Product Guide
Revision 1.0

VirusScan® Enterprise version 7.1.0

COPYRIGHT
© 2003 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972-963-8000.

TRADEMARK ATTRIBUTIONS
Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Appera, AVERT, Bomb Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert, Design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, E and Design, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy Orchestrator, Event Orchestrator (in Katakana), EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HelpDesk IQ, HomeGuard, Hunter, Impermia, InfiniStream, Intrusion Prevention Through Innovation, IntruShield, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and design, Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, MultiMedia Cloaking, NA Network Associates, Net Tools, Net Tools (in Katakana), NetAsyst, NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Performance Orchestrator, Network Policy Orchestrator, NetXray, NotesGuard, nPO, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PortalShield, Powered by SpamAssassin, PrimeSupport, Recoverkey, Recoverkey – International, Registry Wizard, Remote Desktop, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, SecureSelect, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller, SpamAssassin, Stalker, SupportMagic, ThreatScan, TIS, TMEG, Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail, UnInstaller, VIDS, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, What's The State Of Your IDS?, Who’s Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer® brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions
This product includes or may include:
Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
Cryptographic software written by Eric A.
Young ([email protected]) and software written by Tim J. Hudson ([email protected]).
Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier. All rights reserved.
Software written by Douglas W. Sauder.
Software developed by the Apache Software Foundation (http://www.apache.org/).
International Components for Unicode (“ICU”) Copyright © 1995-2002 International Business Machines Corporation and others. All rights reserved.
Software developed by CrystalClear Software, Inc., Copyright © 2000 CrystalClear Software, Inc.
FEAD® Optimizer® technology, Copyright Netopsystems AG, Berlin, Germany.

Issued SEPTEMBER 2003 / VirusScan® Enterprise software version 7.1.0
DOCUMENT BUILD 011-EN

Contents

Preface
  Audience
  Conventions
  Getting information
  Contacting McAfee Security & Network Associates

1 Introducing VirusScan Enterprise
  What’s new in this release
  Product components

2 Getting Started
  Orientation to the user interface
    Start menu
    VirusScan Console
      Menu bar
        Task menu
        Edit menu
        View menu
        Tools menu
        Help menu
      Toolbar
      Task list
      Status bar
    Right-click menus
      Right-click menus from the console
      Right-click scan
    System tray
      Right-click scan or update from the system tray
    Command line
  Setting user interface options
    Display options
    Password options
    Unlocking and locking the user interface
  Setting up scanning operations
    On-access scanning vs. on-demand scanning
    Scanning automatically
    Scanning periodically, selectively, or on schedule
  Virus Information Library
  Submitting a virus sample
  Setting up remote administration

3 On-Access Scanning
  Configuring the on-access scanner
    On-access scan properties
    General settings
      General properties
      Message properties
      Report properties
    Process settings
    Default processes
      Process properties
      Detection properties
      Advanced properties
      Action properties
    Low-risk and high-risk processes
      Assigning risk to a process
      Process properties
      Detection properties
        Adding file type extensions
        Adding user-specified file type extensions
        Excluding files, folders, and drives
      Advanced properties
      Action properties
  Viewing scan results
    Viewing scan statistics
    Viewing the activity log
  Responding to virus detections
    Receiving notification of virus detections
    Viewing on-access scan messages
    Taking action on virus detections

4 On-Demand Scanning
  Creating on-demand tasks
    Creating tasks from the start menu or system tray
    Creating tasks from the console
  Configuring on-demand tasks
    Where properties
      Adding, removing, and editing items
        Adding items
        Removing items
        Editing items
    Detection properties
    Advanced properties
    Action properties
    Report properties
    Resetting or saving default settings
  Scheduling on-demand tasks
  Scanning operations
    Running on-demand tasks
    Pausing and restarting on-demand tasks
    Stopping on-demand tasks
    Resumable scanning
  Viewing scan results
    Viewing scan statistics
    Viewing the activity log
  Responding to virus detections
    Receiving notification of virus detections
    Taking action on virus detections
      VirusScan Alert dialog box
      On-Demand Scan Progress dialog box

5 E-mail Scanning
  On-delivery e-mail scan
    Configuring the on-delivery e-mail scan for a local or remote host
    Configuring the on-delivery e-mail scan properties
      Detection properties
      Advanced properties
      Action properties
      Alert properties
      Report properties
    Viewing on-delivery e-mail scan results
      Viewing on-delivery e-mail scan statistics
      Viewing the on-delivery e-mail activity log
  On-demand e-mail scan
    Configuring the on-demand e-mail task
      Detection properties
      Advanced properties
      Action properties
      Alert properties
      Report properties
    Running the on-demand e-mail task
    Viewing on-demand e-mail scan results
      Viewing the on-demand e-mail activity log

6 Virus Alerting
  Configuring Alert Manager
    Configuring recipients and methods
      Overview of adding alert methods
        Sending a test message
        Setting the alert priority level for recipients
      Viewing the Summary page
      Forwarding alert messages to another computer
      Sending an alert as a network message
      Sending alert messages to e-mail addresses
      Sending alert messages to a printer
      Sending alert messages via SNMP
      Launching a program as an alert
      Logging alert notifications in a computer’s event log
      Sending a network message to a terminal server
      Using Centralized Alerting
    Customizing alert messages
      Enabling and disabling alert messages
      Editing alert messages
        Changing alert priority
        Editing alert message text
        Using Alert Manager system variables

7 Updating
  Update strategies
  System variables
  AutoUpdate tasks
    AutoUpdate task overview
    Creating an AutoUpdate task
    Configuring an AutoUpdate task
    Running AutoUpdate tasks
      Running the update task
      Activities that occur during an update task
    Viewing the activity log
  AutoUpdate repository list
    AutoUpdate repositories
    Configuring the AutoUpdate repository list
      Importing the AutoUpdate repository list
      Editing the AutoUpdate repository list
        Adding and editing repositories
        Removing and reorganizing repositories
        Specifying proxy settings
  Mirror tasks
    Creating a mirror task
    Configuring a mirror task
    Running mirror tasks
    Viewing the mirror task activity log
  Rollback DAT files
  Manual updates
    Updating from DAT file archives

8 Scheduling Tasks
  Configuring task schedules
    Task properties
    Schedule properties
      Schedule task frequencies
      Advanced schedule options
      Scheduling tasks by frequency
        Daily
        Weekly
        Monthly
        Once
        At System Startup
        At Logon
        When Idle
        Run Immediately
        Run On Dialup

A Command-Line Scanner Program
  VirusScan Enterprise command-line options
  On-demand scanning command-line options
  Customized installation properties

B Secure Registry
  Registry keys requiring write access

C Troubleshooting
  Minimum Escalation Tool
  Frequently asked questions
    Installation questions
    Scanning questions
    Virus questions
    General questions
  Updating error codes

Glossary

Index

Preface

This guide introduces McAfee® VirusScan® Enterprise software version 7.1.0, and provides the following information:
Overview of the product.
Descriptions of product features.
Descriptions of all new features in this release of the software.
Detailed instructions for configuring and deploying the software.
Procedures for performing tasks.
Troubleshooting information.
Glossary of terms.

Audience

This information is intended primarily for two audiences:
Network administrators who are responsible for their company’s anti-virus and security program.
Users who are responsible for updating virus definition (DAT) files on their computer, or configuring the software’s detection options.

Conventions

This guide uses the following conventions:

Bold
All words from the user interface, including options, menus, buttons, and dialog box names.
Example: Type the User name and Password of the desired account.

Courier
Text that represents something the user types exactly; for example, a command at the system prompt.
Example: To enable the agent, run this command line on the client computer:
    FRMINST.EXE /INSTALL=AGENT /SITEINFO=C:\TEMP\SITELIST.XML

Italic
Names of product manuals and topics (headings) within the manuals; emphasis; introducing a new term.
Example: Refer to the VirusScan Enterprise Product Guide for more information.

<TERM>
Angle brackets enclose a generic term.
Example In the console tree under ePolicy Orchestrator, right-click <SERVER>. 10 NOTE Supplemental information; for example, an alternate method of executing the same command. WARNING Important advice to protect a user, computer system, enterprise, software installation, or data. VirusScan® Enterprise software version 7.1.0 Getting information Getting information Installation Guide *† System requirements and instructions for installing and starting the software. VirusScan Enterprise 7.1.0 Installation Guide Product Guide * Product introduction and features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures. VirusScan Enterprise 7.1.0 Product Guide Help § High-level and detailed information on configuring and using the software. What’s This? field-level help. Configuration Guide * For use with ePolicy Orchestrator™. Procedures for configuring, deploying, and managing your McAfee Security product through ePolicy Orchestrator management software. Implementation Guide * Supplemental information for product features, tools, and components. Release Notes ‡ ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation. Contacts ‡ Contact information for McAfee Security and Network Associates services and resources: technical support, customer service, AVERT (Anti-Virus Emergency Response Team), beta program, and training. This file also includes phone numbers, street addresses, web addresses, and fax numbers for Network Associates offices in the United States and around the world. * † ‡ § An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site. A printed manual that accompanies the product CD. Note: Some language manuals may be available only as a .PDF file. Text files included with the software application and on the product CD. 
Help accessed from the software application: Help menu and/or Help button for page-level help; right-click option for What’s This? help. Product Guide 11 Preface Contacting McAfee Security & Network Associates Technical Support Home Page http://www.networkassociates.com/us/support/ KnowledgeBase Search https://knowledgemap.nai.com/phpclient/homepage.aspx PrimeSupport Service Portal * http://mysupport.nai.com McAfee Security Beta Program http://www.networkassociates.com/us/downloads/beta/ Security Headquarters — AVERT (Anti-Virus Emergency Response Team) Home Page http://www.networkassociates.com/us/security/home.asp Virus Information Library http://vil.nai.com Submit a Sample — AVERT WebImmune https://www.webimmune.net/default.asp AVERT DAT Notification Service http://www.networkassociates.com/us/downloads/updates/ Download Site Home Page http://www.networkassociates.com/us/downloads/ DAT File and Engine Updates http://www.networkassociates.com/us/downloads/updates/ ftp://ftp.nai.com/pub/antivirus/datfiles/4.x Product Upgrades * https://secure.nai.com/us/forms/downloads/upgrades/login.asp Training McAfee Security University http://www.networkassociates.com/us/services/education/mcafee/unive rsity.htm Network Associates Customer Service E-mail [email protected] Web http://www.nai.com/us/index.asp http://www.networkassociates.com/us/products/mcafee_security_home .htm US, Canada, and Latin America toll-free: Phone +1-888-VIRUS NO or +1-888-847-8766 Monday – Friday, 8 a.m. – 8 p.m., Central Time For additional information on contacting Network Associates and McAfee Security— including toll-free numbers for other geographic areas — see the Contact file that accompanies this product release. * Logon credentials required. Technical Support 12 VirusScan® Enterprise software version 7.1.0 1 Introducing VirusScan Enterprise The VirusScan Enterprise 7.1.0 software provides protection from viruses for both servers and workstations. 
The software offers easy scalable protection, fast performance, and mobile design. You can specify scanning of local and network drives, as well as Microsoft Outlook e-mail messages and attachments, configure the application to respond to any infections the scanner finds, and generate reports on its actions.

The VirusScan Enterprise software is a replacement for:
VirusScan version 4.5.1 software for workstations.
NetShield® NT version 4.5 software for servers.
NetShield for Celerra™ version 4.5 for Celerra™ filers.
VirusScan Enterprise version 7.0 for workstations and servers.

This Product Guide provides information on configuring and using the VirusScan Enterprise software. For system requirements and installation instructions, refer to the VirusScan Enterprise Installation Guide.

The following topics are addressed in this section:
What’s new in this release
Product components

What’s new in this release

This release of VirusScan Enterprise includes the following enhancements:

Check Point™ VPN-1®/FireWall-1® SCV integration — The VirusScan Enterprise software has been enhanced to integrate with Check Point VPN-1/FireWall-1 SCV. When installed and enabled, the Check Point product can be configured to prevent clients without up-to-date anti-virus protection from accessing the corporate network through the Virtual Private Network (VPN). See the VirusScan Enterprise 7.1.0 Installation Guide for more information about configuring Check Point.

McAfee Installation Designer™ and McAfee Desktop Firewall™ integration — Use McAfee Installation Designer to configure McAfee Desktop Firewall with VirusScan Enterprise 7.1.0. After configuration, you can deploy both products together and reduce restarts to a maximum of one. See the McAfee Installation Designer Product Guide for more information.

Smaller installation package — The VirusScan Enterprise installation package has been optimized using Netopsystems’ Fast Electronic Application Distribution (FEAD® Optimizer®) technology. This reduces network bandwidth required in deployments. You can use McAfee Installation Designer 7.1 or later to recompose the package, then optimize the package again after changes have been made. When executing SETUP.EXE from the command line, you can apply special commands and switches to recompose the installation files. See the VirusScan Enterprise 7.1.0 Installation Guide for more information about configuring Netopsystems’ FEAD Optimizer.

Engine and DAT files are contained in the .MSI file — The engine and DAT files have been added to the .MSI file for VirusScan Enterprise 7.1.0. This allows customers to deploy the product using a single .MSI file.

Visibility of ePolicy Orchestrator tasks — If you are using ePolicy Orchestrator 3.0 or later to manage the VirusScan Enterprise software, you can view ePolicy Orchestrator tasks for on-demand scan, update, and mirror in the VirusScan Console. This allows users to see all tasks running on their computers and also aids administrators and help desk operators in debugging ePolicy Orchestrator tasks over the phone. See the VirusScan Enterprise 7.1.0 Configuration Guide for use with ePolicy Orchestrator 3.0 for details about enabling ePolicy Orchestrator task visibility.

Product components

The VirusScan Enterprise software consists of several components that are installed as features. Each feature plays a part in defending your computer against viruses and other potentially unwanted software. The features are:

VirusScan Console. The console is the control point that allows you to create, configure, and run VirusScan Enterprise tasks.
A task can include anything from running a scan operation on a set of drives at a specific time or interval, to running an update operation. You can also enable or disable the on-access scanner from the console if you have administrator rights and, if required, type the password. See VirusScan Console on page 19.

On-access scanner. The on-access scanner gives you continuous anti-virus protection from viruses that arrive on disks, from your network, or from various sources on the Internet. The scanner is fully configured upon installation of the software; it starts when you start your computer, and stays in memory until you shut down. The scanner provides process-based scanning that allows scanning policies to be linked to applications such as Internet Explorer. A flexible set of property pages lets you configure the scanner to determine which parts of your system to examine, what to look for, which parts to leave alone, and how to respond to any infected files the scanner finds. In addition, the scanner can alert you when it finds a virus, and can generate reports that summarize each of its actions. See On-Access Scanning on page 39.

On-demand scanner. The on-demand scanner allows you to initiate a scan at any time; specify scan targets and exclusions; determine how you want the scanner to respond when it detects a virus; and see virus incident reports and alerts. You can also create scan tasks that run at a specific time or within a specified interval. You can define as many different on-demand scan tasks as you require, then preserve the configured tasks for reuse. See On-Demand Scanning on page 85.

E-mail scanner. The e-mail scanner allows you to scan your Microsoft Outlook messages, attachments, or public folders to which you have access, directly on the computer. If Outlook is running, e-mail is scanned on-delivery. You can also perform an on-demand e-mail scan at any time. This allows you to find potential infections before they make their way to your desktop.
See E-mail Scanning on page 115.

AutoUpdate. The AutoUpdate feature allows you to update virus definition (DAT) files and the scanning engine automatically, then distribute those updates to computers on your network. You can also use this feature to download HotFixes. Depending on the size of your network, you can designate one or more trusted computers, including one that hosts your internal HTTP site, to download new files automatically from the Network Associates HTTP web site. See Updating on page 187.

NOTE AutoUpdate is one of the common core (common framework) technologies used by many products.

Scheduler. This feature allows you to schedule on-demand, update, and mirror tasks at specific times or intervals. See Scheduling Tasks on page 221.

NOTE The scheduler is one of the common core (common framework) technologies used by many products.

Alert Manager. The Alert Manager™ product gives you the ability to receive or send virus related alert messages. After it is installed, you can configure Alert Manager to notify you as soon as the scanner detects a virus on the computer, via e-mail, a printer, SNMP traps, or by other means. By default, Alert Manager is not preconfigured; you must configure the software before you can receive or send virus related alert messages. See Virus Alerting on page 149 for specific details.

Command-line scanner. The command-line scanner can be used to initiate targeted scan operations from the Command Prompt dialog box. SCAN.EXE, a scanner for Windows NT environments only, is the primary command-line interface. Ordinarily, you can use the VirusScan Enterprise interface to perform most scanning operations, but if you have trouble starting Windows or if the VirusScan Enterprise features do not run in your environment, you can use the command-line scanner as an alternative. See Command-Line Scanner Program on page 239.

2 Getting Started

After you have installed the VirusScan Enterprise software, you can configure the features.

The following topics are addressed in this section:
Orientation to the user interface
Setting user interface options
Setting up scanning operations
Virus Information Library
Submitting a virus sample
Setting up remote administration

Orientation to the user interface

The VirusScan Enterprise software gives you the flexibility of performing an action using several different methods. Although the specific details may vary, many of the actions may be performed from the console, the toolbar, a menu, or the desktop. Each of these methods is detailed in the following sections.

These interfaces are addressed in this section:
Start menu
VirusScan Console
Right-click menus
System tray
Command line

Start menu

You can use the Start menu to:
Access Alert Manager configuration, if Alert Manager is installed.
Access the VirusScan Console.
Open the on-access scan property pages.
Open the on-demand scan property pages. This is a one-time unsaved on-demand scan.

Click Start, select Programs|Network Associates, then select a feature.

Figure 2-1. VirusScan — Start menu

VirusScan Console

The VirusScan Console is the control point for all of the program’s activities. Use either of these methods to open the VirusScan Console:
Click Start, select Programs|Network Associates|VirusScan Console.
Right-click the VShield icon in the system tray, then select VirusScan Console.

Figure 2-2. The VirusScan Console (callouts: Menu bar, Toolbar, Task list, Status bar)

The following topics are addressed in this section:
Menu bar
Toolbar
Task list
Status bar

Menu bar

The VirusScan Console includes menus with commands that allow you to create, delete, configure, run, start, stop, and copy scan tasks to suit your most demanding security needs. You can also connect and disconnect from a remote VirusScan Enterprise computer. All of the commands are available from the menus. Some commands are also available when you right-click a task in the VirusScan Console.

The following menus are addressed in this section:
Task menu
Edit menu
View menu
Tools menu
Help menu

Task menu

Use the Task menu to create and configure tasks, and view statistics and activity logs.

Figure 2-3. Task menu

NOTE The menu items Start, Stop, Disable, Delete, Rename, Statistics, Activity Log, and Properties apply to the selected task.

Edit menu

Use the Edit menu to copy and paste selected tasks.

Figure 2-4. Edit menu

View menu

Use the View menu to specify whether to show the toolbar and status bar, or refresh the console.

Figure 2-5. View menu

Tools menu

Use the Tools menu to configure alerts, launch the event viewer, specify user interface options, lock or unlock user interface security, connect or disconnect a computer when configuring a remote console, import or edit the repository list, and roll back DAT files to a previous version.

Figure 2-6. Tools menu

Help menu

Use the Help menu to access online Help topics, the virus information library, or the Technical Support web site. You can also submit a sample virus to the Anti-Virus Emergency Response Team (AVERT). The About dialog box gives you product, DAT file version, and scanning engine information.

Figure 2-7. Help menu

Toolbar

The toolbar gives you quick access to many commands just by clicking an icon. The icons are:
Connect to a computer.
Disconnect from a computer.
Create a new task.
Display properties of the selected item.
Copy the selected item.
Paste the selected item.
Delete the selected item.
Start the selected item.
Stop the selected item.
Access the Virus Information Library.
Open the event viewer.
Configure alerting options.

Task list

The VirusScan Console includes a list of tasks that VirusScan Enterprise can perform. A task is a set of instructions to run a program or scan operation, in a specific configuration, at a certain time.

Figure 2-8. Task list

To configure a task, select the task, then click or double-click the task to open its property pages.

The following default tasks come with the VirusScan Enterprise software:

On-Access Scan. This task allows you to perform automatic on-access scanning. This task is unique and cannot be copied. To configure the on-access scanner, see On-Access Scanning on page 39.

AutoUpdate. This task allows you to download the latest virus definition (DAT) files and scanning engine. You can use this default update task and create other update tasks to meet your requirements. To create, configure, and schedule update tasks, see Updating on page 187.

E-mail Scan. This task allows you to perform on-delivery e-mail scanning. This task is unique and cannot be copied. To configure an on-delivery or on-demand e-mail task, see E-mail Scanning on page 115.

Scan All Fixed Disks. This task allows you to perform on-demand scanning. You can use this default on-demand scan task and create others to meet your requirements. To create, configure, and schedule on-demand tasks, see On-Demand Scanning on page 85.

Other tasks that you create from the VirusScan Console are added to the task list. For example:

New mirror task. This task allows you to create a mirror site for use in downloading update files. You can create any number of mirror tasks.
For more information about mirror tasks, see Mirror tasks on page 212.

In addition, you can view tasks created via ePolicy Orchestrator if you choose to do so.

ePO Task - task name. If you are using ePolicy Orchestrator 3.0 or later to manage the VirusScan Enterprise software, you can choose to view ePolicy Orchestrator tasks in the VirusScan Console. This applies to on-demand, update, and mirror tasks. See the VirusScan Enterprise Configuration Guide for use with ePolicy Orchestrator 3.0 for information about enabling ePolicy Orchestrator task visibility.

Status bar

The status bar shows the status of the current activity.

Right-click menus

Use right-click menus for quick access to commonly used actions, such as creating new tasks, viewing task statistics and logs, opening task property pages, or scanning a specific file or folder for viruses.

Right-click menus from the console. The right-click menus available from the VirusScan Console vary, depending on whether you have selected a task in the task list, and on which task you select. See Right-click menus from the console on page 25 for details.

Right-click scan. This right-click scan feature allows you to select a specific file or folder and immediately scan it for viruses. See Right-click scan on page 25 for details.

Right-click scan from the system tray. This right-click scan feature allows you to create a one-time, unsaved on-demand scan task. See Right-click scan or update from the system tray on page 26 for details.

Right-click menus from the console

You have these options when you right-click an item in the task list:

On-access Scan. If you right-click the on-access scan task in the task list, you can enable or disable the task, view task statistics, view the activity log, and open the property pages.

Update. If you right-click an update task in the task list, you can start or stop the task, delete the task, rename the task, view the activity log, and open the property pages.

E-mail Scan. If you right-click an e-mail scan task in the task list, you can enable or disable the task, view task statistics, view the activity log, and open the property pages.

On-demand Scan. If you right-click an on-demand scan task in the task list, you can start or stop the task, copy or paste the task, delete the task, rename the task, view task statistics, view the activity log, and open the property pages.

When you right-click a blank area in the console, without selecting an item in the task list, you can perform these actions:

New Scan task. Create a new on-demand scan task.
New Update task. Create a new update task.
New Mirror task. Create a new mirror task.
Paste. Paste a copied task into the task list.
User Interface options. Access the User Interface Options property pages. See Setting user interface options on page 27 for information about setting these options.

Right-click scan

You can perform an immediate on-demand scan of a selected file or folder by right-clicking on the file or folder in Windows Explorer, then selecting Scan for viruses. This is also known as shell extension scan. The on-demand scanner is invoked directly with all scan settings, such as archive scanning, heuristic scanning, and other options, enabled. This is useful if you are concerned that a specific folder or file may be infected.

If a file or folder is found to be infected, it is displayed in a list view with the details of the infected item at the bottom of the scanning dialog box. You can take action on the infected item by right-clicking on it in the list view, and selecting either the clean, delete, or move action.

You cannot customize scan options when performing a right-click scan.
To customize the scan options or create a new on-demand scan task, see Creating on-demand tasks on page 86 for more information.

System tray

The on-access scanner installs and activates itself by default when you perform a typical installation. Once active, the scanner displays the Vshield icon in the Windows system tray.

Double-click the icon in the system tray to view On-Access Scan Statistics.

Right-click scan or update from the system tray

Use this feature to create a one-time, unsaved on-demand scan or update task. This is useful when you want to quickly scan a drive, folder, or file at a time other than your regularly scheduled on-demand scan or perform an immediate update.

Right-click the icon in the system tray to display the menu.

Figure 2-9. System tray menu

The system tray menu includes these options:

VirusScan Console. Display the VirusScan Console.

Disable On-Access Scan. Deactivate the on-access scanner. This function toggles between Disable On-Access Scan and Enable On-Access Scan.

On-Access Scan Properties. Open the on-access scanner property pages to configure the on-access scanner.

On-Access Scan Statistics. View on-access scanner statistics. You can enable or disable the on-access scanner or open the on-access scanner property pages.

On-Access Scan Messages. View the on-access scanner messages. You can remove a message, clean a file, delete a file, or move a file.

On-Demand Scan. Open the on-demand scanner property pages to configure the on-demand scanner to perform a one-time unsaved on-demand scan.

Update Now. Perform an immediate update of the default update task.

NOTE Update Now only works with the default update task which was created when you installed the product. You can rename and reconfigure the default update task, but if you delete the default task, Update Now becomes disabled.

About VirusScan Enterprise. View specific information about the installed software, such as virus definition (DAT) file and scanning engine version numbers, as well as license information for the product.

Command line

Use the command line feature to perform activities from the Command Prompt. See Command-Line Scanner Program on page 239 for more information.

Setting user interface options

Use these options to specify display and password settings when installing the program, through McAfee Installation Designer, or from the Tools menu in the VirusScan Console after installation. This section describes how to set the display and password options from the console.

The following topics are addressed in this section:
Display options
Password options
Unlocking and locking the user interface

Display options

The Display Options dialog box allows you to determine which system tray options users can access and set refresh time for the local console.

To set display options from the console:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|User Interface Options|Display Options.

Figure 2-10. Display Options

3 Determine which system tray options you want users to see. Under System tray icon, select an option:

Show the system tray icon with all menu options. This option is selected by default. Allow users to see all menu options on the system tray.

Show the system tray icon with minimal menu options. Limit the right-click menu items to only the About and On-Access Scan Statistics items. All other menu items are hidden on the right-click menu.

Do not show the system tray icon. Do not allow users to have access to the system tray icon.

4 Under Local console refresh time, select the frequency, in seconds, for which you want to refresh the console.

5 Click Apply, then OK to save your changes and close the dialog box.

Password options

The Password Options dialog box allows you to set a security password for the entire system or for only the tabs and controls you select. The same password is used for all the selected tabs and controls. Setting a password has the following impact for users:

Non-administrators — Users who do not have Windows NT administrator rights. Non-administrators always run all VirusScan Enterprise applications in read-only mode. They can view some configuration parameters, run saved scan tasks, and run immediate scans and updates. They cannot change any configuration parameters or create, delete, or modify saved scan and update tasks.

Administrators — Users who have Windows NT administrator rights. If a password is not set, administrators run all VirusScan Enterprise applications in read/write mode. They can view and change all configuration parameters, run tasks, and create, delete, and modify saved scan and update tasks. If a password is set, administrators see the protected tabs and controls in read-only mode if they have not entered the security password. Administrators can lock or unlock the user interface through the console. See Unlocking and locking the user interface on page 32 for more information.

NOTE A locked red padlock indicates a password is required for the item. An unlocked green padlock indicates the item is read/write accessible.

To set password options from the console:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|User Interface Options|Password Options.

Figure 2-11. Password Options

3 Choose one of these options:

No password. This option is selected by default.

Password protection for all items listed below. Users must type the specified password before they can access any locked tabs or controls in the software.
Select Password protection for all items listed below.
Type and confirm the password.

Password protection for the selected items below. Users must type the specified password before they can access the items you lock here. Items not locked do not require a password.
Select Password protection for the selected items below.
Type and confirm the password.
Select all the items for which this password applies.

4 Click Apply to save your changes.

5 Click OK.

WARNING If the Console and Miscellaneous password item is locked, you cannot perform the following:

Enable or disable on-access scanning — The menu items to enable and disable on-access scanning, and equivalent toolbar icons, are disabled. In addition, the Disable button on the VirusScan On-Access Scan Statistics dialog box is disabled.

Enable or disable e-mail scanning — The menu items to enable and disable e-mail scanning, and equivalent toolbar icons, are disabled. In addition, the Disable button on the VirusScan On-Delivery E-mail Scan Statistics dialog box is disabled.

Create a new on-demand scan task, update task, or mirror task — The menu items to create new tasks, and equivalent toolbar icons, are disabled. In addition, for on-demand scanning tasks, the Save As and Save As Default buttons on the VirusScan On-Demand Scan Properties dialog box are disabled.

Delete a task — The menu item to delete a task and equivalent toolbar icon are disabled.

Rename a task — The menu item to rename a task and equivalent toolbar icon are disabled.

Copy or paste a task — The menu items to copy and paste a task, and equivalent toolbar icons, are disabled.

Roll back the DAT files — The menu item to roll back the DAT files is disabled.

Unlocking and locking the user interface

Administrators can unlock and lock protected tabs and controls through the console.

NOTE If password protection is selected for any item, the User Interface Options dialog box is automatically protected as well. If password protection has been set for any item and the user logs out, the user interface is automatically locked again.

To unlock the user interface:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|Unlock User Interface.

Figure 2-12. Security Password

3 Type the password.

4 Click OK.

To lock the user interface:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Tools|Lock User Interface.

Setting up scanning operations

The VirusScan Enterprise software provides different types of scanning for different needs.

The following topics are addressed in this section:
On-access scanning vs. on-demand scanning
Scanning automatically
Scanning periodically, selectively, or on schedule

On-access scanning vs. on-demand scanning

The VirusScan Enterprise software provides two types of scanning activities. You can perform scanning activities:

Scanning automatically: On-access scanning. Automatic scanning for viruses is called on-access scanning. You must have administrator rights, and the password if one is required, to configure the on-access scan. See Scanning automatically on page 34 for more information.

Scanning periodically, selectively, or on schedule: On-demand scanning. Periodic, selective, or scheduled scanning is called on-demand scanning. You must have administrator rights, and the password if one is required, to schedule an on-demand scan task, but any user can run an on-demand task. See Scanning periodically, selectively, or on schedule on page 35 for more information.

Because the on-access scanner provides your computer with ongoing, background scanning protection, it may seem redundant to run on-demand scan tasks.
But good anti-virus security measures incorporate complete, regular system scans because:

On-access scanning operations examine files as they are accessed or used. The on-access scanner looks for viruses as files are used. If there is a rarely-used but infected file on your system, the on-access scanner does not detect the virus until the file is used. However, on-demand scan operations can detect viruses in files stored on your hard disk, even if no one has yet used them. An on-demand scan operation can detect a virus before the file executes.

Viruses are unexpected. Accidentally leaving a disk in your drive as you start your computer could load a virus into memory before the on-access service starts, particularly if you do not have the service configured to scan disks. Once in memory, a potent virus can infect nearly any program.

On-access scanning takes time and resources. Scanning for viruses as you run, copy or save files can delay software launch times and other tasks. Depending on your situation, this could be time you might devote to important work. Although the impact is slight, you might be tempted to disable on-access scanning if you need every bit of available system power for demanding tasks. In that case, performing regular scan operations during idle periods can guard your system against infection without compromising performance.

Good security is redundant security. In the networked, web-centric world in which most computer users operate today, it takes only a moment to download a virus from a source you might not even realize you visited. If a software conflict disables background scanning for a moment, or if background scanning is not configured to watch a vulnerable entry point, you could end up with a virus. Regular scan operations can often catch infections before they spread or do any harm.

Scanning automatically

On-access scanning provides continuous, real-time virus detection and response, based on users’ activities. The VirusScan Enterprise anti-virus software program provides a single on-access scan task, which checks for infections each time a network user writes a file to the computer or reads a file from the computer. The scanner attempts to clean any infection it finds, and records its activities in a log file. You can change its settings to define:

Files and file types to be scanned.
Circumstances that precipitate a scan.
Action you want the scanner to take when it detects an infection.
Contents, if any, of the scanner’s activity report.
Files to exclude from on-access scanning.

See On-Access Scanning on page 39 for specific details about configuring on-access scanning.

Scanning periodically, selectively, or on schedule

Two types of on-demand scan tasks are available:
One-time, unsaved on-demand scan tasks.
Saved on-demand scan tasks.

A one-time unsaved on-demand task can be configured and scheduled, but is not saved for future use unless you choose to save it.

A saved on-demand scan task can be planned in advance, and run whenever you feel it is necessary, or on a regularly scheduled basis. You can create an unlimited number of scan tasks that target specific locations on the network. You can define them narrowly to a specific drive, folder, or file, or broadly, to multiple drives, folders, or files. Once created, saved scan tasks remain available until they are deleted from the VirusScan Console. They can be edited, as needed.

For a complete discussion of setting up on-demand scanning activities, see On-Demand Scanning on page 85.

Virus Information Library

The McAfee Security Anti-Virus Emergency Response Team (AVERT) Virus Information Library has detailed information on where viruses come from, how they infect your system, and how to remove them.
In addition to genuine viruses, the Virus Information Library contains useful information on virus hoaxes, those dire e-mail warnings about disk-eating attachments. A Virtual Card For You and SULFNBK are two of the best-known hoaxes, but there are many others. Next time you receive a well-meaning virus warning, view our hoax page before you pass the message on to your friends.

To access the Virus Information Library:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

Figure 2-13. VirusScan Console

2 Select Virus Information from the Help menu.

Submitting a virus sample

If you have a suspicious file that you believe contains a virus, or experience a system condition that might result from an infection, McAfee Security recommends that you send a sample to its anti-virus research team for analysis. Submission not only initiates an analysis, but a real-time fix, if warranted.

To submit a sample virus to AVERT:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

2 Select Submit a Sample from the Help menu.

3 Follow the directions on the web site.

Setting up remote administration

You can perform operations such as modifying or scheduling scanning or update tasks, or enabling or disabling the on-access scanner on a remote computer. To do so, you must have administrator rights and the Remote Registry Service must be running.

NOTE If you do not have administrator rights to connect to the remote computer, you receive an Insufficient user rights, access denied error message.

When you start the VirusScan Console, the name of the computer you are connected to appears in the console title bar, and in the menu at the left of the console toolbar. If you have not connected to a computer elsewhere on the network, the title bar shows the name of your local computer.
To administer a remote computer on which the VirusScan Enterprise program is installed:

1 From the Tools menu, select Remote Connection or click in the toolbar. The Connect to Remote Computer dialog box appears.

Figure 2-14. Connect to Remote Computer

2 Click to select a computer in the Connect to computer list or type the name of the computer that you want to administer in the text box. You can also click Browse to locate the computer on the network.

    NOTE If environment variables are used while configuring the path name of the file or folder for a remote task, be sure that the environment variable exists on the remote computer. The VirusScan Console cannot validate environment variables on the remote computer.

3 Click OK to make a connection attempt to the destination computer.

    NOTE When you connect to the remote computer, the title bar changes to reflect that computer’s name, and the tasks in the task list are those for the remote computer. You can add, delete, or reconfigure tasks for the remote computer.

The console reads the remote computer’s registry and displays the tasks of the remote computer. Once the tasks appear in the console, you can perform on a local computer.

To disconnect from the computer you have connected to, click in the console toolbar, or select Disconnect Computer from the Tools menu. When you disconnect from the remote computer, the console refreshes to display the local computer’s tasks.

3 On-Access Scanning

The VirusScan Enterprise anti-virus program uses its on-access scanner to provide your computer with continuous, real-time virus detection and response based on the settings you configure. You can configure process-based scanning that allows scanning policies to be linked to applications.
When an infection is detected, the on-access scanner records a message with details about the infected file, and allows you to quickly access the message and take immediate action on the infected file.

The following topics are addressed in this section:

  Configuring the on-access scanner
  Viewing scan results
  Responding to virus detections

Configuring the on-access scanner

To ensure its optimal performance on your computer or in your network environment, you need to configure the program to determine what you want it to scan, what you want it to do if it finds a virus, and how it should notify you when it has.

The on-access scanner comes configured with most response properties enabled. By default, the scanner is set to clean a virus when it finds one. If the virus is not cleanable, the default secondary action is to quarantine the virus. The scanner also records the incident in the log file.

The following topics are addressed in this section:

  On-access scan properties
  General settings
  Process settings
  Adding file type extensions
  Adding user-specified file type extensions
  Excluding files, folders, and drives

On-access scan properties

To configure the on-access scanner:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

Figure 3-1. VirusScan Console

2 Open the On-Access Scan Properties using one of these methods:
    Select On-Access Scan Properties from the console’s Task menu.
    Right-click On-Access Scan in the console, then select Properties.
    Double-click On-Access Scan in the console.
    Highlight On-Access Scan in the console, then click in the console toolbar.
    Right-click in the system tray and select On-Access Scan Properties.
    Click Start, then select Programs|Network Associates|VirusScan On-Access Scan.

The On-Access Scan Properties dialog box appears.

Figure 3-2.
On-Access Scan Properties — default view

The On-Access Scan Properties dialog box allows you to configure general settings and three types of processes. The icons in the left pane of the dialog box give you access to the configurable options. When the On-Access Properties dialog box first opens, the default view provides access to properties for General Settings and All Processes.

  General Settings. Set general detection, message, and reporting properties for all types of processes. See General settings on page 43 for detailed information about setting these properties.
  All Processes. Set process, detection, advanced, and action properties to be the same for all processes, or set them to be different for default, low-risk and/or high-risk processes. See Process settings on page 49 for detailed information about setting these properties.

General settings

The properties you specify in General Settings apply to default, low-risk, and high-risk processes. These properties can be configured:

  General properties
  Message properties
  Report properties

General properties

Use the options on the General tab to configure basic properties for on-access scanning.

1 Open the On-Access Scan Properties dialog box, then select General Settings in the left pane.
2 Select the General tab.

Figure 3-3. General Settings — General tab

3 Under Scan, choose which parts of the computer you want the scanner to examine. Select from these options:
    Boot sectors. This option is selected by default. Include the disk boot sector during scanning activities. The scanner includes the disk boot sector when a disk is mounted. In some situations it may be appropriate to disable boot sector analysis when a disk contains a unique or abnormal boot sector that cannot be subjected to virus scanning.
    Floppy during shutdown. This option is selected by default. Scan the boot sector of any floppy disk left in your drive as you shut down your computer. If the disk is infected, the computer does not shut down until the disk is removed.
4 Under General, select from these options:
    Enable on-access scanning at system startup. This option is selected by default. Start the on-access service when you start your computer.
    Quarantine Folder. Accept the default location and name for the quarantine folder, type a path to a different location for the quarantine folder, or click Browse to locate a suitable folder on your local drive. The default location and name for the quarantine folder is:
        <drive>:\quarantine
    NOTE The quarantine folder should not be located on a floppy drive or CD drive. It must be located on a hard drive.
5 Under Scan time, specify the maximum archive and scanning time, in seconds, for all files. If a file takes longer than the specified time to scan, the scan stops cleanly and a message is logged. If the scan cannot be stopped cleanly, it terminates and restarts, and a different message is logged. Select from these options:
    Maximum archive scan time (seconds). The default setting is 15 seconds. Accept the default or select the maximum number of seconds the scanner should spend scanning an archive file. The time you select for the archive time must be less than the time you select for scanning all files.
    Enforce a maximum scanning time for all files. This option is selected by default. Define a maximum scanning time and enforce it for all files.
    Maximum scan time (seconds). The default setting is 45 seconds. Accept the default or select the maximum number of seconds the scanner should spend scanning a file.
6 Click Apply to save your changes.

Message properties

Use the options on the Messages tab to configure user message properties for on-access scanning.
1 Open the On-Access Scan Properties dialog box, then select General Settings in the left pane.
2 Select the Messages tab.

Figure 3-4. General Settings — Messages tab

3 Under Messages for local users, select message options. Some of these options apply to all users and others apply only to users without administrator rights.
    These options apply to all users:
        Show the messages dialog when a virus is detected. This option is selected by default. Display the On-Access Scan Messages dialog box when a virus is detected. See Responding to virus detections on page 80 for more information about the On-Access Scan Messages dialog box.
        Text to display in message. If you selected Show the messages dialog when a virus is detected, you can accept the default message or type a custom message that displays when an infection is detected. The default message is VirusScan Alert!
    The following options apply to the actions that users without administrator rights are allowed to take on messages listed in the On-Access Scan Messages dialog box. Select any combination of these options:
        Remove messages from the list. This option is selected by default. Allow users without administrator rights to remove messages from the list.
        Clean infected files. This option is selected by default. Allow users without administrator rights to clean infected files referenced by the messages in the list.
        Delete infected files. Allow users without administrator rights to delete infected files referenced by the messages in the list.
        Move infected files to the quarantine folder. This option is selected by default. Allow users without administrator rights to move infected files, which are referenced by messages in the list, to the quarantine folder.
4 Under Response to network users, select from these options:
    Send message to user. Send a message to the network user when a virus is detected.
    For example, you can send an alert message to a network user that is running on a remote computer and accesses the protected file system through a network share. If you select this option, you can accept the default message or type a custom message in the text box provided. The default message is Virus Alert!!!
    WARNING The Windows Messenger service must be running to receive this message.
    Disconnect remote users and deny access to network share. Automatically disconnect any user who reads from, or writes to, an infected file in a shared folder on your computer. The scanner then rewrites the permissions to exclude the user who attempted to read from, or write to, the infected file in the shared folder.
5 Click Apply to save your changes.

Report properties

Use the options on the Reports tab to configure logging activity and specify what information you want to capture for each log entry.

NOTE The log file can serve as an important management tool for tracking virus activity on your network and to note which settings you used to detect and respond to any virus that the scanner found. The incident reports recorded in the file can help you determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer. See Viewing the activity log on page 79 for more information about how to view the log.

To configure Reports properties:

1 Open the On-Access Scan Properties dialog box, then select General Settings in the left pane.
2 Select the Reports tab.

Figure 3-5. General Settings — Reports tab

3 Under Log file, select from these options:
    Log to file. This option is selected by default. Record on-access scanning virus activity in a log file.
    In the text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable file elsewhere on your computer or network.
    NOTE By default, the scanner writes log information to the ONACCESSSCANLOG.TXT file in this folder:
        <drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan
    Limit size of log file to. This option is selected by default. The default log file size is 1MB. Accept the default log size or set a different size for the log. If you select this option, type a value between 1MB and 999MB.
    NOTE If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.
4 Under What to log in addition to virus activity, select the additional information that you want to record in the log file:
    Session settings. Record the properties that you chose for each scanning session in the log file.
    NOTE A scanning session is the period of time that the scanner remains loaded in memory on your computer. It ends when you either unload the program or restart your computer.
    Session summary. This option is selected by default. Summarize the scanner’s actions during each scanning session and add the information to the log file. Summary information includes the number of files scanned, the number and type of viruses detected, the number of files moved, cleaned, or deleted, and other information.
    Failure to scan encrypted files. This option is selected by default. Record the name of encrypted files that the scanner failed to scan in the log file.
    User name. This option is selected by default. Record the name of the user logged on to the computer at the time the scanner records each log entry, in the log file.
5 Click Apply to save your changes.
Process settings

Choose whether to use the same settings for all processes, or whether to specify different settings for default, low-risk, and high-risk processes.

Figure 3-6. On-Access Scan Properties — All Processes

  Use the settings on these tabs for all processes. Specify the same scanning properties for all processes. The procedure for setting properties for all processes is the same as the procedure for setting properties for default processes. See Default processes on page 50 for a step-by-step procedure.
  Use different settings for high-risk and low-risk processes. Specify different properties for processes based on whether they are default processes or are defined as low-risk or high-risk. See Low-risk and high-risk processes on page 60 for more information.

  NOTE When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.

Figure 3-7. On-Access Scan Properties

These topics are addressed in this section:

  Default processes
  Low-risk and high-risk processes

Default processes

A default process is any process that is not defined as a low-risk or high-risk process.

NOTE When setting properties for all processes, follow the procedures for setting default process properties.

These properties can be configured:

  Process properties
  Detection properties
  Advanced properties
  Action properties

Process properties

Use the options on the Processes tab to specify properties for default processes or all processes:

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.
2 Select the Processes tab if it is not already selected, then select one of these options:
    Use the settings on these tabs for all processes.
    This option is selected by default. If you specify properties with this option selected, the properties you select apply to all processes. You cannot set different properties for default, low-risk and high-risk processes.
    Use different settings for high-risk and low-risk processes. Set different properties for default, low-risk and high-risk processes.
    NOTE When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.

Figure 3-8. Default Processes — Processes tab

3 Click Apply to save your changes.

Detection properties

Use the options on the Detection tab to specify what types of files you want the on-access scanner to examine, and when you want to scan them.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.
2 Select one of these options:
    Use the settings on these tabs for all processes. This option is selected by default. If you specify properties with this option selected, the properties you select apply to all processes. You cannot set different properties for default, low-risk and high-risk processes.
    Use different settings for high-risk and low-risk processes. Set different properties for default, low-risk and high-risk processes.
    NOTE When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.
3 Select the Detection tab.

Figure 3-9. Default Processes — Detection tab

4 Under Scan Files, select any combination of these scanning options:
    When writing to disk. This option is selected by default. Scan all files as they are written to or modified on the server, workstation, or other data storage device.
    When reading from disk. This option is selected by default.
    Scan all files as they are read from the server, workstation, or other data storage device.
    On network drives. Include network resources during on-access scans. This is a convenient way to extend virus protection.
    NOTE Including network resources could have a negative effect on the overall performance of the system that is running the scan.
    WARNING If you are copying or moving a file from one computer to another, and the on-access scan properties on both computers have been configured to scan files both written to disk and read from disk, scanning occurs when the file is read by the source computer and again when it is written to the destination computer. If the prevailing traffic pattern on your network is copying or moving files from one computer to another, you may want to configure your scanning properties to scan only files written to disk, and not to scan files read from disk. This eliminates double-scanning of the same file. It is possible to achieve the same result by configuring all computers to scan only files read from them, and not files written to them. If you use either of these configuration patterns, it is important that all computers be configured identically. Do not configure some computers to scan only files written to disk, and others to scan only files read from disk. This would allow an infected file to be copied from a computer that scans only files written to disk to a computer that scans only files read from disk.
5 Under What to scan, select from these options:
    All files. This option is selected by default. Scan all files regardless of extension.
    Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file. You can add or remove user-specified file type extensions, but you cannot delete any file type extensions from the default list.
    You can, however, exclude extensions that appear in the default list. See Excluding files, folders, and drives on page 70 for more information.
        Additions. If you selected Default + additional file types, click Additions to add or remove user-specified file type extensions. See Adding file type extensions on page 68 for detailed instructions. The maximum number of additional extensions that the on-access scanner can list is 1,000.
        Also scan for macro viruses in all files. Scan all files, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.
        NOTE Scanning for macro viruses in all files could affect performance.
    Specified file types. Scan only the extensions you specify.
        Specified. If you selected Specified file types, click Specified to add or remove user-specified file type extensions. You can also set the list of file type extensions to the default list. See Adding user-specified file type extensions on page 69 for detailed instructions. The maximum number of specified extensions that the on-access scanner can list is 1,000.
6 Under What not to scan, click Exclusions to specify the files, folders, and drives that you want to exclude from scanning. See Excluding files, folders, and drives on page 70 for detailed instructions.
7 Click Apply to save your changes.

Advanced properties

Use the options on the Advanced tab to specify advanced scan options for heuristics, non-virus program files, and compressed files.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.
2 Select one of these options:
    Use the settings on these tabs for all processes. This option is selected by default. If you specify properties with this option selected, the properties you select apply to all processes. You cannot set different properties for default, low-risk and high-risk processes.
    Use different settings for high-risk and low-risk processes. Set different properties for default, low-risk and high-risk processes.
    NOTE When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.
3 Select the Advanced tab.

Figure 3-10. Default Processes — Advanced tab

4 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that the code is a variant of a known virus. Select any combination of these options:
    Find unknown program viruses. This option is selected by default for default processes and high-risk processes. Treat executable files that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab.
    Find unknown macro viruses. This option is selected by default for default processes and high-risk processes. Treat embedded macros that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab.
    NOTE This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.
5 Under Non-viruses, specify if you want the scanner to search for non-virus programs that are potentially unwanted.
    Find potentially unwanted programs. Detect programs that are potentially unwanted.
        Find joke programs. If you selected Find potentially unwanted programs, you can also scan for joke programs.
    WARNING VirusScan Enterprise does not take any action on potentially unwanted program files or joke programs that it detects. Detections are logged in the log file.
    If you want to take action on a detected potentially unwanted program file or joke program, you must take action manually. For example, if you want to remove a detected joke program, you must remove it manually.
6 Under Compressed files, specify which types of compressed files you want the scanner to examine:
    Scan inside packed executables. This option is selected by default for default processes and high-risk processes. Examine compressed files that contain executable files. A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.
    Scan inside archives. Examine archive files and their contents. An archive file is a compressed file that must be extracted prior to accessing the files within it. Files contained inside archives are scanned when they are written to disk.
    Decode MIME encoded files. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.
    NOTE Although it does give you better protection, scanning compressed files can increase the amount of time required to perform a scanning activity.
7 Click Apply to save your changes.

Action properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.
2 Select one of these options:
    Use the settings on these tabs for all processes. This option is selected by default. If you specify properties with this option selected, the properties you select apply to all processes. You cannot set different properties for default, low-risk and high-risk processes.
    Use different settings for high-risk and low-risk processes. Set different properties for default, low-risk, and high-risk processes.
    NOTE When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.
3 Select the Actions tab.

Figure 3-11. Default Processes — Actions tab

4 Under When a virus is found, select the primary action that you want the scanner to take when a virus is detected.
    NOTE The default primary action is Clean infected files automatically.
    Click to select one of these actions:
    Deny access to infected files. Denies all users access to any infected files the scanner finds. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which files are infected.
    NOTE If the file is written to the local system from an outside source, for example a CD-ROM or the Internet, the scanner adds a .VIR extension to the end of the file name. The scanner considers this type of file action to be a write action. If the file is copied, for example from one location on a hard disk to another location, the .VIR extension is not added to the file name. The scanner considers this to be a move action.
    Move infected files to a folder. The scanner moves infected files to a folder that is named quarantine by default. You can change the name of the folder in the Quarantine Folder text box on the General Settings, General tab.
    Delete infected files automatically. The scanner deletes infected files as soon as it detects them. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which files were infected. If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.
    WARNING If you selected Find unknown macro viruses on the Advanced tab, the action you select here applies to any macro that has code resembling a virus. If you select Delete infected files automatically, any file that has code resembling a macro virus is deleted, and any archive that contains an infected file is deleted. If that is not your intention, be certain that your choice of action corresponds with your choice of action for macros.
    Clean infected files automatically. This option is selected by default. The scanner tries to remove the virus from the infected file. If the scanner cannot, or if the virus has damaged the file beyond repair, the scanner performs the secondary action. See Step 5 for more information.
5 Under If the above Action fails, select the secondary action that you want the scanner to take if the first action fails. The available options depend on the primary action you selected.
    NOTE The default secondary action is Move infected files to a folder.
    Click to select the secondary action:
    Deny access to infected files.
    Move infected files to a folder. This option is selected by default.
    Delete infected files automatically. If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.
6 Click Apply to save your changes.

Low-risk and high-risk processes

Process-based scanning allows you to define scanning policies based on your perceived risk of infection from a defined process. Determine which processes should be designated as low-risk or high-risk, then set the properties for each type of process.

The following topics are addressed in this section:

  Assigning risk to a process
  Process properties
  Detection properties
  Advanced properties
  Action properties

Assigning risk to a process

A process is a program in execution.
A program may initiate one or more processes. When deciding what risk or scanning policy to assign to a process, remember that only the child processes of the defined parent process adhere to the scanning policy. For example, if you define the Microsoft Word executable file, WINWORD.EXE, as a high-risk scanning process, any Microsoft Word documents that are accessed would be scanned based on the high-risk scanning policy. However, when the parent process, Microsoft Word, is launched, the WINWORD.EXE file would be scanned based on the policy of the process that launched it.

You can assign two types of risks to processes:

  Low-risk processes are defined as those processes that have a lower possibility of being infected. These can be processes that access a lot of files, but do so in a way that has a lower risk of spreading viruses. Some examples are:
    Backup software.
    Compiling processes.
  High-risk processes are defined as those processes that have a higher possibility of being infected. Some examples are:
    Processes that launch other processes. For example, Microsoft Windows Explorer, or the command prompt.
    Processes that execute. For example, WINWORD or CSCRIPT.
    Processes used for downloading from the Internet. For example, browsers, instant messengers, and mail clients.

NOTE When you install VirusScan Enterprise with default settings, the Use the settings on these tabs for all processes option is selected. If you select Use different settings for high-risk and low-risk processes, some processes are predefined as high-risk. You can change this list to meet your needs.

Any process that is not defined as either low-risk or high-risk is considered to be a default process and is scanned with the properties that you set for default processes.

To determine which risk to assign to which processes, complete these steps:

1 Decide why you want to have different scanning policies.
    The two most common reasons when balancing performance against risk are:
        To scan some processes, such as web downloads, more thoroughly than is accomplished by the default scanning policy.
        To scan some processes to a lesser extent based on the risk and impact on performance that occurs during scanning. For example, capturing streaming media such as video has little risk, but is very resource intensive.
2 Decide which processes are low-risk and which are high-risk. First determine which program is responsible for each process, then decide what risk is associated with that process. Use the Windows Task Manager or Windows Performance Monitor to help you understand which processes are using the most CPU time and memory. Once you have this information you can associate each process with a scanning policy based on the processes’ performance and risk.
3 Configure the scanning policies for each of the three levels: default, low-risk and high-risk.
    NOTE We do not recommend reducing the level of scanning for high-risk processes. The high-risk scanning policy is initially set the same as default processes to ensure that high-risk processes maintain an in-depth level of scanning.

Process properties

Use the options on the Processes tab to define processes as either low-risk or high-risk:

NOTE Any process that is not defined as either low-risk or high-risk is considered to be a default process and is scanned with the properties that you set for default processes.

1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.
2 Select Use different settings for high-risk and low-risk processes.
    NOTE When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.
3 Select either Low-Risk Processes or High-Risk Processes.
4 Select the Processes tab.
Figure 3-12. Low-Risk or High-Risk Processes — Processes tab

The list shows the current list of processes, in alphabetical order by file name. Each process is shown with its application icon, file name, and description if available. The default settings are:
  - The Low-Risk Processes list is empty.
  - The High-Risk Processes list is populated with processes that McAfee Security considers to be high-risk. You can add or remove processes from this list to meet your security needs.
NOTE: The steps you take to add or select processes are identical for low-risk and high-risk processes.
5 To add applications, click Add. The Select Application dialog box appears.
Figure 3-13. Select Application
  a Select application(s) that you want to add, using these methods:
    - Select application(s) from the list. Use CTRL + SHIFT to select more than one application.
    - Click Browse to locate an application on the network.
  b When you have finished selecting applications, click OK to save your selections and return to the Processes tab.
6 To remove applications, highlight one or more applications in the list, then click Remove.
7 Click Apply to save your changes.
8 Repeat Step 3 through Step 7 to define applications as either low-risk or high-risk.

Detection properties

Use the options on the Detection tab to specify what types of files you want the on-access scanner to examine, and when you want to scan them.
1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.
2 Select Use different settings for high-risk and low-risk processes.
NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.
3 Select either Low-Risk Processes or High-Risk Processes.
4 Select the Detection tab.
Figure 3-14.
Low-Risk or High-Risk Processes — Detection tab

NOTE: After you select the process icon from the left pane, the steps you take to set Detection options are identical for low-risk and high-risk processes.

5 Under Scan Files, select any combination of these scanning options:
  - When writing to disk. This option is selected by default. Scan all files as they are written to or modified on the server, workstation, or other data storage device.
  - When reading from disk. This option is selected by default. Scan all files as they are read from the server, workstation, or other data storage device.
  - On network drives. Include network resources during on-access scans. This is a convenient way to extend virus protection.
NOTE: Including network resources could have a negative effect on the overall performance of the system that is running the scan.
WARNING: If you are copying or moving a file from one computer to another, and the on-access scan properties on both computers have been configured to scan files both written to disk and files read from disk, scanning occurs when the file is read by the source computer and again when it is written to the destination computer. If the prevailing traffic pattern on your network is copying or moving files from one computer to another, you may want to configure your scanning properties to scan only files written to disk, and not to scan files read from disk. This eliminates double-scanning of the same file. It is possible to achieve the same result by configuring all computers to scan only files read from them, and not files written to them. If you use either of these configuration patterns, it is important that all computers be configured identically. Do not configure some computers to scan only files written to disk, and others to scan files only read from disk.
This would allow an infected file to be copied from a computer that scans only files written to disk to a computer that scans only files read from disk.

6 Under What to scan, select from these options:
  - All files. This option is selected by default. Scan all files regardless of extension.
  - Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file. You can add or remove user-specified file type extensions, but you cannot delete any file type extensions from the default list. You can, however, exclude extensions that appear in the default list. See Excluding files, folders, and drives on page 70 for more information.
    - Additions. If you selected Default + additional file types, click Additions to add or remove user-specified file type extensions. See Adding file type extensions on page 68 for detailed instructions. The maximum number of additional extensions that the on-access scanner can list is 1,000.
    - Also scan for macro viruses in all files. Scan all files, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.
      NOTE: Scanning for macro viruses in all files could affect performance.
  - Specified file types. Scan only the extensions you specify.
    - Specified. If you selected Specified file types, click Specified to add or remove user-specified file type extensions. You can also set the list of file type extensions to the default list. See Adding user-specified file type extensions on page 69 for detailed instructions. The maximum number of specified extensions that the on-access scanner can list is 1,000.
7 Under What not to scan, click Exclusions to specify the files, folders, and drives you want to exclude from scanning. See Excluding files, folders, and drives on page 70 for detailed instructions.
8 Click Apply to save your changes.
9 Repeat Step 3 through Step 8 to specify detection settings for low-risk or high-risk processes.

Adding file type extensions

Add user-specified file types to the default list of file types. You can also use this feature to remove any user-specified file types you added. The default list plus any user-specified file types are scanned during scanning operations.

NOTE: You cannot change or remove file types from the default list of file types. The default list is defined by the latest DAT file you downloaded. To prevent an extension from being scanned, exclude it. See Excluding files, folders, and drives on page 70 for more information.

1 Click Additions to open the Additional File Types dialog box.
Figure 3-15. Additional File Types
2 Under Add File Type, you can add user-specified file type extensions in two ways:
  - Type a file type extension in the text box, then click Add.
    NOTE: You only need to type the first three letters of the file type extension. If you type an HTM file extension, the scanner searches for HTM and HTML files. You can use a wildcard or a combination of characters with a wildcard.
  - Click Select to open the Select File Type dialog box. Select one or more file type extensions from the list, then click OK. Use CTRL + SHIFT to select more than one file type extension.
  The file type extensions you added appear in the User-specified additional file types list.
3 You can remove user-specified file type extensions from the user-specified list in two ways:
  - Select one or more file type extensions in the User specified additional file types list, then click Remove.
  - Click Clear to remove all items from the User specified additional file types list.

Adding user-specified file type extensions

Create a list of user-specified file type extensions to be scanned during scanning operations.
You can also use this feature to remove any of the user-specified file type extensions you added previously.
1 Click Specified to open the Specified File Types dialog box.
Figure 3-16. Specified File Types
2 Under Add File Type, you can add user-specified file type extensions in two ways:
  - Type a file type extension in the text box, then click Add.
    NOTE: You only need to type the first three letters of the file type extension. If you type an HTM file extension, the scanner searches for HTM and HTML files. You can use a wildcard or a combination of characters with a wildcard.
  - Click Select to open the Select File Type dialog box. Select one or more file type extensions from the list, then click OK.
  The file type extensions you added appear in the list under Only files of these types will be scanned.
3 You can remove user-specified file type extensions from the list in two ways:
  - Select one or more file type extensions in the list under Only files of these types will be scanned, then click Remove.
  - Click Clear to remove all items from the list under Only files of these types will be scanned.
4 Click Set to Default to replace the current list of user-specified file type extensions with the default list. The default list of file type extensions is defined by the current DAT file.
5 Click OK to save your changes and return to the Detection tab.

Excluding files, folders, and drives

Specify files, folders, and drives to exclude from scanning operations. You can also use this feature to remove any of the exclusions you specified previously.
1 Click Exclusions to open the Set Exclusions dialog box.
Figure 3-17. Set Exclusions
2 Add or edit files, folders, or drives. Windows File Protection is listed by default.
  - To add an item, click Add to open the Add Exclusion Item dialog box.
  - To edit an item, double-click the item or select it, then click Edit to open the Edit Exclusion Item dialog box.
NOTE: The exclusion options are the same whether you are adding an exclusion item or editing it.
Figure 3-18. Add Exclusion Item
3 Under What to exclude, select one of these options:
  - By name/location. This option is selected by default. Specify the name or location. This can include wildcards * and ?. You can type specific information in the text box or click Browse to locate a name or location.
    NOTE: You can specify full pathnames such as C:\WINNIT\SYSTEM*, file names such as PAGEFILE.SYS, or PAGEFILE.*, or P*.*, or *.SYS, or folder names such as BACKUP. For example, specifying BACKUP folder excludes all folders named BACKUP, wherever they are located.
    When using wildcards, these limitations apply:
    - Valid wildcards are ? for excluding single characters and * for excluding multiple characters.
    - A \ cannot follow wildcard characters. For example, C:\ABC\WWW? is valid, but C:\ABC\WWW?\123 is not valid.
    - An exclusion that does not begin with a path or \ such as WWW* is treated as a file only.
    - An exclusion containing ? characters applies if the number of characters matches the length of the file or folder name. For example, the exclusion W?? excludes WWW, but does not exclude WW or WWWW.
    Also exclude subfolders. If you selected By name/location, you can exclude the subfolders of the folders that match the specified pattern.
  - By file type. Specify a file extension by type. Type a file extension in the text box or click Select to open the Select File Type dialog box, where you can select one or more extensions from the list. Click OK to save your entries and close the dialog box.
    NOTE: The file extension that you specify can include wildcards. Valid wildcards are ? for excluding single characters and * for excluding multiple characters.
  - By file age. Specify whether you want to exclude files by age.
    - Access type.
If you selected By file age, click to specify an access type of Modified or Created.
    - Minimum age in days. If you selected By file age, specify the minimum age of the file in days. The file must be at least this many days old before it is excluded.
  - Files protected by Windows File Protection. Specify that this exclusion is based on a file’s Windows File Protection status.
4 Under When to exclude, specify when to exclude the items from scanning:
  - On read. This option is selected by default. Specify that the exclusion items are excluded from scans when read from disk.
  - On write. This option is selected by default. Specify that the exclusion items are excluded from scans when written to disk.
NOTE: The On read and On write options are not available for on-demand scan tasks.
5 Click OK to save your changes and return to the Set Exclusions dialog box.
6 You can remove user-specified file type extensions from the item list in two ways:
  - Select one or more file type extensions in the list, then click Remove.
  - Click Clear to remove all items from the list.
7 Click OK to save your changes and return to the Detection tab.
8 Click Apply to save your changes.

Advanced properties

Use the options on the Advanced tab to specify advanced scan options for heuristics, non-virus program files, and compressed files.
1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.
2 Select Use different settings for high-risk and low-risk processes.
NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.
3 Select either Low-Risk Processes or High-Risk Processes.
4 Select the Advanced tab.
Figure 3-19.
Low-Risk or High-Risk Processes — Advanced tab

NOTE: After you select the process icon from the left pane, the steps you take to set Advanced options are identical for low-risk and high-risk processes.

5 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that the code is a variant of a known virus. Select any combination of these options:
  - Find unknown program viruses. This option is selected by default for default processes and high-risk processes. Treat executable files that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab.
  - Find unknown macro viruses. This option is selected by default for default processes and high-risk processes. Treat embedded macros that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab to those files.
    NOTE: This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.
6 Under Non-viruses, specify if you want the scanner to search for non-virus programs that are potentially unwanted.
  - Find potentially unwanted programs. Detect programs that are potentially unwanted.
  - Find joke programs. If you selected Find potentially unwanted programs, you can also scan for joke programs.
WARNING: VirusScan Enterprise does not take any action on potentially unwanted program files or joke programs that it detects. Detections are logged in the log file. If you want to take action on a detected potentially unwanted program file or joke program, you must take action manually.
For example, if you want to remove a detected joke program, you must remove it manually.
7 Under Compressed files, specify which types of compressed files you want the scanner to examine. You have these options:
  - Scan inside packed executables. This option is selected by default for default processes and high-risk processes. Examine compressed files that contain executable files. A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.
  - Scan inside archives. Examine archive files and their contents. An archive file is a compressed file that must be extracted prior to accessing the files within it. Files contained inside archives are scanned when they are written to disk.
  - Decode MIME encoded files. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.
NOTE: Although it does give you better protection, scanning compressed files can increase the amount of time required to perform a scanning activity.
8 Click Apply to save your changes.
9 Repeat Step 3 through Step 8 to configure advanced settings for low-risk or high-risk processes.

Action properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.
1 Open the On-Access Scan Properties dialog box, then select All Processes in the left pane.
2 Select Use different settings for high-risk and low-risk processes.
NOTE: When you select this option, the All Processes icon changes to Default Processes, and both the Low-Risk Processes and High-Risk Processes icons become available in the left pane.
3 Select either Low-Risk Processes or High-Risk Processes.
4 Select the Actions tab.
Figure 3-20.
Low-Risk or High-Risk Processes — Actions tab

NOTE: After you select the process icon from the left pane, the steps you take to set Actions options are identical for low-risk and high-risk processes.

5 Under When a virus is found, select the primary action that you want the scanner to take when a virus is detected.
NOTE: The default primary action is Clean infected files automatically.
Click to select one of these actions:
  - Deny access to infected files. Denies all users access to any infected files the scanner finds. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which files are infected.
    NOTE: If the file is written to the local system from an outside source, for example a CD-ROM or the Internet, the scanner adds a .VIR extension to the end of the file name. The scanner considers this type of file action to be a write action. If the file is copied, for example from one location on a hard disk to another location, the .VIR extension is not added to the file name. The scanner considers this to be a move action.
  - Move infected files to a folder. The scanner moves infected files to a folder that is named quarantine by default. You can change the name of the folder in the Quarantine Folder text box on the General Settings, General tab.
  - Delete infected files automatically. The scanner deletes infected files as soon as it detects them. Be sure to enable the Log to file property on the General Settings, Reports tab, so that you have a record of which files were infected. If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.
    WARNING: If you selected Find unknown macro viruses on the Advanced tab, the action you select here applies to any macro that has code resembling a virus.
If you select Delete infected files automatically, any file that has code resembling a macro virus is deleted, and any archive that contains an infected file is deleted. If that is not your intention, be certain that your choice of action corresponds with your choice of action for macros.
  - Clean infected files automatically. This option is selected by default. The scanner tries to remove the virus from the infected file. If the scanner cannot, or if the virus has damaged the file beyond repair, the scanner performs the secondary action. See Step 6 for more information.
6 Under If the above Action fails, select the secondary action that you want the scanner to take if the first action fails. The available options depend on the primary action you selected.
NOTE: The default secondary action is Move infected files to a folder.
Click to select the secondary action:
  - Deny access to infected files.
  - Move infected files to a folder. This option is selected by default.
  - Delete infected files automatically. If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.
7 Click Apply to save your changes.
8 Repeat Step 3 through Step 7 to configure action settings for low-risk or high-risk processes.

Viewing scan results

You can view the results from your on-access scanning operation in the statistics summary and the activity log. The following topics are addressed in this section:
  - Viewing scan statistics
  - Viewing the activity log

Viewing scan statistics

The On-Access Scan Statistics summary shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use either of these methods to open the On-Access Scan Statistics dialog box:
  - Double-click in the system tray.
  - Right-click the on-access scan task in the task list and select Statistics.
Figure 3-21. On-Access Scan Statistics
The On-Access Scan Statistics dialog box shows the Last file scanned in the upper pane, and a statistical summary in the lower pane.
3 You can perform either of these functions if you have administrator rights and type the password, as required:
NOTE: The Disable and Properties buttons are hidden if the user interface is configured to show minimal menu options. This option is set on the Tools|User Interface Options|Display Options tab.
  - Click Disable to deactivate the on-access scanner. This function toggles between Disable and Enable.
  - Click Properties to open the On-Access Scan Properties dialog box, change the scan properties you want to modify, then click Apply to save your changes. The scan runs with your new settings immediately.
4 When you have finished reviewing scan statistics, click Close.

Viewing the activity log

The on-access scan activity log shows specific details about the scanning operation. For example, it shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use either of these methods to open the activity log file:
  - Highlight the task, then select Activity Log from the Task menu.
  - Right-click the task in the task list and select View Log.
3 To close the activity log, select Exit from the File menu.

Responding to virus detections

The on-access scanner looks for viruses based on the configuration settings you selected in the On-Access Scan Properties dialog box. See Configuring the on-access scanner on page 40 for more information.
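Because detection depends on these settings, two rules from the Detection tab can be checked mechanically across computers: the WARNING that every computer must use the same read/write scanning pattern, and the wildcard limitations for exclusions. The Python code below is an added example, not part of VirusScan Enterprise or of the original guide; the host names, the FLEET layout, and all function names are hypothetical, and the sample settings are constructed.

```python
import re
from itertools import permutations

# Constructed sample: on-access settings per computer, as they might be noted
# from each Detection tab. Host names and this layout are hypothetical.
FLEET = {
    "FILESRV01": {"on_read": False, "on_write": True,
                  "exclusions": ["PAGEFILE.SYS", r"C:\WINNIT\SYSTEM*"]},
    "WKSTN-A": {"on_read": False, "on_write": True,
                "exclusions": [r"C:\ABC\WWW?"]},
    "WKSTN-B": {"on_read": True, "on_write": False,
                "exclusions": [r"C:\ABC\WWW?\123", "W??"]},
}


def unscanned_copy_paths(fleet):
    """Return (source, destination) pairs where a copied file is never scanned.

    A copy is scanned when the source scans on read or the destination scans
    on write; the gap described in the WARNING is the case where neither does.
    """
    return [(src, dst) for src, dst in permutations(fleet, 2)
            if not fleet[src]["on_read"] and not fleet[dst]["on_write"]]


def is_uniform(fleet):
    """True when every computer uses the same read/write scanning pattern."""
    return len({(h["on_read"], h["on_write"]) for h in fleet.values()}) <= 1


def exclusion_problems(pattern):
    """Check one exclusion against the wildcard limitations in the guide."""
    if not pattern:
        return ["empty exclusion"]
    problems = []
    first_wild = re.search(r"[*?]", pattern)
    # Stricter reading (assumption): flag a backslash anywhere after the
    # first wildcard, not only directly behind it.
    if first_wild and "\\" in pattern[first_wild.end():]:
        problems.append("a \\ follows a wildcard")
    return problems


def is_file_only(pattern):
    """True when the exclusion does not begin with a drive path or a backslash."""
    return re.match(r"(?:[A-Za-z]:|\\)", pattern) is None


def name_matches(pattern, name):
    """Match one file or folder name against a pattern using ? and *.

    ? stands for exactly one character; * is taken to mean any run of
    characters, including none, and case is ignored (both are assumptions).
    """
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name, re.IGNORECASE | re.DOTALL) is not None


def audit(fleet):
    """Collect every finding for the fleet in one report dictionary."""
    invalid = {}
    for host, cfg in fleet.items():
        for pattern in cfg["exclusions"]:
            issues = exclusion_problems(pattern)
            if issues:
                invalid.setdefault(host, []).append((pattern, issues))
    return {"uniform": is_uniform(fleet),
            "unscanned_copy_paths": unscanned_copy_paths(fleet),
            "invalid_exclusions": invalid}


if __name__ == "__main__":
    report = audit(FLEET)
    print("All computers configured identically:", report["uniform"])
    for src, dst in report["unscanned_copy_paths"]:
        print(f"Unscanned copy path: {src} -> {dst}")
    for host, findings in report["invalid_exclusions"].items():
        for pattern, issues in findings:
            print(f"{host}: {pattern} -> {', '.join(issues)}")
```
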
When a virus is detected, these actions occur:
  - You receive a notification if you have configured Alert Manager and/or the on-access scanner to notify you when a virus is detected.
  - The on-access scanner records a message in the On-Access Scan Messages dialog box.
The following topics are addressed in this section:
  - Receiving notification of virus detections
  - Viewing on-access scan messages
  - Taking action on virus detections

Receiving notification of virus detections

The on-access scanner can send three types of notifications when it detects a virus:
  - On-Access Scan Messages dialog box — The On-Access Scan Messages dialog box displays when a virus is detected, if you configured the on-access scanner to do so. See Message properties on page 45 for more information about configuring message options. See Viewing on-access scan messages on page 82 for more detailed information about the On-Access Scan Messages dialog box.
  - Messenger Service to network users — A message is sent to network users when a virus is detected, if you configured the on-access scanner to do so. See Message properties on page 45 for more information about configuring message options. The message provides details about the infected file, such as the name and location of the file, type of virus detected, and the version of scanning engine and DAT file used to detect the virus. View the message details, then click OK to dismiss the message.
  - Messenger Service — A network message displays, if you have configured Alert Manager to do so. See Configuring Alert Manager on page 150 for more information. Following is an example of a network message from Alert Manager.
    Figure 3-22. On-Access Scan — Messenger Service
    The message provides details about the infected file, such as the name and location of the file, type of virus detected, and the version of scanning engine and DAT file used to detect the virus.
You may receive more than one notification depending on how you have configured Alert Manager and the on-access scanner. View the message details, then click OK to dismiss the message.
NOTE: If you do not have any of the three message options configured to send a message when a virus is detected, you do not receive any notification. However, you can always review the On-Access Scan Messages dialog box to see detected viruses. See Viewing on-access scan messages on page 82 for more information.

Viewing on-access scan messages

When a virus is detected, the on-access scanner records a message in the On-Access Scan Messages dialog box. This dialog box lists all messages for the current user in chronological order. If the user is an administrator, it can optionally list all messages on the local system. This dialog box automatically displays when a virus is detected, if you have configured the on-access scanner to do so. You can open this dialog box at any time by right-clicking in the system tray and selecting On-Access Scan Messages.
Figure 3-23. On-Access Scan Messages
The On-Access Scan Messages dialog box is separated into several sections:
  - Menus — Provides menus for taking actions on files or messages.
    - The File menu provides actions that can be taken on files or messages in the list.
    - The View menu provides options for controlling visibility of parts of the dialog box.
    - The Options menu gives options for showing all messages and always keeping the On-Access Scan Messages dialog box on top.
    - The Help menu provides access to help topics for the VirusScan Enterprise product, access to the Virus Information, Submit a Sample, and Technical Support web sites, as well as information about the currently installed product, license, scanning engine, and DAT files.
  - VirusScan Message — Displays specific details about the selected message.
  - Buttons — Displays buttons for actions that are available for the selected message. If an action is not available for the selected message, the corresponding button is disabled.
  - Message List — Lists the messages for viruses detected by the on-access scanner. The columns in the list area are sortable by clicking on the column header.
  - Status bar — Displays the status of the selected message.

Taking action on virus detections

This section describes the actions that you can take when a virus is detected by the on-access scanner.
NOTE: You also have the option of sending a virus sample to AVERT for analysis. See Submitting a virus sample on page 36 for more information.
Use the On-Access Scan Messages dialog box to take action on viruses detected by the on-access scanner.
1 Right-click in the system tray and select On-Access Scan Messages.
2 Highlight a message in the list, then select an action using one of these methods:
  - File menu.
  - Buttons to select an action.
  - Right-click the highlighted message and select an action.
Following are the actions that may be taken on messages in the list:
  - Clean File — Attempts to clean the file referenced by the selected message. In some cases, a file cannot be cleaned, either because it has no cleaner or because the virus has damaged the file beyond repair. If the file cannot be cleaned, the scanner appends a .VIR extension to the file name and denies access to it. An entry is recorded in the log file.
    NOTE: If a file cannot be cleaned, we recommend that you delete the file and restore it from an uninfected backup copy.
  - Move File — Moves the file referenced by the selected message to the quarantine folder. The location of the quarantine folder is defined on the General Settings, General tab in the On-Access Scan Properties.
  - Delete File — Deletes the file referenced by the selected message. The file name is recorded in the log, so that you can restore it from a backup copy.
  - Select All (CTRL+A) — Selects all the messages in the list.
  - Remove Message (CTRL+D) — Removes the selected message from the list. Messages that have been removed from the list are still visible in the log file.
If an action is not available for the current message, the corresponding icon, button, and menu items are disabled. For example, Clean File is not available if the file has already been deleted.
The administrator can use the options on the General Settings, Messages tab in the On-Access Scan Properties, to configure what actions users without administrator rights can perform on messages in the list. If an action is suppressed by the administrator, the button is hidden, and the icon and menu items are disabled.
Other actions that are available:
  - Open Log File — Opens the activity log file.
  - Close Window — Closes the On-Access Scan Messages dialog box.

4 On-Demand Scanning

The on-demand scanner provides you with a method for scanning all parts of your computer for viruses, at convenient times or at regular intervals. Use it to supplement the continuous protection that the on-access scanner offers, or to schedule regular scan operations when they do not interfere with your work.
In memory process scanning and incremental scanning make virus detection more efficient than ever.
  - In memory process scanning checks all active processes prior to running the on-demand scan. Where infected processes are found, we highlight the infection and stop the process. This means that only a single pass with the on-demand scanner is required to remove all instances of a virus.
  - Incremental, or resumable scanning allows the scanner to start where it last left off. You can define a start and stop time for scheduled scans. The on-demand scanner logically works through each folder and related files. When the time limit is reached, the scan is stopped.
With incremental scanning on the next scheduled scan, the on-demand scan continues from the point in the file and folder structure where the previous scan stopped.
The following topics are addressed in this section:
  - Creating on-demand tasks
  - Configuring on-demand tasks
  - Resetting or saving default settings
  - Scheduling on-demand tasks
  - Scanning operations
  - Viewing scan results
  - Responding to virus detections

Creating on-demand tasks

You can create on-demand tasks using three methods. The type of scan you create, saved or unsaved, depends on the method you use. Choose from these options:
  - From the Start menu — Tasks created from the Start menu are one-time, unsaved tasks, unless you choose to save the task for future use.
  - From the icon in the system tray — Tasks created from the system tray are one-time, unsaved tasks, unless you choose to save the task for future use.
  - From the VirusScan Console — Tasks created from the console are automatically saved in the task list for future use.
NOTE: If you create on-demand scanning tasks via ePolicy Orchestrator 3.0 or later, and enable task visibility, you can also see these on-demand scanning tasks in the VirusScan Console. These ePolicy Orchestrator tasks are read-only and cannot be configured from the VirusScan Console. See the VirusScan Enterprise Configuration Guide for use with ePolicy Orchestrator 3.0 for more information.
The following topics are addressed in this section:
  - Creating tasks from the start menu or system tray
  - Creating tasks from the console

Creating tasks from the start menu or system tray

The on-demand scan task you create from either the start menu or the system tray is a one-time, unsaved task. The task you create can then be configured, scheduled, and run, but unless you choose to save it, the task is discarded when you close the On-Demand Scan Properties dialog box.
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Open the On-Demand Scan Properties using one of these methods:

- Click Start, then select Programs|Network Associates|VirusScan On-Demand Scan.
- Right-click in the system tray and select On-Demand Scan.

The On-Demand Scan Properties (Unsaved Task) dialog box appears.

Figure 4-1. On-Demand Scan Properties — (Unsaved Task)

NOTE: You can identify this as an unsaved on-demand scan task because the title bar shows (Unsaved Task). Click Save As to save the task to the console for use again. When you save the task, the On-Demand Scan Properties title bar changes from (Unsaved Task) to the task name you specify.

3 Configure the one-time, unsaved on-demand scan task. See Configuring on-demand tasks on page 89 for detailed instructions.
4 Click Apply to save your changes.
5 To schedule the task, you must first save the task, then click Schedule. You cannot schedule an unsaved task. See Configuring task schedules on page 222 for detailed instructions.
6 To run the task, click Scan Now. See Running on-demand tasks on page 107 for more information.

Creating tasks from the console

The VirusScan Console comes with a default Scan All Fixed Disks on-demand scan task. You can rename this task and/or create an unlimited number of on-demand tasks.

To create a new on-demand task from the console:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

Figure 4-2. VirusScan Console

2 Create a new scan task using one of these methods:

- Right-click a blank area in the console, without selecting an item in the task list, then select New Scan Task.
- Select New Scan task from the Task menu.
- Click in the console toolbar.

A new on-demand task appears, highlighted, in the VirusScan Console task list.
3 Type a new name for your task, then press ENTER to open the On-Demand Scan Properties dialog box.

Figure 4-3. On-Demand Scan Properties

Configuring on-demand tasks

You can configure the on-demand scanner to determine where and what you want to scan, what you want it to do if it finds a virus, and how it should notify you when it has.

The following topics are addressed in this section:

- Where properties
- Detection properties
- Advanced properties
- Action properties
- Report properties
- Adding items
- Removing items
- Editing items

Where properties

Use the options on the Where tab to specify the locations you want to scan for viruses.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.
2 Select the Where tab.

Figure 4-4. On-Demand Scan Properties — Where tab

NOTE: By default, the dialog box lists all of the drives on your computer and all of the subfolders they contain. A scan operation this inclusive can take a long time. You may want to narrow this scan for regular use later.

3 Under Item name, specify where you want scanning to take place. All fixed disks and Memory of running processes are listed by default.

NOTE: If you are creating a new scan task, All Local Drives and Memory of running processes are listed by default.

Use the Add, Remove, and/or Edit buttons to specify the items to scan. See Adding, removing, and editing items on page 91 for detailed instructions.

4 Under Scan options, specify additional scanning criteria. Select from these options:

- Include subfolders. This option is selected by default. The scanner examines all subfolders in the volumes you target for scanning. To scan only the root level of your chosen volumes, deselect Include subfolders.
- Scan boot sector(s). This option is selected by default. The scanner examines the disk boot sector.
  It may be appropriate to disable boot sector analysis when a disk contains a unique or abnormal boot sector that cannot be subjected to virus scanning.

5 Click Apply to save your changes.

Adding, removing, and editing items

Follow these procedures to Add, Remove, or Edit items in the Item name list of the On-Demand Scan Properties.

- Adding items
- Removing items
- Editing items

Adding items

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.
2 On the Where tab, click Add to open the Add Scan Item dialog box.

Figure 4-5. Add Scan Item

3 Click to select a scan item from the list. Choose from these options:

- My computer. This option is selected by default. Scans all local and mapped drives.
- All local drives. Scans all of the drives on your computer and all of the subfolders they contain.
- All fixed disks. Scans hard drives physically connected to your computer.
- All removable media. Scans only floppy disks, CD-ROM discs, Iomega ZIP disks, or similar storage devices physically attached to your computer.
- All network drives. Scans network drives logically mapped to a drive letter on your computer.
- Memory of running processes. Scans the memory of all running processes. This scan occurs before all other scans.
- User’s home folder. Scans the home folder of the user who starts the scan.
- User’s profile folder. Scans the profile of the user who starts the scan. This includes the My Documents folder.
- Drive or folder. Scans a specific drive or folder. Type the path to the drive or folder in the Location text box, or click Browse to locate and select a drive or folder. When you have finished browsing, click OK to return to the Add Scan Item dialog box.
- File. Scan a specific file. Type the path to the file in the Location text box, or click Browse to open the Select Item To Scan dialog box where you can locate and select a file. When you have selected an item, click Open to return to the Add Scan Item dialog box.
4 Click OK to save your changes and return to the On-Demand Scan Properties dialog box.
5 Click Apply to save your changes.

Removing items

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.
2 On the Where tab, select one or more items that you want to delete in the Item name list, then click Remove.
3 Click Yes to confirm that you want to remove the item.
4 Click Apply to save your changes.

Editing items

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.
2 On the Where tab, select an item in the Item name list, then click Edit to open the Edit Scan Item dialog box.

Figure 4-6. Edit Scan Item

3 Click to select a scan item from the Item to scan list. All local drives is selected by default.

NOTE: The options you have here are the same as the options in Adding items. See Step 3 on page 92 for a complete list and description of available options.

4 Click OK to return to the On-Demand Scan Properties dialog box.
5 Click Apply to save your changes.

Detection properties

Use the options on the Detection tab to specify what types of files you want the on-demand scanner to examine, and when you want to scan them.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.
2 Select the Detection tab.

Figure 4-7. On-Demand Scan Properties — Detection tab

3 Under What to scan, select from these options:

- All files. This option is selected by default. Scan all files regardless of extension.
- Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file. You can add or remove user-specified file type extensions, but you cannot delete any file type extensions from the default list.
  You can, however, exclude extensions that appear in the default list. See Excluding files, folders, and drives on page 70 for more information.
- Additions. If you selected Default + additional file types, click Additions to add or remove user-specified file type extensions. See Adding file type extensions on page 68 for detailed instructions. The maximum number of additional extensions that the on-demand scanner can list is 1,000.
- Also scan for macro viruses in all files. Scan all files, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.

NOTE: Scanning for macro viruses in all files could affect performance.

- Specified file types. Scan only the extensions you specify.
- Specified. If you selected Specified file types, click Specified to add or remove user-specified file type extensions. You can also set the list of file type extensions to the default list. See Adding user-specified file type extensions on page 69 for detailed instructions. The maximum number of specified extensions that the on-demand scanner can list is 1,000.

4 Under What not to scan, click Exclusions to specify the files, folders, and drives to exclude from scanning. See Excluding files, folders, and drives on page 70 for detailed instructions.

5 Under Compressed files, specify which types of compressed files you want the scanner to examine. You have these options:

- Scan inside packed executables. This option is selected by default. Examine compressed files that contain executable files. A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.
- Scan inside archives. Examine archive files and their contents. An archive file is a compressed file that must be extracted prior to accessing the files within it. Files contained inside archives are scanned when they are written to disk.
- Decode MIME encoded files. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.

6 Click Apply to save your changes.

Advanced properties

Use the options on the Advanced tab to specify advanced scanning properties, such as scanning for unknown program viruses and potentially unwanted programs, setting the CPU utilization level, and miscellaneous options.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.
2 Select the Advanced tab.

Figure 4-8. On-Demand Scan Properties — Advanced tab

3 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that it is a variant of a known virus. Select any combination of these options:

- Find unknown program viruses. This option is selected by default. Treat executable files that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab.
- Find unknown macro viruses. This option is selected by default. Treat embedded macros that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab to those files.

NOTE: This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.

4 Under Non-viruses, specify whether you want the scanner to find non-virus programs that are potentially unwanted.

- Find potentially unwanted programs. Detect programs that are potentially unwanted.
- Find joke programs. If you selected Find potentially unwanted programs, you can also scan for joke programs that are potentially unwanted.
WARNING: VirusScan Enterprise does not take any action on potentially unwanted program files or joke programs that it detects. Detections are logged in the log file. If you want to take action on a detected potentially unwanted program file or joke program, you must take action manually. For example, if you want to remove a detected joke program, you must remove it manually.

5 Under CPU utilization, use the slider to set the utilization level for the scan task in relation to the other tasks running on your computer. 100% is selected by default. This ensures that other running software does not slow down during a scan operation, but the scan takes longer. Set the scan task to a lower scanning level if you plan to run it at a time when the CPU is in heavy use with other essential operations.

NOTE: The CPU limitation you specify does not work when scanning encrypted files. The decryption is done by LSASS.EXE, not by the SCAN32 process. Scanning encrypted files is CPU intensive, therefore even if the CPU limit on the scanning thread is low, it is still scanning files fast enough that LSASS.EXE must keep busy to supply the decrypted data.

6 Under Miscellaneous, select from these options:

- Scan files that have been migrated to storage. Scan files that have been moved to offline storage.

NOTE: If you are using Remote Storage to extend disk space on your server, the on-demand scanner can scan the cached files. Remote Storage data storage is hierarchical, with two defined levels. The upper level, called local storage, includes the NTFS disk volumes of the computer running Remote Storage on Windows 2000 Server. The lower level, called remote storage, is located on the robotic tape library or stand-alone tape drive that is connected to the server computer. Remote Storage automatically copies eligible files on your local volumes to a tape library, then monitors space available on the local volumes.
File data is cached locally so that it can be accessed quickly as needed. When necessary, Remote Storage moves data from the local storage to remote storage. When you need to access a file on a volume managed by Remote Storage, open the file as usual. If the data for the file is no longer cached on your local volume, Remote Storage recalls the data from a tape library.

- Rescan all files when DAT files are updated. Re-examine all files when new DAT files are installed or updated. This is best used for scheduled, resumable scans. Using this feature reduces the risk of infection by re-examining files for new viruses.
- Scan window. Normal is selected by default. Click to specify how you want the scan window to appear during on-demand scans. The options are:
  - Normal
  - Minimized
  - Hidden

NOTE: Although the scan window can be configured to be normal, minimized, or hidden, the scheduled and remote task windows are always hidden regardless of the configured mode.

7 Click Apply to save your changes.

Action properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.
2 Select the Actions tab.

Figure 4-9. On-Demand Scan Properties — Actions tab

3 Under When a virus is found, select the primary action you want the scanner to take when a virus is detected.

NOTE: The default primary action is Clean infected files.

Click to select one of these actions:

- Prompt for action. Prompt the user for action when a virus is detected. If you select this option, you can also select what actions are allowed in addition to Stop and Continue. The additional choices are:
  - Clean file. Allow the infected file to be cleaned.
  - Delete file. Allow the infected file to be deleted.
  - Move file. Allow the infected file to be moved.
  No secondary action is allowed for this option.
- Continue scanning. Continue scanning when an infected file is found. No secondary action is allowed for this option.
- Move infected files to a folder. The scanner moves infected files to a quarantine folder. You can accept the default location of the folder in the Folder text box, or click Browse to navigate to the location where the folder is located. The default location and name for the quarantine folder is: <drive>:\quarantine

NOTE: The quarantine folder should not be located on a floppy drive or CD drive. It must be located on a hard drive.

- Clean infected files. This option is selected by default. The scanner tries to remove the virus from the infected file. If the scanner cannot, or if the virus has damaged the file beyond repair, the scanner performs the secondary action. See Step 4 for more information.
- Delete infected files. The scanner deletes infected files as soon as it detects them. Be sure to enable Log to file on the Reports tab, so that you have a record of which files are infected. If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.

WARNING: If you selected Find unknown macro viruses on the Advanced tab, the action you select here applies to any macro that has code resembling a virus. If you select Delete infected files, any file that has code resembling a macro virus is deleted, and any archive that contains an infected file is deleted. If that is not your intention, be certain that your choice of action corresponds with your choice of action for macros.

4 Under If the above Action fails, select the secondary action you want the scanner to take if the first action fails.

NOTE: The default secondary action is Move infected files to a folder.

Click to select one of these actions:

- Prompt for action.
  If you select this option, you can also select what actions are allowed in addition to Stop and Continue. The additional choices are:
  - Clean file. Allow the infected file to be cleaned. This option is disabled if you selected Clean file as the primary action.
  - Delete file. Allow the infected file to be deleted. This option is disabled if you selected Delete file as the primary action.
  - Move file. Allow the infected file to be moved. This option is disabled if you selected Move file as the primary action.
- Continue scanning. Continue scanning when an infected file is found.
- Move infected files to a folder. This option is selected by default. The scanner moves infected files to a quarantine folder. You can accept the default location of the folder in the Folder text box, or click Browse to navigate to the location where the folder is located. The default location and name for the quarantine folder is: <drive>:\quarantine

NOTE: The quarantine folder should not be located on a floppy drive or CD drive. It must be located on a hard drive.

- Delete infected files. The scanner deletes infected files as soon as it detects them. Be sure to enable Log to file on the Reports tab, so that you have a record of which files are infected.

5 Click Apply to save your changes.

Report properties

Use the options on the Reports tab to configure logging activity. Specify the log file location and size, and what information to capture for each log entry.

NOTE: The log file can serve as an important management tool for tracking virus activity on your network and to note which settings you used to detect and respond to any virus that the scanner found. The incident reports recorded in the file can help you determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer. See Viewing the activity log on page 111 for more information.

1 Open the On-Demand Scan Properties dialog box.
2 Select the Reports tab.

Figure 4-10. On-Demand Scan Properties — Reports tab

3 Under Log file, select from these options:

- Log to file. This option is selected by default. Record on-demand scanning virus activity in a log file. In the text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable file elsewhere on your computer or network.

NOTE: By default, the scanner writes log information to the ONDEMANDSCANLOG.TXT file in this folder: <drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan.

- Limit size of log file to. This option is selected by default. The default log file size is 1MB. Accept the default log size or set a different size for the log. If you select this option, type a value between 1MB and 999MB.

NOTE: If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.

4 Under What to log in addition to virus activity, select the additional information to record in the log file:

- Session settings. Record the properties that you chose for each scanning session in the log file.
- Session summary. This option is selected by default. Summarize the scanner’s actions during each scanning session and add the information to the log file. Summary information includes the number of files scanned, the number and type of viruses detected, the number of files moved, cleaned, or deleted, and other information.
- Failure to scan encrypted files. This option is selected by default. Record the name of encrypted files that the scanner failed to scan in the log file.
- User name. This option is selected by default. Record the name of the user logged on to the computer at the time the scanner records each log entry in the log file.

5 Click Apply to save your changes.
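Because the size limit on the Reports tab deletes the oldest entries from the front of the log file, a periodic copy of the log has to re-align itself after every trim. The following is an added example, not code from the product or from this guide: it models the documented 20 percent trim and an archiver that keeps a complete record across trims and flags when entries were lost between copies. The one-entry-per-line layout, the trim-on-append timing, the entry text, and all function names are assumptions.

```python
TRIM_PERCENT = 20  # from the guide: the oldest 20 percent of entries are deleted
EOL_BYTES = 2      # assumption: one entry per CRLF-terminated line


def make_entry(i):
    """Constructed sample entry; this is not the product's real log layout."""
    return f"{i:05d} constructed-entry"


def log_size(entries):
    """Bytes the entries would occupy on disk under the one-line-per-entry assumption."""
    return sum(len(e.encode("utf-8")) + EOL_BYTES for e in entries)


def append_capped(entries, new_entry, max_bytes):
    """Model of the size cap: when the new entry would push the log past
    max_bytes, drop the oldest 20 percent of entries, then append.
    Assumption: the trim counts entries (not bytes) and rounds up."""
    entries = list(entries)
    needed = len(new_entry.encode("utf-8")) + EOL_BYTES
    while entries and log_size(entries) + needed > max_bytes:
        drop = max(1, (len(entries) * TRIM_PERCENT + 99) // 100)
        entries = entries[drop:]
    entries.append(new_entry)
    return entries


def sync_archive(archive, current):
    """Append to `archive` the entries of `current` that it does not hold yet.

    After a trim, `current` begins with a suffix of what was already archived,
    followed by new entries, so the longest overlap between the archive's tail
    and the log's head marks where the new entries start. A byte offset into
    the file would be wrong here because the front of the file moves.
    Returns (new_count, gap). gap is True when nothing overlaps, meaning
    entries may have been trimmed before they were ever copied.
    Identical repeated entries can make the overlap ambiguous; the longest
    match is used, which is exact when entries are unique (e.g. timestamped).
    """
    limit = min(len(archive), len(current))
    overlap = 0
    for m in range(limit, 0, -1):
        if current[m - 1] == archive[-1] and current[:m] == archive[-m:]:
            overlap = m
            break
    new_entries = current[overlap:]
    gap = bool(archive) and bool(current) and overlap == 0
    archive.extend(new_entries)
    return len(new_entries), gap


def simulate(total_entries, sync_every, max_bytes):
    """Write constructed entries through the cap, copying the log every
    `sync_every` writes. Returns (archive, live_log, gaps_seen)."""
    live, archive, gaps = [], [], 0
    for i in range(total_entries):
        live = append_capped(live, make_entry(i), max_bytes)
        if (i + 1) % sync_every == 0:
            _, gap = sync_archive(archive, live)
            gaps += gap
    _, gap = sync_archive(archive, live)
    gaps += gap
    return archive, live, gaps


if __name__ == "__main__":
    # A 250-byte cap holds ten 25-byte constructed entries.
    for every in (5, 25):
        archive, live, gaps = simulate(100, every, 250)
        print(f"sync every {every:>2} writes: live log holds {len(live)}, "
              f"archive holds {len(archive)} of 100, gaps flagged: {gaps}")
```

Copying more often than the log can turn over keeps the archive complete; copying less often leaves gaps that the archiver can flag but cannot recover.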
Resetting or saving default settings

After you have configured the on-demand task, you have the option of resetting the configuration settings to the default settings or saving the current configuration settings as the default. If you do not want to reset the defaults or save the current settings as the default, skip these steps.

1 Select from these options:

- Reset to Default. Restores the default scan settings.
- Save as Default. Saves the current scanning configuration as the default configuration. If you Save as Default, all new tasks are created with this configuration.

2 Click Apply to save your changes.

Scheduling on-demand tasks

After you have configured an on-demand task, you can schedule it to run at specific dates and times, or intervals.

Figure 4-11. On-Demand Scan Properties — Schedule

1 Open the On-Demand Scan Properties dialog box for the task you are configuring.
2 Click Schedule. See Scheduling Tasks on page 221 for detailed instructions about how to schedule a task.

Scanning operations

You can run scheduled on-demand tasks unattended, start immediate scan tasks, and pause, stop, and restart tasks during the scanning operation.

NOTE: The on-demand scanner does not scan its own quarantine folder during scanning operations. The on-demand scanner is designed to exclude the quarantine folder during scanning operations to avoid repeat scanning or scanning loops.

The following topics are addressed in this section:

- Running on-demand tasks
- Pausing and restarting on-demand tasks
- Stopping on-demand tasks
- Resumable scanning

Running on-demand tasks

Once you have configured your task with the scan properties you want, you can run the scan task using one of these methods:

- Scan as scheduled. If you scheduled the scan, allow the task to run unattended.

Figure 4-12. On-Demand Scan Task — In Progress

NOTE: For the scanner to run your task, your computer must be active. If your computer is down when the task is scheduled to start, the task starts at the next scheduled time if the computer is active, or when the computer starts if you selected the Run missed task option on the Schedule Settings, Schedule tab.

NOTE: The scanner always exits after completing scheduled tasks that are launched by the Scheduler and remote tasks that are run on a remote computer.

- Scan immediately. You can start on-demand scan tasks immediately using several methods:
  - Create an on-demand scan task from the system tray or Start menu, then from the On-Demand Scan Properties dialog box, click Scan Now.
  - From the VirusScan Console, right-click an on-demand scan task and select Start.
  - From Windows Explorer, right-click a file, folder, drive, or other item, then select Scan for viruses.

The On-Demand Scan dialog box appears.

Figure 4-13. On-Demand Scan — In Progress

NOTE: The scanner does not exit automatically upon completion of the scan for these types of immediate scans. To exit the scanner, select Exit from the Scan menu.

Pausing and restarting on-demand tasks

You can pause and restart an on-demand task during the scanning operation.

- To pause an on-demand task, click , in the On-Demand Scan dialog box.
- To restart an on-demand task, click , in the On-Demand Scan dialog box.

Stopping on-demand tasks

You can stop an on-demand task during the scanning operation using one of these methods:

- Click in the On-Demand Scan dialog box.
- From the On-Demand Scan Properties dialog box, click Stop.

Resumable scanning

The on-demand scanner automatically resumes scanning where it left off if the scan is interrupted before it completes.
The incremental scan feature of the on-demand scanner recognizes the last file it scanned, so the next time the scan starts, you have the option of starting the scan from where it left off, or starting the scan from the beginning.

Figure 4-14. Resumable scan

Viewing scan results

You can view the results from your on-demand scanning operation in the statistics summary and the activity log.

The following topics are addressed in this section:

- Viewing scan statistics
- Viewing the activity log

Viewing scan statistics

The On-Demand Scan Statistics summary shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

To see statistics and results for your task:

1 Open the VirusScan Console, right-click the on-demand task in the task list, and select Statistics.

Figure 4-15. On-Demand Scan Statistics

The On-Demand Scan Statistics dialog box shows each of the scan targets you have chosen for this task in an upper pane, progress of the scan in the center pane, and a statistical summary in the lower pane. If your scan task is still in progress, the center pane shows the file that the scanner is currently examining, and the status of the scan operation.

NOTE: If the task is run again, the statistics shown here are only for the last scan.

2 Click Properties to open the On-Demand Scan Properties dialog box, change the scan properties you want to modify, then click Apply to save your changes. The scan runs with your new settings when the next on-demand scan starts. If an on-demand scan is in process when you change the scan properties, the new settings do not take effect until the next on-demand scan starts.
3 When you have finished reviewing scan statistics, click Close.

Viewing the activity log

The on-demand scan activity log shows specific details about the scanning operation.
For example, it shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use either of these methods to open the activity log file:

- Highlight the task, then select Activity Log from the Task menu.
- Right-click the task in the task list and select View Log.

3 To close the activity log, select Exit from the File menu.

Responding to virus detections

The on-demand scanner looks for viruses based on the configuration settings you selected in the On-Demand Scan Properties dialog box. See Configuring on-demand tasks on page 89 for more information.

When a virus is detected, you receive a notification if you have configured Alert Manager and/or the on-demand scanner to notify you when a virus is detected.

The following topics are addressed in this section:

- Receiving notification of virus detections
- Taking action on virus detections

Receiving notification of virus detections

The on-demand scanner can send three types of notifications when it detects a virus:

- VirusScan Alert — An alert dialog box displays when a virus is detected, if you configured the on-demand scanner to Prompt for action as either the primary or secondary action on the Actions tab. See Action properties on page 99 for more information. See Taking action on virus detections on page 113 for more information about the VirusScan Alert dialog box.
- Messenger Service — A network message displays, if you have configured Alert Manager to do so. See Configuring Alert Manager on page 150 for more information. Following is an example of a network message from Alert Manager:

  Figure 4-16. On-Demand Scan — Messenger Service

  The message provides details about the infected file, such as name of the file, location of the file, type of virus detected, and version of scanning engine and DAT file used to detect the virus.
  View the message details, then click OK to dismiss the message.
- On-Demand Scan Progress dialog box — The On-Demand Scan Progress dialog box displays while the on-demand scanner is performing a task. If any infections are found, they appear in the lower pane of the dialog box. See On-Demand Scan Progress dialog box on page 114 for more information.

You may receive more than one notification depending on how you have configured Alert Manager and the on-demand scanner.

NOTE: If you have not configured the on-demand scanner or Alert Manager to send notification, you do not receive a VirusScan Alert or network message. However, you can always see detected viruses in the On-Demand Scan Progress dialog box, during the scan operation.

Taking action on virus detections

This section describes the actions that you can take when a virus is detected by the on-demand scanner.

NOTE: You also have the option of sending a virus sample to AVERT for analysis. See Submitting a virus sample on page 36 for more information.

Use either the VirusScan Alert dialog box or the On-Demand Scan Progress dialog box to take action on the detected virus, depending on how you were notified of virus detection. If you were notified with a VirusScan Alert, take action on the detected virus from that dialog box. If you saw the virus detection in the On-Demand Scan Progress dialog box, take action on the detected virus from there.

VirusScan Alert dialog box

The VirusScan Alert dialog box appears to notify you of a virus detection if you have configured the on-demand scanner to Prompt for action. It provides information about where the detected file is located and what type of virus it detected in the file.

Figure 4-17. VirusScan Alert

Select an action to perform on the infected file:

- Continue — Continues the scanning operation, records each detection in the activity log, and lists each infected file in the On-Demand Scan dialog box.
- Stop — Stops the scanning operation immediately.
- Clean — Attempts to clean the file referenced by the selected message. If the file cannot be cleaned, either because it has no cleaner or because the virus has damaged the file beyond repair, an entry is recorded in the log file. Alternative responses may be suggested. For example, if a file cannot be cleaned, you should delete the file and restore it from a backup copy.
- Delete — Deletes the file referenced by the selected message. The file name is recorded in the log, so that you can restore it from a backup copy.
- Move File to — Moves the file referenced by the selected message to the folder you select from the dialog box.

On-Demand Scan Progress dialog box

The On-Demand Scan Progress dialog box displays when the on-demand scanner is performing tasks. The lower pane shows viruses detected during the on-demand scan operation.

Figure 4-18. On-Demand Scan Progress - Virus detected

1 Take action on the detected virus using one of these methods:

- Right-click the name of the file in the lower pane and select an action that you want to take from the menu.
- Highlight the name of the file in the lower pane and select an action to take from the Scan menu.

2 When you have finished taking actions on all the virus detections in the list, select Exit from the Scan menu to close the dialog box.

5 E-mail Scanning

The e-mail scanner provides you with two methods of scanning e-mail folders, attachments, and message bodies for either a local host or a remote host:

- The on-delivery e-mail scanner examines e-mail messages and attachments as they are delivered, if Microsoft Outlook is running.
    You can configure and run the on-delivery e-mail scanner from the VirusScan Console.
    The on-demand e-mail scanner examines e-mail messages and attachments as needed, from Microsoft Outlook. You can configure and run the on-demand e-mail scanner from Microsoft Outlook.

Use the on-demand e-mail scanner to supplement the protection that the on-delivery e-mail scanner provides. For example, if you have had Microsoft Outlook closed or you are installing the VirusScan Enterprise product for the first time, we recommend running an on-demand e-mail scan first.

The following topics are addressed in this section:
    On-delivery e-mail scan
    On-demand e-mail scan

On-delivery e-mail scan

The on-delivery e-mail scanner examines e-mail attachments and message bodies as they are delivered to Microsoft Outlook.

WARNING The on-delivery scanner does not scan incoming e-mail messages while Microsoft Outlook is offline. If you have had Microsoft Outlook offline, we recommend running an on-demand e-mail scan as soon as you bring Outlook online. See On-demand e-mail scan on page 132 for detailed instructions.

The following topics are addressed in this section:
    Configuring the on-delivery e-mail scan for a local or remote host
    Configuring the on-delivery e-mail scan properties
    Viewing on-delivery e-mail scan results

Configuring the on-delivery e-mail scan for a local or remote host

To configure the on-delivery E-mail Scan from the VirusScan Console for either a local or remote host:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

Figure 5-1. VirusScan Console

If you are configuring the E-mail Scan for a local host, skip Step 2 and go to Configuring the on-delivery e-mail scan properties on page 117.

2 If you are configuring the E-mail Scan for a remote host:
    a Select Remote Connection from the Tools menu.
    b Type the computer name or click Browse to locate the computer.
    c Click OK to return to the VirusScan Console.

Configuring the on-delivery e-mail scan properties

You can configure the on-delivery e-mail scanner to examine e-mail as it is delivered to Microsoft Outlook.

The following topics are addressed in this section:
    Detection properties
    Advanced properties
    Action properties
    Alert properties
    Report properties

Detection properties

Use the options on the Detection tab to specify which attachments and file type extensions you want to scan.

1 Open the On-Delivery Scan Properties dialog box using one of these methods:
    Highlight E-mail Scan in the task list, then click .
    Right-click E-mail Scan in the task list and select Properties.
    Double-click E-mail Scan in the task list.
  NOTE If Outlook has not been configured, the Outlook configuration dialog box is launched. If you have not logged on to your mailbox, you are prompted to log on.
2 Select the Detection tab.

Figure 5-2. On-Delivery Scan Properties — Detection tab

3 Under Scanning of e-mail, Enable Microsoft Exchange (MAPI, IMAP) is selected by default. Deselect this option if you do not want to perform e-mail scanning.
4 Under Scanning of attachments, select one of these options:
    All file types. This option is selected by default. Scan all attachments regardless of extension.
    Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file. You can add or remove user-specified file type extensions, but you cannot delete any file type extensions from the default list.
        Additions. If you selected Default + additional file types, click Additions to add or remove user-specified file type extensions. See Adding file type extensions on page 68 for detailed instructions.
        The maximum number of additional extensions that the on-delivery e-mail scanner can list is 1,000.
        Also scan for macro viruses in all attachments. Scan all attachments, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.
        NOTE Scanning for macro viruses in all attachments could affect performance.
    Specified file types. Scan only the extensions you specify.
        Specified. If you selected Specified file types, click Specified to add or remove user-specified file type extensions. You can also set the list of file type extensions to the default list. See Adding user-specified file type extensions on page 69 for detailed instructions. The maximum number of specified extensions that the on-delivery e-mail scanner can list is 1,000.
    NOTE Excluding file types is not supported for e-mail scanning.
5 Click Apply to save your changes.

Advanced properties

Use the options on the Advanced tab to specify advanced scanning properties, such as scanning for unknown program viruses, potentially unwanted programs, compressed files, and e-mail message bodies.

1 Open the On-Delivery Scan Properties dialog box using one of these methods:
    Highlight E-mail Scan in the task list, then click .
    Right-click E-mail Scan in the task list and select Properties.
    Double-click E-mail Scan in the task list.
  NOTE If Outlook has not been configured, the Outlook configuration dialog box is launched. If you have not logged on to your mailbox, you are prompted to log on.
2 Select the Advanced tab.

Figure 5-3. On-Delivery Scan Properties — Advanced tab

3 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that it is a variant of a known virus.
  Select any combination of these options:
    Find unknown program viruses. This option is selected by default. Treat executable files that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab.
    Find unknown macro viruses. This option is selected by default. Treat embedded macros that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab to those files.
    NOTE This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.
    Find attachments with multiple extensions. Treat attachments that have multiple extensions as if they were infected. The scanner applies the action you choose on the Actions tab to those files. When you select this option, the E-mail Scan Warning dialog box appears.
        E-mail Scan Warning. Read the warning carefully. Click OK to continue and accept the selection to treat attachments that have multiple extensions as if they were infected, or click Cancel to deselect the option.

Figure 5-4. E-mail Scan Warning

4 Under Non-viruses, specify whether you want the scanner to find non-virus programs that are potentially unwanted.
    Find potentially unwanted programs. Detect programs that are potentially unwanted.
        Find joke programs. If you selected Find potentially unwanted programs, you can also scan for joke programs.
    WARNING VirusScan Enterprise does not take any action on potentially unwanted program files or joke programs that it detects. Detections are logged in the log file. If you want to take action on a detected potentially unwanted program file or joke program, you must take action manually. For example, if you want to remove a detected joke program, you must remove it manually.
5 Under Compressed files, specify which types of compressed files you want the scanner to examine. You have these options:
    Scan inside packed executables. This option is selected by default. Examine compressed files that contain executable files. A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.
    Scan inside archives. This option is selected by default. Examine archive files and their contents. An archive file is a compressed file that must be extracted prior to accessing the files within it. Files contained inside archives are scanned when they are written to disk.
    Decode MIME encoded files. This option is selected by default. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.
    NOTE Although it does give you better protection, scanning compressed files can increase the amount of time required to perform a scanning activity.
6 Under E-mail message body, Scan e-mail message body is selected by default. If you deselect this option, e-mail message bodies are not scanned.
7 Click Apply to save your changes.

Action properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.

1 Open the On-Delivery Scan Properties dialog box using one of these methods:
    Highlight E-mail Scan in the task list, then click .
    Right-click E-mail Scan in the task list and select Properties.
    Double-click E-mail Scan in the task list.
  NOTE If Outlook has not been configured, the Outlook configuration dialog box is launched. If you have not logged on to your mailbox, you are prompted to log on.
2 Select the Actions tab.

Figure 5-5.
On-Delivery Scan Properties — Actions tab

3 Under When infected attachments found, select the primary action that you want the scanner to take when a virus is detected.
  NOTE The default primary action is Clean infected attachments.
  Click to select one of these actions:
    Prompt for action. Prompt the user for action when a virus is detected. If you select this option, you can also select what actions are allowed in addition to stop and continue. The additional choices are:
        Clean attachment. Allow the infected attachment to be cleaned.
        Move attachment. Allow the infected attachment to be moved.
        Delete attachment. Allow the infected attachment to be deleted.
      No secondary action is allowed for this option.
    Continue scanning. Continue scanning when an infected attachment is found. No secondary action is allowed for this option.
    Move infected attachments to a folder. Move infected attachments to a quarantine folder. The default quarantine folder is named Quarantine. You can accept the default name for the quarantine folder or type a new name.
      NOTE The quarantine folder is created in the MAPI database and can be viewed from the Folder List in Microsoft Outlook.
    Clean infected attachments. This option is selected by default. The scanner tries to remove the virus from the infected attachment. If the scanner cannot remove a virus from an infected attachment, or if the virus has damaged the attachment beyond repair, the scanner performs the secondary action.
    Delete infected attachments. Delete infected attachments as soon as they are detected. Be sure to enable the Log to file property on the Reports tab, so that you have a record of which attachments are infected. If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.
4 Under If the above Action fails, select the secondary action that you want the scanner to take if the first action fails.
  NOTE The default secondary action is Move infected attachments to a folder.
  Click to select one of these actions:
    Prompt for action. Prompt the user for action when a virus is detected. If you select this option, you can also select what actions are allowed in addition to stop and continue. The additional choices are:
        Clean attachment. Allow the infected attachment to be cleaned. This option is disabled if you selected Clean attachment as the primary action.
        Move attachment. Allow the infected attachment to be moved. This option is disabled if you selected Move attachment as the primary action.
        Delete attachment. Allow the infected attachment to be deleted. This option is disabled if you selected Delete attachment as the primary action.
    Continue scanning. Continue scanning when an infected file is found.
    Move infected attachments to a folder. This option is selected by default. Move infected attachments to a quarantine folder. The default quarantine folder is named Quarantine. You can accept the default name for the quarantine folder or type a new name.
      NOTE The Quarantine folder is created in the MAPI database and can be viewed from the Folder List in Microsoft Outlook.
    Delete infected attachments. Delete infected attachments as soon as they are detected. Be sure to enable the Log to file property on the Reports tab, so that you have a record of which attachments are infected. If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.
5 Click Apply to save your changes.

Alert properties

Use the options on the Alerts tab to configure how to warn users that an infected e-mail message or attachment has been detected.
1 Open the On-Delivery Scan Properties dialog box using one of these methods:
    Highlight E-mail Scan in the task list, then click .
    Right-click E-mail Scan in the task list and select Properties.
    Double-click E-mail Scan in the task list.
  NOTE If Outlook has not been configured, the Outlook configuration dialog box is launched. If you have not logged on to your mailbox, you are prompted to log on.
2 Select the Alerts tab.

Figure 5-6. On-Delivery Scan Properties — Alerts tab

3 Under E-mail alert, specify how you want to notify the mail sender and another user when an infected mail message is detected. You have these options:
    Return reply mail to sender. To send a return reply to the sender. If you select this option, click Configure to open the Return Mail Configuration dialog box.

    Figure 5-7. E-mail Scan — Return Mail Configuration

    Type the message you want to send, then click OK.
    Send alert mail to user. Send an e-mail alert to another user. If you select this option, click Configure to open the Send Mail Configuration dialog box.

    Figure 5-8. E-mail Scan — Send Mail Configuration

    Type the message you want to send, then click OK.
4 Click Apply to save your changes.
5 Under If Prompt for Action is selected, specify how you want to notify users when an infected e-mail is detected. You have these options:
    Display custom message. This option is selected by default. Notify the user with a custom message. If you select this option, you can type the custom message in the text box.
    Sound audible alert. This option is selected by default. Notify the user with an audible alert.
6 Click Apply to save your changes.

Report properties

Use the options on the Reports tab to configure logging activity. Specify the log file location and size, and what information you want to capture for each log entry.
NOTE The log file can serve as an important management tool for tracking virus activity on your network and to note which settings you used to detect and respond to any virus that the scanner found. The incident reports recorded in the file can help you determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer. See Viewing the on-delivery e-mail activity log on page 132 for more information.

1 Open the On-Delivery Scan Properties dialog box using one of these methods:
    Highlight E-mail Scan in the task list, then click .
    Right-click E-mail Scan in the task list and select Properties.
    Double-click E-mail Scan in the task list.
  NOTE If Outlook has not been configured, the Outlook configuration dialog box is launched. If you have not logged on to your mailbox, you are prompted to log on.
2 Select the Reports tab.

Figure 5-9. On-Delivery Scan Properties — Reports tab

3 Under Log file, select from these options:
    Log to file. This option is selected by default. Record on-delivery e-mail scanning virus activity in a log file. In the text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable file elsewhere on your computer or network.
      NOTE By default, the scanner writes log information to the EMAILONDELIVERYLOG.TXT file in this folder: <drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan
    Limit size of log file to. This option is selected by default. The default log file size is 1MB. Accept the default log size or set a different size for the log. If you select this option, type a value between 1MB and 999MB.
      NOTE If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.
4 Under What to log, select the additional information that you want to record in the log file:
    Session settings. Record the properties that you chose for each scanning session in the log file.
    Session summary. This option is selected by default. Summarize the scanner’s actions during each scanning session and add the information to the log file. Summary information includes the number of files scanned, the number and type of viruses detected, the number of files moved, cleaned, or deleted, and other information.
    Date and time. This option is selected by default. Record the date and time when a virus is detected.
    User name. This option is selected by default. Record the name of the user logged on to e-mail at the time the scanner records each log entry, in the log file.
    Failure to scan encrypted files. This option is selected by default. Record the name of encrypted files that the scanner failed to scan in the log file.
5 Click Apply to save your changes.

Viewing on-delivery e-mail scan results

You can view the results from your scanning operation in the statistics summary and the activity log.

The following topics are addressed in this section:
    Viewing on-delivery e-mail scan statistics
    Viewing the on-delivery e-mail activity log

Viewing on-delivery e-mail scan statistics

The On-Delivery E-mail Scan Statistics summary shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use either of these methods to open the On-Delivery E-mail Scan Statistics dialog box:
    Highlight the e-mail scan task in the task list, then select Statistics from the Task menu.
    Right-click the e-mail scan task in the task list and select Statistics.

Figure 5-10.
On-Delivery E-mail Scan Statistics

The On-Delivery E-mail Scan Statistics dialog box shows the Last attachment scanned in the upper pane, and a statistical summary in the lower pane. If your scan is still in progress, it shows the file that the scanner is currently examining, and the status of the scan operation.

3 You can perform either of these functions if you have administrator rights and type the password, as required:
    Click Disable to deactivate the e-mail on-delivery scanner. This function toggles between Disable and Enable.
    Click Properties to open the On-Delivery E-mail Scan Properties dialog box, change the scan properties you want to modify, then click Apply to save your changes. The scan runs with your new settings immediately.
4 When you have finished viewing scan statistics, click Close.

Viewing the on-delivery e-mail activity log

The on-delivery scan activity log shows specific details about the scanning operation. For example, it shows the number of files that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use either of these methods to open the activity log file:
    Highlight the e-mail scan task, then select Activity Log from the Task menu.
    Right-click the e-mail scan task in the task list and select View Log.
3 To close the activity log, select Exit from the File menu.

On-demand e-mail scan

The on-demand e-mail scan task can be run directly from Microsoft Outlook, as needed, to scan selected messages and attachments. Use the on-demand e-mail scanner to supplement the on-delivery e-mail scanner after periods of time when Microsoft Outlook has been closed.

NOTE If Microsoft Outlook was open during the VirusScan Enterprise installation, we recommend restarting Microsoft Outlook after the installation process completes.
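The Find attachments with multiple extensions and Decode MIME encoded files options on the Advanced tab both depend on reading each attachment's decoded file name. The following Python example is added here and is not Network Associates code. The guide does not define what the scanner counts as multiple extensions, so the rule in trailing_extensions, the BENIGN_CHAINS list and the sample message are assumptions constructed for illustration; the two benign chains show why a treat-as-infected rule of this kind produces false positives.

```python
"""Flag e-mail attachments whose decoded file name carries several extensions."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumption (not from the product guide): a dot-separated part counts as an
# extension when it is 1-5 ASCII letters/digits and contains a letter, so a
# purely numeric part such as the "2" in "report.v1.2.docx" ends the chain.
EXT_RE = re.compile(r"(?=[0-9]*[A-Za-z])[A-Za-z0-9]{1,5}")

# Assumption: extension pairs that are routinely legitimate and would
# otherwise be false positives for a "treat as infected" rule.
BENIGN_CHAINS = frozenset({("tar", "gz"), ("tar", "bz2")})


def trailing_extensions(filename):
    """Return the run of extension-like parts at the end of a file name."""
    # Keep only the base name; a sender may include path separators.
    name = re.split(r"[\\/]", filename)[-1]
    # Windows ignores trailing dots and spaces when it opens a file.
    name = name.rstrip(". ")
    parts = name.split(".")
    exts = []
    for part in reversed(parts[1:]):  # parts[0] is the stem
        if not EXT_RE.fullmatch(part):
            break
        exts.append(part.lower())
    exts.reverse()
    return exts


def find_multi_extension_attachments(raw_message, benign_chains=BENIGN_CHAINS):
    """Parse raw message bytes; return [(filename, [extensions])] to flag."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flagged = []
    # walk() also descends into nested multiparts and attached messages.
    for part in msg.walk():
        filename = part.get_filename()  # header parameter, already decoded
        if not filename:
            continue
        exts = trailing_extensions(filename)
        if len(exts) >= 2 and tuple(exts[-2:]) not in benign_chains:
            flagged.append((filename, exts))
    return flagged


def build_sample_message():
    """Constructed sample: three attachments plus one in a forwarded message."""
    inner = EmailMessage()
    inner["Subject"] = "inner message (constructed)"
    inner.set_content("forwarded body")
    inner.add_attachment(b"x", maintype="application",
                         subtype="octet-stream", filename="photo.jpg.scr")

    outer = EmailMessage()
    outer["Subject"] = "outer message (constructed)"
    outer.set_content("see attachments")
    # Non-ASCII name: serialized as an encoded header parameter, so the
    # check only works on the decoded value.
    for name in ("Rechnung_M\u00e4rz.pdf.exe", "backup.tar.gz",
                 "report.v1.2.docx"):
        outer.add_attachment(b"x", maintype="application",
                             subtype="octet-stream", filename=name)
    outer.add_attachment(inner)  # becomes a message/rfc822 part
    return bytes(outer)


if __name__ == "__main__":
    for name, exts in find_multi_extension_attachments(build_sample_message()):
        print(f"multiple extensions: {name!r} -> {exts}")
```

Passing benign_chains=frozenset() shows the stricter behaviour, in which backup.tar.gz is flagged as well.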
The following topics are addressed in this section:
    Configuring the on-demand e-mail task
    Running the on-demand e-mail task
    Viewing on-demand e-mail scan results

Configuring the on-demand e-mail task

You can use Microsoft Outlook to configure the on-demand e-mail scan task that scans messages and attachments.

The following topics are addressed in this section:
    Detection properties
    Advanced properties
    Action properties
    Alert properties
    Report properties

Detection properties

Use the options on the Detection tab to specify which attachments and file type extensions you want to scan.

1 Start Microsoft Outlook.
2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog box:
    Select E-mail Scan Properties from the Tools menu.
    Click in the Outlook toolbar.
  NOTE If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.
3 Select the Detection tab.

Figure 5-11. On-Demand E-mail Scan Properties — Detection tab

4 Under Messages to scan, specify what messages you want to scan. You have these options:
    All highlighted item(s). This option is selected by default. Scan selected e-mail messages or folders.
    All messages in the Inbox folder. Scan all messages currently in the Inbox folder and its subfolders.
        Scan unread messages only. Scan only unread messages in the Inbox folder and its subfolders. If you did not select All messages in the Inbox folder, this option is disabled.
5 Under Attachments to scan, specify what files, folders, or drives that you want to scan. You have these options:
    All file types. This option is selected by default. Scan all attachments regardless of extension.
    Default + additional file types. Scan the default list of extensions plus any additions you specify. The default list of file type extensions is defined by the current DAT file.
    You can add or remove user-specified file type extensions, but you cannot delete any file type extensions from the default list.
        Additions. If you selected Default + additional file types, click Additions to add or remove user-specified file type extensions. See Adding file type extensions on page 68 for detailed instructions. The maximum number of additional extensions that the on-demand e-mail scanner can list is 1,000.
        Also scan for macro viruses in all attachments. Scan all attachments, regardless of extension, for macro viruses. This option is only available when the Default + additional file types option is selected.
        NOTE Scanning for macro viruses in all attachments could affect performance.
    Specified file types. Scan only the extensions you specify.
        Specified. If you selected Specified file types, click Specified to add or remove user-specified file type extensions. You can also set the list of file type extensions to the default list. See Adding user-specified file type extensions on page 69 for detailed instructions. The maximum number of specified extensions that the on-demand e-mail scanner can list is 1,000.
    NOTE Excluding file types is not supported for e-mail scanning.
6 Click Apply to save your changes.

Advanced properties

Use the options on the Advanced tab to specify advanced scanning properties, such as scanning for unknown program viruses, potentially unwanted programs, compressed files, and e-mail message bodies.

1 Start Microsoft Outlook.
2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog box:
    Select E-mail Scan Properties from the Tools menu.
    Click in the Outlook toolbar.
  NOTE If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.
3 Select the Advanced tab.

Figure 5-12.
On-Demand E-mail Scan Properties — Advanced tab

4 Under Heuristics, specify whether you want the scanner to evaluate the probability that an unknown piece of code or a Microsoft Office macro is a virus. When this feature is enabled, the scanner analyzes the likelihood that it is a variant of a known virus. You have these options:
    Find unknown program viruses. This option is selected by default. Treat executable files that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab to those files.
    Find unknown macro viruses. This option is selected by default. Treat embedded macros that have code resembling a virus as if they were infected. The scanner applies the action you choose on the Actions tab to those files.
    NOTE This option is not the same as Also scan for macro viruses in all files on the Detection tab, which instructs the scanner to find all known macro viruses. This option instructs the scanner to assess the probability that an unknown macro is a virus.
    Find attachments with multiple extensions. Treat attachments that have multiple extensions as if they were infected. The scanner applies the action you choose on the Actions tab to those files. When you select this option, the E-mail Scan Warning dialog box appears:
        E-mail Scan Warning. Read the warning carefully. Click OK to continue and accept the selection to treat attachments that have multiple extensions as if they were infected, or click Cancel to deselect the option.

Figure 5-13. E-mail Scan Warning

5 Under Non-viruses, specify whether you want the scanner to find non-virus programs that are potentially unwanted.
    Find potentially unwanted programs. Detect programs that are potentially unwanted.
        Find joke programs. If you selected Find potentially unwanted programs, you can also scan for joke programs.
    WARNING VirusScan Enterprise does not take action on potentially unwanted program files or joke programs. Detections are logged in the log file.
6 Under Compressed files, specify which types of compressed files you want the scanner to examine. You have these options:
    Scan inside packed executables. This option is selected by default. Examine compressed files that contain executable files. A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.
    Scan inside archives. This option is selected by default. Examine archive files and their contents. An archive file is a compressed file that must be extracted prior to accessing the files within it. Files contained inside archives are scanned when they are written to disk.
    Decode MIME encoded files. This option is selected by default. Detect Multipurpose Internet Mail Extensions (MIME) encoded files, decode them, then scan them.
    NOTE Although it does give you better protection, scanning compressed files can increase the amount of time required to perform a scanning activity.
7 Under E-mail message body, Scan e-mail message body is selected by default. If you deselect this option, e-mail message bodies are not scanned.
8 Click Apply to save your changes.

Action properties

Use the options on the Actions tab to specify the primary and secondary actions you want the scanner to take when it detects a virus.

1 Start Microsoft Outlook.
2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog box:
    Select E-mail Scan Properties from the Tools menu.
    Click in the Outlook toolbar.
  NOTE If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.
3 Select the Actions tab.

Figure 5-14.
On-Demand E-mail Scan Properties — Actions tab

4 Under When infected attachments found, select the primary action that you want the scanner to take when a virus is detected.
  NOTE The default primary action is Clean infected attachments.
  Click to select one of these actions:
    Prompt for action. Prompt the user for action when a virus is detected. If you select this option, you can also select what actions are allowed in addition to stop and continue. The additional choices are:
        Clean attachment. Allow the infected attachment to be cleaned. This option is disabled if you selected Clean attachment as the primary action.
        Move attachment. Allow the infected attachment to be moved. This option is disabled if you selected Move attachment as the primary action.
        Delete attachment. Allow the infected attachment to be deleted. This option is disabled if you selected Delete attachment as the primary action.
      No secondary action is allowed for this option.
    Continue scanning. Continue scanning when an infected attachment is found. No secondary action is allowed for this option.
    Move infected attachments to a folder. Move infected attachments to a quarantine folder. The default quarantine folder is named quarantine. You can accept the default name for the quarantine folder or type a new name.
      NOTE The quarantine folder is created in the MAPI database and can be viewed from the Folder List in Microsoft Outlook.
    Clean infected attachments. This option is selected by default. The scanner tries to remove the virus from the infected attachment. If the scanner cannot remove a virus from an infected attachment, or if the virus has damaged the attachment beyond repair, the scanner performs the secondary action.
    Delete infected attachments. Delete infected attachments as soon as they are detected. Be sure to enable the Log to file property on the Reports tab, so that you have a record of which attachments are infected.
    If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.
5 Under If the above Action fails, select the secondary action that you want the scanner to take if the first action fails.
  NOTE The default secondary action is Move infected attachments to a folder.
  Click to select one of these actions:
    Prompt for action. Prompt the user for action when a virus is detected. If you select this option, you can also select what actions are allowed in addition to stop and continue. The additional choices are:
        Clean attachment. Allow the infected attachment to be cleaned.
        Move attachment. Allow the infected attachment to be moved.
        Delete attachment. Allow the infected attachment to be deleted.
    Continue scanning. Continue scanning when an infected file is found.
    Move infected attachments to a folder. This option is selected by default. Move infected attachments to a quarantine folder. The default quarantine folder is named quarantine. You can accept the default name for the quarantine folder or type a new name.
      NOTE The quarantine folder is created in the MAPI database and can be viewed from the Folder List in Microsoft Outlook.
    Delete infected attachments. Delete infected attachments as soon as they are detected. Be sure to enable the Log to file property on the Reports tab, so that you have a record of which attachments are infected. If you select this option, you are required to confirm your selection. Click Yes to confirm your selection, or click No to deselect this option.
6 Click Apply to save your changes.

Alert properties

Use the options on the Alerts tab to configure how to warn users that an infected e-mail message or attachment has been detected.

1 Start Microsoft Outlook.
2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog box:
  - Select E-mail Scan Properties from the Tools menu.
  - Click in the Outlook toolbar.
  NOTE If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.

3 Select the Alerts tab.

Figure 5-15. On-Demand E-Mail Scan Properties — Alerts tab

4 Under E-mail alert, specify how you want to notify the mail sender and another user when an infected mail message is detected. You have these options:
  - Return reply mail to sender. To send a return reply to the sender. If you select this option, click Configure to open the Return Mail Configuration dialog box.
    Figure 5-16. E-mail Scan — Return Mail Configuration
    Type the message you want to send, then click OK.
  - Send alert mail to user. Send an e-mail alert to another user. If you select this option, click Configure to open the Send Mail Configuration dialog box.
    Figure 5-17. E-mail Scan — Send Mail Configuration
    Type the message you want to send, then click OK.

5 Under If Prompt for Action is selected, specify how you want to notify users when an infected e-mail is detected. You have these options:
  - Display custom message. Notify the user with a custom message. If you select this option, you can type the custom message in the text box.
  - Sound audible alert. Notify the user with an audible alert.

6 Click Apply to save your changes.

Report properties

Use the options on the Reports tab to configure logging activity. Specify the log file location and size, and what information you want to capture for each log entry.

NOTE The log file can serve as an important management tool for tracking virus activity in e-mail and to record which settings you used to detect and respond to any virus that the scanner found. You can open the log file from your text editor for later review.
The incident reports recorded in the file can help you determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer.

1 Start Microsoft Outlook.

2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog box:
  - Select E-mail Scan Properties from the Tools menu.
  - Click in the Outlook toolbar.
  NOTE If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.

3 Select the Reports tab.

Figure 5-18. On-Demand E-mail Scan Properties — Reports tab

4 Under Log file, select from these options:
  - Log to file. This option is selected by default. Record on-demand e-mail scanning virus activity in a log file. In the text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable file elsewhere on your computer or network.
    NOTE By default, the scanner writes log information to the EMAILONDEMANDLOG.TXT file in this folder: <drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan.
  - Limit size of log file to. This option is selected by default. The default log file size is 1MB. Accept the default log size or set a different size for the log. If you select this option, type a value between 1MB and 999MB.
    NOTE If the data in the log file exceeds the file size you set, the oldest 20 percent of the log file entries are deleted and new data is appended to the file.

5 Under What to log in addition to virus activity, select the additional information that you want to record in the log file:
  - Session settings. Record the properties that you chose for each scanning session in the log file.
  - Session summary. This option is selected by default. Summarize the scanner’s actions during each scanning session and add the information to the log file.
    Summary information includes the number of files scanned, the number and type of viruses detected, the number of files moved, cleaned, or deleted, and other information.
  - Date and time. This option is selected by default. Record the date and time when a virus is detected.
  - User name. This option is selected by default. Record the name of the user logged on to the computer at the time the scanner records each log entry, in the log file.
  - Failure to scan encrypted files. This option is selected by default. Record the name of encrypted files that the scanner failed to scan in the log file.

6 Click Apply to save your changes.

Running the on-demand e-mail task

To run your on-demand e-mail task:

1 Start Microsoft Outlook.

2 Use one of these methods to start an on-demand e-mail scan from Microsoft Outlook:
  - Select Scan for viruses from the Tools menu.
  - Click in the Outlook toolbar.
  NOTE If the icon is not visible in the Outlook toolbar, click on the right side of the standard toolbar, then select the icon.

Figure 5-19. On-Demand E-mail Scan

3 Close the dialog box when the on-demand e-mail scan completes.

Viewing on-demand e-mail scan results

You can view the results from your scanning operation in the On-Demand E-Mail Scan dialog box while the scan is running, or in the activity log after the scan completes.

The following topic is addressed in this section:
  - Viewing the on-demand e-mail activity log

Viewing the on-demand e-mail activity log

The on-demand e-mail scan activity log shows specific details about the scanning operation. For example, it shows the number of attachments that the scanner examined, the number of viruses it found, and the actions it took in response.

1 Navigate to the EMAILONDEMANDLOG.TXT file in this location: <drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan.

2 Open the activity log file.
3 To close the activity log, select Exit from the File menu.

6 Virus Alerting

VirusScan Enterprise software provides several methods for informing you of the progress and outcome of scanning activities. For example, you can review the results of any scan after it has concluded by examining the Activity Log. You can also see the results of all scans on the VirusScan Enterprise Console. But neither of these methods notifies you immediately when the scanner detects a virus on the computer. Although the console also includes a real-time display of scanning activities, you cannot be watching the screen at all times.

Providing you with immediate notification that a virus has been detected is the function of Alert Manager, a discrete component that is incorporated into VirusScan Enterprise software and other Network Associates client/server security and management solutions. Alert Manager handles alerts and events generated by your anti-virus software in real time. In a typical configuration, Alert Manager resides on a central server and listens for alerts sent to it by client or server anti-virus software applications on the network. This client software can be workstation or server applications.

Alert Manager allows you to configure two basic aspects of alerting:
  - Where and how alerts are sent.
  - What the alert message is.

See the Alert Manager Product Guide for more detailed information.

The following topics are addressed in this section:
  - Configuring Alert Manager
  - Configuring recipients and methods
  - Customizing alert messages

Configuring Alert Manager

Use the options on the Alert Properties dialog box to determine when and how you are notified when the scanner detects a virus.

To open the Alert Properties dialog box:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.

Figure 6-1. VirusScan Console

2 Select Alerts from the Tools menu.
  The Alert Properties dialog box appears.

Figure 6-2. Alert Properties

3 Under Which components will generate alerts, select the components that you want to communicate with Alert Manager. Choose any combination of these options:
  - On-Access Scan. This option is selected by default.
  - On-Demand Scan and scheduled scans. This option is selected by default.
  - E-Mail Scan. This option is selected by default.
  - AutoUpdate. This option is selected by default.

4 Under Alert Manager destination selection, click Destination to open the Alert Manager Client Configuration dialog box.

Figure 6-3. Alert Manager Client Configuration

  You can disable or enable the alerting feature, determine which method of alerting to use when an event occurs, and specify which server receives alerts.

  a Under Alerting Options, specify the alerting method that meets your needs:
    - Disable Alerting. Do not send an alert when an event occurs.
    - Enable Alert Manager alerting. This option is selected by default. Activates the Alert Manager alerting method.
    - Configure. If you selected Enable Alert Manager alerting, click Configure to open the Select Alert Manager Server dialog box.
      Figure 6-4. Select Alert Manager Server
      Under Destination for Alerts, type the location for the Alert Manager Server to receive alerts, or click Browse to navigate to the location. Click OK to save your changes and return to the Alert Manager Client Configuration dialog box.
    - Enable Centralized alerting. Activates the Centralized alerting method. Centralized alerting provides an alternative to using regular Alert Manager messages. See Using Centralized Alerting on page 179 for more information.
      NOTE Due to security issues with shared folders, McAfee Security recommends that you do not use centralized alerting.
    - Configure.
      If you selected the option to Enable Centralized alerting, click Configure to open the Central Alerting Configuration dialog box.
      Figure 6-5. Centralized Alerting Configuration
      Under Destination for Alerts, type the location for the Central Alerting Shared Directory, or click Browse to navigate to the location. Click OK to save your changes and return to the Alert Manager Client Configuration dialog box.

  b Click OK to save your changes and return to the Alert Properties dialog box.

5 Under Configure the selected Alert Manager:

  a Click Alert Messages to configure the Alert Manager Messages. See Customizing alert messages on page 181 for detailed instructions.

  b Click Recipients to configure the Alert Manager Properties. See Configuring recipients and methods on page 155 for detailed instructions.

  c Click Alert Messages to configure the Alert Manager Messages. See Customizing alert messages on page 181 for detailed instructions.

  d When you have finished configuring Alert Manager Properties and Alert Manager Messages, click OK to close the Alert Properties dialog box.

  NOTE The buttons are disabled if Alert Manager is not installed.

Configuring recipients and methods

In the Alert Properties dialog box, click Recipients to open the Alert Manager Properties dialog box.

The Alert Manager Properties dialog box allows you to configure the recipients of alert messages sent out by Alert Manager, and also the method by which those recipients receive the alert messages. Recipients can be e-mail addresses or computers on your network. The methods by which recipients receive alert notifications can include e-mail messages or network pop-up messages.

Figure 6-6. Alert Manager Properties

To configure the recipients for a specific alert method:

1 Click the appropriate tab for a given alert method, such as Logging.
2 Configure the recipients that receive alert notifications using that alert method.

3 Click other tabs to configure recipients for any additional alert methods as required.

4 When finished, click OK to save the configurations and close the Alert Manager Properties dialog box.

For details on configuring specific alert methods and the recipients to which Alert Manager sends alert messages via those methods, refer to the sections of this Product Guide:
  - Viewing the Summary page on page 159
  - Forwarding alert messages to another computer on page 160
  - Sending an alert as a network message on page 164
  - Sending alert messages to e-mail addresses on page 166
  - Sending alert messages to a printer on page 170
  - Sending alert messages via SNMP on page 172
  - Launching a program as an alert on page 173
  - Logging alert notifications in a computer’s event log on page 175
  - Sending a network message to a terminal server on page 177. This method is only available if terminal services are running on the computer where Alert Manager is installed.
  - Using Centralized Alerting on page 179

Overview of adding alert methods

The various tabs of the Alert Manager Properties dialog box allow you to configure alerting methods. As you add each new method to your configuration, you have two options:
  - Sending a test message.
  - Setting the alert priority level for recipients.

Sending a test message

When using the tabs of the Alert Manager Properties dialog box to add new alert notification recipients, such as a network computer or an e-mail address, you can test whether the destination can receive the message. To send the selected destination a test message when configuring that method, click the Test button.

The message should appear at the configured destination if all is configured correctly.

NOTE An e-mail alert may take some time to reach its destination, depending on both your SMTP server and the receiving e-mail server.
Test messages that do not reach the target

If the target does not receive the message, review the list and confirm, as applicable, that:
  - Any communication service required to implement the selected alerting method, such as e-mail or SNMP, is enabled.
  - Any device required to transmit or receive the message, such as a modem or pager, exists and is operational.
  - Any program that is to be executed in response to virus detection is located at the path specified and is installed properly.
  - Any destination printer or computer that you have targeted exists on your network.
  - Your network is functioning properly.
  - The configuration information you have provided is accurate and complete. Some property pages include secondary pages. For example, the E-Mail Properties page links to a Mail Settings page. Be certain to review the information on these secondary pages as well.
  - If you installed Alert Manager using an account and password, make sure that the specified account has sufficient rights for the action you are trying to perform.

Setting the alert priority level for recipients

You can specify a priority level for each recipient that you add to your Alert Manager configuration. Alert Manager only sends alert notifications of that priority level or higher to the specified recipient, such as an e-mail address.

This is useful for filtering alert notifications. For example, you may want to record alert messages of all priority levels to a computer’s event log using the Logging tab of the Alert Manager Properties dialog box (see Logging alert notifications in a computer’s event log on page 175). However, you may want Alert Manager to send only serious alert notifications to a network administrator’s pager via e-mail. To do this, set separate priority thresholds for your logging and e-mail recipients.
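The threshold rule described above, as an added example (it is not part of the guide and is not Alert Manager code): each recipient receives alerts at its own priority level or higher, and a small audit lists the levels that reach nobody except a log. Only "Informational" is a level name the guide uses; the other level names, the targets, the alert stream and the helper `coverage_gaps` are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Priority scale, lowest first. The guide names only "Informational" (the lowest);
# the remaining level names are assumptions made for this example.
LEVELS = ["Informational", "Warning", "Minor", "Major", "Critical"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Recipient:
    method: str     # alert method tab, e.g. "Logging" or "E-Mail"
    target: str     # computer name or e-mail address
    threshold: str  # lowest priority level this recipient receives


def recipients_for(priority, recipients):
    """Recipients whose threshold is at or below the alert's priority."""
    return [r for r in recipients if RANK[priority] >= RANK[r.threshold]]


def dispatch(alerts, recipients):
    """Map each target to the ids of the alerts it would receive."""
    delivered = {r.target: [] for r in recipients}
    for alert_id, priority in alerts:
        for r in recipients_for(priority, recipients):
            delivered[r.target].append(alert_id)
    return delivered


def coverage_gaps(recipients, passive_methods=("Logging",)):
    """Priority levels that reach nobody except passive (log-only) recipients."""
    gaps = []
    for level in LEVELS:
        active = [r for r in recipients_for(level, recipients)
                  if r.method not in passive_methods]
        if not active:
            gaps.append(level)
    return gaps


# The guide's scenario: log every priority, page the administrator only for
# serious alerts. Targets are constructed placeholders.
SCENARIO = [
    Recipient("Logging", r"\\AVSERVER01", "Informational"),
    Recipient("E-Mail", "admin-pager@example.com", "Major"),
]

# Constructed alert stream: (id, priority).
ALERTS = [(1, "Informational"), (2, "Minor"), (3, "Major"), (4, "Critical")]

if __name__ == "__main__":
    for target, ids in dispatch(ALERTS, SCENARIO).items():
        print(target, "receives alerts", ids)
    print("logged only:", coverage_gaps(SCENARIO))
```

A level that shows up in `coverage_gaps` is recorded but never pushed to a person, which is intended for low priorities and a misconfiguration if the highest level appears there.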
To set the alert priority level for a specific recipient:

1 On the Properties dialog box for an alert method, click the Priority Level button. See Figure 6-13 on page 165 for an example.

Figure 6-7. Priority Level

2 In the Priority Level dialog box, drag the slider right or left to set the priority level.
  Drag to the right to send the recipient fewer, higher priority messages. Drag the slider to the left to send the recipient more alert messages, including lower priority messages.

3 Click OK to save the priority settings.

NOTE On the Priority Level dialog box, you can specify the priority level for specific recipients, such as a computer on a network or an e-mail address. However, you cannot set the priority of individual alert messages here. For information on setting the priority levels of individual alert messages, see Customizing alert messages on page 181.

Viewing the Summary page

The Summary tab of the Alert Manager Properties dialog box lists the recipients to which Alert Manager sends any alert notifications it receives. Recipients are grouped by alert method.

Figure 6-8. Alert Manager Properties — Summary tab

Click next to each listed alert method to display the recipient computers, printers, or e-mail addresses. To remove an alert notification recipient, select it, then click Remove. To change the configuration options for a listed recipient, select it, then click Properties to open the Properties dialog box for that alert method.

When you install Alert Manager, it is by default configured to send a pop-up network message to the computer on which it is installed and to log alert notifications in that computer’s event log. If you have not yet configured Alert Manager to send alert notifications to any recipients, the Summary tab displays only these two methods.
Alert Manager sets priority levels for these two default methods to send alert notifications of all priorities except for the lowest, Informational. See Setting the alert priority level for recipients on page 157 for details on priority.

The following sections describe the options available for each method.

Forwarding alert messages to another computer

Alert Manager can forward the alert messages received from McAfee anti-virus client or server products to another computer on your network that has Alert Manager installed. Typically, you would do this when you want to forward messages to another Alert Manager server for further distribution.

NOTE Alert Manager 4.7 can only forward alert notifications to, and receive alerts forwarded from, servers running the same version of Alert Manager. Forwarding alert notifications between servers running older versions of Alert Manager is not supported.

These topics are included in this section:
  - Forwarding alerts in a large organization.
  - Forwarding alerts in a small organization.
  - Configuring alert forwarding options.

Forwarding alerts in a large organization

In a large organization you can use the forwarding feature to send alert notifications to a central notification system or to an MIS (Management Information System) department for tracking virus statistics and problem areas. Also, large organizations tend to be spread out geographically, often with offices in several different countries. In this case, you may want to use a single Alert Manager installed on a local server to handle alerting for that local subnetwork. You can then configure that local Alert Manager server to forward high priority alert notifications to another server in another part of your network for further distribution.

Figure 6-9. Forward alerts to another Alert Manager

To do this, configure the local Alert Manager to forward alerts to the computer where the second Alert Manager is installed. You then need to configure the second Alert Manager to distribute alert notifications as desired. See Configuring alert forwarding options on page 162 for instructions.

Forwarding alerts in a small organization

In a small organization, forwarding can also be useful. Suppose, for example, you want to send all high priority alert notifications to a specific pager via e-mail, but only one server on your network has direct Internet access.

To satisfy this requirement:

1 Configure Alert Manager on each Alert Manager server to forward high priority alert messages to the modem-equipped computer.

2 Configure Alert Manager on the modem-equipped computer to send high priority messages to the target pager’s e-mail address.

Configuring alert forwarding options

To configure forwarding options:

1 From the Alert Manager Properties dialog box, click the Forward tab.
  The Forward page appears with a list of all of the computers you have chosen to receive forwarded messages. If you have not yet chosen a destination computer, this list is blank.

Figure 6-10. Alert Manager Properties — Forward tab

2 To update this list, you can do any of the following:
  - To add a computer, click Add to open the Forward Properties dialog box, then type the name of the computer that receives forwarded messages in the text box. You can type the computer name in Universal Naming Convention (UNC) notation, or click Browse to locate the computer on the network.
  - To remove a listed computer, select one of the destination computers listed, then click Remove.
  - To change configuration options, select one of the destination computers listed, then click Properties. Alert Manager opens the Forward Properties dialog box.
    Type the name of the computer to which you want Alert Manager to forward messages, or click Browse to locate the computer on the network.

Figure 6-11. Forward Properties

3 Click Priority Level to specify which types of alert messages the destination computer receives. See Setting the alert priority level for recipients on page 157.

4 Click Test to send the destination computer a test message. See Sending a test message on page 156.

5 Click OK to return to the Alert Manager Properties dialog box.

Sending an alert as a network message

Alert Manager can send alert messages to other computers. A standard message appears as a pop-up box on the recipient computer’s screen and requires the recipient to acknowledge it.

It is not necessary for the recipient computers to have Alert Manager installed. However, you might need to have the appropriate messaging client software for your operating system running on the recipient computer. This messaging software is always pre-installed on newer versions of the Windows operating system, such as Windows NT, Windows 2000, and Windows XP. This service is usually running by default.

To configure Alert Manager to send alert notifications as network messages:

1 Open the Alert Manager Properties dialog box.

2 Click the Network Message tab.
  The Network Message page appears with a list of the computers that you have configured to receive a network message. If you have not yet chosen a recipient computer, this list is blank.

Figure 6-12. Alert Manager Properties — Network Message tab

3 To update this list, you can do any of the following:
  - To add a computer, click Add to open the Network Message Properties dialog box. You can specify a recipient computer in one of two ways. You can type the name of the computer directly into the Computer: text box in UNC format, or you can select Browse to locate the computer on the network.
  - To remove a listed computer, select one of the recipient names listed, then click Remove.
  - To change configuration options, select one of the recipient names listed, then click Properties. Alert Manager opens the Network Message Properties dialog box. Change the information in the Computer: text box as necessary.

Figure 6-13. Network Message Properties

4 Click Priority Level to specify which types of alert messages the recipient receives. See Setting the alert priority level for recipients on page 157.

5 Click Test to send the recipient a test message. See Sending a test message on page 156.

6 Click OK to return to the Alert Manager Properties dialog box.

Sending alert messages to e-mail addresses

Alert Manager can send alert messages to a recipient’s e-mail address via Simple Mail Transfer Protocol (SMTP). Alert messages appear in the recipient’s mail box. If your message is particularly urgent, you can supplement an e-mail message with other methods, such as pop-up network messages, to ensure that your recipient sees the alert in time to take appropriate action.

NOTE An e-mail alert may take some time to reach its destination, depending on both your SMTP server and the receiving e-mail server.

To configure Alert Manager to send e-mail alert notifications to recipients:

1 Open the Alert Manager Properties dialog box.

2 Click the E-Mail tab.
  The E-Mail page appears with a list of the e-mail addresses that you have chosen to receive alert messages. If you have not yet chosen an e-mail address, this list is blank.

Figure 6-14. Alert Manager Properties — E-Mail tab

3 To update this list, you can do any of the following:
  - To add an e-mail address to the list, click Add to open the E-Mail Properties dialog box.
    Type the e-mail address for your alert notification recipient in the Address text box, type a subject in the Subject text box, then type your e-mail address in the From text box. Use the standard Internet address format <user name>@<domain>, such as [email protected].
    To control the truncation of longer messages, for example, a message containing a very long file and path name, append the address with a “*”, like this: [email protected]*. For more information, see Forcing truncation of messages sent to specific e-mail addresses on page 169.
  - To remove a listed address, select one of the e-mail addresses listed, then click Remove.
  - To change configuration options, select one of the e-mail addresses listed, then click Properties. Alert Manager opens the E-Mail Properties dialog box. Change the information in the text boxes as necessary.

Figure 6-15. E-Mail Properties

4 Click Mail Settings to specify the network server you use to send Internet mail via SMTP.

NOTE You must click Mail Settings and specify an SMTP server to be able to send e-mail alert notifications. Do not skip this step. Also, after configuring your SMTP mail settings the first time, you are not required to configure them again unless your SMTP mail server information changes.

Figure 6-16. SMTP Mail Settings

  a In the dialog box that appears, type the mail Server. You can type the server name as an Internet Protocol (IP) address, as a name your local domain name server can recognize, or in Universal Naming Convention (UNC) notation.

  b If your SMTP server requires it, type a Login name to use for the mail server.
    NOTE Only type a login name in the Login field if your SMTP mail server is configured to use a login. Check your SMTP configuration to see if this is required. Typing a login name here when your mail server is not configured to use it may cause problems with e-mail alerting.

  c Click OK to return to the E-Mail Properties dialog box.
5 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 157.

6 Click Test to send the recipient computer a test message. See Sending a test message on page 156.

7 If the test message is successful, click OK to return to the Alert Manager Properties dialog box.

Forcing truncation of messages sent to specific e-mail addresses

Sometimes alert notification messages can become very long, particularly when containing %FILENAME% system variables populated with file names containing very long path information. Very long messages containing long file and path names can be confusing and inconvenient. For example, when e-mail messages are sent to a pager, some pager services truncate long messages abruptly, potentially removing important information from the message. On the other hand, if a very long message does get through to a pager, the recipient might be forced to scroll through lines of path information in a file name to get to the critical information contained in the alert.

You have two options for managing long messages in e-mail alert notifications:

- Append e-mail addresses with an asterisk (*), such as [email protected]*. Alert Manager truncates alerts sent to e-mail addresses that are appended with an asterisk according to the current system SMTP message length settings. The default SMTP length is 240 characters.
  This is particularly valuable if Alert Manager sends alerts to pagers via e-mail. Some pager services have a short message length limit, for example 200 characters. If a message is intended to be delivered to a pager via an e-mail address, appending the address with an asterisk (*) lets you, instead of the pager company, control where the message is truncated.
- You can also edit the message text in the Alert Manager Messages dialog box to make sure important message content is preserved in truncated messages. To do this, you could either abbreviate some parts of the message or move critical information to the beginning of the message, perhaps leaving long file names for the end of the message.

Sending alert messages to a printer

Alert Manager can send alert notifications to a printer to print hardcopy messages. To configure Alert Manager to send alert notifications to a print queue:

1 Open the Alert Manager Properties dialog box.

2 Click the Printer tab.
  The Printer page appears with a list of all of the printer queues that you have chosen to receive alert messages. If you have not yet chosen a printer queue, this list is blank.

Figure 6-17. Alert Manager Properties — Printer tab

3 To update this list, you can do any of the following:
  - To add a print queue to the list, click Add to open the Printer Properties dialog box, then type the name of the print queue to which you want to send messages. You can type the print queue name or you can click Browse to locate the printer on the network.
  - To remove a listed print queue, select one of the printers listed, then click Remove.
  - To change configuration options, select one of the printers listed, then click Properties. Alert Manager opens the Printer Properties dialog box. Change the information in the Printer text box as necessary.

Figure 6-18. Printer Properties

4 Click Priority Level to specify which types of alert notifications the recipient printer receives. See Setting the alert priority level for recipients on page 157.

5 Click Test to send the recipient printer a test message. See Sending a test message on page 156.

6 Click OK to return to the Alert Manager Properties dialog box.
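Returning to the section Forcing truncation of messages sent to specific e-mail addresses: the added example below (not from the guide and not Alert Manager code) models the asterisk rule and checks which message layout keeps the virus name inside the 240-character default. It assumes truncation is a plain character cut of the rendered text; the path, the two message layouts and the address are constructed, and only %VIRUSNAME%, %FILENAME% and the 240-character default come from the guide.

```python
# Assumption: truncation is a plain character cut of the rendered message text.
SMTP_MAX_LEN = 240  # default SMTP message length stated in the guide


def parse_recipient(entry):
    """Split a configured address into (address, truncate?)."""
    entry = entry.strip()
    if entry.endswith("*"):
        return entry[:-1], True
    return entry, False


def render(template, variables):
    """Fill %NAME% system variables from a dict; unknown ones are left untouched."""
    text = template
    for name, value in variables.items():
        text = text.replace("%" + name + "%", value)
    return text


def deliver_text(template, variables, entry, max_len=SMTP_MAX_LEN):
    """Return (address, message text as it would be sent)."""
    address, truncate = parse_recipient(entry)
    text = render(template, variables)
    if truncate:
        text = text[:max_len]
    return address, text


def fields_lost(template, variables, entry, critical, max_len=SMTP_MAX_LEN):
    """Names of critical variables whose complete value is absent from the sent text."""
    _, text = deliver_text(template, variables, entry, max_len)
    return [name for name in critical if variables[name] not in text]


# Constructed sample data: a path longer than 240 characters.
LONG_PATH = (
    "D:\\Shares\\Projects\\"
    + "\\".join("archive_level_%02d" % i for i in range(1, 16))
    + "\\quarterly_report_final.doc"
)
SAMPLE = {"VIRUSNAME": "VirusOne", "FILENAME": LONG_PATH}

# Two constructed message layouts using the guide's system variables.
PATH_FIRST = "Infected file %FILENAME% contains virus %VIRUSNAME%. Action required."
CRITICAL_FIRST = "Virus %VIRUSNAME% detected. File: %FILENAME%"

PAGER = "pager@example.com*"  # constructed address; the asterisk requests truncation


def audit(critical=("VIRUSNAME",)):
    """Map each layout to the critical fields a truncated pager message loses."""
    return {
        "path_first": fields_lost(PATH_FIRST, SAMPLE, PAGER, critical),
        "critical_first": fields_lost(CRITICAL_FIRST, SAMPLE, PAGER, critical),
    }


if __name__ == "__main__":
    for layout, lost in audit().items():
        print(layout, "loses", lost or "nothing critical")
```

Passing a smaller `max_len` models an SMTP length setting lowered to match a pager service's own limit.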
Sending alert messages via SNMP

Alert Manager can send alert messages to other computers via the Simple Network Management Protocol (SNMP). To use this option, you must install and activate the Microsoft SNMP service on your computer; see your operating system documentation for details. To view the alert messages that the client anti-virus software sends, you must also have an SNMP management system configured properly with an SNMP viewer. To set up and configure your SNMP management system, see the documentation for your SNMP management product.

Figure 6-19. Enable SNMP alerting

To configure the scanner to send alert messages via SNMP:

1 Open the Alert Manager Properties dialog box.

2 Click the SNMP tab.

3 Select Enable SNMP traps.

4 If Alert Manager is installed on a computer running the Windows NT 4 operating system, you can click Configure SNMP to display your Windows Network dialog box and configure the Microsoft SNMP service. See your operating system documentation for details.

5 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 157.

6 Click Test to send the recipient computer a test message via SNMP. See Sending a test message on page 156.

7 Click OK to save your changes and return to the Alert Manager Properties dialog box.

Launching a program as an alert

Whenever Alert Manager receives an alert that a virus has been detected, it can automatically start any executable program on your computer or anywhere on your network. By default, Alert Manager runs VIRNOTFY.EXE, which is installed in your Alert Manager installation folder. VIRNOTFY.EXE displays names of infected files in a scrolling dialog box on the screen of the computer where Alert Manager is installed.

NOTE Alert Manager only launches a program when it receives alerts specifically pertaining to viruses. The %VIRUSNAME% and %FILENAME% system variables must be present in the alert message. See Using Alert Manager system variables on page 185. Alert Manager does not start a program unless these fields are present in the alert, regardless of the priority level set for the Program method. See Setting the alert priority level for recipients on page 157 for more information about priority levels.

To configure Alert Manager to execute a program when it finds a virus:

1 Open the Alert Manager Properties dialog box.
2 Click the Program tab to open the Program page.

Figure 6-20. Alert Manager Properties — Program tab

3 Select Execute Program.
4 Type the path and file name of the executable program that you want to run when your anti-virus software finds a virus, or click Browse to locate the program file on your computer or network.
5 Select one of the following:
  - To start the program only when your anti-virus software first finds a specific virus, click First Time.
  - To start the program each time the scanner finds a virus, click Every Time.

NOTE If you select First time, the program you designate starts as soon as the scanner initially encounters a specific virus, for example VirusOne. If the scanner finds more than one occurrence of VirusOne in the same folder, it does not start the program again. However, if, after encountering VirusOne, the scanner then encounters a different virus (VirusTwo), then encounters VirusOne again, the program starts in response to each encounter, in this example, three times in a row. Starting multiple instances of the same program might cause your server to run out of memory.

6 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 157.
Remember that the Program method does not run a program unless the alert pertains specifically to viruses. In other words, the alert must contain the %VIRUSNAME% and %FILENAME% system variables. All other alerts, regardless of priority level, are ignored.
7 Click Test to send the recipient computer a test message. See Sending a test message on page 156.

Logging alert notifications in a computer’s event log

Alert Manager can log alert messages to the local event log on your computer or the event log of another computer on your network.

To configure logging options:

1 Open the Alert Manager Properties dialog box.
2 Click the Logging tab. The Logging page appears with a list of all of the computers you have chosen to receive messages for logging. If you have not yet chosen a recipient computer, this list is blank.

Figure 6-21. Alert Manager Properties — Logging tab

3 To update this list, you can do any of the following:
  - To add a computer, click Add to open the Logging Properties dialog box, then type the name of the computer that receives forwarded messages in the text box. You can type the computer name in Universal Naming Convention (UNC) notation, or you can click Browse to locate the computer on the network.
  - To remove a listed computer, click the computer in the list and click the Remove button.
  - To change configuration options, select one of the recipient computers listed, then click Properties. Alert Manager opens the Logging Properties dialog box. Type the name of the computer to which you want Alert Manager to forward messages for logging. Click Browse to locate the destination computer.

Figure 6-22. Logging Properties

4 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 157.
5 Click Test to send the recipient computer a test message.
See Sending a test message on page 156.
6 Click OK to return to the Alert Manager Properties dialog box.

Sending a network message to a terminal server

Alert Manager can send alert messages to a terminal server. Pop-up network messages display to the user whose session originated the alert. The Alert Manager Properties dialog box only displays the Terminal Server tab if the computer on which Alert Manager is installed is a terminal server.

To configure Alert Manager to send a message to a terminal server:

1 Open the Alert Manager Properties dialog box.
2 Click the Terminal Server tab.

Figure 6-23. Alert Manager Properties — Terminal Server tab

3 To enable terminal server alerting, select Enable alerting to client.
4 Click Test to send the recipient computer a test message. The Select client for test message dialog box appears, listing the current terminal server user sessions for that computer.

Figure 6-24. Send a terminal server user a test message

5 Select a user from the list and click OK to send that user a test message and return to the Alert Manager Properties dialog box.
6 Click Priority Level to specify which types of alert messages the terminal server users should receive. See Setting the alert priority level for recipients on page 157.
7 Click OK to save the terminal server settings and return to the Alert Manager Properties dialog box.

Using Centralized Alerting

Centralized Alerting provides an alternative to using regular Alert Manager messaging. With centralized alerting, alert messages generated by anti-virus software, such as VirusScan Enterprise, are saved to a shared folder on a server. Then, Alert Manager is configured to read alert notifications from that same folder.
When the contents of the shared folder change, Alert Manager sends new alert notifications using whatever alerting methods Alert Manager is already configured to use, such as sending e-mail messages to a pager.

WARNING Due to security issues with shared folders, McAfee Security recommends that you do not use centralized alerting. Instead, you should configure your client anti-virus software to use the regular Alert Manager alert notification methods.

To use centralized alerting:

1 Configure the anti-virus software on client computers to send alert messages to the appropriate alert folder. See your anti-virus software documentation for instructions on how to do this.

NOTE To allow other workstations on your network to send messages to this folder, you must give file scan, write, create and modify permissions for this folder to all users and computers. See your operating system documentation for details.

2 Make sure that all your users and computers are able to read and write to this shared alert folder. If the folder is located on a computer running Windows NT, you must properly configure a null session share. See your operating system documentation for details.
3 Configure Alert Manager to monitor the centralized alert folder for activity. To do this:
  a From the Alert Manager Properties dialog box, select the Centralized Alert tab.

  Figure 6-25. Centralized Alerting Properties

  b Select Enable centralized alerts.
  c Type the location of the alert folder or click Browse to locate a folder elsewhere on your server or on the network. This must be the same folder that the anti-virus software on client computers is using for centralized alerts (see Step 1). The default location of the alert folder is: C:\Program Files\Network Associates\Alert Manager\Queue\.
4 Click Priority Level to specify which types of alert messages the recipient computer receives. See Setting the alert priority level for recipients on page 157.
5 Click Test to send the recipient computer a test message. See Sending a test message on page 156.
6 Click OK to save your centralized alerting settings and return to the Alert Manager Properties dialog box.

Customizing alert messages

Alert Manager comes with a wide range of alert messages suited to nearly all of the situations you may encounter when a virus is detected on a computer in your network. The alert messages include a preset priority level and incorporate system variables that identify the infected file and system, the infecting virus, and other information that you can use to get a quick but thorough overview of the situation.

To suit your own circumstances, you can enable or disable individual alert messages or change the contents and priority level for any message. Because Alert Manager still activates the alert message in response to specific trigger events, you should try to retain the overall sense of any alert messages you choose to edit.

Use the Alert Manager Messages dialog box to customize alert messages. See Configuring Alert Manager on page 150 for details on how to access the Alert Manager Messages dialog box.

Figure 6-26. Alert Manager Messages

From here, you can do either of the following:
- Enabling and disabling alert messages.
- Editing alert messages.

Enabling and disabling alert messages

Although VirusScan Enterprise can alert you whenever your anti-virus software finds a virus or whenever nearly any aspect of its normal operation changes significantly, you might not want to receive alert messages in each of these circumstances. Use the Alert Manager Messages dialog box to disable specific alert messages that you do not want to receive.

Next to each alert listed in the Alert Manager Messages dialog box is a checkbox. If this is selected, the alert is enabled. If it is not selected, it is disabled.
By default, all of the available alert messages are enabled.

To enable or disable alert messages:

1 Select or deselect the corresponding checkbox for any alert messages you want to enable or disable.
2 Click OK to save your changes and close the Alert Manager Messages dialog box.

Editing alert messages

You can edit alert messages in the following two ways:
- Changing alert priority.
- Editing alert message text.

Changing alert priority

Some of the alerts that Alert Manager receives from your client anti-virus software require more immediate attention than others. A default priority level is set for each alert message, corresponding to the urgency most system administrators would assign them. You can reassign these priority levels to suit your own needs. Use them to filter the messages that Alert Manager sends to your recipients so your recipients can concentrate on the most important ones first.

To change the priority level assigned to an alert message:

1 On the Alert Manager Messages dialog box (see Customizing alert messages on page 181), click a message in the list once to select it.
2 Click Edit to open the Edit Alert Manager Message dialog box.

Figure 6-27. Edit the priority and text of an alert message

3 Choose a priority level from the Priority list. You can assign each alert message a Critical, Major, Minor, Warning, or Informational priority. The icons shown beside each message listed in the Alert Manager Messages dialog box identify the priority level currently assigned to a message. Each icon corresponds to a choice in the Priority drop-down list. The priority levels are:
  - Critical. Indicates your anti-virus software detected viruses in files that could not be cleaned, quarantined or deleted.
  - Major. Indicates either that successful virus detection and cleaning has occurred or that serious errors and problems have occurred that might cause your anti-virus software to stop working.
    Examples include “Infected file deleted,” “No licenses are installed for the specified product,” or “Out of memory!”
  - Minor. Indicates lesser detection or status messages.
  - Warning. Indicates status messages that are more serious than informational messages. These often relate to non-critical problems encountered during the anti-virus scan.
  - Informational. Indicates standard status and informational messages, such as “On-Access scan started” or “Scan completed. No viruses found.”
  As you reassign the priority for a message, the icon beside it changes to show its new priority status.
4 Click OK.

Filtering messages by priority level

To filter your messages, configure each alert method you have set up in Alert Manager to accept only messages of a certain priority. For example, suppose you want to have Alert Manager page you whenever your client anti-virus software finds a virus on your network, but do not want it to send routine operational messages. To do this, you would assign a Critical or Major priority to virus alerts, and a Minor, Warning, or Informational priority to the routine informational messages. Then, configure Alert Manager to send only high priority messages to the e-mail address that goes to your pager.

See Setting the alert priority level for recipients on page 157 for information about applying priority level filters for specific recipients.

Editing alert message text

To help you respond to a situation that requires your attention, Alert Manager includes enough information in its messages to identify the source of whatever problem it has found and some information about the circumstances in which it found the problem. You can edit the message text as desired. For example, you can add comments to the alert message that describe more about the problem or list support contact information.

NOTE Although you can edit the alert message text to state what you want, you should try to keep its essence intact, because Alert Manager sends each message only when it encounters certain conditions. Alert Manager sends the “task has started” alert message, for example, only when it starts a task.

To edit the alert message text:

1 From the Alert Manager Messages dialog box, click the alert message in the list to select it.
2 Click Edit to open the Edit Alert Manager Message dialog box.
3 Edit the message text as desired. Text enclosed in percentage signs, such as %COMPUTERNAME%, represents a variable that Alert Manager replaces with text at the time it generates the alert message. See Using Alert Manager system variables on page 185.
4 Click OK to save your changes and return to the Alert Properties dialog box.

Using Alert Manager system variables

Alert Manager 4.7 includes system variables that you can use in alert message text. These variables refer to system features like system date and time, file names, or computer names. When sending alert notifications, Alert Manager dynamically replaces the variable with a specific value.

For example, the major alert Infected file successfully cleaned (1025) listed in the Alert Manager Messages dialog box is by default set to the following:

  The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. The file was successfully cleaned with Scan engine version %ENGINEVERSION% and DAT version %DATVERSION%.

When this alert is sent to Alert Manager from an anti-virus application, Alert Manager dynamically populates the system variables with real values, for example displaying MYDOCUMENT.DOC for the %FILENAME% variable.

Some of the most commonly-used system variables are:

%DATVERSION%
  The version of the current DAT files used by the antivirus software that generated the alert.
%ENGINEVERSION%
  The version of the current antivirus engine used by the antivirus software to detect an infection or other problem.
%FILENAME%
  The name of a file. This could include the name of an infected file it found, or the name of a file it excluded from a scan operation.
%TASKNAME%
  The name of an active task, such as an On-Access scan or AutoUpdate task in VirusScan Enterprise. Alert Manager might use this to report the name of the task that found a virus, or the name of a task that reported an error during a scan operation.
%VIRUSNAME%
  The name of an infecting virus.
%DATE%
  The system date of the Alert Manager computer.
%TIME%
  The system time of the Alert Manager computer.
%COMPUTERNAME%
  The name of a computer as it appears on the network. This could include an infected computer, a computer that reported a device driver error, or any other computer with which the program interacted.
%SOFTWARENAME%
  The file name of an executable file. This could include the application that detected a virus, an application that reported an error, or any other application with which the program interacted.
%SOFTWAREVERSION%
  The version number taken from an active software package. This could include the application that detected a virus, an application that reported an error, or any other application with which the program interacted.
%USERNAME%
  The login name of the user currently logged on to the server. This can, for instance, inform you if somebody cancelled a scan.

WARNING Be careful when editing message text to include system variables that might not be used by the event generating that alert message. Using system variables in alerts that do not use that system variable field could cause unexpected results, including garbled message text or even a system crash.
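
A pre-deployment check for edited alert text, as an added example (not part of the product or of this guide): it flags variable names that appear in neither of the guide's variable lists, stray percent signs, and virus alerts that have lost the %VIRUSNAME% or %FILENAME% fields the Program method requires, and it reports which substituted values would fall past a length limit. The function names, the sample values, the 80-character limit, and the case-sensitive matching are assumptions.

```python
import re

# Names from the guide's "complete list" of Alert Manager system variables.
# The final entry of that list is cut off in the source text, so it is left
# out here rather than guessed.
COMPLETE_LIST = """
ACCESSPROCESSNAME CLIENTCOMPUTER COMPUTERNAME DATVERSION DOMAIN ENGINESTATUS
ENGINEVERSION EVENTNAME FILENAME GMTDAY GMTHOUR GMTMIN GMTMONTH GMTSEC GMTTIME
GMTYEAR INFO MAILIDENTIFIERINFO MAILSUBJECTLINE MAILTONAME NOTEID NOTESDBNAME
NOTESSERVERNAME LANGUAGECODE LOCALDAY LOCALHOUR LOCALMIN LOCALMONTH LOCALSEC
LOCALTIME LOCALYEAR LONGDESCRIPT MAILCCNAME MAILFROMNAME NUMCLEANED NUMDELETED
NUMQUARANTINED NUMVIRS OBRULENAME OS RESOLUTION SCANRETURNCODE SEVERITY
SHORTDESCRIPT SOFTWARENAME SOFTWAREVERSION SOURCEIP SOURCEMAC SOURCESEG
TARGETCOMPUTERNAME TARGETIP TARGETMAC TASKID TASKNAME TRAPID TSCLIENTID URL
USERNAME VIRUSNAME VIRUSTYPE
"""
# %DATE% and %TIME% are described among the commonly used variables but do not
# appear in the complete list; both are accepted here.
KNOWN = frozenset(COMPLETE_LIST.split()) | {"DATE", "TIME"}

# Fields the guide says must be present before the Program method launches.
PROGRAM_REQUIRED = ("VIRUSNAME", "FILENAME")

# A variable is text without spaces enclosed in a pair of percent signs.
TOKEN = re.compile(r"%([^%\s]+)%")

def lint_template(template, virus_alert=False):
    """Return a list of (finding, detail) tuples for one alert message text."""
    findings = []
    names = TOKEN.findall(template)
    for name in dict.fromkeys(names):          # de-duplicate, keep order
        if name not in KNOWN:                  # assumption: names are case-sensitive
            findings.append(("unknown-variable", name))
    # Any percent sign left after removing well-formed variables is unpaired
    # (for example "100% cleaned" or a variable with a missing delimiter).
    if "%" in TOKEN.sub("", template):
        findings.append(("stray-percent", None))
    if virus_alert:
        for required in PROGRAM_REQUIRED:
            if required not in names:
                findings.append(("missing-for-program-method", required))
    return findings

def cut_off_variables(template, values, limit):
    """Names of variables whose substituted value ends past `limit` characters."""
    cut, pos, rendered = [], 0, 0
    for match in TOKEN.finditer(template):
        value = values.get(match.group(1), match.group(0))
        rendered += (match.start() - pos) + len(value)
        pos = match.end()
        if rendered > limit:
            cut.append(match.group(1))
    return cut

# Default text of alert 1025 as quoted in this guide.
DEFAULT_1025 = ("The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. "
                "The file was successfully cleaned with Scan engine version "
                "%ENGINEVERSION% and DAT version %DATVERSION%.")

# Constructed rewording that keeps every variable but puts the file name last.
REORDERED = ("%VIRUSNAME% %VIRUSTYPE% found and cleaned (engine %ENGINEVERSION%, "
             "DAT %DATVERSION%) in %FILENAME%")

# Constructed sample values; only MYDOCUMENT.DOC and VirusOne come from the guide.
SAMPLE_VALUES = {
    "FILENAME": r"C:\Shares\Finance\Quarterly Reports\2003\Drafts\MYDOCUMENT.DOC",
    "VIRUSNAME": "VirusOne",
    "VIRUSTYPE": "virus",
    "ENGINEVERSION": "0.0.0",
    "DATVERSION": "0000",
}

if __name__ == "__main__":
    for label, text in (("default 1025", DEFAULT_1025), ("reordered", REORDERED)):
        print(label, lint_template(text, virus_alert=True),
              cut_off_variables(text, SAMPLE_VALUES, limit=80))
```

With the long sample path, the default wording loses the virus name to truncation at 80 characters, while the reordered wording loses only the file name.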

Following is a complete list of the Alert Manager system variables that can be used in Alert Manager messages:

%ACCESSPROCESSNAME%    %NOTEID%            %RESOLUTION%
%CLIENTCOMPUTER%       %NOTESDBNAME%       %SCANRETURNCODE%
%COMPUTERNAME%         %NOTESSERVERNAME%   %SEVERITY%
%DATVERSION%           %LANGUAGECODE%      %SHORTDESCRIPT%
%DOMAIN%               %LOCALDAY%          %SOFTWARENAME%
%ENGINESTATUS%         %LOCALHOUR%         %SOFTWAREVERSION%
%ENGINEVERSION%        %LOCALMIN%          %SOURCEIP%
%EVENTNAME%            %LOCALMONTH%        %SOURCEMAC%
%FILENAME%             %LOCALSEC%          %SOURCESEG%
%GMTDAY%               %LOCALTIME%         %TARGETCOMPUTERNAME%
%GMTHOUR%              %LOCALYEAR%         %TARGETIP%
%GMTMIN%               %LONGDESCRIPT%      %TARGETMAC%
%GMTMONTH%             %MAILCCNAME%        %TASKID%
%GMTSEC%               %MAILFROMNAME%      %TASKNAME%
%GMTTIME%              %NUMCLEANED%        %TRAPID%
%GMTYEAR%              %NUMDELETED%        %TSCLIENTID%
%INFO%                 %NUMQUARANTINED%    %URL%
%MAILIDENTIFIERINFO%   %NUMVIRS%           %USERNAME%
%MAILSUBJECTLINE%      %OBRULENAME%        %VIRUSNAME%
%MAILTONAME%           %OS%                %VIRUSTYPE%
%PROCESSORSERIA%

7 Updating

The VirusScan Enterprise software depends on information in the virus definition (DAT) files to identify viruses. Without updated files, the product software might not detect new virus strains or respond to them effectively. Software that is not using current DAT files can compromise your virus-protection program.

New viruses appear at the rate of more than 500 per month. To meet this challenge, McAfee Security releases new DAT files every week, incorporating the results of its ongoing research into the characteristics of new or mutated viruses. The AutoUpdate feature makes it easy to take advantage of this service. It allows you to download the latest DAT files, scanning engine, and EXTRA.DAT simultaneously, using an immediate or scheduled update.

The following topics are addressed in this section:
- Update strategies
- System variables
- AutoUpdate tasks
- AutoUpdate repository list
- Mirror tasks
- Rollback DAT files
- Manual updates

Update strategies

Updates can be performed using many methods.
You can use update tasks, manual updates, login scripts, or you can schedule updates with management tools. This document discusses using the update tools provided in VirusScan Enterprise and updating manually. Any other implementations are beyond the scope of this document.

An efficient updating strategy generally requires that at least one client or server in your organization retrieve the updates from the Network Associates download site. From there, the files can be replicated throughout your organization, providing access for all other computers. Ideally, you should minimize the amount of data transferred across your network by automating the process of copying the updated files to your share sites.

For efficient updating, the main factors to consider are the number of clients and the number of sites. There may be additional considerations that affect your update schema, for example, the number of systems at each remote site and how remote sites access the Internet. However, the basic concepts of populating your share sites and scheduling updates apply to any size organization.

Using an update task to perform updates allows you to:
- Schedule network-wide DAT file rollouts at convenient times and with minimal intervention from either administrators or network users. You might, for example, stagger your update tasks, or set a schedule that phases in, or rotates, DAT file updates to different parts of the network.
- Split rollout administration duties among different servers or domain controllers, among different regions of wide-area networks, or across other network divisions. Keeping update traffic primarily internal can also reduce the potential for network security breaches.
- Reduce the likelihood that you need to wait to download new DAT or upgraded engine files. Traffic on McAfee computers increases dramatically on regular DAT file publishing dates and whenever new product versions appear.
  Avoiding the competition for network bandwidth enables you to deploy your new software with minimal interruptions.

For more information about updating and using McAfee Installation Designer or McAfee AutoUpdate Architect to configure and manage updates, see the VirusScan Enterprise Updating Implementation Guide.

System variables

System variables are supported for path definition when configuring AutoUpdate tasks, mirror tasks, and repositories.

Some commonly-used system variables are:

Variable                      Definition
<COMPUTER_NAME>               The name of the computer as it appears on the network.
<USER_NAME>                   The login name of the user currently logged on to the computer.
<DOMAIN_NAME>                 The name of the domain.
<SYSTEM_DRIVE>                The name of the system drive. For example: C:
<SYSTEM_ROOT>                 The path to the root directory. For example: C:\WinNT
<SYSTEM_DIR>                  The path to the system directory. For example: C:\WinNT\System32
<TEMP_DIR>                    The path to the temporary directory. For example: C:\Documents and Settings\Administrator\Local Settings\Temp
<PROGRAM_FILES_DIR>           The path to the Program Files directory. For example: C:\Program Files
<PROGRAM_FILES_COMMON_DIR>    The path to the Common Files directory. For example: C:\Program Files\Common Files
<SOFTWARE_INSTALLED_DIR>      The path to the location where the software is installed.
<PP_VAR_NAME>                 McAfee product variable name. For example: %ALLUSERSPROFILE%

AutoUpdate tasks

The AutoUpdate task is used to perform scheduled or immediate updates. You can update DAT files, the scanning engine, and the EXTRA.DAT file. See the VirusScan Enterprise Updating Implementation Guide for information about downloading HotFix, Service Pack, SuperDAT package, or .CAB files.

The VirusScan Enterprise product provides a default update task that is scheduled to update every Friday at 5:00 p.m. with one-hour randomization.
The default update task is named AutoUpdate. You can rename and reconfigure the default AutoUpdate task. You can also create additional update tasks to meet your updating requirements.

The following topics are addressed in this section:
- AutoUpdate task overview
- Creating an AutoUpdate task
- Configuring an AutoUpdate task
- Running AutoUpdate tasks
- Viewing the activity log

AutoUpdate task overview

The following diagram shows an overview of an AutoUpdate task:

Figure 7-1. AutoUpdate task overview

Creating an AutoUpdate task

To create a new AutoUpdate task:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Create a new update task using one of these methods:
  - Right-click a blank area in the console without selecting an item in the task list, then select New Update Task.
  - Select New Update Task from the Task menu.
  A new update task appears, highlighted, in the VirusScan Console task list.
3 Accept the default task name or type a new name for your task, then press ENTER to open the AutoUpdate Properties dialog box. See Configuring an AutoUpdate task on page 193 for detailed configuration information.

NOTE If you create update tasks via ePolicy Orchestrator 3.0 or later, and enable task visibility, these update tasks are visible in the VirusScan Console. These ePolicy Orchestrator tasks are read-only and cannot be configured from the VirusScan Console. See the VirusScan Enterprise Configuration Guide for use with ePolicy Orchestrator 3.0 for more information.

Configuring an AutoUpdate task

You can configure and schedule an AutoUpdate task to meet your requirements.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Open the AutoUpdate Properties dialog box using one of these methods:
  - Highlight the task in the console task list, then select Properties from the Task menu.
  - Double-click the task in the task list.
  - Right-click the task in the task list, then select Properties.
  - Highlight the task in the task list, then click [icon].

Figure 7-2. AutoUpdate Properties — New Update Task

NOTE Configure the update task before you click either Schedule or Update Now.

3 In the Log file text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable location. System variables are supported. See System variables on page 189 for more information.

NOTE By default, log information is written to the UPDATELOG.TXT file in this folder: <drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan

4 Under Run options, you can specify an executable file to start after the AutoUpdate task finishes running. For example, you might use this option to start a network message utility that notifies the administrator that the update operation completed successfully.
  - Enter the executable to be run after the Update has completed. Type the path of the executable you want to run, or click Browse to locate it.
  - Only run after successful update. Run the executable program only after a successful update. If the update is not successful, the program you specified does not run.

NOTE The program file that you specify must be executable by the currently logged on user. If the currently logged on user does not have access to the folder containing the program files, or if there is no currently logged on user, the program does not run.

5 Click Schedule to schedule the update task. See Scheduling Tasks on page 221 for more information.
6 Click Apply to save your changes.
7 To run the update task immediately, click Update Now.
8 Click OK to close the AutoUpdate Properties dialog box.

NOTE The update task uses the configuration settings in the AutoUpdate repository list to perform the update. See AutoUpdate repository list on page 199 for more information.

Running AutoUpdate tasks

Once you have configured your task with the update properties you want, you can run the update task.

The following topics are addressed in this section:
- Running the update task
- Activities that occur during an update task

Running the update task

Updates can be executed immediately as needed or scheduled for a convenient time. If the update task is interrupted during execution, it automatically resumes as follows:
- Tasks that are updating from an HTTP, UNC, or local site. If the update task is interrupted for any reason during the update, the task resumes where it left off the next time the update task starts.
- Tasks that are updating from an FTP site. The task does not resume if interrupted during a single file download. However, if a task is downloading several files and is interrupted, the task resumes before the file that was being downloaded at the time of the interruption.

To run an update task:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Run the update task using one of these methods:
  - Update as scheduled. If you scheduled the update, allow the task to run unattended.
    NOTE Your computer must be active to run an update task. If your computer is not operating when the task is scheduled to start, the task starts at the next scheduled time if the computer is active, or when the computer starts if you selected the Run missed task option on the Schedule Settings, Schedule tab.
  - Update immediately. You can start update tasks immediately using three methods:
    - Update Now command for the default update task.
    - Start command for all update tasks.
    - Update Now command for all update tasks.

Update Now command for the default update task

You can use Update Now to immediately start the default update task.

NOTE Update Now only works with the default update task which was created when you installed the product. You can rename and reconfigure the default update task, but if you delete the default task, Update Now becomes disabled.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use one of these methods to perform an immediate update using Update Now:
  - From the VirusScan Console, select Update Now from the Task menu.
  - Right-click [icon] in the system tray, then select Update Now.
3 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Start command for all update tasks

You can use Start from the VirusScan Console to immediately begin any update task.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use one of these methods to start an immediate update from the VirusScan Console:
  - Highlight the task in the console task list, then select Start from the Task menu.
  - Right-click the task in the task list, then select Start.
  - Highlight the task in the task list, then click [icon].
3 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Update Now command for all update tasks

You can use Update Now in the AutoUpdate Properties dialog box to immediately begin any update task.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Open the AutoUpdate Properties dialog box for the selected update task. For instructions, see Configuring an AutoUpdate task on page 193.
3 Click Update Now in the AutoUpdate Properties dialog box.
4 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Activities that occur during an update task

The following activities occur when you run an AutoUpdate task:
- A connection is made to the first enabled repository (update site) in the repository list. If this repository is not available, the next repository is contacted, and so on until a connection is made, or until the end of the list is reached.
- An encrypted CATALOG.Z file downloads from the repository. The CATALOG.Z file contains the fundamental data required to complete updating. This data is used to determine what files and/or updates are available.
- The software versions in the CATALOG.Z are checked against the versions on the computer. If new software updates are available, they are downloaded.
- Once the update is checked into the repository, the update is verified to confirm that it is applicable to VirusScan Enterprise and that the version is newer than the current version. Once this is verified, VirusScan Enterprise downloads the update when the next update task runs.
- An EXTRA.DAT file can be used in an emergency to detect a new threat until the new virus is added to the weekly virus definition file. The EXTRA.DAT file is downloaded from the repository on each update. This ensures that if you modify and re-check the EXTRA.DAT in as a package, all VirusScan Enterprise clients download and use the same updated EXTRA.DAT package. For example, you may use the EXTRA.DAT as an improved detector for the same virus or additional detection for other new viruses. VirusScan Enterprise supports using only one EXTRA.DAT file.

NOTE When you have finished using the EXTRA.DAT file, you should remove it from the master repository and run a replication task to ensure it is removed from all distributed repository sites. This stops VirusScan Enterprise clients from attempting to download the EXTRA.DAT file during an update.
By default, detection for the new virus in the EXTRA.DAT is ignored once the new virus definition is added to the weekly DAT files.

See AutoUpdate task overview on page 191 for a diagram of the updating process.

Viewing the activity log

The update task activity log shows specific details about the updating operation. For example, it shows the updated DAT file and engine version numbers.

To view the activity log:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use either of these methods to open the activity log file:
   - Highlight the task, then select Activity Log from the Task menu.
   - Right-click the task in the task list and select View Log.
3 To close the activity log, select Exit from the File menu.

AutoUpdate repository list

The AutoUpdate repository list (SITELIST.XML) specifies repositories and configuration information necessary to perform an update task. For example:

- Repository information and location.
- Repository order preference.
- Proxy settings, where required.
- Credentials required to access each repository.
  NOTE: These credentials are encrypted.

The AutoUpdate repository list (SITELIST.XML) is located at different locations depending on your operating system.

For example, for Windows NT:
   C:\Program Files\Network Associates\Common Framework\Data

For example, for Windows 2000:
   C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework

The following topics are addressed in this section:

- AutoUpdate repositories
- Configuring the AutoUpdate repository list

AutoUpdate repositories

A repository is a location from which you receive updates. The VirusScan Enterprise software comes pre-configured with two repositories:

   ftp://ftp.nai.com/CommonUpdater
   http://update.nai.com/Products/CommonUpdater

The FTP repository is the default site.
If you plan to use the FTP repository to perform updates, you are automatically configured to do so after the VirusScan Enterprise 7.1.0 installation process completes.

You can use either of these sites to download the latest updates if you are using VirusScan Enterprise 7.1.0 exclusively, or if you are using VirusScan Enterprise 7.1.0 in a mixed environment with VirusScan 4.5.1 or NetShield 4.5.

You can reorganize the repositories in the list or create new repositories to meet your requirements. The number of repositories that you need depends on your updating requirements. See Editing the AutoUpdate repository list on page 201 for more information.

Configuring the AutoUpdate repository list

You can configure the AutoUpdate repository list (SITELIST.XML) before installation, during installation, or after installation. This guide addresses post-installation options. See the VirusScan Enterprise Updating Implementation Guide for more information about installation options.

The following topics are addressed in this section:

- Importing the AutoUpdate repository list
- Editing the AutoUpdate repository list

Importing the AutoUpdate repository list

To import an AutoUpdate repository list from another location:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Select Tools|Import AutoUpdate Repository List.

   Figure 7-3. Import AutoUpdate Repository List

3 In the Look in box, type the location for the .XML file, or click [icon] to navigate to the location, then select a file.
4 Click Open to import the AutoUpdate repository list.

NOTE: To import a customized AutoUpdate repository list, to specify source repositories from which to obtain software, or to use multiple update locations that can replicate from a master repository, you must use the McAfee AutoUpdate Architect™ utility with VirusScan Enterprise.
Refer to the McAfee AutoUpdate Architect Product Guide for more information.

Editing the AutoUpdate repository list

Use the Edit AutoUpdate Repository List dialog box to add new AutoUpdate repositories to the list, configure them, edit and remove existing repositories, and organize the repositories in the list.

The following topics are addressed in this section:

- Adding and editing repositories
- Removing and reorganizing repositories
- Specifying proxy settings

Adding and editing repositories

AutoUpdate repositories can be added or edited from the Edit AutoUpdate Repository List dialog box.

NOTE: You can also create repositories using McAfee AutoUpdate Architect and export them to VirusScan Enterprise. See the McAfee AutoUpdate Architect Product Guide for more information about using it to create and export AutoUpdate repositories.

AutoUpdate repositories can have a state of Enabled or Disabled.

- Enabled — A defined repository that may be used during the AutoUpdate process.
- Disabled — A defined repository that you do not want to access during the AutoUpdate process.

To add or edit a repository in the AutoUpdate repository list:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Select Tools|Edit AutoUpdate Repository List.
3 Select the Repositories tab. The FTP repository is the default download site.

   Figure 7-4. Edit AutoUpdate Repository List — Repositories tab

4 Choose from these actions:
   - To add a repository, click Add to open the Repository Settings dialog box.
   - To edit a repository, highlight it in the Repository Description list, then click Edit to open the Repository Settings dialog box.

   Figure 7-5. Repository Settings

5 In the Repository description text box, type the name or description for this repository.
6 Under Retrieve files from, select the repository type or path from these choices:
   - HTTP repository.
     This option is selected by default. Use the HTTP repository location that you designate as the repository from which you retrieve the update files.
     NOTE: An HTTP site, like FTP, offers updating independent of network security, but supports higher levels of concurrent connections than FTP.
   - FTP repository. Use the FTP repository location that you designate as the repository from which you retrieve the update files.
     NOTE: An FTP site offers flexibility of updating without having to adhere to network security permissions. FTP has been less prone to unwanted code attack than HTTP, so it may offer better tolerance.
   - UNC path. Use the UNC path that you designate as the repository from which you retrieve the update files.
     NOTE: A UNC site is the quickest and easiest to set up. Cross domain UNC updates require security permissions for each domain, which makes update configuration more involved.
   - Local path. Use the local site that you designate as the repository from which you retrieve the update files.
7 Under Repository details, the information you type depends on the repository type or path you selected under Retrieve files from. System variables are supported. See System variables on page 189 for more information. Choose from the following:
   - If you selected HTTP repository or FTP repository, see HTTP or FTP repository details on page 205 for detailed instructions.
   - If you selected UNC path or Local path, see UNC path or Local path repository details on page 206 for detailed instructions.

HTTP or FTP repository details

If you selected HTTP or FTP repository:

   Figure 7-6. Repository details — HTTP or FTP site

1 Under Repository details, type the path to the repository you selected, the port number, and specify security credentials for accessing the repository.
   - URL. Type the path to the HTTP or FTP repository location:
     - HTTP.
       Type the location for the HTTP server and folder where the update files are located. The default McAfee HTTP repository for DAT file updates is located at:
       http://update.nai.com/Products/CommonUpdater
     - FTP. Type the location for the FTP server and folder where the update files are located. The default McAfee FTP repository for DAT file updates is located at:
       ftp://ftp.nai.com/CommonUpdater
   - Port. Type the port number for the HTTP or FTP server you selected.
   - Use authentication or Use anonymous login. The title differs depending on whether you have selected HTTP path or FTP path. Specify security credentials for accessing the repository. Type a User name and Password, then Confirm password.

   NOTE: Download credentials are required for FTP and UNC repositories, but are optional for HTTP repositories. The credentials you specify are used by AutoUpdate to access the repository so that it can download the required update files. When configuring the account credentials on the repository, ensure that the account has read permissions to the folders containing the update files. FTP updates support anonymous repository connections.

2 Click OK to save your changes and return to the AutoUpdate Repositories List dialog box.

UNC path or Local path repository details

If you selected UNC or Local path:

   Figure 7-7. Repository details — UNC or Local path

1 Under Repository details, type the path to the repository you selected and determine whether to use the logged on account or add security by specifying a user name and password. System variables are supported. See System variables on page 189 for more information.
   - Path. Type the path to the location from which you want to retrieve the update files.
     - UNC path. Using UNC notation (\\servername\path\), type the path of the repository where the update files are located.
     - Local path.
       Type the path of the local folder in which you have placed the update files, or click Browse to navigate to the folder.
     NOTE: The path can be that of a folder on a local drive or a network drive.
   - Use logged on account. Determine which account you want to use:
     - Select Use logged on account to use the account that is currently logged on.
     - Deselect Use logged on account to use a different account, then type the Domain, User name, Password, and Confirm password.

   NOTE: Download credentials are required for FTP and UNC repositories, but are optional for HTTP repositories. The credentials you specify are used by AutoUpdate to access the repository so that it can download the required update files. When configuring the account credentials on the repository, ensure that the account has read permissions to the folders containing the update files. With UNC updates, you have the additional option to use the logged on account. This allows the update task to make use of the logged on user’s permissions to access the repository.

2 Click OK to save your changes and return to the Repositories tab.

Removing and reorganizing repositories

To remove or reorganize repositories in the repository list:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Select Tools|Edit AutoUpdate Repository List.

   Figure 7-8. Edit AutoUpdate Repository List — Repositories tab

3 Select the Repositories tab.
4 To remove or reorganize repositories in the repository list, choose from the following:
   - To remove a repository, highlight it in the list, then click Delete.
   - To reorganize the repositories in the list, highlight a repository, then click Move up or Move down repeatedly until the repository has moved to the place in the list that you want it.

NOTE: The order in which the repositories are listed is the order in which they are accessed during an update operation.

Specifying proxy settings

Proxy servers are commonly used as part of Internet security to mask Internet users’ computers from the Internet, and improve access speed by caching commonly accessed sites. If your network uses a proxy server, you can specify which proxy settings to use, the address of the proxy server, and whether to use authentication. Proxy information is stored in the AutoUpdate repository list (SITELIST.XML). The proxy settings you configure here apply to all the repositories in this repository list.

To specify proxy settings:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Select Tools|Edit AutoUpdate Repository List.
3 Select the Proxy settings tab.

   Figure 7-9. Edit AutoUpdate Repository List — Proxy settings tab

4 Determine whether you want to use a proxy and, if you do, which settings you want to use. Choose from these options:
   - Don’t use a proxy. Do not specify a proxy server. Select this option, then click OK to save your settings and close the Edit AutoUpdate Repository List dialog box.
   - Use Internet Explorer proxy settings. This option is selected by default. Use the proxy settings for the currently installed version of Internet Explorer. Select this option, then click OK to save your settings and close the Edit AutoUpdate Repository List dialog box.
   - Manually configure the proxy settings. Configure the proxy settings to meet your specific needs. System variables are supported. See System variables on page 189 for more information. Select this option, then type the address and port information for the repository you selected:
     - HTTP Address. Type the address of the HTTP proxy server.
     - HTTP Port. Type the port number of the HTTP proxy server.
     - FTP Address. Type the address of the FTP proxy server.
     - FTP Port. Type the port number of the FTP proxy server.
     Determine whether to use authentication for either the HTTP or FTP proxy server you specified. Choose from these options:
     - Use authentication for HTTP. Select this option to add authentication to the HTTP proxy, then type the HTTP user name, HTTP password, and HTTP confirm password.
     - Use authentication for FTP. Select this option to add authentication to the FTP proxy server, then type the FTP user name, FTP password, and FTP confirm password.
5 Click Exceptions to specify proxy exceptions. If you do not want to specify exceptions, skip this step and go to Step 6.

   Figure 7-10. Proxy Exceptions

   a Select Specify exceptions, then type the exceptions, using semicolons to separate the entries.
   b Click OK to save your changes and return to the Proxy settings tab.
6 Click OK to save your changes and close the Edit AutoUpdate Repository List dialog box.

Mirror tasks

The VirusScan Enterprise software relies on a directory structure to update itself. The mirror task allows you to replicate the update files from the first accessible repository defined in the repository list, to a mirror site on your network. It is important to remember to replicate the entire directory structure when mirroring a site. This directory structure also supports previous versions of VirusScan and NetShield, as long as the entire directory structure is replicated in the same locations that VirusScan 4.5.1 used for updating.

The following shows the directory structure in the repository after using a mirror task to replicate the Network Associates repository:

   Figure 7-11. Mirrored site

After you replicate the Network Associates site that contains the update files, computers on your network can download the files from the mirror site.
This approach is practical because it allows you to update any computer on your network, whether or not it has Internet access; and efficient because your computers are communicating with a server that is probably closer than a Network Associates Internet site, therefore economizing access and download time.

The most common use of this task is to mirror the contents of the Network Associates download site to a local server.

The following topics are addressed in this section:

- Creating a mirror task
- Configuring a mirror task
- Running mirror tasks
- Viewing the mirror task activity log

Creating a mirror task

You can create a mirror task for each mirror location you need.

To create a new mirror task:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Create a mirror task using one of these methods:
   - Right-click a blank area in the console without selecting an item in the task list, then select New Mirror Task.
   - Select New Mirror task from the Task menu.
   A new mirror task appears, highlighted, in the VirusScan Console task list.
3 Accept the default task name or type a new name for your task, then press ENTER to open the AutoUpdate Properties dialog box. See Configuring a mirror task on page 214 for detailed configuration information.

NOTE: If you create mirror tasks via ePolicy Orchestrator 3.0 or later, and enable task visibility, these mirror tasks are visible in the VirusScan Console. These ePolicy Orchestrator tasks are read-only and cannot be configured from the VirusScan Console. See the VirusScan Enterprise Configuration Guide for use with ePolicy Orchestrator 3.0 for more information.

Configuring a mirror task

You can configure and schedule a mirror task to meet your requirements.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Open the AutoUpdate Properties dialog box using one of these methods:
   - Highlight the task in the console task list, then select Properties from the Task menu.
   - Double-click the task in the task list.
   - Right-click the task in the task list, then select Properties.
   - Highlight the task in the task list, then click [icon].

   Figure 7-12. AutoUpdate Properties — New Mirror Task

   NOTE: Configure the mirror task before clicking Schedule or Mirror Now.
3 In the Log file text box, accept the default log file name and location, type a different log file name and location, or click Browse to locate a suitable location. System variables are supported. See System variables on page 189 for more information.
   NOTE: By default, log information is written to the VSEMIRRORLOG.TXT file in this folder:
   <drive>:Winnt\Profiles\All Users\Application Data\Network Associates\VirusScan
4 Click Mirror Location to open the Mirror Location Settings dialog box:

   Figure 7-13. Mirror Location Settings

   a Type the path to the destination on the local system that you are using for the mirror site, or click Browse to navigate to the desired location. System variables are supported. See System variables on page 189 for more information.
   b Click OK to return to the AutoUpdate Properties dialog box.
5 Under Run options, you can specify an executable file to start after the mirror task finishes running. For example, you might use this option to start a network message utility that notifies the administrator that the update operation completed successfully.
   - Enter the executable to be run after the Mirror has completed. Type the path of the executable you want to run, or click Browse to locate it.
   - Only run after successful mirror. Run the executable program only after a successful update. If the update is not successful, the program you selected does not run.
   NOTE: The program file that you specify must be executable by the currently logged on user.
   If the currently logged on user does not have access to the folder containing the program files, or if there is no currently logged on user, the program does not run.
6 Click Schedule to schedule the mirror task. See Scheduling Tasks on page 221 for more information about scheduling tasks.
7 Click Apply to save your changes.
8 To run the mirror task immediately, click Mirror Now.
9 Click OK to close the AutoUpdate Properties dialog box.

NOTE: The Mirror task uses the configuration settings in the repository list to perform the update. See AutoUpdate repository list on page 199 for more information.

Running mirror tasks

Once you have configured the mirror task with the properties you want, you can run the mirror task using one of these methods:

- Mirror as scheduled. If you scheduled the mirror task, allow it to run unattended.
  NOTE: Your computer must be active to run a mirror task. If your computer is not operating when the task is scheduled to start, the task starts at the next scheduled time if the computer is active, or when the computer starts if you selected the Run missed task option on the Schedule Settings, Schedule tab.
- Mirror immediately. You can start mirror tasks immediately using two methods:
  - Start command for mirror task.
  - Mirror Now command for mirror tasks.

Start command for mirror tasks

You can use Start from the VirusScan Console to immediately start any mirror task.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use one of these methods to start an immediate mirror task from the VirusScan Console:
   - Highlight the task in the console task list, then select Start from the Task menu.
   - Right-click the task in the task list, then select Start.
   - Highlight the task in the task list, then click [icon].
3 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Mirror Now command for mirror tasks

You can use Mirror Now in the AutoUpdate Properties dialog box to immediately start any mirror task.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Open the AutoUpdate Properties dialog box for the selected mirror task. For instructions, see Configuring a mirror task on page 214.
3 Click Mirror Now in the AutoUpdate Properties dialog box.
4 When the task finishes, click Close to exit the McAfee Updater dialog box, or wait for the dialog box to close automatically.

Viewing the mirror task activity log

The mirror task activity log shows specific details about the updating operation. For example, it shows the updated DAT file and engine version numbers.

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Use either of these methods to open the activity log file:
   - Highlight the task, then select Activity Log from the Task menu.
   - Right-click the task in the task list and select View Log.
3 To close the activity log, select Exit from the File menu.

Rollback DAT files

Use this feature to roll back the DAT files to the last backed up version, if you find that the current DAT files are corrupt or incompatible for some reason. When you update DAT files, the old version is stored in this location:

   C:\Program Files\Common Files\Network Associates\Engine\OldDats

When you roll back the DAT files, the current DAT files are replaced with the version in the OldDats folder, and a flag is set in the registry at this location:

   HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szRollbackedDATS

Once the rollback occurs, you cannot go back to the previous version again. The next time an update is performed, the DAT version in the registry is compared with the DAT files in the update repository. If the new DAT files are the same as the ones flagged in the registry, no update occurs.
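
The repository failover described under "Activities that occur during an update task" and the rollback flag described above interact in a way that is easier to see in a small model. The following is an added illustration, not McAfee code: the catalog is reduced to a single DAT series number (the real CATALOG.Z format is not described in this guide), the repository descriptions and version numbers are constructed, and it assumes the registry flag records the DAT version that was rolled back from.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Repository:
    description: str
    url: str
    enabled: bool = True  # Enabled / Disabled state in the repository list


@dataclass
class Client:
    dat_version: int                       # DAT series number currently in use
    old_dats: Optional[int] = None         # backup kept in the OldDats folder
    rolled_back_dat: Optional[int] = None  # stands in for the szRollbackedDATS flag


# Hypothetical fetcher: returns the catalog for a URL or raises ConnectionError.
Fetcher = Callable[[str], Dict[str, int]]


def first_available(repos: List[Repository], fetch: Fetcher
                    ) -> Tuple[Optional[Repository], Optional[Dict[str, int]]]:
    """Walk the list in order, skipping disabled entries, until one answers."""
    for repo in repos:
        if not repo.enabled:
            continue
        try:
            return repo, fetch(repo.url)
        except ConnectionError:
            continue  # repository unavailable: contact the next one in the list
    return None, None


def run_update(client: Client, repos: List[Repository], fetch: Fetcher) -> str:
    """One update task: pick a repository, compare versions, honour the flag."""
    repo, catalog = first_available(repos, fetch)
    if repo is None:
        return "failed: no repository reachable"
    offered = catalog["dat"]
    if offered == client.rolled_back_dat:
        return f"skipped: DAT {offered} from {repo.description} was rolled back"
    if offered <= client.dat_version:
        return f"skipped: DAT {offered} from {repo.description} is not newer"
    client.old_dats = client.dat_version  # old version goes to OldDats
    client.dat_version = offered
    return f"updated to DAT {offered} from {repo.description}"


def rollback(client: Client) -> str:
    """Restore the OldDats backup and flag the version that was abandoned."""
    if client.old_dats is None:
        return "failed: no backup in OldDats"
    client.rolled_back_dat = client.dat_version
    client.dat_version = client.old_dats
    return f"rolled back to DAT {client.dat_version}"


def demo() -> List[str]:
    """Constructed scenario: FTP site down, HTTP site serving DAT 4301."""
    repos = [
        Repository("Internal mirror", "file://mirror.example/dats", enabled=False),
        Repository("Default FTP", "ftp://ftp.nai.com/CommonUpdater"),
        Repository("Default HTTP", "http://update.nai.com/Products/CommonUpdater"),
    ]
    catalogs = {"http://update.nai.com/Products/CommonUpdater": {"dat": 4301}}

    def fetch(url: str) -> Dict[str, int]:
        if url not in catalogs:
            raise ConnectionError(url)
        return catalogs[url]

    client = Client(dat_version=4300)
    log = [run_update(client, repos, fetch)]   # fails over from FTP to HTTP
    log.append(rollback(client))               # 4301 judged bad, back to 4300
    log.append(run_update(client, repos, fetch))  # same 4301 offered: no update
    catalogs["http://update.nai.com/Products/CommonUpdater"] = {"dat": 4302}
    log.append(run_update(client, repos, fetch))  # newer DAT released: update
    catalogs.clear()
    log.append(run_update(client, repos, fetch))  # every repository unreachable
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third entry in the log is the case an administrator should expect after a rollback: clients stay on the restored DAT files until the repository carries a different version.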

To roll back the DAT files:

1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Select Tools|Rollback DATs. The McAfee Updater dialog box opens.

   Figure 7-14. Rollback DATs — Update in Progress

3 The rollback appears to be the same as an update, except that the details show Performing DAT rollback. When the rollback finishes, click Close to exit the McAfee AutoUpdate dialog box, or wait for the dialog box to close automatically.

NOTE: When you perform a rollback, the last backup of the DAT files is restored.

Manual updates

McAfee Security recommends that you use the AutoUpdate task supplied with the VirusScan Enterprise software to install new DAT file or scanning engine versions. This utility offers an easy method for correctly updating the DAT files and scanning engine. To install DAT files yourself, however, you can download DAT and engine files manually from these update sites:

   http://www.networkassociates.com/us/downloads/updates
   ftp://ftp.nai.com/CommonUpdater

- Regular DAT files. McAfee Security stores these files on its FTP site as .ZIP archives with the name DAT-XXXX.ZIP. The XXXX in the file name is a series number that changes with each DAT file release. To download these files, use a web browser or FTP client to connect with:
  ftp://ftp.nai.com/CommonUpdater
- Installable .EXE files. McAfee Security stores these files on its web site as a self-executing setup file named XXXXUPDT.EXE. Here, too, the XXXX is a series number that changes with each new DAT release. To download these files, use a web browser to connect with:
  http://www.networkassociates.com/us/downloads/updates

Both files contain exactly the same DAT files. The difference between them is in how you use them to update your copy of the VirusScan Enterprise software.
To use the DAT-XXXX.ZIP archive, you must download the file, extract it from its archive, copy the files into the DAT folder, then restart the on-access scanner. See Updating from DAT file archives on page 220 for detailed steps.

To install DAT files that come with their own setup utility, you need only to download the files to a temporary folder on your hard disk, then run or double-click the XXXXUPDT.EXE file. The setup utility stops the on-access scanner, copies the files to the correct folder, then restarts the on-access scanner.

NOTE: You may need administrator rights to write to the DAT folder. Once updated, the new DAT files are picked up by the on-access scanner, the on-demand scanner, and the e-mail scanner, the next time each scanner starts.

Updating from DAT file archives

To install DAT file updates directly from a .ZIP archive without using AutoUpdate:

1 Create a temporary folder on your hard disk, then copy the DAT file .ZIP archive you downloaded to that folder.
2 Back up or rename these existing DAT files.
   - CLEAN.DAT
   - NAMES.DAT
   - SCAN.DAT
   If you accepted the default installation path, these files are located in:
   <drive>:\Program Files\Common Files\Network Associates\Engine\
3 Use WINZIP, PKUNZIP, or a similar utility to open the .ZIP archive and extract the updated DAT files.
4 Log on to the server you want to update. You must have administrator rights for the destination computer.
5 Copy the DAT files to the DAT folder.
6 Disable on-access scanning by stopping the McShield service, then enable it again by starting the McShield service.
7 Stop Microsoft Outlook, then restart it.
8 Stop on-demand scan tasks, then restart them.

Chapter 8. Scheduling Tasks

You have the option of scheduling VirusScan Enterprise tasks to run at specific dates and times, or intervals. Schedules can be configured to meet your company’s needs.
The following topics are addressed in this section:

- Configuring task schedules

Configuring task schedules

You can schedule three types of tasks:

- On-demand tasks — To schedule an on-demand task, open the On-Demand Scan Properties for the task, then click Schedule. The Schedule Settings dialog box opens. For more information about on-demand tasks, see On-Demand Scanning on page 85.
- AutoUpdate tasks — To schedule an AutoUpdate task, open the AutoUpdate Properties for the AutoUpdate task, then click Schedule. The Schedule Settings dialog box opens. For more information about AutoUpdate tasks, see AutoUpdate tasks on page 190.
- Mirror tasks — To schedule a mirror task, open the AutoUpdate Properties for the mirror task, then click Schedule. The Schedule Settings dialog box opens. For more information about mirror tasks, see Mirror tasks on page 212.

The following topics are addressed in this section:

- Task properties
- Schedule properties

Task properties

Use the options on the Task tab to enable scheduling, specify a limit for the task run time, and add authentication for this task.

1 Select the Task tab.

   Figure 8-1. Schedule Settings — Task tab

2 Under Schedule Settings, specify whether you want the task to run at a specific time. You have these options:
   - Enable (scheduled task runs at specified time). Schedule the task to run at a specified time.
   - Stop the task if it runs for. Stop the task after a limited time. If you select this option, also type in or select the hours and minutes.
   NOTE: If the task is interrupted before it completes, the next time it starts it resumes scanning from where it left off, unless the DAT files have been updated and you have selected the option to rescan all files when DAT files are updated. In that case, the scan starts over instead of resuming from where it left off.
3 Under Task, specify authentication credentials for this task by entering the following information:
   NOTE: The use of credentials is optional. If you do not type credentials here, the scheduled task runs under the local system account.
   - User. Type the user ID under which this task executes.
   - Domain. Type the domain for the user ID you specified.
   - Password. Type the password for the user ID and domain you specified.
4 Click Apply to save your changes.

NOTE: If you schedule a task using credentials, the account that you specify needs to have logon as a batch job privilege. Without this privilege, the spawned process cannot access network resources, even though it has the correct credentials. This is documented Windows NT behavior.

To give an account this privilege:

- Start|Programs|Administrative Tools|Local Security Policy.
- Security Settings|Local Policies|User Rights Assignments.
- Double-click Log on as a batch job.
- Add the user to the list.
- Click OK to save your changes and close the dialog box.

Schedule properties

Use the options on the Schedule tab to specify the task frequency, when the task runs in time zones, whether you want to run the task at random times within specified intervals, whether to run missed tasks, and specify delay times for missed tasks.

The following topics are addressed in this section:

- Schedule task frequencies
- Advanced schedule options
- Scheduling tasks by frequency

Schedule task frequencies

The schedule frequency you select here affects the options you have available for scheduling days, weeks, months, and other frequencies. The frequency options are:

- Daily. This option is selected by default. Run the task daily on the specified day(s). See Daily on page 227.
- Weekly. Run the task weekly on the specified week(s) and day(s). See Weekly on page 229.
- Monthly. Run the task monthly on the specified day(s) and months. See Monthly on page 230.
- Once. Run the task once on the specified date. See Once on page 232.
- At System Startup. Run the task at system startup and specify whether to run the task once per day and the number of minutes to delay the task. See At System Startup on page 233.
- At Logon. Run the task at log on and specify whether to run the task once per day and the number of minutes to delay the task. See At Logon on page 234.
- When Idle. Run the task when the computer is idle and specify the number of minutes. See When Idle on page 235.
- Run Immediately. Run the task immediately. See Run Immediately on page 236.
- Run On Dialup. Run the task on Dialup and specify whether to run the task once per day. See Run On Dialup on page 237.

Advanced schedule options

1 On the Schedule tab, under Schedule, click Advanced to open the Advanced Schedule Options dialog box.

   Figure 8-2. Advanced Schedule Options

   - Start Date. Click to select a date from the calendar. This field is optional.
   - End Date. Click to select a date from the calendar. This field is optional.
   - Repeat Task. Repeat the task at the frequency selected.
     - Every. Type the frequency or use the arrows to select a number, then select whether you want the frequency to be in minutes or hours.
     - Until. Select either Time (Local) and type in or select the time, or select Duration and type in or select the hour(s) and minute(s).
2 Click OK to return to the Schedule tab.

Scheduling tasks by frequency

You can schedule a task for a date and/or time that meets your needs. The following task frequencies are addressed in this section:

- Daily
- Weekly
- Monthly
- Once
- At System Startup
- At Logon
- When Idle
- Run Immediately
- Run On Dialup

Daily

1 On the Schedule tab, under Schedule:
   - Schedule Task. Click to select Daily.

   Figure 8-3. Schedule tab — Daily

   - Start Time.
Type the start time for the scheduled task or use the arrows to select a time.
UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.
Local Time. This option is selected by default. Run the task independently in each local time zone.
Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse. You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.
Run missed task. Ensures that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.
Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.
Advanced. Click this button to set advanced scheduling properties. See Advanced schedule options on page 226 for more information.

2 Under Schedule Task Daily, type in or select the frequency in number of days, or use the arrows to select a number.

NOTE: Daily tasks can be run every so many days, or every day Monday through Sunday. If you only want to run the task on specific days of the week, other than every day Monday through Sunday, we recommend that you use the weekly task frequency.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Weekly

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Weekly.

Figure 8-4. Schedule tab — Weekly

Start Time.
Type the start time for the scheduled task or use the arrows to select a time.
UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.
Local Time. This option is selected by default. Run the task independently in each local time zone.
Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse. You can type a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.
Run missed task. Ensures that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.
Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.
Advanced. Click this button to set advanced scheduling properties. See Advanced schedule options on page 226 for more information.

2 Under Schedule Task Weekly:

Every. Type the frequency in number of weeks.
Week(s) on. Select the days of the week.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Monthly

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Monthly.

Figure 8-5. Schedule tab — Monthly

Start Time. Type the start time for the scheduled task or use the arrows to select a time.
UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.
Local Time.
This option is selected by default. Run the task independently in each local time zone.
Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type the hours and minutes for the maximum time lapse. You can type a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.
Run missed task. Ensures that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.
Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.
Advanced. Click this button to set advanced scheduling properties. See Advanced schedule options on page 226 for more information.

2 Under Schedule Task Monthly, choose from these options:

Day of the month. Select the option and the day of the month.
Weekday of the month. Select this option to run the task on a specific day of the month (for example, first Sunday or second Wednesday). Select First, Second, Third, Fourth, or Last option. Select the day of the week on which to run this task each month.
Click Select Months to select specific months: Select the months for which you want to run the task.

NOTE: All months are selected by default.

Click OK to return to the Schedule tab.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Once

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Once.

Figure 8-6. Schedule tab — Once

Start Time. Type the start time for the scheduled task or use the arrows to select a time.
UTC Time. Coordinated Universal Time (UTC). Select this option to run the task simultaneously in all time zones.
Local Time. This option is selected by default. Run the task independently in each local time zone.
Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse. You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.
Run missed task. Ensures that missed tasks run when the computer starts up again. If the computer was offline when a task was scheduled to be run, it may have been missed. This feature ensures that remote users and the network are fully protected if they happen to be offline when a task is scheduled to run.
Delay missed task by. Type the number of minutes by which you want to delay the missed task, or use the arrows to select the number of minutes. Choose from 0 to 99 minutes.
Advanced. Click this button to set advanced scheduling properties. See Advanced schedule options on page 226 for more information.

2 Under Schedule Task Once, click to select the date on which you want to run the task.

3 Click OK to save your settings and close the Schedule Settings dialog box.

At System Startup

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select At System Startup.

Figure 8-7. Schedule tab — At System Startup

2 Under Schedule Task at System Startup:

Only run this task once per day. Select this option to run this task once a day. If you do not select this option, the task runs every time startup occurs.
Delay task by. Select the number of minutes to delay the task. Choose from 0 to 99 minutes.
This allows time for logon scripts to execute or user logon time.

3 Click OK to save your settings and close the Schedule Settings dialog box.

At Logon

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select At Logon.

Figure 8-8. Schedule tab — At Logon

2 Under Schedule Task at Logon:

Only run this task once per day. Select this option to run this task once a day. If you do not select this option, the task runs every time log on occurs.
Delay task by. Type the number of minutes to delay the task. Choose from 0 to 99 minutes. This allows time for logon scripts to execute or user logon time.

3 Click OK to save your settings and close the Schedule Settings dialog box.

When Idle

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select When Idle.

Figure 8-9. Schedule tab — When Idle

2 Under Schedule Task When Idle, type in or select the number of minutes that you want the computer to be idle before it starts the task. Choose from 0 to 999 minutes.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Run Immediately

1 On the Schedule tab, under Schedule:

Schedule Task. Click to select Run Immediately.

Figure 8-10. Schedule tab — Run Immediately

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse. You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.

2 Click OK to save your settings and close the Schedule Settings dialog box.

Run On Dialup

1 On the Schedule tab, under Schedule:

Schedule Task.
Click to select Run On Dialup.

Figure 8-11. Schedule tab — Run On Dialup

Enable randomization. Run the task at a random point within the interval of time you set. If you select this option, also type in or select the hours and minutes for the maximum time lapse. You can type in or select a time lapse interval between one minute (minimum) and 24 hours (maximum). For example, setting the task schedule to 1:00 and the randomization to three hours would cause the task to run at any time between 1:00 and 4:00.

2 Under Schedule Task Run On Dialup, select whether to run the task once per day.

NOTE: Scheduling a task to Run On Dialup may be more useful for an AutoUpdate task than an on-demand task.

3 Click OK to save your settings and close the Schedule Settings dialog box.

Appendix A. Command-Line Scanner Program

A typical installation of the VirusScan Enterprise software includes the McAfee Security VirusScan Enterprise Command Line program. That program can be run from a Windows Command Line prompt.

The following topics are addressed in this section:

VirusScan Enterprise command-line options
On-demand scanning command-line options
Customized installation properties

VirusScan Enterprise command-line options

To run the VirusScan Enterprise Command Line program, change to the folder in which the file SCAN.EXE is located, and type SCAN. If you installed the VirusScan Enterprise program to its default location, the file can be found in:

C:\Program Files\Common Files\Network Associates\Engine\

The following table lists the options that can be added to the command SCAN. All the options listed can be used to configure both on-demand and on-access scans, unless otherwise noted.

Table A-1. VirusScan Command-Line Options

Command-Line Option    Description

/? or /HELP
Displays a list of VirusScan command-line options, each with a brief description.
You may find it helpful to add a list of scanning options to the report files that the VirusScan program creates. To do this, type scan /? /REPORT <file name> at the command prompt. The results of your scanning report are appended with the full set of options available for that scan task.

/ADL
Scan all local drives—including compressed drives and PC cards, but not disks—in addition to any other drive(s) specified on the command line.
To scan both local and network drives, use the /ADL and /ADN commands together in the same command line.

/ADN
Scan all network drives—including CD-ROM—for viruses, in addition to any other drive(s) specified on the command line.
Note: To scan both local drives and network drives, use the /ADL and /ADN commands together in the same command line.

/ALERTPATH <dir>
Designates the directory <dir> as a network path to a remote NetWare volume or Windows NT directory, monitored by Centralized Alerting.
VirusScan sends an .ALR text file to the server when it detects an infected file.
From this directory, VirusScan Enterprise, through its Centralized Alerting feature, broadcasts or compiles the alerts and reports according to its established configuration.
Requirements:
You must have write-access to the directory you specify.
The directory must contain the VirusScan Enterprise-supplied CENTALRT.TXT file.

/ALL
Overrides the default scan setting by scanning all infectable files—regardless of extension.
Notes:
Using the /ALL option substantially increases the scanning time required. Use it only if you find a virus or suspect that you have one.
To get a current list of file type extensions, run /EXTLIST at the command prompt.

/ANALYZE
Sets the software to scan using its full heuristics, both program and macro.
Note: /MANALYZE targets macro viruses only; /PANALYZE targets program viruses only.

/APPEND
Used with /REPORT <file name> to append report message text to the specified report file instead of overwriting it.

/BOOT
Scan boot sector and master boot record only.

/CLEAN
Clean viruses from all infected files and system areas.

/CLEANDOCALL
As a precautionary measure against macro viruses, /CLEANDOCALL cleans all macros from Microsoft Word and Office documents if a single infection is found.
Note: This option deletes all macros, including macros not infected by a virus.

/CONTACTFILE <file name>
Display the contents of <file name> when a virus is found. It is an opportunity to provide contact information and instructions to the user when a virus is encountered. (McAfee Security recommends using /LOCK in tandem with this option.)
This option is especially useful in network environments, because you can easily maintain the message text in a central file instead of on each workstation.
Note: Any character is valid in a contact message except a backslash (\). Messages beginning with a slash (/) or a hyphen (-) should be placed in quotation marks.

/DAM
A repair switch: deletes all macros in the event an infected macro is found. If no infected macro is found, no deletions are made.
If you suspect that there is an infection in your file, you may choose to strip all macros from a data file to minimize any possible exposure to a virus. To pre-emptively delete all macros in a file, use this option with /FAM:
scan <file name> /fam /dam
When using these two options in tandem, all found macros are deleted, whether or not an infection is found.

/DEL
Deletes infected files permanently.

/EXCLUDE <file name>
Do not scan the files listed in <file name>.
Use this option to exclude specific files from a scan.
List the complete path to each file that you want to exclude on its own line. You may use wildcards * and ?.

/EXTLIST
Use this option to get a current list of file type extensions from the current DAT file.

/FAM
Find all macros: not just macros suspected of being infected. It causes any macro found to be treated as a possible virus detection. No deletion of the found macros is made unless used in conjunction with the /DAM option.
If you suspect that there is an infection in your file, you may choose to strip all macros from a data file to minimize any possible exposure to a virus. To pre-emptively delete all macros in a file, use this option with /DAM:
scan <file name> /fam /dam
When using these two options in tandem, all found macros are deleted, whether or not an infection is found.

/FREQUENCY <n>
Do not scan <n> hours after the previous scan.
In environments where the risk of viral infection is low, use this option to prevent unnecessary scans. Remember, the greater the scan frequency, the better your protection against infection.

/HELP or /?
Displays a list of scanning options, each with a brief description.
You may find it helpful to add a list of scanning options to the report files the VirusScan program creates. To do this, type scan /? /REPORT <file name> at the command prompt. The results of your scanning report are appended with the full set of options available for that scan task.

/LOAD <file name>
Load scanning options from the named file.
Use this option to perform a scan you’ve already configured by loading custom settings saved in an ASCII-formatted file.

/MANALYZE
Enables heuristic scanning for macro viruses.
Note: /PANALYZE targets program viruses only; /ANALYZE targets both program and macro viruses.

/MANY
Scans multiple disks consecutively in a single drive.
The program prompts you for each disk.
Use this option to examine multiple disks quickly.
You cannot use the /MANY option if you run the VirusScan software from a boot disk and you have only one floppy drive.

/MOVE <dir>
Moves all infected files found during a scan to the specified directory, preserving drive letter and directory structure.
Note: This option has no effect if the Master Boot Record or boot sector is infected, since these are not files.

/NOBEEP
Disables the tone that sounds whenever the scanners find a virus.

/NOBREAK
Disables CTRL+C and CTRL+BREAK during scans.
Users are not able to halt scans in progress with /NOBREAK in use.

/NOCOMP
Skips the examination of compressed executables created with the LZ.EXE or PkLite file-compression programs.
This reduces scanning time when a full scan is not needed. Otherwise, by default, VirusScan examines inside executable, or self-decompressing, files by decompressing each file in memory and checking for virus signatures.

/NODDA
No direct disk access. This prevents the scanners from accessing the boot record.
This feature has been added to allow the scanners to run under Windows NT.
You might need to use this option on some device-driven drives.
Using /NODDA with the /ADN or /ADL switches may generate errors when accessing empty CD-ROM drives or empty Zip drives. If this occurs, type F (for Fail) in response to the error messages to continue the scan.

/NOXMS
Does not use extended memory (XMS).

/PANALYZE
Enables heuristic scanning for program viruses.
Note: /MANALYZE targets macro viruses only; /ANALYZE targets both program and macro viruses.

/PAUSE
Enables screen pause. The “Press any key to continue” prompt appears when the program fills a screen with messages.
Otherwise, by default, the program fills and scrolls a screen continuously without stopping, which allows it to run on PCs with multiple drives or that have severe infections without needing your input.
McAfee Security recommends omitting /PAUSE when using the report options (/REPORT, /RPTALL, /RPTCOR, and /RPTERR).

/REPORT <file name>
Creates a report of infected files and system errors, and saves the data to <file name> in ASCII text file format.
If <file name> already exists, /REPORT overwrites it. To avoid overwriting, use the /APPEND option with /REPORT: the software adds report information to the end of the file, instead of overwriting it.
You can also use /RPTALL, /RPTCOR, and /RPTERR to add scanned files, corrupted files, modified files, and system errors to the report.
You may find it helpful to add a list of scanning options to the report files the VirusScan program creates. To do this, type /? /report <file name> at the command prompt. The results of your scanning report are appended with the full set of options available for that scan task.
You can include the destination drive and directory (such as D:\VSREPRT\ALL.TXT), but if the destination is a network drive, you must have rights to create and delete files on that drive.
McAfee Security recommends omitting /PAUSE when using any report option.

/RPTALL
Includes the names of all scanned files in the /REPORT file.
You can use /RPTCOR with /RPTERR on the same command line.
McAfee Security recommends omitting /PAUSE when using any report option.

/RPTCOR
Include corrupted files in /REPORT file.
When used with /REPORT, this option adds the names of corrupted files to the report file. Corrupted files that the VirusScan scanners find may have been damaged by a virus.
You can use /RPTCOR with /RPTERR on the same command line.
There may be false readings in some files that require an overlay or another executable to run properly (that is, a file that is not executable on its own).
McAfee Security recommends omitting /PAUSE when using any report option.

/RPTERR
Include errors in /REPORT file.
When used with /REPORT, this option adds a list of system errors to the report file.
/LOCK is appropriate in highly vulnerable network environments, such as open-use computer labs.
You can use /RPTERR with /RPTCOR on the same command line.
System errors can include problems reading or writing to a disk or hard disk, file system or network problems, problems creating reports, and other system-related problems.
McAfee Security recommends omitting /PAUSE when using any report option.

/SUB
Scans subdirectories inside a directory.
By default, when you specify a directory to scan other than a drive, the VirusScan scanners examine only the files it contains, not its subdirectories. Use /SUB to scan all subdirectories within any directories you have specified. It is not necessary to use /SUB if you specify an entire drive as a target.

/UNZIP
Scan inside compressed files.

/VIRLIST
Displays the name of each virus that the VirusScan software can detect.
This file is over 250 pages long. This is too large for the MS-DOS “Edit” program to open; McAfee Security recommends using Windows Notepad or another text editor to open the virus list.

On-demand scanning command-line options

The VirusScan Enterprise on-demand scanner can be run from the Windows Command Line prompt, or from the Start menu’s Run dialog box. To run the program, change to the folder in which the file SCAN32.EXE is located, and type SCAN32. If you installed the VirusScan Enterprise program to its default location, the file can be found in:

C:\Program Files\Network Associates\VirusScan

The following table lists the options that can be added to the command SCAN32.

Table A-2.
On-Demand Command-Line Arguments

Command-Line Option    Description

SPLASH
Displays the VirusScan splash dialog when opening the on-demand scanner.

NOSPLASH
Conceals the VirusScan splash dialog when opening the on-demand scanner.

AUTOEXIT
Exits the on-demand scanner upon completion of a non-interactive scan.

NOAUTOEXIT
Does not exit on-demand scanner upon completion of a non-interactive scan.

ALWAYSEXIT
Forces exit from on-demand scan, even if scan completed with error/failure.

NOALWAYSEXIT
Does not force exit.

UINONE
Launch the scanner without making the user interface dialog box visible.

SUB
Include sub-folders of the target folders in the scan.

NOSUB
Exclude sub-folders of the target folder from the scan.

ALL
Scan all files in the target folder.

NOALL
Scan only those files in the target folder that have file name extensions found on the list of specified file types.

COMP
Scans archive files such as .ZIP, .CAB, .LZH, and .UUE files.

NOCOMP
Excludes archive files from scan.

CONTINUE
Scanning continues after a virus is detected.

PROMPT
Prompts user for action when a virus is detected.

NOPROMPT
Does not prompt user for action when a virus is detected.

CLEAN
Cleans the infected target file when a virus is detected.

DELETE
Deletes the infected file when a virus is detected.

MOVE
Move (quarantine) the infected file to a pre-specified quarantine folder when a virus is detected.

BEEP
Plays an audible beep on completion of a scan if an infected item is detected.

NOBEEP
Suppresses the audible beep on completion of a scan even if an infected item is detected.

RPTSIZE
Sets the size of the alert log, in kilobytes.

BOOT
Scans the boot sectors before the current scan task runs.

NOBOOT
Excludes the boot sectors from scanning.
EXT
File extensions that you add, as parameters following this argument, replace the extensions on the list of selected file types that are included in scanning.

DEFEXT
File extensions that you add, as parameters following this argument, are added to the list of selected file types that are included in scanning.

TASK
Launches the on-demand scanner task specified in the VirusScan Enterprise Console. Requires additional parameter specifying the specified task ID as recorded in the registry at: HKEY_LOCAL_MACHINE;SOFTWARE; NETWORK ASSOCIATES;TVD; VirusScan EnterpriseNT;CurrentVersion;Tasks.

SERVER
Use this argument to specify the computer on which you want to start or stop a scan task.

CANCEL
If a task fails, but the console continues to show it as running, use this argument to adjust the registry to show that the task is no longer running.

LOG
Log infection reports to previously specified log file.

NOLOG
Do not log infection reports.

LOGALL
Log all responses to virus detection as events. This includes Prompt, Clean, Delete, and Move.

LOGDETECT
Log detection of a virus as an event.

NOLOGDETECT
Do not log detection of a virus as an event.

LOGCLEAN
Log success or failure of a virus cleaning activity as an event.

NOLOGCLEAN
Do not log success or failure of a virus cleaning activity as an event.

LOGDELETE
Log deletion of an infected file as an event.

NOLOGDELETE
Do not log deletion of an infected file as an event.

LOGMOVE
Log the moving of an infected file to a quarantine folder as an event.

NOLOGMOVE
Do not log the moving of an infected file as an event.

LOGSETTINGS
Log the configuration settings of a scan task.

NOLOGSETTINGS
Do not log the configuration settings for a scan task.

LOGSUMMARY
Log a summary of scan task results.
NOLOGSUMMARY
Do not log a summary of scan task results.

LOGDATETIME
Log the date, start time, and end time of scanning activities.

NOLOGDATETIME
Do not log date or time of scanning activities.

LOGUSER
Log identifying information about the user who executes a scan task.

NOLOGUSER
Do not log user information.

PRIORITY
Sets the priority of the scan task relative to other CPU processes. Requires an additional numerical parameter. A value of 1 assigns priority to all other CPU processes. A value of 5 assigns the highest priority to the scan task.

Customized installation properties

You can customize the installation process using these properties when installing from the command line.

Table A-3. Customized Installation Properties

Command-Line Property    Function

ALERTMANAGERSOURCEDIR
Sets the default Alert Manager source path. The default path is \AMG. You can set it yourself in SETUP.INI.

CMASOURCEDIR
Set the source path for the SITELIST.XML. The default path is the current directory from which SETUP.EXE is being run.

ENABLEONACCESSSCANNER
False = A False value cannot be set.
True = Enable on-access scanner upon completion of installation. This is the default.
Note: If you do not want to enable the on-access scanner, set the property to "". This literally means ENABLEONACCESSSCANNER="", an empty string.

EXTRADATSOURCEDIR
Set the source path for the EXTRA.DAT. During installation, the EXTRA.DAT is copied into the location where the engine files reside.

FORCEAMSINSTALL
True = Install Alert Manager, if present.

INSTALLDIR
Sets the default installation directory.

INSTALLCHECKPOINT
False = Do not install the Check Point SCV integration.
True = Install the Check Point SCV integration.

LOCKDOWNVIURUSSCANSHORTCUTS
False = A False value cannot be set.
True = Do not display any shortcuts under the start menu.
Note: To allow the shortcuts to be installed, set the property to "".
This literally means LOCKDOWNVIURUSSCANSHORTCUTS="", an empty string. This is the default.

PRESERVESETTINGS
Preserves settings upon upgrade of NetShield 4.5 or VirusScan 4.5.1.
False = A False value cannot be set.
True = Preserve settings. This is the default.
Note: If you do not want to preserve settings, set the property to "". This literally means PRESERVESETTINGS="", an empty string.

RUNAUTOUPDATE
False = A False value cannot be set.
True = Run update upon completion of installation. This is the default.
Note: If you do not want to run update upon completion of installation, set the property to "". This literally means RUNAUTOUPDATE="", an empty string.

RUNONDEMANDSCAN
False = A False value cannot be set.
True = Run a scan of all local drives upon completion of installation. This is the default.
Note: If you do not want to run the on-demand scanner at completion of installation, set the property to "". This literally means RUNONDEMANDSCAN="", an empty string.

RUNAUTOUPDATESILENTLY
False = A False value cannot be set.
True = Run silent update upon completion of installation.
Note: If you do not want to run a silent update upon completion of installation, set the property to "". This literally means RUNAUTOUPDATESILENTLY="", an empty string.

RUNONDEMANDSCANSILENTLY
False = A False value cannot be set.
True = Run on-demand scan silently upon completion of installation.
Note: If you do not want to run a silent on-demand scan upon completion of installation, set the property to "". This literally means RUNONDEMANDSCANSILENTLY="", an empty string.

SUPPRESSAMSINSTALL
True = Suppress installation of Alert Manager.
VIRUSSCANICONLOCKDOWN
Lock down the product in two different levels.
NORMAL = Show all the menu items on the VirusScan icon menu in the system tray. This is the default.
MINIMAL = Show only the Enable On-Access Scan and About VirusScan Enterprise menu items on the VirusScan icon menu in the system tray.
NOICON = Do not show the VirusScan icon menu in the system tray.

Appendix B. Secure Registry

The VirusScan Enterprise program is compatible with the Windows secure registry feature. The program writes registry entries based on the limits imposed by the user's security permissions. Any program features to which the user has no permission appear disabled and are unselectable or unresponsive. Previous releases of the product sometimes generated errors when the VirusScan Enterprise program attempted to write a registry entry for a function to which the user did not have permission.

This topic is included in this section:

Registry keys requiring write access

Registry keys requiring write access

This is a list of the registry keys to which the VirusScan Enterprise program and its Alert Manager component require Write access. The table also displays the results that can be expected if a user does not have adequate permission to write to those keys.

All the registry keys shown in this table are subkeys of: hkey_local_machine\software\network associates\tvd.

Table B-1. Result of VirusScan Enterprise Registry Key Lock-down

Columns: Feature, Program or Windows Service, Description, Write access required to registry key for full functionality, Result if Write Access is unavailable due to registry lockdown.

On-Access Scanner
Network Associates McShield service
A Windows service that can run only under the local System account. This service performs scans whenever a file is used.
Shared Components
Ordinarily not affected because the service runs under a System account.
However, if this service does not have write access to this key, the on-access scanner does not function.

ShCfg32.exe
A program that runs the on-access configuration interface.
Shared Components On-Access Scanner On-Access Scanner On-Access Scanner McShield Configuration
The user can see the on-access scanner property pages, but cannot change the configuration.

On-Access Scanner
ShStat.exe
A program that gathers statistics on the activities of the on-access scanner. This program also places the VirusScan Enterprise icon in the system tray. Right-clicking the icon allows the user to view scanning statistics, disable and enable the program, and open several program components.
Shared Components
The user cannot enable or disable the on-access scanner using the icon in the system tray.

A program that runs the on-demand configuration interface. This interface is accessed from the VirusScan Enterprise Console.
VirusScan Enterprise On-Demand Scanner ScnCfg32 On-Access Scanner McShield Configuration CurrentVersion VirusScan Enterprise
If write access fails for any of these keys, the user can see the on-demand scanner property pages, but cannot change the configuration.
CurrentVersion Tasks VirusScan Enterprise CurrentVersion DefaultTask VirusScan Enterprise CurrentVersion Tasks
On-Demand Scanner
ScnStat.exe
A program that gathers statistics on the activities of the on-demand scanner.
VirusScan Enterprise
No effect.
CurrentVersion Tasks VirusScan Enterprise CurrentVersion VirusScan Enterprise CurrentVersion Tasks

On-Demand Scanner
Scan32.exe
A program that performs on-demand scanning activities of targets specified on the VirusScan Enterprise Console.
VirusScan Enterprise CurrentVersion VirusScan Enterprise
If Scan32 does not have a writable key to its own task, then it runs but does not update statistics. Scanning results data is not generated.
CurrentVersion\ Tasks
Note: Also requires Read rights to:
Shared Components VirusScan Engine 4.0.xx
This does not affect scheduled on-demand tasks, which are controlled by the Task Manager service described in the following section.

Task Manager
Network Associates Task Manager Service
A Windows service that can run under the System account or under an administrator's account. This program allows scheduling of scanning and updating activities.
VirusScan Enterprise NT
Ordinarily not affected because the service runs under a system or administrator account. However, if this service does not have read/write access to any of these keys, the service fails to start.
CurrentVersion VirusScan Enterprise NT CurrentVersion Alerts VirusScan Enterprise NT CurrentVersion Tasks all subkeys Shared Components On-Access Scanner McShield Shared Components On-Access scanner McShield Configuration

McUpdate
McUPdate.exe
A program used to perform updating of DAT files and software upgrades.
VirusScan Enterprise NT
DAT information won't be updated.
Current Version Shared Components
McShield might not reload the DAT.
On-Access Scanner McShield Configuration VirusScan Enterprise NT CurrentVersion Tasks VirusScan Enterprise NT
Status information cannot be communicated to the VirusScan Enterprise Console. The user can see the Update property page, but cannot change the configuration.
CurrentVersion Tasks Update VirusScan Enterprise NT CurrentVersion Tasks Upgrade
The user can see the Upgrade property page, but cannot change the configuration.

VirusScan Enterprise Console
McConsol.exe
A program that runs the administrative interface for the VirusScan Enterprise program.
VirusScan Enterprise NT
Update of virus definitions does not function reliably. Also, the user can see the current screen refresh rate, but cannot change it.
CurrentVersion VirusScan Enterprise NT CurrentVersion Alerts CurrentVersion VirusScan Enterprise NT CurrentVersion Tasks
The Alert Manager settings visible by selecting Alerts from the Tools menu appear disabled and do not respond when selected. Also, some start/stop tasks that the VirusScan Enterprise Console controls may not be generated.
Shared Components McShield
The following options appear disabled and do not respond when selected:
Configuration VirusScan Enterprise NT
Enable/Disable the on-access scan task.
Copy, Paste, Delete, Rename, Import and Export tasks.
The Stop scanning control.
On-Access Scanner CurrentVersion Tasks Xxxx
The on-access task cannot be configured, enabled, or disabled. Any key that has been locked down cannot be configured.

Alert Manager
nai alert manager
A component that provides immediate notification that the scanner has detected a virus, or that the event scheduler has encountered a problem.
Shared Components
The user can see the property pages for the alerting methods and messages, but cannot change the configuration.
Alert Manager

C Troubleshooting

This section contains troubleshooting information for the VirusScan Enterprise product. The following topics are addressed in this section:
Minimum Escalation Tool
Frequently asked questions
Updating error codes

Minimum Escalation Tool

The McAfee Minimum Escalation Tool (MERTool) is a utility that is designed to gather reports and logs for the Network Associates software on your system. The information obtained can be used to help analyze problems.
To get more information about MERTool and access the utility, click the MERTool file that was installed with the VirusScan Enterprise product. This file is located in the installation folder. If you accepted the default installation path, this file is located in:

drive:\Program Files\Network Associates\VirusScan

When you click the MERTool file, it accesses the URL for the MERTool web site. Follow the instructions on the web site.

Frequently asked questions

This section contains troubleshooting information in the form of frequently asked questions. The questions are divided into the following categories:
Installation questions
Scanning questions
Virus questions
General questions

Installation questions

I just installed the software using the Silent Install method, and there is no VirusScan Enterprise icon in the Windows system tray.

The icon does not appear in the system tray until you restart your system. However, even though there is no icon, VirusScan Enterprise is running, and your computer is protected. You can verify this by checking the following registry key:

HKEY_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

Why can some users on my network configure their own settings in VirusScan Enterprise and others cannot?

If the administrator configures the user interface to password protect the tasks, users cannot change the settings. Different Microsoft Windows operating systems have different user privileges. Windows NT users have permission to write to the system registry, while Windows XP or Windows 2000 users do not. Refer to your Microsoft Windows documentation for more information about user permissions.

During a command-line installation, how can I prevent users who do not have administrator rights from obtaining administrator rights through the VirusScan Console?
You can prevent users from obtaining administrator rights during a command-line installation by adding the following property:

DONOTSTARTSHSTAT=True

This prevents the SHSTAT.EXE from starting upon completion of installation.

Scanning questions

In On-Access Scanning, what is the difference between scanning “when writing to disk” and scanning “when reading from disk”?

Scanning when writing is a file-writing action. It scans the following:
- Incoming files being written to the local hard drive.
- Files being created on the local hard drive or a mapped network drive (this includes new files, modified files, or files being copied or moved from one drive to another).

Scanning when reading is a file-reading action. It scans the following:
- Outgoing files being read from the local hard drive.
  NOTE: Select on network drives in the On-Access Scan Properties dialog box to include remote network files.
- Any file being executed on the local hard drive.
- Any file opened on the local hard drive.
- Any file being renamed on the local hard drive, if the file properties have changed.

When I detect a virus using On-Demand E-mail Scan or On-Delivery E-mail Scan, what do the different action options mean?

See Action properties on page 123 for a detailed description of each of the action options.

Virus questions

I suspect I have a virus but VirusScan Enterprise is not detecting it.

You can download the latest DAT file while it is still being tested prior to the official release. To use the daily DAT file, refer to:
www.mcafeeb2b.com/naicommon/avert/avert-research-enter/virus-4d.asp

I cannot get VirusScan Enterprise installed, but I think I have a virus. How can I determine if my computer is infected?

If you have not been able to install VirusScan Enterprise, you can still run a scan at the command line, using a single file downloaded from the Network Associates web site.
To run a command-line scan on a computer that does not have anti-virus software installed:

1. Create a folder in the root of your C drive named Scan.
2. Right-click the Scan folder and select Properties. Make sure that the read-only attribute is selected.
3. Go to http://nai.com/naicommon/download/dats/superdat.asp. Click sdatxxxx.exe for Windows-Intel to start the download.
4. Download this file into your new folder (C:\Scan).
5. From the Start menu, select Run and type C:\Scan\sdatxxxx.exe /e in the text box. Click OK.
6. Open a DOS prompt (also called a Command Prompt). At the C:\> prompt, type cd c:\Scan. Your prompt now looks like this: C:\Scan>
7. At the C:\Scan> prompt, type:
   scan.exe /clean /all /adl /unzip /report report.txt
   This scans all local drives and creates a report in a file named REPORT.TXT.
8. After scanning, browse to your C:\Scan directory and read the REPORT.TXT file.

NOTE: We recommend that you disconnect the system from the network before scanning.

On Windows 2000 and Windows XP systems, boot into Safe Mode Command Prompt only to perform the scan. On Windows NT systems, run the scan from VGA Mode, then a command prompt.

We recommend that you rerun the command-line scanner until no virus files are found. You may want to rename the report text file as REPORT2.TXT to record the second scan and REPORT3.TXT for the third scan, and so on, to avoid overwriting the reports file each time.

WARNING: You may receive an error that an application is attempting to directly access the hard disk on Windows NT systems. Click Ignore to continue. If you do not click Ignore, the scan terminates.

General questions

The VirusScan Enterprise icon in my system tray appears to be disabled.

If there is a red circle and line covering the VirusScan Enterprise icon, that indicates that On-Access Scan is disabled. Here are the most common causes and solutions.
If none of these solves your problem, contact technical support.

- Make sure that the On-Access Scan is enabled. To do this:
  Right-click the VirusScan Enterprise icon in the system tray. If the on-access scanner is disabled, the words Enable On-Access Scan appear in the menu. Select Enable On-Access Scan to enable the on-access scanner.

- Make sure that the service is running. To do this:
  Open the Services Control Panel using one of these methods:
  - For Windows NT, select Start|Settings|Control Panel|Services and confirm that Network Associates McShield has a Status of Started.
  - For Windows 2000 or XP, select Start|Settings|Control Panel|Admin Tools|Services and confirm that Network Associates McShield has a Status of Started.
  If it is not started, highlight Network Associates McShield on the list of services and click Start or Resume. You can also select Start|Run, then type net start McShield.

- Make sure that the service is set to start automatically. To do this:
  Open the Services Control Panel using one of these methods:
  - For Windows NT, select Start|Settings|Control Panel|Services and confirm that Network Associates McShield has a Startup Type of Automatic. If it is not set to Automatic, highlight Network Associates McShield on the list of services, click Startup, then select Automatic as the Startup Type.
  - For Windows 2000 or XP, select Start|Settings|Control Panel|Admin Tools|Services and confirm that Network Associates McShield has a Startup Type of Automatic. If it is not set to Automatic, right-click Network Associates McShield on the list of services, select Properties and General tab, then select Automatic as the Startup Type.

I get an error that I cannot download catalog.z.

This error can be caused by many things. Here are a few suggestions to help determine the source of the problem.

If you are using the Network Associates default download site for updates, determine if you can download the catalog.z file via a web browser.
To do this, go to the URL: http://update.nai.com/Products/CommonUpdater/catalog.z and try to download the file.
- If you are not able to download the file, but you can see it (in other words, your browser does not allow you to download it), that means you have a proxy issue and need to talk to your network administrator.
- If you are able to download the file, that means VirusScan Enterprise should be able to download it as well. Contact technical support for assistance in troubleshooting your installation of VirusScan Enterprise.

If you are using a mirror site for updates, make sure that your mirror site is pointing to the correct site for updates. If you are unsure, try changing your settings to use the default Network Associates site.

I have some computers that will continue using VirusScan 4.5x and others using VirusScan Enterprise 7.0. Can all the computers use the same repository for DAT files?

Yes, a network of computers running multiple versions of VirusScan can all use the same repository for DAT files. First, make sure that you are using the correct directory structure in the repository list for VirusScan 4.5.x. Then make sure that, in the McAfee AutoUpdate Architect console, you have selected the option I want to make my site compatible with legacy software. See the McAfee AutoUpdate Architect Product Guide for more information.

Where is the location of the HTTP download site?

The CATALOG.Z file, which contains the latest updates, can be downloaded from the web site:
http://update.nai.com/Products/CommonUpdater/catalog.z

Where is the location of the FTP download site?

The CATALOG.Z file, which contains the latest updates, can be downloaded from the FTP site:
ftp://ftp.nai.com/CommonUpdater/catalog.z

If I do detect a virus and I have chosen “prompt user for action,” what action should I choose (Clean, Delete, Move)?
Our general recommendation is to choose Clean if you are not sure what to do with an infected file. The VirusScan Enterprise default action is to Clean a file, then Move it.

I tried to Move or Delete a file and it failed.

This can happen when a file is locked by another program, or you do not have permissions to move or delete the file. As a workaround, you can look in the VirusScan Enterprise log and see where the file is located, then move or delete it manually using Windows Explorer.

Updating error codes

When your AutoUpdate fails, review the update log. See Viewing the activity log on page 198 for information about how to view the log file. Following are common error codes that you may encounter:

-215: Failed to get site status — The software cannot verify if the repository is available. Attempt to manually download the PKGCATALOG.Z file using the network protocol. If this fails, verify the path and user credentials.

-302: Failed to get the agent’s framework interface — The scheduler interface is not available. Stop and restart the framework service.

-409: Master site not found — The master repository for the update is not available, is inaccessible, or is in use. Attempt to manually download the PKGCATALOG.Z file using the network protocol. If this fails, verify the path and user credentials.

-414: Verify the Domain, User Name, and Password you provided are typed correctly. Verify that the user account has permissions to the location where the repository resides — While creating the repository, the credentials entered were determined invalid when Verify was selected. Either now, or after the repository is created, correct the credential information. Click Verify again. Repeat this process until the credentials are verified.

-503: Product package not found — Update files are not present in the repository or may be corrupt. Ensure that the repository is populated with the update files.
If these files are present, create a replication or pull task to overwrite the current task setting. If the files were not present, populate the repository, then attempt to update again.

-530: Site catalog not found — You performed a pull task from a repository that does not have a catalog file, or contains a corrupted catalog file. To correct this issue, verify that the source repository contains a valid catalog directory.

-531: Package catalog not found — The PKGCATALOG.Z was not found in the repository. Try to download the file using the network protocol. If it cannot be downloaded, perform a replication or pull task (depending on the type of repository).

-601: Failed to download file — The repository is not accessible. Try to download the file using network protocol. If it cannot be downloaded, verify the path and user rights. If the file is downloaded, try stopping and starting the service.

-602: Failed to upload file — You performed a pull task but the master repository credentials or settings are invalid (or the location is not available). Verify the credentials and location.

-804: Site status not found — You performed a replication task but the master repository is not available (or the credentials are invalid). Verify that the master repository is active, accessible, and that the credentials are valid.

-1113: Replication has been done partially — One or more repositories may be inaccessible at the time of replication. Consequently, not all repositories are up-to-date. Verify that all repositories are accessible and that no files are marked as read-only, then perform the task again.

Glossary

agent
See ePolicy Orchestrator agent.

agent host
See client computer.
Agent Monitor
A dialog box for prompting the agent to send properties or events to the ePolicy Orchestrator server; enforce policies and tasks locally; check the ePolicy Orchestrator server for new or updated policies and tasks, then enforce them immediately upon receipt.

agent policies
Settings that affect how the agent behaves.

agent wakeup call
A scheduled task or on-demand command that prompts agents to contact the ePolicy Orchestrator server when needed, rather than waiting for the next ASCI. See also SuperAgent Wakeup call.

agent-to-server communication
A communications technique where the agent contacts the server at a predefined interval to see if there are any new policies or tasks for the agent to enforce or execute.

agent-to-server communications interval (ASCI)
Determines how often the agent and ePolicy Orchestrator server exchange information.

alert
A message or notification regarding computer activity such as virus detection. It can be sent automatically according to a predefined configuration, to system administrators and users, via e-mail, pager, or phone.

anti-virus policy
See policy.

archive
A compressed file that must be extracted prior to accessing the files within it.

AutoUpdate
The automatic updating program in McAfee Security anti-virus products; it automatically installs updates to existing products or upgrades to new versions of products.

AVERT
Anti-Virus Emergency Response Team, a division of Network Associates, Inc., is an anti-virus research center that supports the computing public and Network Associates customers by researching the latest threats, and by uncovering threats that may arise in the future. It is comprised of three integrated teams that provide Anti-Virus Services and Support, Virus Analysis, and Advanced Virus Research.
background scanning
A type of on-access scanning, made possible by Microsoft VS API2, in which not all files are scanned when accessed, reducing the workload of the scanner when it is busy. It scans databases on which it has been enabled, for example, Mailbox store and Public Folder store.

Centralized Alerting
An alternative to using regular Alert Manager. Alert messages generated by anti-virus software, such as VirusScan Enterprise 7.0, are saved to a shared folder on a server. Alert Manager is configured to read alert notifications from that same folder. When the contents of the shared folder change, Alert Manager sends new alert notifications using whatever alerting methods Alert Manager is already configured to use, such as sending e-mail messages to a pager.

client computer
A computer on the client-side of the program.

client tasks
Tasks that are executed on client computers.

common framework
A common core technologies architecture to allow different McAfee Security products to share the same common components and code. The architecture for this is referred to as the common framework. The Scheduler, AutoUpdate, and ePolicy Orchestrator agent components are common components that are part of the common framework.

computers
The physical computers on the network.

console tree
The left pane of the console, which contains all console tree items.

console tree items
Every item in the console tree.

DAT files
Virus definition files that allow the anti-virus software to recognize viruses and related potentially unwanted code embedded in files. See also EXTRA.DAT file, incremental DAT files, and SuperDAT.

default process
In VirusScan Enterprise, any process that is not defined as a low-risk process or high-risk process. See also high-risk process and low-risk process.
denial of service attack
A means of attack, an intrusion, against a computer, server or network that disrupts the ability to respond to legitimate connection requests. A denial of service attack overwhelms its target with false connection requests, so that the target ignores legitimate requests.

deployment
Sending and installing products (and the agent) to groups, computers and users.

details pane
The right pane of the console, which shows details of the currently selected console tree item. Depending on the console tree item selected, the details pane can be divided into upper and lower panes. See also upper details pane and lower details pane.

directional scanning
Scanning where one appliance is dedicated to inbound scanning, and another appliance is dedicated to outbound scanning.

Directory
Lists all computers to be managed via ePolicy Orchestrator, and is the link to the primary interfaces for managing these computers.

distributed software repository
Architecture for deploying products and product updates throughout an enterprise; it creates a central library of supported products and product updates in the master repository.

download site
A repository from which you retrieve product or DAT updates. See also update site.

EICAR
European Institute of Computer Anti-Virus Research has developed a string of characters that can be used to test the proper installation and operation of anti-virus software.

ePolicy Orchestrator agent
An intelligent link between the ePolicy Orchestrator server and the anti-virus and security products. It enforces policies and tasks on client computers; gathers and reports data; installs products; enforces policies and tasks; and sends events back to the ePolicy Orchestrator server.

ePolicy Orchestrator console
A view of all virus activity and status, with the ability to manage and deploy agents and products.
It provides the ability to set and enforce anti-virus and security policies to all agents on client computers, or to selected computers; provides a task scheduling feature that targets specific computers or groups with scheduled tasks and policies; and allows viewing and customizing reports to monitor deployment, virus outbreaks, and current protection levels.

ePolicy Orchestrator server
A repository for all data collected from distributed ePolicy Orchestrator agents. It includes a database that accrues data about product operation on client computers in the network; a report-generating engine for monitoring the virus protection performance in your company; a software repository that stores products and product updates for deploying to your network.

events
Generated by supported products, events identify activity on client computers, from service events to infection detection events. Each event is assigned a severity from informational to critical. Events and properties comprise the data that appears on reports and queries.

EXTRA.DAT file
Supplemental virus definition file that is created in response to an outbreak of a new virus or a new variant of an existing virus. See also DAT files, incremental DAT files, and SuperDAT.

fallback repository
The repository from which client computers retrieve updates when none of the repositories in their repository list (SITELIST.XML) are available. Only one fallback repository can be defined.

firewall
A program that acts as a filter between your computer and the network or Internet. It can scan all traffic arriving at your computer (incoming traffic) and all traffic sent by your computer (outgoing traffic). It scans traffic at the packet level, and either blocks it or allows it, based on rules that you set up.

force install, force uninstall
See product deployment client task.

FRAMEPKG.EXE
The agent installation package.
When it executes, this file installs the ePolicy Orchestrator agent on a client computer.

frequency
The repetitive interval for which you want to schedule the task.

global administrator
A user account with read, write, and delete permissions, and rights to all operations. Operations that affect the entire installation are reserved for use only by global administrator user accounts. Compare to site administrator and global reviewer.

global distributed repository
An identical copy of the packages in the master repository.

global reporting settings
Reporting settings that affect all ePolicy Orchestrator database servers, reports, and queries.

global reviewer
A user account with read-only permissions; the global reviewer can view all settings in the software, but cannot change any of these settings. Compare to site reviewer and global administrator.

global updating
A method for deploying product updates as soon as the corresponding packages are checked into the master repository. Packages are immediately replicated to all SuperAgent and global distributed repositories; the ePolicy Orchestrator server sends a wakeup call to all SuperAgents; SuperAgents send a broadcast wakeup call to all agents in the same subnet; then all agents retrieve the update from the nearest repository.

group
In the console tree, a logical collection of entities assembled for ease of management. Groups can contain other groups or computers. You can assign IP address ranges or IP subnet masks to groups to sort computers by IP address. If you create a group by importing a Windows NT domain, you can automatically send the agent installation package to all imported computers in the domain.

heuristic analysis, heuristics
A method of scanning that looks for patterns or activities that are virus-like, to detect new or previously undetected viruses.
high-risk process
In VirusScan Enterprise, these are processes that McAfee Security considers to have a higher possibility of being infected. See also default process and low-risk process.

host, host computer
See client computer.

inactive agent
An agent that has not communicated with the ePolicy Orchestrator server within a specified time period.

incremental DAT files
New virus definitions that supplement the virus definitions currently installed. Allows the update utility to download only the newest DAT files rather than the entire DAT file set. See also DAT files, EXTRA.DAT file and SuperDAT.

inheritance
See task inheritance and policy inheritance.

item
See console tree item.

joke program
A non-replicating program that may alarm or annoy an end user, but does not do any actual harm to files or data.

local distributed repository
Locations accessible only from the client computer; for example, a mapped drive or FTP server whose address can only be resolved from a local DNS server. Local distributed repositories are defined in the agent policy for selected client computers.

log
A record of the activities of a component of McAfee anti-virus software. Log files record the actions taken during an installation or during the scanning or updating tasks. See also events.

Lost&Found group
A location on the ePolicy Orchestrator server for computers whose appropriate location in the Directory cannot be determined. The server uses the IP management settings, computer names, domain names, and site or group names to determine where to place computers. Only global administrators have full access to the global Lost&Found; site administrators can access only Lost&Found groups in sites for which they have rights.

lower details pane
In the console, the lower division of the details pane, which displays the configuration settings for the products listed on the Policies tab in the upper details pane. See also details pane and upper details pane.
low-risk process
In VirusScan Enterprise, these are processes that McAfee Security considers to have a lower possibility of being infected. See also default process and high-risk process.

macro virus
A malicious macro — a saved set of instructions created to automate tasks within certain applications or systems — that can be executed inadvertently, causing damage or replicating itself.

master repository
The ePolicy Orchestrator server; it maintains an original copy of the packages in the source repository, and can replicate packages to distributed repositories. At the master repository level, you can check in product and product update packages; schedule tasks to replicate packages to global or SuperAgent distributed repositories; and schedule tasks to pull packages from source or fallback repositories, and integrate them into the master repository.

McAfee AutoUpdate Architect
McAfee Security software that works with ePolicy Orchestrator to deploy products and product updates throughout an enterprise.

mirror distributed repository
A local directory on client computers, replicated using a Mirror client task, from which other client computers can retrieve updates.

mirror task
Tasks that copy the contents of the first repository in the repository list to the local directory you specify on the client computer.

.MSI file
A Microsoft Windows Installer package that includes installation and configuration instructions for the software being deployed.

.NAP file
Network Associates Package file. This file extension is used to designate McAfee software program files that are installed in the software repository for ePolicy Orchestrator to manage.

node
See console tree items.

on-access scanning
An examination of files in use to determine if they contain a virus or other potentially unwanted code. It can take place whenever a file is read from the disk and/or written to the disk. Compare to on-demand scanning.

on-demand scanning
A scheduled examination of selected files to determine if a virus or other potentially unwanted code is present. It can take place immediately, at a future scheduled time, or at regularly scheduled intervals. Compare to on-access scanning.

package
Contains binary files, detection and installation scripts, and a package catalog (PKGCATALOG.Z) file used to install products and product updates.

package catalog file
A file (PKGCATALOG.Z) that contains details about each update package, including the name of the product for which the update is intended, language version, and any installation dependencies.

package signing, package security
A signature verification system for securing packages created and distributed by Network Associates. Packages are signed with a key pair using the DSA (Digital Signature Algorithm) signature verification system, and are encrypted using 168-bit 3DES encryption. A key is used to encrypt or decrypt sensitive data.

packed executable
A packed executable is a file that, when run, extracts itself into memory only. Packed executable files are never extracted to disk.

pane
A subsection of the console. See details pane and console tree.

policy
Configuration settings for each product that can be managed via ePolicy Orchestrator, and that determine how the product behaves on client computers. Compare to task. See also agent policies.

policy enforcement interval
Determines how often the agent enforces the policies it has received from the ePolicy Orchestrator server. Because policies are enforced locally, this interval does not require any bandwidth.

policy inheritance
Determines whether the policy settings for any one console tree item under the Directory are taken from the item directly above it.

policy pages
Part of the ePolicy Orchestrator console; they allow you to set policies and create scheduled tasks for products, and are stored on individual ePolicy Orchestrator servers (they are not added to the master repository).

product deployment client task
A scheduled task for deploying all products currently checked into the master repository at once. It enables you to schedule product installation and removal during off-peak hours or during the policy enforcement interval.

properties
Properties are attributes or characteristics of an object used to define its state, appearance, or value.

pull task
See Repository Pull server task.

quarantine
Enforced isolation of a file or folder to prevent infection by a virus. VirusScan Enterprise quarantines infected files or folders until action can be taken to clean or remove the item.

randomization
A random point within an interval of time that you set for a scheduled task.

real-time scanning
See on-access scanning.

remote console
The console running on a computer that does not have the ePolicy Orchestrator server running on it. Remote consoles allow more than one person access to the server to review actions or to manage sites and installations. See also ePolicy Orchestrator console.

replication task
See Repository Replication server task.

repository
The location that stores policy pages used to manage products.

repository list
The SITELIST.XML file that McAfee anti-virus products using AutoUpdate 7.0 use to access distributed repositories and retrieve packages from them.

Repository Pull server task
A task that specifies the source or fallback repository from which to retrieve packages, then integrate the packages into the specified branches in the master repository.

Repository Replication server task
A task that updates global and SuperAgent distributed repositories to maintain identical copies of all packages in all branches that are in the master repository. You can also update selected distributed repositories.

scan action
The action that takes place when an infected file is found.

scanning
An examination of files to determine if a virus or other potentially unwanted code is present. See on-access scanning and on-demand scanning.

selective updating
Specifying which version (Evaluation, Current, or Previous) of updates you want client computers to retrieve.

server tasks
Tasks that the server performs for maintenance on the ePolicy Orchestrator database and Repository. Default server tasks include Inactive Agent Maintenance, Repository Pull, Repository Replication, and Synchronize Domains.

silent installation
An installation method that installs a software package onto a computer silently, without need for user intervention.

site
In the console tree, a logical collection of entities assembled for ease of management. Sites can contain groups or computers, and can be organized by IP address range, IP subnet mask, location, department, and others.

site administrator
A user account with read, write, and delete permissions, and rights to all operations (except those restricted to the global administrator) on the specified site and all groups and computers underneath it on the console tree. Compare to global administrator and site reviewer.

site reviewer
A user account with read-only permissions; the site reviewer can view the same settings as the site administrator, but cannot change any of these settings. Compare to global reviewer and site administrator.

source repository
A location from which a master repository retrieves packages.

spam e-mail, spam message
Any unsolicited and unwelcome e-mail messages, including commercial e-mail messages, the electronic equivalent of “junk mail,” and unwanted non-commercial e-mail messages, such as virus hoaxes, joke programs, and chain letters.

SPIPE
Secured PIPE, a secured communications protocol used by ePolicy Orchestrator servers.

SuperAgent
An agent with the ability to contact all agents in the same subnet as the SuperAgent, using the SuperAgent wakeup call. It is used in global updating and supports distributed software repositories, alleviating the need for a dedicated server. It provides a bandwidth-efficient method of sending agent wakeup calls. See also ePolicy Orchestrator agent.

SuperAgent distributed repository
A replication of the master repository, used in place of dedicated servers for global distributed repositories.

SuperAgent wakeup call
A scheduled task or on-demand command that prompts SuperAgents (and all agents in the same subnet as each SuperAgent) to contact the ePolicy Orchestrator server when needed, rather than waiting for the next ASCI. See also agent wakeup call.

SuperDAT
A utility that installs updated virus definition (SDAT*.EXE) files and, when necessary, upgrades the scanning engine. See also DAT files, EXTRA.DAT file, and incremental DAT files.

supplemental virus definition file
See EXTRA.DAT file.

system scan
A scan of the designated system.

task
An activity (both one-time such as on-demand scanning, and routine such as updating) that is scheduled to occur at a specific time, or at specified intervals. Compare to policy.

task inheritance
Determines whether the client tasks scheduled for any one console tree item under the Directory are taken from the item directly above it.

Trojan horse
A program that either pretends to have, or is described as having, a set of useful or desirable features, but actually contains a damaging payload. Trojan horses are not technically viruses, because they do not replicate.

update package
Package files from Network Associates that provide updates to a product. All packages are considered product updates with the exception of the product binary (Setup) files.

update site
The repository from which you retrieve product or DAT updates. See also download site.

updating
The process of installing updates to existing products or upgrading to new versions of products.

upper details pane
In the console, the upper division of the details pane, which contains the Policies, Properties, and Tasks tabs. See also details pane and lower details pane.

user accounts
The ePolicy Orchestrator user accounts include global administrator, global reviewer, site administrator, and site reviewer. Administrator-level user accounts have read, write, and delete permissions; reviewer-level user accounts have read-only permissions. See also global administrator, global reviewer, site administrator, and site reviewer.

UTC time
Coordinated Universal Time (UTC). This refers to time on the zero or Greenwich meridian.

virus
A program that is capable of replicating with little or no user intervention, and the replicated program(s) also replicate further.

virus definition (DAT) files
See DAT files.

VirusScan Enterprise console
The control point for the program’s activities.

virus-scanning engine
The mechanism that drives the scanning process.

warning priority
The value that you assign each alert message for informational purposes. Alert messages can be assigned a Critical, Major, Minor, Warning, or Informational priority.

worm
A virus that spreads by creating duplicates of itself on other drives, systems, or networks.