII-formatted file.
/MANALYZE Enables heuristic scanning that targets macro viruses.
Note: /PANALYZE targets program viruses only; /ANALYZE
targets both program and macro viruses.
/MANY Scans multiple disks consecutively in a single drive. The
program prompts you for each disk.
Use this option to examine multiple disks quickly.
You cannot use the /MANY option if you run the VirusScan
software from a boot disk and you have only one floppy drive.
/MOVE <dir> Moves all infected files found during a scan to the specified
directory, preserving drive letter and directory structure.
Note: This option has no effect if the Master Boot Record or
boot sector is infected, since these are not files.
/NOBEEP Disables the tone that sounds whenever the scanners find a
virus.
/NOBREAK Disables CTRL+C and CTRL+BREAK during scans.
Users are not able to halt scans in progress with
/NOBREAK in use.
/NOCOMP Skips the examination of compressed executables created
with the LZ.EXE or PkLite file-compression programs.
This reduces scanning time when a full scan is not needed.
Otherwise, by default, VirusScan examines inside
executable, or self-decompressing files by decompressing
each file in memory and checking for virus signatures.
/NODDA No direct disk access. This prevents the scanners from
accessing the boot record.
This feature has been added to allow the scanners to run
under Windows NT.
You might need to use this option on some device-driven
drives.
Using /NODDA with the /ADN or /ADL switches may
generate errors when accessing empty CD-ROM drives or
empty Zip drives. If this occurs, type F (for Fail) in response
to the error messages to continue the scan.
/NOXMS Does not use extended memory (XMS).
The following table lists the options that can be added to the command SCAN32.
All the registry keys shown in this table are subkeys of:
hkey_local_machine\software\network associates\tvd.
VirusScan Enterprise\CurrentVersion\DefaultTask
VirusScan Enterprise\CurrentVersion\Tasks
VirusScan Enterprise\CurrentVersion
VirusScan Enterprise\CurrentVersion\Tasks
On-Demand Scanner (Scan32.exe)
A program that performs on-demand scanning activities of targets specified on
the VirusScan Enterprise Console.
Registry keys:
VirusScan Enterprise\CurrentVersion
VirusScan Enterprise\CurrentVersion\Tasks
Note: Also requires Read rights to:
Shared Components\VirusScan Engine\4.0.xx
If Scan32 does not have a writable key to its own task, then it runs but does
not update statistics. Scanning results data is not generated.
This does not affect scheduled on-demand tasks, which are controlled by the
Task Manager service described in the following section.
VirusScan Enterprise NT\CurrentVersion\Tasks (all subkeys)
Shared Components\On-Access Scanner\McShield
Shared Components\On-Access scanner\McShield\Configuration
Alert Manager (nai alert manager)
A component that provides immediate notification that the scanner has detected
a virus, or that the event scheduler has encountered a problem.
Registry keys:
Shared Components\Alert Manager
The user can see the property pages for the alerting methods and messages, but
cannot change the configuration.
Scanning questions
Virus questions
General questions
Installation questions
I just installed the software using the Silent Install method, and there is no
VirusScan Enterprise icon in the Windows system tray.
The icon does not appear in the system tray until you restart your system.
However, even though there is no icon, VirusScan Enterprise is running, and your
computer is protected.
HKEY_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
Scanning questions
In On-Access Scanning, what is the difference between scanning “when
writing to disk” and scanning “when reading from disk”?
Scanning when writing is a file-writing action. It scans the following:
Incoming files being written to the local hard drive.
Files being created on the local hard drive or a mapped network drive (this
includes new files, modified files, or files being copied or moved from one
drive to another).
Any file being renamed on the local hard drive, if the file properties have
changed.
Virus questions
I suspect I have a virus but VirusScan Enterprise is not detecting it.
You can download the latest DAT file while it is still being tested prior to the
official release. To use the daily DAT file, refer to:
www.mcafeeb2b.com/naicommon/avert/avert-research-enter/virus-4d.asp
I cannot get VirusScan Enterprise installed, but I think I have a virus. How
can I determine if my computer is infected?
If you have not been able to install VirusScan Enterprise, you can still run a scan at
the command line, using a single file downloaded from the Network Associates
web site. To run a command-line scan on a computer that does not have anti-virus
software installed:
2 Right-click the Scan folder and select Properties. Make sure that the read-only
attribute is selected.
3 Go to http://nai.com/naicommon/download/dats/superdat.asp. Click
sdatxxxx.exe for Windows-Intel to start the download.
5 From the Start menu, select Run and type C:\Scan\sdatxxxx.exe /e in the
text box. Click OK.
6 Open a DOS prompt (also called a Command Prompt). At the C:\> prompt,
type cd c:\Scan. Your prompt now looks like this: C:\Scan>
7 At the C:\Scan> prompt, type:
scan.exe /clean /all /adl /unzip /report report.txt
This scans all local drives and creates a report in a file named REPORT.TXT.
8 After scanning, browse to your C:\Scan directory and read the REPORT.TXT file.
NOTE
We recommend that you disconnect the system from the
network before scanning.
On Windows 2000 and Windows XP systems, boot into Safe Mode Command
Prompt only to perform the scan. On Windows NT systems, run the scan from
VGA Mode, then a command prompt.
We recommend that you rerun the command-line scanner until no virus files are
found. You may want to rename the report text file as REPORT2.TXT to record the
second scan and REPORT3.TXT for the third scan, and so on, to avoid overwriting the
reports file each time.
WARNING
You may receive an error that an application is attempting to
directly access the hard disk on Windows NT systems. Click
Ignore to continue. If you do not click Ignore, the scan
terminates.
General questions
The VirusScan Enterprise icon in my system tray appears to be disabled.
If there is a red circle and line covering the VirusScan Enterprise icon, that
indicates that On-Access Scan is disabled. Here are the most common causes and
solutions. If none of these solves your problem, contact technical support.
Make sure that the On-Access Scan is enabled. To do this:
http://update.nai.com/Products/CommonUpdater/catalog.z
and try to download the file.
If you are not able to download the file, but you can see it (in other words,
your browser does not allow you to download it), that means you have a
proxy issue and need to talk to your network administrator.
If you are able to download the file, that means VirusScan Enterprise
should be able to download it as well. Contact technical support for
assistance in troubleshooting your installation of VirusScan Enterprise.
If you are using a mirror site for updates, make sure that your mirror site is
pointing to the correct site for updates. If you are unsure, try changing your
settings to use the default Network Associates site.
I have some computers that will continue using VirusScan 4.5x and others
using VirusScan Enterprise 7.0. Can all the computers use the same
repository for DAT files?
Yes, a network of computers running multiple versions of VirusScan can all use the
same repository for DAT files. First, make sure that you are using the correct
directory structure in the repository list for VirusScan 4.5.x, then, make sure that
in the McAfee AutoUpdate Architect console, you have selected the option I want
to make my site compatible with legacy software. See the McAfee AutoUpdate
Architect Product Guide for more information.
http://update.nai.com/Products/CommonUpdater/catalog.z
If I do detect a virus and I have chosen “prompt user for action,” what
action should I choose (Clean, Delete, Move)?
Our general recommendation is to choose Clean if you are not sure what to do with
an infected file. The VirusScan Enterprise default action is to Clean a file, then Move
it.
-302: Failed to get the agent’s framework interface — The scheduler interface
is not available. Stop and restart the framework service.
-409: Master site not found — The master repository for the update is not
available, is inaccessible, or is in use. Attempt to manually download the
PKGCATALOG.Z file using the network protocol. If this fails, verify the path and
user credentials.
-414: Verify the Domain, User Name, and Password you provided are typed
correctly. Verify that the user account has permissions to the location where
the repository resides — While creating the repository, the credentials entered
were determined invalid when Verify was selected. Either now, or after the
repository is created, correct the credential information. Click Verify again.
Repeat this process until the credentials are verified.
-503: Product package not found — Update files are not present in the
repository or may be corrupt. Ensure that the repository is populated with the
update files. If these files are present, create a replication or pull task to
overwrite the current task setting. If the files were not present, populate the
repository, then attempt to update again.
-530: Site catalog not found — You performed a pull task from a repository
that does not have a catalog file, or contains a corrupted catalog file. To correct
this issue, verify that the source repository contains a valid catalog directory.
-531: Package catalog not found — The PKGCATALOG.Z was not found in the
repository. Try to download the file using the network protocol. If it cannot be
downloaded, perform a replication or pull task (depending on the type of
repository).
-602: Failed to upload file — You performed a pull task but the master
repository credentials or settings are invalid (or the location is not available).
Verify the credentials and location.
-804: Site status not found — You performed a replication task but the master
repository is not available (or the credentials are invalid). Verify that the
master repository is active, accessible, and that the credentials are valid.
-1113: Replication has been done partially — One or more repositories may
be inaccessible at the time of replication. Consequently, not all repositories are
up-to-date. Verify that all repositories are accessible and that no files are
marked as read-only, then perform the task again.
agent
See ePolicy Orchestrator agent.
agent host
See client computer.
Agent Monitor
A dialog box for prompting the agent to send properties or events to the ePolicy Orchestrator
server; enforce policies and tasks locally; check the ePolicy Orchestrator server for new or
updated policies and tasks, then enforce them immediately upon receipt.
agent policies
Settings that affect how the agent behaves.
agent-to-server communication
A communications technique where the agent contacts the server at a predefined interval to see
if there are any new policies or tasks for the agent to enforce or execute.
alert
A message or notification regarding computer activity such as virus detection. It can be sent
automatically according to a predefined configuration, to system administrators and users, via
e-mail, pager, or phone.
anti-virus policy
See policy.
archive
A compressed file that must be extracted prior to accessing the files within it.
AutoUpdate
The automatic updating program in McAfee Security anti-virus products; it automatically installs
updates to existing products or upgrades to new versions of products.
AVERT
Anti-Virus Emergency Response Team, a division of Network Associates, Inc., is an anti-virus
research center that supports the computing public and Network Associates customers by
researching the latest threats, and by uncovering threats that may arise in the future. It is
comprised of three integrated teams that provide Anti-Virus Services and Support, Virus
Analysis, and Advanced Virus Research.
background scanning
A type of on-access scanning, made possible by Microsoft VS API2, in which not all files are
scanned when accessed, reducing the workload of the scanner when it is busy. It scans databases
on which it has been enabled, for example, Mailbox store and Public Folder store.
Centralized Alerting
An alternative to using regular Alert Manager. Alert messages generated by anti-virus software,
such as VirusScan Enterprise 7.0, are saved to a shared folder on a server. Alert Manager is
configured to read alert notifications from that same folder. When the contents of the shared
folder change, Alert Manager sends new alert notifications using whatever alerting methods
Alert Manager is already configured to use, such as sending e-mail messages to a pager.
client computer
A computer on the client-side of the program.
client tasks
Tasks that are executed on client computers.
common framework
A common core technologies architecture to allow different McAfee Security products to share
the same common components and code. The architecture for this is referred to as the common
framework. The Scheduler, AutoUpdate, and ePolicy Orchestrator agent components are
common components that are part of the common framework.
computers
The physical computers on the network.
console tree
The left pane of the console, which contains all console tree items.
DAT files
Virus definition files that allow the anti-virus software to recognize viruses and related
potentially unwanted code embedded in files.
default process
In VirusScan Enterprise, any process that is not defined as a low-risk process or high-risk process.
deployment
Sending and installing products (and the agent) to groups, computers and users.
details pane
The right pane of the console, which shows details of the currently selected console tree item.
Depending on the console tree item selected, the details pane can be divided into upper and lower
panes.
directional scanning
Scanning where one appliance is dedicated to inbound scanning, and another appliance is
dedicated to outbound scanning.
Directory
Lists all computers to be managed via ePolicy Orchestrator, and is the link to the primary
interfaces for managing these computers.
download site
A repository from which you retrieve product or DAT updates.
EICAR
European Institute of Computer Anti-Virus Research has developed a string of characters that can
be used to test the proper installation and operation of anti-virus software.
events
Generated by supported products, events identify activity on client computers, from service
events to infection detection events. Each event is assigned a severity from informational to
critical. Events and properties comprise the data that appears on reports and queries.
EXTRA.DAT file
Supplemental virus definition file that is created in response to an outbreak of a new virus or a
new variant of an existing virus.
See also DAT files, incremental DAT files, and SuperDAT.
fallback repository
The repository from which client computers retrieve updates when none of the repositories in
their repository list (SITELIST.XML) are available. Only one fallback repository can be defined.
firewall
A program that acts as a filter between your computer and the network or Internet. It can scan all
traffic arriving at your computer (incoming traffic) and all traffic sent by your computer (outgoing
traffic). It scans traffic at the packet level, and either blocks it or allows it, based on rules that you
set up.
FRAMEPKG.EXE
The agent installation package. When it executes, this file installs the ePolicy Orchestrator agent
on a client computer.
frequency
The repetitive interval for which you want to schedule the task.
global administrator
A user account with read, write, and delete permissions, and rights to all operations. Operations
that affect the entire installation are reserved for use only by global administrator user accounts.
global reviewer
A user account with read-only permissions; the global reviewer can view all settings in the
software, but cannot change any of these settings.
Compare to site reviewer and global administrator.
global updating
A method for deploying product updates as soon as the corresponding packages are checked into
the master repository. Packages are immediately replicated to all SuperAgent and global
distributed repositories; the ePolicy Orchestrator server sends a wakeup call to all SuperAgents;
SuperAgents send a broadcast wakeup call to all agents in the same subnet; then all agents
retrieve the update from the nearest repository.
group
In the console tree, a logical collection of entities assembled for ease of management. Groups can
contain other groups or computers. You can assign IP address ranges or IP subnet masks to
groups to sort computers by IP address. If you create a group by importing a Windows NT
domain, you can automatically send the agent installation package to all imported computers in
the domain.
high-risk process
In VirusScan Enterprise, these are processes that McAfee Security considers to have a higher
possibility of being infected.
inactive agent
An agent that has not communicated with the ePolicy Orchestrator server within a specified time
period.
inheritance
See task inheritance and policy inheritance.
item
See console tree item.
joke program
A non-replicating program that may alarm or annoy an end user, but does not do any actual harm
to files or data.
log
A record of the activities of a component of McAfee anti-virus software. Log files record the
actions taken during an installation or during the scanning or updating tasks.
Lost&Found group
A location on the ePolicy Orchestrator server for computers whose appropriate location in the
Directory cannot be determined. The server uses the IP management settings, computer names,
domain names, and site or group names to determine where to place computers. Only global
administrators have full access to the global Lost&Found; site administrators can access only
Lost&Found groups in sites for which they have rights.
low-risk process
In VirusScan Enterprise, these are processes that McAfee Security considers to have a lower
possibility of being infected.
See also default process and high-risk process.
macro virus
A malicious macro — a saved set of instructions created to automate tasks within certain
applications or systems — that can be executed inadvertently, causing damage or replicating
itself.
master repository
The ePolicy Orchestrator server; it maintains an original copy of the packages in the source
repository, and can replicate packages to distributed repositories. At the master repository level,
you can check in product and product update packages; schedule tasks to replicate packages to
global or SuperAgent distributed repositories; and schedule tasks to pull packages from source or
fallback repositories, and integrate them into the master repository.
mirror task
Tasks that copy the contents of the first repository in the repository list to the local directory you
specify on the client computer.
.MSI file
A Microsoft Windows Installer package that includes installation and configuration instructions
for the software being deployed.
.NAP file
Network Associates Package file. This file extension is used to designate McAfee software
program files that are installed in the software repository for ePolicy Orchestrator to manage.
node
See console tree items.
on-access scanning
An examination of files in use to determine if they contain a virus or other potentially unwanted
code. It can take place whenever a file is read from the disk and/or written to the disk.
on-demand scanning
A scheduled examination of selected files to determine if a virus or other potentially unwanted
code is present. It can take place immediately, at a future scheduled time, or at regularly
scheduled intervals.
package
Contains binary files, detection and installation scripts, and a package catalog (PKGCATALOG.Z)
file used to install products and product updates.
packed executable
A packed executable is a file that, when run, extracts itself into memory only. Packed
executable files are never extracted to disk.
pane
A subsection of the console.
policy
Configuration settings for each product that can be managed via ePolicy Orchestrator, and that
determine how the product behaves on client computers.
Compare to task. See also agent policies.
policy inheritance
Determines whether the policy settings for any one console tree item under the Directory are
taken from the item directly above it.
policy pages
Part of the ePolicy Orchestrator console; they allow you to set policies and create scheduled tasks
for products, and are stored on individual ePolicy Orchestrator servers (they are not added to the
master repository).
properties
Properties are attributes or characteristics of an object used to define its state, appearance, or
value.
pull task
See Repository Pull server task.
quarantine
Enforced isolation of a file or folder to prevent infection by a virus. VirusScan Enterprise
quarantines infected files or folders until action can be taken to clean or remove the item.
randomization
A random point within an interval of time that you set for a scheduled task.
real-time scanning
See on-access scanning.
remote console
The console running on a computer that does not have the ePolicy Orchestrator server running
on it. Remote consoles allow more than one person access to the server to review actions or to
manage sites and installations.
replication task
See Repository Replication server task.
repository
The location that stores policy pages used to manage products.
repository list
The SITELIST.XML file that McAfee anti-virus products using AutoUpdate 7.0 use to access
distributed repositories and retrieve packages from them.
scan action
The action that takes place when an infected file is found.
scanning
An examination of files to determine if a virus or other potentially unwanted code is present.
selective updating
Specifying which version (Evaluation, Current, or Previous) of updates you want client
computers to retrieve.
server tasks
Tasks that the server performs for maintenance on the ePolicy Orchestrator database and
Repository. Default server tasks include Inactive Agent Maintenance, Repository Pull,
Repository Replication, and Synchronize Domains.
silent installation
An installation method that installs a software package onto a computer silently, without need for
user intervention.
site
In the console tree, a logical collection of entities assembled for ease of management. Sites can
contain groups or computers, and can be organized by IP address range, IP subnet mask, location,
department, and others.
site administrator
A user account with read, write, and delete permissions, and rights to all operations (except those
restricted to the global administrator) on the specified site and all groups and computers
underneath it on the console tree.
site reviewer
A user account with read-only permissions; the site reviewer can view the same settings as the
site administrator, but cannot change any of these settings.
Compare to global reviewer and site administrator.
source repository
A location from which a master repository retrieves packages.
SPIPE
Secured PIPE, a secured communications protocol used by ePolicy Orchestrator servers.
SuperAgent
An agent with the ability to contact all agents in the same subnet as the SuperAgent, using the
SuperAgent wakeup call. It is used in global updating and supports distributed software
repositories, alleviating the need for a dedicated server. It provides a bandwidth-efficient method
of sending agent wakeup calls.
SuperDAT
A utility that installs updated virus definition (SDAT*.EXE) files and, when necessary, upgrades the
scanning engine.
See also DAT files, EXTRA.DAT file, and incremental DAT files.
system scan
A scan of the designated system.
task
An activity (both one-time such as on-demand scanning, and routine such as updating) that is
scheduled to occur at a specific time, or at specified intervals.
Compare to policy.
task inheritance
Determines whether the client tasks scheduled for any one console tree item under the Directory
are taken from the item directly above it.
Trojan horse
A program that either pretends to have, or is described as having, a set of useful or desirable
features, but actually contains a damaging payload. Trojan horses are not technically viruses,
because they do not replicate.
update package
Package files from Network Associates that provide updates to a product. All packages are
considered product updates with the exception of the product binary (Setup) files.
update site
The repository from which you retrieve product or DAT updates.
updating
The process of installing updates to existing products or upgrading to new versions of products.
user accounts
The ePolicy Orchestrator user accounts include global administrator, global reviewer, site
administrator, and site reviewer. Administrator-level user accounts have read, write, and delete
permissions; reviewer-level user accounts have read-only permissions.
See also global administrator, global reviewer, site administrator, and site reviewer.
UTC time
Coordinated Universal Time (UTC). This refers to time on the zero or Greenwich meridian.
virus
A program that is capable of replicating with little or no user intervention, and whose
replicated copies also replicate further.
virus-scanning engine
The mechanism that drives the scanning process.
warning priority
The value that you assign each alert message for informational purposes. Alert messages can be
assigned a Critical, Major, Minor, Warning, or Informational priority.
worm
A virus that spreads by creating duplicates of itself on other drives, systems, or networks.