Views: 14125 | Replies: 25

[Info] McAfee 8.8 User Product Guide

storyhare (this user has been deleted)
Posted on 2011-10-16 11:23:18
This post was last edited by storyhare on 2012-11-23 21:24.

All from the "McAfee VirusScan Enterprise 8.8 software Product Guide"


I. Introducing VirusScan Enterprise


What it is and does

VirusScan Enterprise offers easily scalable protection, fast performance, and a mobile design
to protect your environment from the following:

• Viruses, worms and Trojan horses

• Access point violations and exploited buffer overflows

• Potentially unwanted code and programs

It detects threats, then takes the actions you configured to protect your environment.


What is new

This release includes the following new features:

• Enhanced performance.

• Allows ePolicy Orchestrator 4.5 and 4.6 to manage your VirusScan Enterprise systems.

• A new ScriptScan URL exclusion feature allows you to configure exclusions instead of manually
editing the registry.

• The AntiSpyware Enterprise Module has been fully integrated into the VirusScan Enterprise
8.8 software.

• Support for Outlook 2010 email scanning.

• Support for Lotus Notes 8.0x through 8.5.1 email scanning.



II. Components and how they interact



Client system

This is where VirusScan Enterprise and optional McAfee Agent are installed and configured.

• DAT files — Detection definition files, also called malware signatures, work with the scanning
engine to identify and take action on threats.

• Scan engine — Used to scan the files, folders, and disks on the client computer and
compares them to the information in the DAT files for known viruses.

NOTE: DAT files and scan engine are updated as needed using the Internet connection to
McAfee Headquarters, or using the optional connections over the Enterprise Intranet to a
designated server.

• Artemis (Heuristic network check for suspicious files) — Looks for suspicious programs
and DLLs running on client systems that are protected by VirusScan Enterprise. When the
real-time malware defense detects a suspicious program, it sends a DNS request containing
a fingerprint of the suspicious file to a central database server hosted by McAfee Labs.


• McAfee Agent (optional) — Provides secure communication between McAfee managed
products and McAfee ePolicy Orchestrator server. The agent also provides local services like
updating, logging, reporting events and properties, task scheduling, communication, and
policy storage.


McAfee Headquarters

McAfee Headquarters, home to McAfee Labs and McAfee Technical Support, provides the
following VirusScan Enterprise services:

• DAT updates — Stored on a McAfee central database server, and using AutoUpdate, these
DAT update files are copied to the VirusScan Enterprise clients or optional DAT repositories
to provide information to fight known threats and new lists of known viruses as they are
found in real time.

• Scan engine updates — Stored on a central database server, scan engine updates are
downloaded as needed to keep the VirusScan Enterprise scan engine up-to-date.

• McAfee Labs — This threat library has detailed information on virus, Trojan, hoax, and
potentially unwanted program (PUP) threats — where they come from, how they infect your
system, and how to handle them. The Artemis feature sends the fingerprint of the suspicious
file to McAfee Labs, where they analyze the file and determine what action to take.


Server

The optional server uses the following components to manage and update many client systems
remotely:

• ePolicy Orchestrator — Centrally manages and enforces VirusScan Enterprise policies,
then uses queries and dashboards to track activity and detections.

NOTE: This document addresses using ePolicy Orchestrator 4.0, 4.5, and 4.6. For information
about ePolicy Orchestrator, see the product documentation for your version.

• DAT repository — Retrieves the DAT updates from the McAfee download site. From there,
DAT files can be replicated throughout your organization, providing access for all other
computers. This minimizes the amount of data transferred across your network by automating
the process of copying updated files to your share sites.



III. The importance of creating a security strategy

Protecting your client systems from viruses, worms, and Trojan files using VirusScan Enterprise
requires a well-planned strategy: defining threat prevention and detection, response to threats,
and ongoing analysis and tuning.

Prevention — avoiding threats

Define your security needs to ensure that all of your data sources are protected, then develop
an effective strategy to stop intrusions before they gain access to your environment. Configure
these features to prevent intrusions:

• User Interface Security — Set display and password protection to control access to the
VirusScan Enterprise user interface.

• Access Protection — Use access protection rules to protect your computer from undesirable
behavior with respect to files, registry, and ports.

• Buffer Overflow Protection — Prevent abnormal programs or threats from overrunning the
buffer's boundary and overwriting adjacent memory while writing data to a buffer. These
exploited buffer overflows can execute arbitrary code on your computer.

• Unwanted Program Protection — Eliminate potentially unwanted programs such as spyware
and adware from your computer.


Detection — finding threats

Develop an effective strategy to detect intrusions when they occur. Configure these features
to detect threats:

• Update Task — Get automatic updates of DAT and scanning engine from the McAfee download
website.

• On-Access Scanner — Detect potential threats from any possible source as files are read
from or written to disk. You can also scan for potentially unwanted cookies in the cookies
folder.

• On-Demand Scan Tasks — Detect potential threats using immediate and scheduled scan
tasks. You can also scan for potentially unwanted cookies and spyware-related registry
entries that were not previously cleaned.

• On-Delivery and On-Demand Email Scanner — Detect potential threats on Microsoft Outlook
email clients using on-delivery scanning of messages, attachments, and public folders. Detect
potential threats on Lotus Notes email clients when messages are accessed.

• Quarantine Manager Policy — Specify the quarantine location and the length of time to keep
quarantined items. Restore quarantined items as necessary.



Response — handling threats

Use product log files, automatic actions, and other notification features to decide the best way
to handle detections.

• Actions — Configure features to take action on detections.

• Log files — Monitor product log files to view a history of detected items.

• Queries and dashboards — Use ePolicy Orchestrator queries and dashboards to monitor
scanning activity and detections.



Tuning — monitoring, analyzing, and fine-tuning your protection

After initially configuring VirusScan Enterprise, it is always a good practice to monitor and
analyze your configuration. This can improve your system and network performance, plus
enhance your level of virus protection, if needed. For example, the following VirusScan Enterprise
tools and features can be modified as part of your monitoring, analyzing, and fine-tuning
processes:

• Log files (VirusScan Console) — View a history of detected items. Analyzing this information
could tell you if you need to enhance your protection or change the configuration to improve
system performance.

• Queries and dashboards (ePolicy Orchestrator console) — Monitor scanning activity and
detections. Analyzing this information could tell you if you need to enhance your protection
or change the configuration to improve system performance.

• Scheduled tasks — Modify tasks (like AutoUpdate) and scan times to improve performance
by running them during off-peak times.

• DAT repositories — Reduce network traffic over the enterprise Internet or intranet by moving
these source files closer to the clients needing the updates.

• Modifying the scanning policies — Increase performance or virus protection depending on
your analysis of the log files or queries. For example, configuring exclusions, when to use
high and low risk profile scanning, and when to disable scan on write can all improve
performance.

CAUTION: Failure to enable the When reading from disk scanning option leaves your system
unprotected from numerous malware attacks.


storyhare (this user has been deleted)
Thread starter | Posted on 2011-10-16 11:23:40

What to do first

This post was last edited by storyhare on 2011-10-16 17:50.

When the software is installed, it uses the DAT files packaged with the product, which provide
general security for your environment. McAfee recommends you get the latest DAT files and
customize the configuration to meet your requirements before you deploy the product to client
systems.

Take these actions immediately after installing the product.

1   Set user interface security. Configure the display and password options to prevent users
from accessing specific components or the entire VirusScan Enterprise user interface. See
Controlling Access to the User Interface for more information.

2   Update DAT files. Perform an Update Now task to ensure that you have the most current
DAT files. See Updating detection definitions for more information.

3   Prevent intrusions. Configure these features to prevent potential threats from accessing
your systems:

  • Access Protection. Configure access protection rules to prevent unwanted changes
to your computer and enable the option to prevent McAfee processes from being
terminated. See Protecting your system access points for more information.

  • Buffer Overflow Protection. Enable buffer overflow detection and specify exclusions.
See Blocking buffer overflow exploits for more information.

  • Unwanted Programs Policy. Configure the policy that the on-access, on-demand,
and email scanners use to detect potentially unwanted programs. Select unwanted
program categories to detect from a predefined list, then define additional programs to
detect or exclude. See Restricting potentially unwanted programs for more information.

4  Detect intrusions. Configure these features to detect potential threats on your systems,
then notify you and take action when detections occur:

  • AutoUpdate. Configure update tasks to get the most current DAT files, scanning engine,
and product upgrades. See Updating detection definitions for more information.

  • On-Access Scanner. Configure the scanner to detect and take action on potential
threats as the threats are accessed in your environment. Enable scanning of unwanted
programs and scan for cookies in the cookies folder. See Scanning items on-access for
more information.

  • On-Demand Scanner. Configure scan tasks to detect and take action on potential
threats in your environment. Enable scanning of unwanted programs and scan for
cookies in the cookies folder and potentially unwanted spyware-related registry entries
that were not previously cleaned. See Scanning items on-demand for more information.

  • Email Scanners. Configure the on-delivery and on-demand scanning of Microsoft
Outlook and Lotus Notes email clients. Enable scanning of unwanted programs. See
Scanning email on-delivery and on-demand for more information.

5  Send alerts and quarantine threats. Configure these features to alert you when
detections occur and manage quarantined items:

  • Alerts and Notifications. Configure how and when you receive detection notifications
and alerts. See Configuring alerts and notifications for more information.

  • Quarantine Manager Policy. Configure the location of the quarantine folder and the
number of days to keep quarantined items before automatically deleting them. See
Quarantined items for more information.
storyhare (this user has been deleted)
Thread starter | Posted on 2011-10-16 12:24:33

Access protection

This post was last edited by storyhare on 2011-10-17 11:29.

I. Access protection

Preventing threat access to your client system is your first line of defense against malware. The
Access Protection feature of VirusScan Enterprise compares an action being requested against
a list of configured rules. Each rule can be configured to block or report, or block and report
access violations when they occur.

Access protection prevents unwanted changes to your computer by restricting access to specified
ports, files, shares, registry keys, and registry values. It also protects McAfee processes by
preventing users from stopping them. This protection is critical before and during outbreaks.

This feature uses predefined rules and user-defined rules to specify which items can and cannot
be accessed. Each rule can be configured to block or report, or block and report access violations
when they occur. Predefined rules and categories can be updated from the McAfee update sites.

NOTE: The on-access scanner, which detects access violations, must be enabled to detect
attempts to access ports, files, shares, and registry keys and registry values.


How threats gain access

The most common ways threats gain access to your system include:

Macros — As part of word processing documents and spreadsheet applications.

Executable files — Seemingly benign programs can include viruses along with the expected
program. For example, some common file extensions are .EXE, .COM, .VBS, .BAT, .HLP and
.DLL.

Email — Jokes, games, and images as part of email messages with attachments.

Scripts — Associated with web pages and emails, scripts such as ActiveX and JavaScript,
if allowed to run, can include viruses.

Internet Relay Chat (IRC) messages — Files sent along with these messages can easily
contain malware as part of the message. For example, automatic startup processes can
contain worms and Trojan threats.

Browser and application Help files — Downloading these Help files exposes the system
to embedded viruses and executables.

Combinations of all these — Sophisticated malware creators combine all of these delivery
methods and even embed one piece of malware within another to try and access your
computer.


How access threats are stopped


By enabling or changing the configuration of the Access Protection feature you can configure
anti-spyware protection, anti-virus protection, common protection, virtual machine protection,
and define your own rules of protection. Following is the basic process VirusScan Enterprise
uses to provide access protection.

Steps taken when a threat occurs

1  A user or process tries to take an action.

2  That action is examined by Access Protection according to the defined rules.

3  When a rule is broken, the action requested by the user or process is managed using the
information in the rules configured. For example, the action causes nothing to happen, it
is blocked, or it is blocked and a report is sent.

4  The Access Protection log file is updated, and an event is generated for the ePolicy
Orchestrator Global Administrator.

Example of an access threat

1 A user downloads a program, MyProgram.exe, from the Internet.
NOTE: For this example, MyProgram.exe is not malware.

2 The user launches the program and it seems to launch as expected.

3 MyProgram.exe then launches a child process called AnnoyMe.exe and it attempts to modify
the operating system to ensure it always loads on startup.

4 Access Protection processes the request and matches it against an existing rule that is
configured to block and report.

5 AnnoyMe.exe is denied access when it attempts to modify the operating system, Access
Protection logs the details of the attempt, and it generates an alert to the ePolicy
Orchestrator Global Administrator.

Log report and alerts generated

This is an example of an Access Protection log entry.

2/10/2010 11:00AM Blocked by Access Protection rule TestDomain\TestUser C:\Users\TestUser\Desktop\AnnoyMe.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Window\CurrentVersion\Run\ Prevent programs registering to autorun

This table describes the data in the previous Access Protection log entry:



Similar information is available using ePolicy Orchestrator queries. For details, refer to Access
queries and dashboards.
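A parser for log entries in the layout shown above, added here as an example written for this post rather than taken from the guide. It splits each entry into fields and counts blocked autorun-key writes per user and process, which is the pattern the AnnoyMe.exe walkthrough describes. The whitespace-separated field layout, the two extra sample lines and the RunOnce variant are assumptions, not something the guide states.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of Access Protection log lines in the layout of the entry
# shown above (date, time, action, user, process, target, rule name). The first
# line repeats the guide's example; the other two are made up for this example.
SAMPLE_LOG = r"""
2/10/2010 11:00AM Blocked by Access Protection rule TestDomain\TestUser C:\Users\TestUser\Desktop\AnnoyMe.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Window\CurrentVersion\Run\ Prevent programs registering to autorun
2/10/2010 11:02AM Blocked by Access Protection rule TestDomain\TestUser C:\Users\TestUser\Desktop\AnnoyMe.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Window\CurrentVersion\Run\ Prevent programs registering to autorun
2/10/2010 11:05AM Blocked by Access Protection rule TestDomain\Alice C:\Windows\Temp\setup.exe C:\ProgramData\McAfee\Common\Update\ Prevent modification of McAfee files and settings
"""

# Assumption: fields are whitespace-separated, the user, process and target
# fields contain no spaces, and everything after the target is the rule name.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}[AP]M) "
    r"(?P<action>Blocked by Access Protection rule) "
    r"(?P<user>\S+) (?P<process>\S+) (?P<target>\S+) (?P<rule>.+?)\s*$"
)

# Registry autorun locations; a blocked write here is a persistence attempt.
# RunOnce is an assumption added alongside the Run key the guide shows.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not a rule hit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["timestamp"] = datetime.strptime(
        f"{ev['date']} {ev['time']}", "%m/%d/%Y %I:%M%p"
    )
    return ev


def parse_log(text):
    """Parse every non-empty line; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line.strip())
        if ev:
            events.append(ev)
    return events


def autorun_attempts(events):
    """Count blocked autorun-key writes per (user, process).

    Repeated hits from one process deserve triage even though each write was
    blocked: the program keeps trying to persist across reboots."""
    counts = Counter()
    for ev in events:
        if RUN_KEY_RE.search(ev["target"]):
            counts[(ev["user"], ev["process"])] += 1
    return dict(counts)


def rules_triggered(events):
    """How often each rule fired; useful when tuning rules before enforcing."""
    return dict(Counter(ev["rule"] for ev in events))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (user, proc), n in autorun_attempts(evs).items():
        print(f"{n} blocked autorun attempt(s) by {proc} running as {user}")
    print(rules_triggered(evs))
```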



II. Protecting your system access points


Access protection prevents unwanted changes to your computer by restricting access to specified
ports, files, shares, registry keys, and registry values. It also protects McAfee processes by
preventing users from stopping them. This protection is critical before and during outbreaks.
This feature uses predefined rules and categories and user-defined rules to specify which items
can and cannot be accessed. Each rule can be configured to block and report access point
violations when they occur. Predefined rules and categories are subject to content updates via
the McAfee update sites.


A. How access protection rules are defined


Rule types and descriptions

1. Anti-virus

These preconfigured rules protect your computer from common behaviors of malware
threats. You can enable, disable, and change the configuration, but you cannot delete
these rules.

Two rule examples are:

• Prevent disabling or changing of critical processes, remote creation or modification
of executable files, hijacking of executable files, Windows Process spoofing, and
mass mailing worms from sending mail.

• Protect phone book files from password and email stealers.

These protection levels apply to anti-virus rules:

• Standard Protection

• Maximum Protection

• Outbreak Control


2. Anti-spyware

Rule examples are:

• Prevent changes to Internet Explorer favorites and settings.

• Prevent programs from running and execution of scripts from the Temp folder.


3. Common

These preconfigured rules prevent modification of commonly used files and settings.
You can enable, disable, and change the configuration, but you cannot delete these
rules.

Three rule examples are:

• Prevent modification of McAfee files and settings.

• Protect Mozilla and Firefox files and settings, Internet Explorer settings, and network
settings.

• Prevent installation of Browser Helper Objects and automatically running programs
from the Temp folder.

These protection levels apply to the common rules:

• Standard Protection

• Maximum Protection


4. Virtual Machine Protection

These preconfigured rules prevent termination of VMWare processes and modification
of VMWare files. You can enable, disable, and change the configuration, but you cannot
delete these rules.

Rule examples are:

• Prevent termination of VMWare Processes.

• Prevent modification of VMWare workstation, server, or virtual machine files.


5. User-defined

These custom rules supplement the protection provided by the Anti-virus and
Common rules.


Protection level descriptions

Standard — Anti-virus and common rules that protect some critical settings and files from being
modified, but generally allow you to install and execute legitimate software.

Maximum — Anti-virus and common rules that protect most critical settings and files from being
modified. This level provides more protection than Standard, but might prevent you from installing
legitimate software. If you cannot install software, we recommend that you disable the Access
Protection feature first, then enable it again after installation.

Outbreak control — Anti-virus and common rules that protect most critical settings and files from
being modified. This level provides more protection than Standard, but might prevent you from
installing legitimate software. If you cannot install software, we recommend that you disable the
Access Protection feature first, then enable it again after installation.



B. Access point violations and how VirusScan Enterprise responds

An access violation occurs when a restricted user or process tries to start, stop, or access
restricted components of your computer.

When an access point violation occurs:

• Information is recorded in the log file, if you selected the Report option for the rule that
detected the violation.

• The event is recorded in the local event log and to SNMP, if you configured Alert Properties
to do so.

• The event is reported to Alert Manager and ePolicy Orchestrator, if those products are
configured to do so.

• The Block and Report actions configured for a rule determine what happens when the rule
detects a violation.

• On the standalone client system, a red frame surrounds the system tray icon and remains
visible for 30 minutes, unless you reset it.

NOTE: To reset the icon, open the Access Protection Log File from the system tray icon.
Opening the log file by any other method does not reset the icon to its normal state.



storyhare (this user has been deleted)
Thread starter | Posted on 2011-10-16 12:54:28

User-defined rules

This post was last edited by storyhare on 2011-10-16 13:08.

A. Types of user-defined rules

When you configure a new access protection user-defined rule you are allowed to create port
blocking, file and folder blocking, and registry blocking rules.


Rule descriptions

1. Port Blocking Rule

Blocks incoming or outgoing network traffic on specific ports or ranges of ports.

Option definitions


NOTE: When you block a port, Transmission Control Protocol (TCP) and User Datagram
Protocol (UDP) accesses are blocked.

NOTE: When you block a port any protocol using that port or range of ports is blocked.
For example, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
accesses are blocked.

2. File/Folder Blocking Rule

Blocks write access to files and folders, file execution, plus new file creation and file
deletion.

Option definitions

NOTE: Once you restrict access to a file or folder, the restriction remains in place until
the administrator removes it. This helps prevent intrusions and stops them from spreading
during an outbreak.

3. Registry Blocking Rule

Protects registry keys or values by blocking these actions: write to, create, or delete.

NOTE: When creating a registry blocking rule, use the best matching hive registry subtree
abbreviation. For example, to block HKLM\System\CurrentControlSet\Services\MyService, choose
the HKCCS hive rather than HKLM.

Option definitions



B. Include or exclude specific process options

To change the rule details, such as the name, and which process to include or exclude, use
Access Protection and click Edit.

Option definitions



C. Removing user-defined rules

Remove rules that you created but no longer use.

Remove the user-defined rules using one of these user interface consoles.

storyhare (this user has been deleted)
Thread starter | Posted on 2011-10-16 13:13:28
This post was last edited by storyhare on 2011-10-16 13:37.

I. Blocking buffer overflow exploits

Buffer overflow protection prevents exploited buffer overflows from executing arbitrary code
on your computer. It monitors user-mode API calls and recognizes when they are called as a
result of a buffer overflow.

When a detection occurs, information is recorded in the activity log and displayed in the
On-Access Scan Messages dialog box, if you configured those options to do so.

VirusScan Enterprise uses a Buffer Overflow and Access Protection DAT file to protect
approximately 30 applications, for example, Internet Explorer, Microsoft Outlook, Outlook
Express, Microsoft Word, and MSN Messenger.


How buffer overflow exploits occur

Attackers use buffer overflow exploits to run executable code by overflowing the fixed-size
memory buffers reserved for an input process. This code lets the attacker take over the target
computer or compromise its data.

There are two types of buffer overflow exploits:

• Heap-based attacks — They flood the memory space reserved for a program, but they
are difficult to perform and rare.

• Stack-based attacks — They use the stack memory objects to store user input and are
the most common.

The following process describes stack-based buffer overflow attacks:

1  Normal stack memory process — The fixed-size stack memory object is usually empty
and waiting for user input. When a program receives input from the user, such as their
name, the data is stored on top of the stack and assigned a return memory address. When
the stack is processed, the user's input is sent to the return address specified by the
program.

2  Overflowing the stack — When the program is written, a specific amount of memory
space is reserved for the data. The stack overflows if the data written is larger than the
space reserved for it within the memory stack. This is only a problem when combined with
malicious input.

3  Exploiting the overflow — If the program is waiting for a user to enter their name, but
the attacker enters an executable command that exceeds the stack size, that command is
saved outside of the reserved space.

4  Running the malicious code — The command is not automatically run just because it
exceeds the stack buffer space. But it could be if a return address that points to the malicious
command is provided by the attacker. Initially the program starts to crash because of the
buffer overflow, but the program tries to recover by using the return address provided by
the attacker. If the return address is a valid address, the malicious command is executed.

5  Exploiting the permissions — Since programs usually run either in kernel mode or with
permissions inherited from a service account, the malicious code is now running with the
same permissions as the application that was compromised. This could mean the attacker
can gain full control of the operating system.




II. Restricting potentially unwanted programs

VirusScan Enterprise protects your computer from potentially unwanted programs that are a
nuisance or present a security risk. One common unwanted program policy is configured, but
you can individually enable or disable the policy and specify actions for each of the VirusScan
Enterprise scanners.

Potentially unwanted programs (PUPs) are defined as software programs written by legitimate
companies that can alter the security state, or the privacy policy of the computer on which they
are installed. This software can, but does not necessarily, include spyware, adware, and dialers.
These embedded PUPs can be downloaded with a program that you actually want.
Security-minded users recognize such programs and, in some cases, remove them.




III. Updating detection definitions

The VirusScan Enterprise software depends on the scanning engine and the information in the
detection definition (DAT) files to identify and take action on threats. New threats appear on a
regular basis. To meet this challenge, McAfee releases new DAT files every day that incorporate
the results of its ongoing threat research. The update task retrieves the most current DAT files
from the external McAfee update site and installs them.

NOTE: An ePolicy Orchestrator-managed environment can also retrieve the most current DAT
files, EXTRA.DAT file, scanning engine, Service Packs, and Patches.

1. DAT files and how they work

When the scanning engine searches through files looking for threats, it compares the contents
of the scanned files to known threat information stored in the detection definition (DAT) files.
The known threat information, called signatures, is information McAfee Labs has found and
added to the DAT files.

Besides the signatures, the DAT files also include instructions for cleaning and counteracting the
damage created by the detected virus. That is why it is so important to download the most recent
version of the DAT file used by VirusScan Enterprise.

CAUTION: If the signature of a certain virus is not contained in any of the DAT files you have
installed, that virus will not be detected by the scanning engine. Also, the scanning engine must
be the latest version to be able to fully utilize the latest DAT files.

VirusScan Enterprise also uses heuristics, called Artemis, to check for suspicious files along with
the DAT files. Refer to How Artemis works for more information.

The various DAT files are stored at the following path:

\Program Files\Common Files\McAfee\Engine

2. The importance of an update strategy

The importance of an update strategy cannot be overstated. Without the latest DAT files and
scanning engine installed on your system, it is not fully protected from the latest viruses. There
has been an unprecedented rise in the number, propagation rate, and prevalence of new
malware. In addition, the growing amount of adware and spyware requires more consistent
and available detection and removal.

McAfee Labs releases DAT file updates at about 6:00 PM (GMT) almost every day. Naturally,
outbreaks will still occur at awkward times and require emergency releases. When a daily DAT
is released early, to pre-empt a potential outbreak, no second DAT is released that day at the
normally scheduled time, unless another emergency situation requires one.




IV. Excluding scan items

Each of the VirusScan Enterprise scanners allows you to fine-tune the list of file types scanned.
For example, you can exclude from scanning individual files, folders, and disks. These exclusions
might be needed because the scanners could scan and lock a file when that file is being used
by a database or server. This could cause the database or server to fail or generate errors.

Specifying exclusions

Specify files, folders, and drives to exclude from scanning operations. You can also remove any
exclusions you specified previously.

How to use wildcards to specify scan items

You can use wildcards to exclude types of files by extension.

When using wildcards, these limitations apply.

• Valid wildcards are question mark (?) for excluding single characters and asterisk (*) for
excluding multiple characters.

• Wildcards can appear in front of a back slash (\) in a path. For example: C:\ABC\*\XYZ
matches C:\ABC\DEF\XYZ.

• An exclusion containing question mark (?) characters applies if the number of characters
matches the length of the file or folder name. For example: The exclusion W?? excludes
WWW, but does not exclude WW or WWWW.

• The syntax is extended to include a double asterisk (**), which means zero or more of any
characters including back slash. This allows multiple-depth exclusions. For example:
C:\ABC\**\XYZ matches C:\ABC\DEF\XYZ and C:\ABC\DEF\DEF\XYZ, etc.
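A small matcher that implements the wildcard rules listed above, added here as an example for this post and not code from the guide or from McAfee. It is meant for checking an exclusion list before it is deployed: it reports which exclusion would stop a given path from being scanned and flags patterns that exclude an entire drive or tree. Assumptions the guide does not spell out: a single * never matches a backslash (** is the documented way to cross one), matching is case-insensitive, and a pattern with no backslash (such as *.tmp) is compared against the file name only.

```python
import re

# Assumptions for this matcher (the guide does not spell these out):
#  * '*' stays within one path component, i.e. it never matches a backslash;
#    '**' is the documented way to cross backslashes.
#  * Matching is case-insensitive, as Windows paths are.
#  * A pattern without any backslash (for example *.tmp) is an extension-style
#    exclusion and is compared against the file name only.


def exclusion_to_regex(pattern):
    """Translate a VirusScan-style exclusion pattern into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # zero or more of anything, incl. '\'
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            parts.append(r"[^\\]*")     # zero or more chars, but no '\'
        elif c == "?":
            parts.append(r"[^\\]")      # exactly one char, but no '\'
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern, path):
    """True if the exclusion pattern covers the given file or folder path."""
    subject = path if "\\" in pattern else path.rsplit("\\", 1)[-1]
    return exclusion_to_regex(pattern).match(subject) is not None


def first_matching_exclusion(path, exclusions):
    """Return the first exclusion that would stop this path being scanned."""
    for pattern in exclusions:
        if matches(pattern, path):
            return pattern
    return None


def broad_exclusions(exclusions):
    """Flag patterns that use '**' and whose only literal text is a drive root
    (or nothing at all): such a pattern excludes a whole drive or tree, which
    quietly leaves locations like user profile folders unscanned."""
    flagged = []
    for pattern in exclusions:
        prefix = re.split(r"[*?]", pattern, maxsplit=1)[0]
        if "**" in pattern and re.fullmatch(r"(?:[A-Za-z]:\\?)?", prefix):
            flagged.append(pattern)
    return flagged


if __name__ == "__main__":
    # Constructed policy and paths for demonstration only.
    policy = [r"*.tmp", r"C:\DB\**", r"C:\**"]
    for p in [r"C:\Temp\build.tmp", r"C:\DB\data\file.mdf", r"C:\Users\bob\tool.exe"]:
        print(p, "->", first_matching_exclusion(p, policy))
    print("over-broad:", broad_exclusions(policy))
```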



storyhare (this user has been deleted)
Thread starter | Posted on 2011-10-16 13:37:55

On-access Scan

This post was last edited by storyhare on 2011-10-16 18:11.

I. On-access scanning and how it works

The on-access scanner hooks into the system at the lowest levels (File-System Filter Driver) and
scans files where they first enter your system. The on-access scanner acts as part of the system
(System Service) and delivers notifications via the interface when detections occur.

When an attempt is made to open, close, or rename a file, the scanner intercepts the operation
and takes these actions.

1   The scanner determines if the file should be scanned based on these criteria:

  • The file’s extension matches the configuration.

  • The file has not been cached.

  • The file has not been excluded.

  • The file has not been previously scanned.

2   If the file meets the scanning criteria, it is scanned by comparing the information in the
file to the known malware signatures in the currently loaded DAT files.

  • If the file is clean, the result is cached and the read, write, or rename operation is granted.

  • If the file contains a threat, the operation is denied and the configured action is taken.

For example:

  • If the file needs to be cleaned, that cleaning process is determined by the currently
loaded DAT files.

  • The results are recorded in the activity log, if the scanner was configured to do so.

  • The On-Access Scan Messages alert appears describing the file name and the
action taken, if the scanner was configured to do so.

3  If the file does not meet the scanning requirements, it is not scanned. It is cached and the
operation is granted.

NOTE: The scan file cache is flushed and all files are rescanned whenever, for example,
the on-access scan configuration is changed, an EXTRA.DAT file is added, or when the
cache is full.




II、Scanning comparison


1、writing to disk vs. reading from disk

The on-access scanner performs scans differently, depending on whether the user is writing to
disk or reading from disk.

When files are being written to disk, the on-access scanner scans these items:

  • Incoming files being written to the local hard drive.

  • Files being created on the local hard drive or a mapped network drive (this includes new
files, modified files, or files being copied or moved from one drive to another).

NOTE: To scan mapped network drives, you must enable the On Network Drives option.
Refer to Enabling on-network drives.
This scanning covers only access from the client where VirusScan Enterprise is installed;
it does not detect access to the mapped network drive by other systems.

When files are being read from disk, the on-access scanner scans these items:

  • Outgoing files being read from the local hard drive or mapped network drives.

NOTE: To scan mapped network drives, select the On network drives option, described
in the previous bullets, to include remote network files.

  • Any file attempting to execute a process on the local hard drive.

  • Any file opened on the local hard drive.

  • Any file being renamed on the local hard drive, if the file properties have changed.


2、scanning all files vs. scanning default +additional file types

The on-access scanner scans files differently depending on whether it is configured to scan all
files, or to scan default files plus additional file types.

When scanning All files, the scanner examines every file type for all possible threats.

When scanning Default + additional file types, the scanner examines a list of specific files
based on the file types you select.

  • Default file types: The on-access scanner examines the specified file type only for threats
that attack that file type.

  • Additional file types: The on-access scanner examines the files with matching extensions
for all possible threats.

  • Specified files types: The on-access scanner examines the user defined list of file extensions
for all possible threats.




III、Script scanning and how it works

The script scanner operates as a proxy component to the real Windows scripting host component.
It intercepts scripts, then scans them before they are executed.

For example, the script scanner confirms:

  • If the script is clean, it is passed on to the real scripting host component.

  • If the script contains a potential threat, the script is not executed.

Trusted processes, and websites that use scripts, can be excluded from inspection.

NOTE: On Windows Server 2008 systems, Script Scan URL exclusions do not work with Windows
Internet Explorer unless you click the checkbox Enable third-party browser extensions to
enable the setting and restart Windows Server 2008. For details, see
https://kc.mcafee.com/corporate/ ... ent&id=KB69526.




IV、How Artemis works

The Artemis feature uses heuristics to check for suspicious files. It gives users of
Windows-based McAfee anti-virus products the most up-to-date real-time detections for certain
malware.

Artemis does not provide protection for entire classes of malware; just for suspicious samples.
The benefit of protecting against specific threats is the capability to protect users with McAfee
security at virtually the same time that McAfee Labs determines a sample is malicious.

You can configure the sensitivity level Artemis uses to look for suspicious programs and DLLs
running on client systems protected by VirusScan Enterprise.

When Artemis detects a suspicious program, it sends a DNS request containing a fingerprint of
the suspicious file to a central database server hosted by McAfee Labs.

NOTE: In this release, the Artemis feature is enabled by default, with the sensitivity level set
to very low.




V、Determine the number of scanning policies

Follow this process to determine whether to configure more than one on-access scanning policy.





VI、How general and process settings are configured

The on-access scanner’s general and process policies are configured separately.

  • General Settings — Includes options that apply to all processes.

General settings apply to the scanning of all processes and include parameters, such as maximum
scan time, scanning scripts, blocking unwanted threats from a remote computer, sending
messages when threats are detected, and reporting detections.

  • Process Settings — Allow you to configure one scanning policy for all processes, or
configure different policies for processes that you define as default, low-risk, and high-risk.

On-access scan processes are configured based on the risk that you assign to each process.
You can configure one default scanning policy for all processes, or configure different policies
based on the risk assigned to each process. Parameters include the risk you assign to
processes, the items to scan, whether Artemis scanning is performed, whether compressed files
are scanned, the actions taken on detections, and scanning for potentially unwanted programs.





Scanning email on-delivery and on-demand

The email scanner automatically examines email messages and attachments.

The email is scanned using:

  • Microsoft Outlook — Email is scanned on-delivery, or you can invoke on-demand email
scans directly from Microsoft Outlook.

NOTE: If you configure the Heuristics and Artemis features, the email on-delivery and on-demand
scanner uses heuristics to check for suspicious files. For details, see How Artemis works.

  • Lotus Notes — Allows you to configure:

     • Scanning of email when it is accessed.

     • On-demand email scans invoked directly from Lotus Notes.

     • Which Notes databases to exclude.
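The decision flow in "On-access scanning and how it works" and the "All files" versus "Default + additional file types" distinction in "Scanning comparison" are easiest to see as code. The simulation below is an added example, not McAfee code: it models the should-scan check (exclusion, cache, extension), the signature comparison against the loaded DATs, the caching of clean results, and the cache flush that follows a configuration change or an EXTRA.DAT load. The default extension list, the signatures, the file names and their contents are all constructed; exclusions are exact paths here rather than wildcard patterns, and a write is assumed to discard the cached entry so modified content is scanned again, which the guide's description of scanning on write implies but does not spell out.

```python
"""Simulation of the on-access scanner's decision flow and clean-file cache.

Added example, not McAfee code. The default extension list, the signatures,
file names and contents are constructed; exclusions are exact paths.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumption: a small stand-in for the default file type list, which the
# real product takes from the DAT files.
DEFAULT_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".vbs", ".js", ".doc"}


@dataclass
class ScanConfig:
    scan_all_files: bool = False                   # "All files" vs "Default + additional"
    additional_extensions: Set[str] = field(default_factory=set)
    exclusions: Set[str] = field(default_factory=set)  # exact, lower-cased paths


@dataclass
class Decision:
    granted: bool          # was the read/write/rename allowed to proceed
    scanned: bool          # did the file actually go through the signature scan
    reason: str
    threat: Optional[str] = None


class OnAccessScanner:
    def __init__(self, config: ScanConfig, dat: Dict[bytes, str]):
        self.config = config
        self.dat = dict(dat)            # signature bytes -> threat name (constructed DAT)
        self.clean_cache: Set[str] = set()  # paths whose last scan came back clean
        self.activity_log: List[str] = []

    def set_config(self, config: ScanConfig) -> None:
        self.config = config
        self._flush("on-access configuration changed")

    def load_extra_dat(self, extra: Dict[bytes, str]) -> None:
        self.dat.update(extra)
        self._flush("EXTRA.DAT added")

    def _flush(self, reason: str) -> None:
        # Everything cached as clean is forgotten and will be rescanned on next access.
        self.clean_cache.clear()
        self.activity_log.append(f"cache flushed: {reason}")

    def _should_scan(self, path: str) -> Tuple[bool, str]:
        key = path.lower()
        if key in self.config.exclusions:
            return False, "excluded"
        if key in self.clean_cache:
            return False, "cached"
        name = key.rsplit("\\", 1)[-1]
        ext = os.path.splitext(name)[1]
        if self.config.scan_all_files:
            return True, "all files"
        if ext in DEFAULT_EXTENSIONS or ext in self.config.additional_extensions:
            return True, f"extension {ext} selected"
        return False, f"extension {ext or '(none)'} not selected"

    def access(self, path: str, content: bytes, operation: str = "read") -> Decision:
        key = path.lower()
        if operation == "write":
            # Assumption: a write drops the clean entry so the new content is rescanned.
            self.clean_cache.discard(key)
        scan, reason = self._should_scan(path)
        if not scan:
            self.clean_cache.add(key)   # step 3: not scanned, cached, operation granted
            return Decision(True, False, reason)
        for signature, threat in self.dat.items():
            if signature in content:
                self.activity_log.append(f"{operation} {path}: {threat} detected, operation denied")
                return Decision(False, True, "signature match", threat)
        self.clean_cache.add(key)       # step 2: clean, cached, operation granted
        return Decision(True, True, reason)


def demo() -> Tuple[Dict[str, Decision], List[str]]:
    """Run a constructed sequence of accesses and return the decisions and log."""
    scanner = OnAccessScanner(
        ScanConfig(exclusions={r"c:\builds\cache\obj.dll"}),
        dat={b"SIG-ALPHA": "Constructed/Alpha"},
    )
    exe = b"MZ\x90\x00 constructed body SIG-BETA"   # SIG-BETA is unknown to the initial DAT
    r: Dict[str, Decision] = {}
    r["exe_first"] = scanner.access(r"C:\Tools\run.exe", exe)          # scanned, clean, cached
    r["exe_second"] = scanner.access(r"C:\Tools\run.exe", exe)         # cache hit, not scanned
    r["txt_default"] = scanner.access(r"C:\Notes\readme.txt", b"SIG-ALPHA")  # .txt not a default type
    r["excluded"] = scanner.access(r"C:\Builds\cache\obj.dll", b"SIG-ALPHA")  # excluded path
    scanner.load_extra_dat({b"SIG-BETA": "Constructed/Beta"})          # flushes the cache
    r["exe_after_extra"] = scanner.access(r"C:\Tools\run.exe", exe)    # rescanned, now detected
    scanner.set_config(ScanConfig(scan_all_files=True))                # flushes again
    r["txt_all_files"] = scanner.access(r"C:\Notes\readme.txt", b"SIG-ALPHA")  # now scanned
    return r, scanner.activity_log


if __name__ == "__main__":
    decisions, log = demo()
    for label, d in decisions.items():
        print(f"{label:16} granted={d.granted} scanned={d.scanned} {d.reason} {d.threat or ''}")
    print("\n".join(log))
```

The sequence makes the two practical points concrete: a file cached as clean is not looked at again until something flushes the cache, so a signature that arrives in an EXTRA.DAT only takes effect on cached files because that load flushes it; and under "Default + additional file types" a file whose extension is not selected is granted without any scan, however malicious its contents, which is the trade-off behind choosing "All files".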

storyhare (user deleted)
Original poster | Posted 2011-10-16 14:19:12

Conclusion

Last edited by storyhare on 2011-10-21 19:26

All is in English, so if you want to know, read it and you'll understand it, or the opposite.


And now, you can download the Chinese manual:



angelazhangkai
Posted 2011-10-16 14:42:46
Chinese translation please, I can't understand it.
qzmxy2006
(avatar hidden)
Posted 2011-10-16 15:14:03
storyhare posted on 2011-10-16 14:19:
All is in English, so if you want to know, read it and you'll understand it, or the opposite ...

The thread is finally open, here to show support~
PS: translation please~
卡卡洛夫
Posted 2011-10-16 15:17:57
I'm more interested in path1...
Kafan Forum | Copyright © KaFan KaFan.cn All Rights Reserved.