Protection Pilot


  • 7/29/2019 Protection Pilot

    1/162

    Product Guide revision 1.0

    ProtectionPilot

    Maximum Protection. Simple Administration.

    McAfee

    System Protection

    Industry-leading intrusion prevention solutions


    COPYRIGHT

    Copyright 2006 McAfee, Inc. All Rights Reserved.

    No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

    TRADEMARK ATTRIBUTIONS

    ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    LICENSE INFORMATION

    License Agreement

    NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

    Attributions

    This product includes or may include:

    Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.

    Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. Software originally written by Robert Nordier, Copyright 1996-7 Robert Nordier. Software written by Douglas W. Sauder. Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. International Components for Unicode (ICU) Copyright 1995-2002 International Business Machines Corporation and others. Software developed by CrystalClear Software, Inc., Copyright 2000 CrystalClear Software, Inc. FEAD Optimizer technology, Copyright Netopsystems AG, Berlin, Germany. Outside In Viewer Technology 1992-2001 Stellent Chicago, Inc. and/or Outside In HTML Export, 2001 Stellent Chicago, Inc.

    Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, 1998, 1999, 2000. Software copyrighted by Expat maintainers. Software copyrighted by The Regents of the University of California, 1996, 1989, 1998-2000. Software copyrighted by Gunnar Ritter. Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., 2003. Software copyrighted by Gisle Aas, 1995-2003. Software copyrighted by Michael A. Chase, 1999-2000. Software copyrighted by Neil Winton, 1995-1996. Software copyrighted by RSA Data Security, Inc., 1990-1992. Software copyrighted by Sean M. Burke, 1999, 2000. Software copyrighted by Martijn Koster, 1995. Software copyrighted by Brad Appleton, 1996-1999. Software copyrighted by Michael G. Schwern, 2001. Software copyrighted by Graham Barr, 1998. Software copyrighted by Larry Wall and Clark Cooper, 1998-2000. Software copyrighted by Frodo Looijaard, 1997. Software copyrighted by the Python Software Foundation, Copyright 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. Software copyrighted by Beman Dawes, 1994-1999, 2002. Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek 1997-2000 University of Notre Dame. Software copyrighted by Simone Bordet & Marco Cravero, 2002. Software copyrighted by Stephen Purcell, 2001. Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). Software copyrighted by International Business Machines Corporation and others, 1995-2003. Software developed by the University of California, Berkeley and its contributors. Software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/).

    Software copyrighted by Kevlin Henney, 2000-2002. Software copyrighted by Peter Dimov and Multi Media Ltd. 2001, 2002. Software copyrighted by David Abrahams, 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, 2000. Software copyrighted by Boost.org, 1999-2002. Software copyrighted by Nicolai M. Josuttis, 1999. Software copyrighted by Jeremy Siek, 1999-2001. Software copyrighted by Daryle Walker, 2001. Software copyrighted by Chuck Allison and Jeremy Siek, 2001, 2002. Software copyrighted by Samuel Krempp, 2001. See http://www.boost.org for updates, documentation, and revision history. Software copyrighted by Doug Gregor ([email protected]), 2001, 2002. Software copyrighted by Cadenza New Zealand Ltd., 2000. Software copyrighted by Jens Maurer, 2000, 2001. Software copyrighted by Jaakko Järvi ([email protected]), 1999, 2000. Software copyrighted by Ronald Garcia, 2002. Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, 1999-2001. Software copyrighted by Stephen Cleary ([email protected]), 2000. Software copyrighted by Housemarque Oy, 2001. Software copyrighted by Paul Moore, 1999. Software copyrighted by Dr. John Maddock, 1998-2002. Software copyrighted by Greg Colvin and Beman Dawes, 1998, 1999. Software copyrighted by Peter Dimov, 2001, 2002. Software copyrighted by Jeremy Siek and John R. Bandela, 2001. Software copyrighted by Joerg Walter and Mathias Koch, 2000-2002. Software copyrighted by Carnegie Mellon University 1989, 1991, 1992. Software copyrighted by Cambridge Broadband Ltd., 2001-2003. Software copyrighted by Sparta, Inc., 2003-2004. Software copyrighted by Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, 2004. Software copyrighted by Simon Josefsson, 2003. Software copyrighted by Thomas Jacob, 2003-2004. Software copyrighted by Advanced Software Engineering Limited, 2004. Software copyrighted by Todd C. Miller, 1998. Software copyrighted by The Regents of the University of California, 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

    PATENT INFORMATION

    Protected by US Patents 6,470,384; 6,493,756; 6,496,875; 6,553,377; 6,553,378.

    Issued June 2006 / McAfee ProtectionPilot software

    DBN 005-EN

    Contents

    Preface
      Audience
      Getting help
      Conventions
      Getting information
      Contact information

    1 Introducing ProtectionPilot
      Maximum number of managed computers
      Supported products
      Server
      Console
        Using the console
        Security Threats data monitor
      Database
      Agent

    2 Getting Started with ProtectionPilot
      What to do after installation
        Automatic DAT and engine updates
        Existing update locations (first-time installation only)
        Manual upgrade of the agent (upgrade only)
        Novell environment
        Proxy settings for the server
        Windows Firewall exceptions on the server
      Answers to common questions
        How is up-to-dateness defined?
        Do I have the most current DAT and engine files available?
        What's my current level of protection?
        Are my computers up-to-date?
        Have there been any detections lately?
        Are any of my computers still infected or impacted?
        Which computers have the most detections?
        What are the most prevalent detections?
        Are there any new threats or updates?
        Am I already protected against new threats?
        If I'm not yet protected against new threats, what countermeasures can I take?
        When did I get the latest updates?
        What happens if the maximum number of managed computers is exceeded?
        What happens when multiple managed computers have the same name?
        How can I provide feedback on the software?
        How do I resolve a failed status in the Security Threats data monitor?
      Where to find information

    3 Making Sure Computers are Managed and Protected
      Deploying products to new computers and putting them under management
      Putting existing McAfee products under management
      Updating groups of computers from domains
      Manually installing the agent
      Adding computers that use a system image of a managed computer
      Adding products to the server repository

    4 Keeping Products Up-To-Date
      Upgrading products
      Adding policy pages to the server repository
      Adding extended policy pages to the server repository
      Performing immediate DAT and engine updates
      Changing the frequency of DAT and engine updates

    5 Organizing Computers
      Defining the organization of computers
      Renaming groups
      Moving computers between groups
      Uninstalling managed products
      Removing a computer from management
      Removing an entire group of computers from management

    6 Changing Policies
      Changing agent policy settings
      Changing managed product policy settings
      Restoring default policy settings

    7 Scheduling Client Tasks
      Performing scheduled updates
      Performing scheduled scans
      Performing scheduled scans (GroupShield for Exchange)
      Modifying default on-demand scan client tasks
      Modifying user-defined client tasks
      Deleting user-defined client tasks

    8 Investigating Detections
      Listing computers with reported detections
      Listing what has been detected
      Listing which files have been impacted
      Viewing detections by type
      Viewing detection history for computers
      Learning more about detections
      Scanning managed computers for possible infections
      Printing detection reports

    9 Resolving Compliance Issues
      Listing non-compliant computers and taking action to bring them up-to-date
      Viewing agent log files
      Viewing computer and product properties
      Viewing update history for computers
      Printing compliance reports

    10 Managing the Server
      Adding proxy settings for the server
        Using the proxy settings in Internet Explorer for the server
        Defining custom proxy settings for the server
      Adding the agent-to-server communication port as a Windows Firewall exception
      Adding the server service and console-to-server communication port as Windows Firewall exceptions
      Defining the minimum compliance level
      Changing the definition of not communicating
      Changing the server password
      Changing port numbers used for server communication
      Changing the name of the server
      Viewing the server log file
      Modifying the size of the server log file
      Viewing the Avert Labs log file

    A Managing AutoUpdate Repositories
      When to use AutoUpdate repositories
      Download and replication credentials
      Creating distributed repositories on non-dedicated computers
      Creating distributed repositories on HTTP servers
      Creating distributed repositories on FTP servers
      Creating distributed repositories using UNC shares
      Modifying distributed repositories
      Removing distributed repositories from management
      Replicating to distributed repositories immediately
      Adding proxy settings for managed computers
        Using the proxy settings in Internet Explorer for managed computers
        Defining custom proxy settings for managed computers

    B Receiving Notification of Incidents
      Setting up the Alert Manager server
      Sending notifications of alert messages
        Sending notifications as text messages via email or pagers
      Sending alert messages to the Alert Manager server
        Sending alert messages from VirusScan 4.5.1
        Sending alert messages from VirusScan Enterprise
        Sending alert messages from NetShield for NetWare

    C Managing AntiSpyware Enterprise

    D Managing AntiSpyware Enterprise Standalone

    E Managing GroupShield for Exchange

    F Managing Earlier Versions of VirusScan

    G Managing NetShield for NetWare

    Index


    Preface

    This guide introduces the McAfee ProtectionPilot software, and provides the following information:

    Overview of the product.

    Descriptions of product features.

    Detailed instructions for configuring and deploying the software.

    Procedures for performing tasks.

    Troubleshooting information.

    Audience

    This information is designed for system and network administrators who are managing up to 500 computers and are responsible for their company's security program.

    Getting help

    There are a variety of resources available to you when you need more information about the product.

    Click Help or from anywhere in the application.

    Review the ProtectionPilot Release Notes (ReadMe.txt) for a list of known issues and last-minute updates to the product and its documentation. The default location is:

    C:\Program Files\McAfee\ProtectionPilot\

    Click McAfee Support under Resource Sites on the Welcome to McAfee ProtectionPilot page for access to a free knowledgebase of known issues and supplemental documentation.


    Conventions

    This guide uses the following conventions:

    Bold: All words from the user interface, including options, menus, buttons, and dialog box names.

    Example: Type the User name and Password of the desired account.

    Courier: Text that represents something the user types exactly (for example, a command at the system prompt).

    Example: Run this command on the computer: C:\SETUP.EXE

    Italic: For emphasis or when introducing a new term; for names of product manuals and topics (headings) within the manuals.

    Example: For more information, see the ProtectionPilot Product Guide.

    Angle brackets enclose a generic term.

    Example: In the tree pane under ePolicy Orchestrator, right-click.

    NOTE: Supplemental information; for example, an alternate method of executing the same command.

    WARNING: Important advice to protect a user, computer system, enterprise, software installation, or data.

    Getting information

    Installation Guide: Procedures on preparing for, installing, and deploying the software in a production environment.

    Product Guide: Procedures on customizing the software for your environment and maintaining the software. Product introduction and features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures.

    Help: Context-sensitive Help topics accessible from most pages that list the procedures related to that page, reference information, and all information found in the Product Guide.

    Release Notes: ReadMe. Product information, system requirements, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation. Contact information for McAfee services and resources: technical support, customer service, McAfee Avert Labs, beta program, and training. A text file is included with the software application and on the product CD.

    License Agreement: The McAfee License Agreement booklet that includes all of the license types you can purchase for your product. The License Agreement presents general terms and conditions for use of the licensed product.


    Contact information

    Threat Center: McAfee Avert Labs
    http://www.mcafee.com/us/threat_center/default.asp

      Avert Labs Threat Library
      http://vil.nai.com

      Avert Labs WebImmune & Submit a Sample (Logon credentials required)
      https://www.webimmune.net/default.asp

      Avert Labs DAT Notification Service
      http://vil.nai.com/vil/signup_DAT_notification.aspx

    Download Site
    http://www.mcafee.com/us/downloads/

      Product Upgrades (Valid grant number required)

      Security Updates (DATs, engine)

      HotFix and Patch Releases

        For Security Vulnerabilities (Available to the public)

        For Products (ServicePortal account and valid grant number required)

      Product Evaluation

      McAfee Beta Program

    Technical Support
    http://www.mcafee.com/us/support/

      KnowledgeBase Search
      http://knowledge.mcafee.com/

      McAfee Technical Support ServicePortal (Logon credentials required)
      https://mysupport.mcafee.com/eservice_enu/start.swe

    Customer Service

      Web
      http://www.mcafee.com/us/support/index.html
      http://www.mcafee.com/us/about/contact/index.html

      Phone: US, Canada, and Latin America toll-free:
      +1-888-VIRUS NO or +1-888-847-8766, Monday–Friday, 8 a.m.–8 p.m., Central Time

    Professional Services

      Enterprise: http://www.mcafee.com/us/enterprise/services/index.html

      Small and Medium Business: http://www.mcafee.com/us/smb/services/index.html


    1 Introducing ProtectionPilot

    The ProtectionPilot software is a security management system that simplifies security management tasks for network administrators who manage up to 500 computers.

    Management consists of deploying (sending and installing) security products, configuring product settings, and keeping those products up-to-date.

    The software is a system made up of these components: server, console, database, and agent.

    Maximum number of managed computers

    You can manage up to 500 computers using ProtectionPilot. You are notified whenever this limit is exceeded. However, once the number of managed computers reaches 600, you can no longer add new computers. You are also notified whenever this upper limit is reached or exceeded. Computers above 600 are automatically removed from management (the agent is uninstalled from the computers). The security products remain.

    Supported products

    For a list of the McAfee products you can manage using the McAfee ProtectionPilot software, see the ProtectionPilot Release Notes (ReadMe.txt).


    Server

    Executing all console requests and handling the exchange of data from the console and agents to the database, the ProtectionPilot server does a majority of the work of the software.

    Figure 1-1. How the server handles data received from agents and the console (diagram labels: Agents, Database, Server, Consoles)


    Console

    The piece you interact with directly to execute tasks and view data is the ProtectionPilot console. Although a console is always installed with the server, you can also install it separately. In this case, it is called a remote console because it is used to access the server remotely (from a different computer). Remote consoles are useful if you need to access the server from another computer or location; for example, if access to the server room is restricted or it isn't set up as a work space.

    Figure 1-2. Relationship between the console, remote consoles, and the server (diagram labels: Server, Console, Computer, Remote Consoles)


    Using the console

    The main user interface components of the ProtectionPilot console are described below.

    Sections: Click the buttons at the top of the center pane of the console to go directly to the corresponding section (a group of related pages). For example, click the Server button to display the Server section.

    Tree pane: You can also click the items in the tree pane (left pane of the console) to go directly to the corresponding section. This is the only way to go directly to the group and computer sections.

    Back: Click to go back to the page that you last viewed.

    Print: Click to open a printer-friendly version of the contents of the center pane. The right pane of the console (contains the back, print, and help buttons, and Management Tasks) is excluded.

    Help: Click to open the Help file. Descriptions of the options on the current page appear.

    Management Tasks: Provides quick access to tasks related to the current page.

    Security Threats data monitor: Displays newly discovered and recently updated threats. The detection definition (DAT) files and scanning engine that provide protection against these threats are automatically retrieved as they become available.

    Figure 1-3. User interface components


    Security Threats data monitor

    Protection Status and Risk Assessment: You can easily determine whether the DAT and engine files in the server repository provide protection against all known threats and, if not, the highest risk level of any new threats.

    Security Threats: Click Security Threats to view details (such as risk level, discovery date, and detection type) about each threat. For instructions, see Viewing and managing notifications on new threats under Keeping Products Up-To-Date in the Help file.

    Unread Notifications: The number of unread threat notifications is listed. Once you mark a notification as read, it is no longer counted here.

    Status: The last time that new threat notifications were retrieved from the Avert Labs website and whether that task was successful appears in the Security Threats data monitor in addition to the server log file. For instructions, see Viewing the server log file on page 116.

    Figure 1-4. The Security Threats data monitor

    Protection Available: The DAT and engine files in the server repository already provide protection against all threats that are known to McAfee Avert Labs. To determine whether each managed computer is protected, view the compliance data from the Home section.

    Protection Pending on Medium-Risk Threats: The updated DAT file for threats assessed by Avert Labs as medium risk is pending. However, updated protection is available in a supplemental virus definition (EXTRA.DAT) file, which you can manually download if you need protection before the next full DAT file is available, such as in an outbreak scenario. For more information, see If I'm not yet protected against new threats, what countermeasures can I take? on page 33.

    Protection Pending on High-Risk Threats: The updated DAT file for threats assessed by Avert Labs as high risk is pending. However, updated protection is available in a supplemental virus definition (EXTRA.DAT) file, which you can manually download if you need protection before the next full DAT file is available, such as in an outbreak scenario. For more information, see If I'm not yet protected against new threats, what countermeasures can I take? on page 33.


    Database

    The core component of ProtectionPilot is the database, which stores all data about those computers and products you are managing with the software. Typically, the database is installed on the same computer as the server (local database), but you can also install it on a different computer (remote database). You can even take advantage of an existing database.

    Figure 1-5. Local database (diagram labels: Database, Server, Computer)

    Figure 1-6. Remote database (diagram labels: Database, Computer, Server, Computer)


    2 Getting Started with ProtectionPilot

    Before you start using the ProtectionPilot software, you might find it useful to review these sections:

    What to do after installation.

    Answers to common questions.

    Where to find information.

    What to do after installation

    If you have installed or upgraded the server and console, you might need to complete additional tasks to ensure proper functionality.

    Automatic DAT and engine updates.

    Existing update locations (first-time installation only).

    Manual upgrade of the agent (upgrade only).

    Novell environment.

    Proxy settings for the server.

    Windows Firewall exceptions on the server.

    Automatic DAT and engine updates

    By default, ProtectionPilot automatically retrieves detection definition (DAT) files and the scanning engine from McAfee hourly, then begins updating managed products immediately. This default setup ensures that the latest DAT and engine files are protecting your network as soon as they are available.

    You can change how often DAT and engine files are updated. For instructions, see Changing the frequency of DAT and engine updates on page 59.

    Existing update locations (first-time installation only)

    If you have been using update locations (repositories) to centrally distribute detection definition (DAT) files and the scanning engine to computers, this updating strategy is no longer used once you install the server and console. Instead, new DAT and engine files are automatically retrieved from McAfee every hour, and the updating of managed products begins immediately following.


    Although we recommend using this default updating strategy, there are situations in which using AutoUpdate repositories is recommended. For more information, see Managing AutoUpdate Repositories on page 119.

    Manual upgrade of the agent (upgrade only)

    Any managed computer that meets the criteria for manual agent installation will be reported as out-of-date (not up-to-date) until the updated agent is installed on it. For a list, see Criteria for Manual Agent Installation in the ProtectionPilot Release Notes (ReadMe.txt). For instructions, see Manually installing the agent on page 50.

    Novell environment

    You must manually install the agent to computers in Novell networks before you can deploy McAfee products. For instructions, see Manually installing the agent on page 50 and Deploying products to new computers and putting them under management on page 40.

    For more information on managing NetShield for NetWare, see Managing NetShield for NetWare on page 151.

    Proxy settings for the server

    If the ProtectionPilot server connects to the Internet via a proxy server, you need to add these settings before the automatic updating of detection definition (DAT) files and the scanning engine can begin. For instructions, see Adding proxy settings for the server on page 108.

    Windows Firewall exceptions on the server

    If the ProtectionPilot server is running Windows XP Professional, Service Pack 2 and computers being managed by that server are running an operating system other than Windows XP, Service Pack 2, you need to add the agent-to-server communication port (default is 81) as an exception in the Windows Firewall on the server computer. For instructions, see Adding the agent-to-server communication port as a Windows Firewall exception on page 110.

    If the ProtectionPilot server is running Windows XP Professional, Service Pack 2 and you want to install a remote console, you need to add the ProtectionPilot server service (NAIMSERV.EXE) and the console-to-server communication port (default is 82) as exceptions in the Windows Firewall on the ProtectionPilot server computer. For instructions, see Adding the server service and console-to-server communication port as Windows Firewall exceptions on page 111.


    Answers to common questions

    This section provides answers to these commonly asked questions:

    How is up-to-dateness defined?

    Do I have the most current DAT and engine files available?

    What's my current level of protection?

    Are my computers up-to-date?

    Have there been any detections lately?

    Are any of my computers still infected or impacted?

    Which computers have the most detections?

    What are the most prevalent detections?

    Are there any new threats or updates?

    Am I already protected against new threats?

    If I'm not yet protected against new threats, what countermeasures can I take?

    When did I get the latest updates?

    What happens if the maximum number of managed computers is exceeded?

    What happens when multiple managed computers have the same name?

    How can I provide feedback on the software?

    How do I resolve a failed status in the Security Threats data monitor?


    How is up-to-dateness defined?

    There are two items that together define product compliance, or whether a computer is reported as up-to-date. Computers running GroupShield for Exchange or AntiSpyware Enterprise must meet additional requirements to be reported as up-to-date.

    The minimum compliance definition: Any managed computer with one or more product, agent, DAT, or engine versions that are earlier than those defined as the minimum compliance level is reported as out-of-date (not up-to-date). For instructions, see Defining the minimum compliance level on page 112.

    How recently the agent has connected to the server: How long it's been since an agent last communicated with the server affects whether the managed computer is reported as up-to-date. By default, this time period is 7 days. You can change this time period as needed. For instructions, see Changing the definition of not communicating on page 113.

    GroupShield for Exchange computers must also be running VirusScan Enterprise: Computers running GroupShield for Exchange must also be running VirusScan Enterprise 7.0 or later to be reported as up-to-date. Once these computers are compliant, when you add a newer version of GroupShield for Exchange to the server repository or increase its minimum compliance level, the older version of GroupShield for Exchange will be reported as out-of-date.

    AntiSpyware Enterprise computers must also be running VirusScan Enterprise: Computers running AntiSpyware Enterprise must also be running the corresponding version of VirusScan Enterprise to be reported as up-to-date. Once these computers are compliant, when you add a newer version of AntiSpyware Enterprise to the server repository or increase its minimum compliance level, the older version of AntiSpyware Enterprise will be reported as out-of-date.


    Do I have the most current DAT and engine files available?

    In addition to being able to easily determine what your current level of protection is, you can see at-a-glance whether you have the most current detection definition (DAT) files and scanning engine released by McAfee Avert Labs. This protection status appears next to DAT version and Engine version under ProtectionPilot Server.

    Up-to-date: Indicates that the DAT or engine files in the server repository are the most current ones.

    Update Pending: Indicates that Avert Labs has released updated DAT or engine files, but they haven't been retrieved from the McAfee website yet.

    NOTE

    Although the default setup monitors the McAfee website on an hourly basis for updates and every 15 minutes once updates for security threats are released by Avert Labs, it takes time for DAT and engine files to be made available on all McAfee download servers. You can perform an immediate update to see whether this updated protection is available or wait for the default hourly Update Server task to retrieve them. For instructions, see Performing immediate DAT and engine updates on page 58.

    Figure 2-1. Viewing DAT and engine protection status


    What's my current level of protection?

    To view the DAT and engine version numbers:

    From the Home section, see DAT version and Engine version under ProtectionPilot Server.

    From the Server section, see DAT version and Engine version under Server Status.

    To view the version numbers of all products:

    From the Server section, click the Repository tab. The product names and version numbers are listed under Server Repository.

    Figure 2-2. Viewing DAT and engine version numbers from the Home section

    Figure 2-3. Viewing DAT and engine version numbers from the Server section

    Figure 2-4. Viewing the version number of all products in the server repository


    Are my computers up-to-date?

    Once you know what up-to-dateness means and how to control the definition of product compliance, the question becomes: Are my managed computers actually up-to-date? (For more information on product compliance, see How is up-to-dateness defined? on page 26.) Compliance reports break this question down into these categories:

    Up-to-date: All product, agent, DAT, and engine versions are equal to or later than those in the server repository, and the agent has communicated recently.

    Pending: An immediate update has been sent, but the agent has not yet returned the update status to the server.

    Not communicating: The agent hasn't communicated recently.

    Not up-to-date: One or more product, agent, DAT, or engine versions are earlier than those in the server repository, and the agent has communicated recently.

    You can click any of these categories to view compliance details on computers. You can use this data to determine why some computers are non-compliant and take action to bring them up-to-date. For instructions, see Resolving Compliance Issues on page 95.
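    The four compliance categories above, applied to an exported inventory, as an added example (this is not ProtectionPilot code). The record layout, the component names, and all versions and dates are constructed, and checking Pending before the other categories is an assumption, since the guide does not state an order.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default "not communicating" period stated in the guide: 7 days.
DEFAULT_WINDOW = timedelta(days=7)


def version_key(text, width=4):
    """Parse '8.0.0.912' or '4718' into a zero-padded tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


@dataclass
class Computer:
    name: str
    versions: dict                # component -> installed version string
    last_contact: datetime        # last agent-to-server communication
    update_pending: bool = False  # immediate update sent, status not yet returned


def outdated(computer, baseline):
    """Components installed at a version earlier than the baseline."""
    return sorted(
        component
        for component, required in baseline.items()
        if component in computer.versions  # skip products that are not installed
        and version_key(computer.versions[component]) < version_key(required)
    )


def classify(computer, baseline, now, window=DEFAULT_WINDOW):
    """Return (category, reasons) using the four categories from the guide."""
    if computer.update_pending:  # assumption: Pending is evaluated first
        return "Pending", ["immediate update sent, no status returned yet"]
    silent_for = now - computer.last_contact
    if silent_for > window:
        return "Not communicating", [f"no agent contact for {silent_for.days} days"]
    stale = outdated(computer, baseline)
    if stale:
        return "Not up-to-date", [
            f"{c} {computer.versions[c]} is earlier than {baseline[c]}" for c in stale
        ]
    return "Up-to-date", []


def compliance_report(computers, baseline, now, window=DEFAULT_WINDOW):
    """Group computer names by category, keeping the reasons for each."""
    report = {"Up-to-date": [], "Pending": [],
              "Not communicating": [], "Not up-to-date": []}
    for computer in computers:
        category, reasons = classify(computer, baseline, now, window)
        report[category].append((computer.name, reasons))
    return report


# Constructed sample data: names, versions and dates are invented for illustration.
NOW = datetime(2006, 3, 15, 12, 0)
BASELINE = {"agent": "3.5.0.412", "dat": "4718", "engine": "4400",
            "VirusScan Enterprise": "8.0.0.912"}
FLEET = [
    Computer("WS-01", {"agent": "3.5.0.412", "dat": "4718", "engine": "4400",
                       "VirusScan Enterprise": "8.0.0.912"}, NOW - timedelta(hours=3)),
    Computer("WS-02", {"agent": "3.5.0.412", "dat": "4702", "engine": "4400"},
             NOW - timedelta(days=2)),
    Computer("WS-03", {"agent": "3.5.0.412", "dat": "4718", "engine": "4400"},
             NOW - timedelta(days=9)),
    Computer("WS-04", {"agent": "3.5.0.400", "dat": "4690", "engine": "4400"},
             NOW - timedelta(days=1), update_pending=True),
]

if __name__ == "__main__":
    for category, members in compliance_report(FLEET, BASELINE, NOW).items():
        print(category, members)
```

    A computer that has gone silent is reported as Not communicating even when its last known versions match the baseline, which is why WS-03 needs follow-up although nothing on it looks old.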

    Have there been any detections lately?

    Of course, before you can investigate detections, you need to know whether any have occurred recently. Detection reports provide this information to you at-a-glance:

    Cleaned / Blocked: Files where clean or block succeeded.

    Deleted: Files where delete succeeded.

    Quarantined: Files where move (quarantine) succeeded.

    Error: Files where access was denied, or where clean, block, delete, or move (quarantine) failed.

    Warnings: VirusScan Enterprise detections (including buffer overflow exclusions and blocked files, network shares, or folders) found in warning mode. No action is taken on these detections.

    You can click any of these categories to view detection details on computers. You can use this data to determine what has been detected and which files have been impacted. For instructions, see Investigating Detections on page 83.


    Are any of my computers still infected or impacted?

    Once you determine whether there are any current detections (see Have there been any detections lately? on page 29), you'll want to determine whether any computers are still infected by viruses or impacted by potentially unwanted programs. You need to take action on any computers reported under the Quarantined or Error detection categories.

    Which computers have the most detections?

    You can easily find out which computers in your network have the highest number of detections.

    1 From the All Computers section, click the General tab.

    2 Select a timeframe, such as Today or This week.

    3 Click the Total number of detections.

    4 View Detection detail grouped by computers.

    What are the most prevalent detections?

    You can easily determine which detections are most prevalent in your network.

    1 From the All Computers section, click the General tab.

    2 Select a timeframe, such as Today or This week.

    Figure 2-5. Viewing computers with the most detections


    3 Click the Total number of detections.

    4 View Detection detail grouped by detections.

    Are there any new threats or updates?

    The Security Threats data monitor informs you of newly discovered and recently updated threats, and retrieves the detection definition (DAT) files and the scanning engine that provide protection against these threats as they become available.

    Click Security Threats to view details (such as risk level, discovery date, and detection type) about each threat. For instructions, see Viewing and managing notifications on new threats under Keeping Products Up-To-Date in the Help file.

    You can view the last time that new threat notifications were retrieved from the McAfee Avert Labs website and whether that task (DefaultAvertAlerts) was successful in the server log file. For instructions, see Viewing the server log file on page 116.

    Figure 2-6. Viewing the most prevalent detections

    Figure 2-7. Viewing the number of unread threat notifications


    Am I already protected against new threats?

    You can easily determine whether the detection definition (DAT) files and scanning engine in the server repository provide protection against all known threats and, if not, the highest risk level of any new threats.

    Protection Available: The DAT and engine files in the server repository already provide protection against all threats that are known to McAfee Avert Labs. To determine whether each managed computer is protected, view the compliance data from the Home section.

    Protection Pending on Medium-Risk Threats: The updated DAT file for threats assessed by Avert Labs as medium risk is pending. However, updated protection is available in a supplemental virus definition (EXTRA.DAT) file, which you can manually download if you need protection before the next DAT file is available, such as in an outbreak scenario. For instructions, see Updating EXTRA.DAT files under Keeping Products Up-To-Date in the Help file.

    Protection Pending on High-Risk Threats: The updated DAT file for threats assessed by Avert Labs as high risk is pending. However, updated protection is available in a supplemental virus definition (EXTRA.DAT) file, which you can manually download if you need protection before the next DAT file is available, such as in an outbreak scenario. For instructions, see Updating EXTRA.DAT files under Keeping Products Up-To-Date in the Help file.

    Figure 2-8. Viewing protection status and risk assessment of new threats


    If I'm not yet protected against new threats, what countermeasures can I take?

    If or (Protection Pending) appears in the Security Threats data monitor, you can manually download a supplemental virus definition (EXTRA.DAT) file if you need protection before the next full detection definition (DAT) file is available, such as in an outbreak scenario. McAfee occasionally releases EXTRA.DAT files at customer request or in the interim before a full DAT file is released. For instructions, see Updating EXTRA.DAT files under Keeping Products Up-To-Date in the Help file.

    You can have only one version of an EXTRA.DAT file in the server repository or installed on computers at any time. By default, the EXTRA.DAT file is ignored once the next DAT file is available because it incorporates the supplemental information provided by the EXTRA.DAT file. Once all managed computers have received the next DAT file, we recommend removing the EXTRA.DAT file from the server repository. This does not affect existing installations, but prevents the file from being distributed to new computers.

    When did I get the latest updates?

    Regardless of whether you actively monitor the McAfee Avert Labs website for new threats and updates, you will often want to know when the ProtectionPilot server last checked for new detection definition (DAT) files and the scanning engine on the McAfee website, whether that task completed successfully, and when the site will be checked again for new updates.

    From the Home section, see Last update under ProtectionPilot Server.

    What happens if the maximum number of managed computers is exceeded?

    You can manage up to 500 computers using ProtectionPilot. You are notified whenever this limit is exceeded. However, once the number of managed computers reaches 600, you can no longer add new computers. You are also notified whenever this upper limit is reached or exceeded. Computers above 600 are automatically removed from management (the agent is uninstalled from the computers). The security products remain.

    Figure 2-9. Last update answers the question When did I get the latest updates?


    What happens when multiple managed computers have the same name?

    If multiple managed computers have the same computer name, data for the computer that most recently communicated with the ProtectionPilot server appears for all computers whose names are identical. This data includes computer properties, all compliance and detection data, and the agent log file. In addition, all immediate client tasks (Update All, Update, Scan All, Scan, Enforce, and Check Connection) are executed only on the computer that most recently communicated with the server. We recommend that all managed computers have unique computer names.
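    One way to find the computers that are hidden by this behaviour before they go unnoticed, as an added example (not ProtectionPilot code). It assumes an inventory exported from another source such as DHCP or asset records; the record layout, the address field used to tell machines apart, and the sample rows are constructed, and comparing names case-insensitively is an assumption.

```python
from collections import defaultdict
from datetime import datetime


def shadowed_by_name(records):
    """Find computers hidden behind a duplicate computer name.

    records: iterable of (computer_name, address, last_contact) tuples.
    Returns {name: {"visible": address, "shadowed": [addresses]}} for every
    name used by more than one computer. "visible" is the computer that
    communicated most recently, whose data the console would show.
    """
    by_name = defaultdict(list)
    for name, address, last_contact in records:
        # Assumption: names are compared case-insensitively, ignoring padding.
        by_name[name.strip().upper()].append((last_contact, address))

    findings = {}
    for name, seen in by_name.items():
        if len({address for _, address in seen}) < 2:
            continue  # a single computer, possibly listed more than once
        seen.sort(reverse=True)  # most recent communicator first
        visible = seen[0][1]
        shadowed = sorted({a for _, a in seen[1:] if a != visible})
        findings[name] = {"visible": visible, "shadowed": shadowed}
    return findings


# Constructed sample inventory: names, addresses and times are invented.
INVENTORY = [
    ("FRONTDESK", "00-AA-00-00-00-01", datetime(2006, 3, 14, 9, 0)),
    ("frontdesk", "00-AA-00-00-00-02", datetime(2006, 3, 15, 8, 30)),
    ("LAB-PC", "00-AA-00-00-00-03", datetime(2006, 3, 15, 7, 45)),
    ("FrontDesk ", "00-AA-00-00-00-04", datetime(2006, 3, 10, 16, 20)),
]

if __name__ == "__main__":
    for name, finding in shadowed_by_name(INVENTORY).items():
        print(name, "visible:", finding["visible"], "shadowed:", finding["shadowed"])
```

    Every address listed as shadowed is a computer whose compliance and detection data would not be shown and which would not receive immediate client tasks until it is renamed.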

    How can I provide feedback on the software?

    The Submit Product Feedback link allows you to share your experiences about how the product works in your environment and to submit feature requests. Your input will help us improve the product and make sure it best suits your needs.

    NOTE

    Please don't use the feedback form to submit requests for technical assistance, because it is not routed to McAfee Support. To resolve technical issues, contact your designated technical support resources directly.

    The Submit Product Feedback link is available from the Home section.


    To open the form, click Submit Product Feedback under Resource Sites, select the language for providing feedback and the product, then click Submit. Complete the form and click Submit Feedback.

    Figure 2-10. Submit Product Feedback form


    How do I resolve a failed status in the Security Threats data monitor?

    If a failed status appears in the Security Threats data monitor, the ProtectionPilot server cannot retrieve threat notifications or the detection definition (DAT) files and scanning engine that provide protection against these threats as they become available. We recommend that you resolve this issue so you can be informed of newly discovered and recently updated threats.

    Use the information below to verify that the server is set up correctly to receive threat notifications:

    If you use firewall or personal firewall software, you need to ensure that communication port 8801 accepts outbound communication relative to the ProtectionPilot server. This is the port number that the server uses for outbound communication to the McAfee Avert Labs website.

    If the ProtectionPilot server connects to the Internet via a proxy server, you need to add these settings to begin receiving security threat notifications. For instructions, see Adding proxy settings for the server on page 108.

    If you are using the proxy settings in Internet Explorer for the server, we recommend that you define the proxy settings being used in Internet Explorer as custom proxy settings in ProtectionPilot. For instructions, see Adding proxy settings for the server on page 108.

    If the above information doesn't resolve the issue, view the Avert Labs log file. It provides details on the specific reason that the task failed. For instructions, see Viewing the Avert Labs log file on page 117.

    Where to find information

    Once you've completed the post-installation tasks, you are ready to customize the software for your environment, maintain it, and troubleshoot it:

    Making Sure Computers are Managed and Protected: Different ways you can ensure that new computers are put under management and protected by the McAfee security products.

    Keeping Products Up-To-Date: Updating detection definition (DAT) files and the scanning engine, and upgrading existing products with service pack and patch releases.

    Organizing Computers: Keeping your managed computers organized.

    Changing Policies: How to change policy settings and restore the default settings.

    Scheduling Client Tasks: How to schedule the client tasks used to update managed products and scan managed computers.


    Investigating Detections: Investigating and responding to detections.

    Resolving Compliance Issues: Determining why computers are non-compliant and taking action to bring them up-to-date.

    Managing the Server: Tasks associated with managing the ProtectionPilot server.

    Managing AutoUpdate Repositories: When to use AutoUpdate repositories and how to manage them.

    Receiving Notification of Incidents: How to be notified whenever McAfee security products detect activity categorized at a certain priority level.

    Managing AntiSpyware Enterprise: Tasks for managing AntiSpyware Enterprise are outlined here with references to the detailed steps.

    Managing AntiSpyware Enterprise Standalone: Tasks for managing AntiSpyware Enterprise standalone are outlined here with references to the detailed steps.

    Managing GroupShield for Exchange: Tasks for managing GroupShield for Exchange are outlined here with references to the detailed steps.

    Managing Earlier Versions of VirusScan: Tasks for managing versions of VirusScan Enterprise that are earlier than those deployed during installation are outlined here with references to the detailed steps.

    Managing NetShield for NetWare: Tasks for managing NetShield for NetWare are outlined here with references to the detailed steps.

    Reference: Tasks for backing up, restoring, and maintaining the ProtectionPilot database, and reference information on predefined variables used in the software; see the Help file.


    3 Making Sure Computers are Managed and Protected

    There are a number of ways you can ensure that new computers are put under management and are protected by the McAfee security products.

    This section covers these tasks for managing and protecting new computers:

    Deploying products to new computers and putting them under management.

    Putting existing McAfee products under management.

    Updating groups of computers from domains.

    Manually installing the agent.

    Adding computers that use a system image of a managed computer.

    Adding products to the server repository.

    The Help file covers this additional task for managing and protecting new computers:

    Replacing Symantec AntiVirus with VirusScan Enterprise.


    Deploying products to new computers and putting them under management

    For option definitions, click Help or in the interface.

    1 From the All Computers section on the General tab, click Add Computers under Management Tasks.

    2 Click Next in the Add Computers Wizard.

    3 Select the desired domains, workgroups, or individual computers, then click Next.

    Figure 3-1. Add Computers Wizard Select computers to be managed


    4 Specify how to organize the selected computers under All Computers, then click Next.

    To Add Computers To... | Select...
    Existing groups with predefined IP settings. | According to group IP settings or domain names.
    Existing groups with the same name as the computer's domain or workgroup. | According to group IP settings or domain names.
    An existing group. | In an existing group, then select the desired group from the list.
    A new group. | In a new group, then type its name in the box.

    Figure 3-2. Add Computers Wizard Specify how the selected computers should be placed into groups


    5 Select the desired products, then click Next. If the product isn't listed here, you need to add it to the server repository. For instructions, see Adding products to the server repository on page 51.

    Figure 3-3. Add Computers Wizard Select products to deploy


    6 To deploy the agent to computers, select Push agent. Not all computers support remote installation of the agent. For more information, see Step 7 on page 44.

    a To hide the agent installation, select Hide agent installation user interface for agent push.

    b In Domain\User, type the credentials to use when installing the agent on the selected computers:

    Figure 3-4. Add Computers Wizard Specify agent deployment options

    If the computers are in a domain...

    Then, these permissions are needed... | Use this format in Domain\User...
    Domain administrator (in that domain) | \ (Example: MAIN\ADMINISTRATOR)
    Local administrator (on those computers) | \ (Example: SHULL\ADMINISTRATOR)
    Local administrator (on the ProtectionPilot server) | .\ (Example: .\ADMINISTRATOR)


    c In Password, type the password associated with the user account that you provided.

    7 To save the agent package (FramePkg.exe) for manual installation, select Download agent, then click Browse to select a location. For instructions, see Manually installing the agent on page 50.

    NOTE

    The agent must be manually installed on any computer that meets specified criteria. For a list, see Criteria for Manual Agent Installation in the ProtectionPilot Release Notes (ReadMe.txt).

    8 Click Next, then Finish. Computers appear in the console within three minutes at most.

    If the computers are in a workgroup...

    Then, these permissions are needed... | Use this format in Domain\User...
    Local administrator (on those computers) | \ Example: SHULL\ADMINISTRATOR
    NOTE: We recommend setting up the same local administrator user account on all computers, so you can put all of the computers under management at once.
    Local administrator (on the ProtectionPilot server) | .\ Example: .\ADMINISTRATOR
    NOTE: The local administrator user accounts on the server and on each computer must be the same.


    Putting existing McAfee products under management

    For option definitions, click Help or in the interface.

    1 From the All Computers section on the General tab, click Add Computers under Management Tasks.

    2 Click Next in the Add Computers Wizard.

    3 Select the desired domains, workgroups, or individual computers, then click Next.

    Figure 3-5. Add Computers Wizard - Select computers to be managed


    4 Specify how to organize the selected computers under All Computers, then click Next.

    To Add Computers To... | Select...
    Existing groups with predefined IP settings. | According to group IP settings or domain names.
    Existing groups with the same name as the computers' domain or workgroup. | According to group IP settings or domain names.
    An existing group. | In an existing group, then select the desired group from the list.
    A new group. | In a new group, then type its name in the box.

    Figure 3-6. Add Computers Wizard - Specify how the selected computers should be placed into groups


    5 Deselect all products, then click Next.

    6 To deploy the agent to computers, select Push agent. Not all computers support remote installation of the agent. For more information, see Step 7 on page 48.

    a To hide the agent installation, select Hide agent installation user interface for agent push.

    b In Domain\User, type the credentials to use when installing the agent on the selected computers:

    Figure 3-7. Add Computers Wizard - Select products to deploy

    Figure 3-8. Add Computers Wizard - Specify agent deployment options


    c In Password, type the password associated with the user account that you provided.

    7 To save the agent package (FramePkg.exe) for manual installation, select Download agent, then click Browse to select a location. For instructions, see Manually installing the agent on page 50.

    NOTE

    The agent must be manually installed on any computer that meets specified criteria. For a list, see Criteria for Manual Agent Installation in the ProtectionPilot Release Notes (ReadMe.txt).

    8 Click Next, then Finish. Computers appear in the console within three minutes at most.

    If the computers are in a domain...

    Then, these permissions are needed... | Use this format in Domain\User...
    Domain administrator (in that domain) | \ Example: MAIN\ADMINISTRATOR
    Local administrator (on those computers) | \ Example: SHULL\ADMINISTRATOR
    Local administrator (on the ProtectionPilot server) | .\ Example: .\ADMINISTRATOR

    If the computers are in a workgroup...

    Then, these permissions are needed... | Use this format in Domain\User...
    Local administrator (on those computers) | \ Example: SHULL\ADMINISTRATOR
    NOTE: We recommend setting up the same local administrator user account on all computers, so you can put all of the computers under management at once.
    Local administrator (on the ProtectionPilot server) | .\ Example: .\ADMINISTRATOR
    NOTE: The local administrator user accounts on the server and on each computer must be the same.


    Updating groups of computers from domains

    When computers join a domain, the Update Groups From Domains server task adds them to the group, puts them under management, and applies the policies and tasks for that group to them. By default, this task is disabled.

    NOTE

    Remember, the agent must be manually installed on computers that meet specified criteria. For a list, see Criteria for Manual Agent Installation in the ProtectionPilot Release Notes (ReadMe.txt). For instructions, see Manually installing the agent on page 50.

    When computers leave a domain, they remain in the group. The agent and security products remain on the computers.

    You can view the names of computers that were added by this server task in the server log file. For instructions, see Viewing the server log file on page 116.

    For option definitions, click Help or in the interface.

    To update groups of computers from domains:

    1 From the Server section on the Summary tab, click Update Groups From Domains under Server Tasks to expand the task options.

    2 Click Add.

    3 Type the name of the domain in Domain name.

    Figure 3-9. Update Groups From Domains server task


    4 Type the user name of a domain administrator account in that domain in Domain User Name.

    5 Type the password for the domain administrator account in Domain password, then confirm it by re-typing it in Re-Enter password.

    6 Select the desired frequency options. For example, let's say you want to update groups every day at noon. Select the Daily interval, then indicate that the task should run every day at 12:00 pm.

    7 Be sure that the Enabled box is selected.

    8 Click Apply Settings under Management Tasks to save the current entries.

    Manually installing the agent

    You need to distribute the agent package (FramePkg.exe) to users for them to install when their computers meet specified criteria. For a list, see Criteria for Manual Agent Installation in the ProtectionPilot Release Notes (ReadMe.txt).

    Once installed, the agent contacts the ProtectionPilot server within three minutes at most, and the computer appears in Lost&Found.

    To save the agent package for manual installation:

    1 From the Home section, click Download Agent Package under Management Tasks.

    2 Click Save when asked whether you want to open or save the file.

    3 Specify a location, then click Save.

    4 Once the file has been downloaded, click Close in the Download Complete dialog box.

    Figure 3-10. Adding a new domain


    To manually install the agent:

    Install the agent via a logon script.

    OR

    Distribute the file to users using one of these methods, and ask them to install the agent by double-clicking the FramePkg.exe file:

    Network directory - Copy the package to a network directory (for example, \\\) to which users have permissions.

    Removable media - Copy the package to removable media (for example, 3.5-inch disk).

    Email - Attach the package to an email message.

    Adding computers that use a system image of a managed computer

    You can install the agent and McAfee products on computers used to create system images of software. The first time you log on to a computer built using a system image that includes the agent, the agent immediately contacts the ProtectionPilot server.

    If this computer meets the criteria of existing groups (domain or workgroup membership or IP settings), it appears in those groups; otherwise, it appears in Lost&Found.

    Adding products to the server repository

    During the installation, the files you need to deploy (send and install) those products available for deployment are added to the server repository. For a list, see Products Available for Deployment During Installation in the ProtectionPilot Release Notes (ReadMe.txt). Before you can deploy other products, you must add their package (PkgCatalog.z) file to the server repository. The server repository stores product releases and updates, and is where managed computers retrieve them. Package files contain the Setup program and other files needed for product deployment.

    For option definitions, click Help or in the interface.

    1 Locate the package (PkgCatalog.z) file on the product CD, or download it from the McAfee website (requires a McAfee grant number):

    http://www.mcafee.com/us/downloads/

    2 From the Server section, click the Repository tab. The Manage AutoUpdate Repositories page appears.


    3 Click Check In Package under Management Tasks.

    4 Click Next in the Check In Package wizard.

    5 Select Products and updates, then click Next.

    6 Click Browse to select the package (PkgCatalog.z) file for the product.

    7 Click Finish, then OK.

    Figure 3-11. Check In Package Wizard (page 1)

    Figure 3-12. Check In Package Wizard (page 2)


    4 Keeping Products Up-To-Date

    The task of keeping your security products up-to-date includes updating detection definition (DAT) files and the scanning engine, and upgrading existing products with service pack and patch releases.

    This section covers these tasks for keeping products up-to-date:

    Upgrading products.

    Adding policy pages to the server repository.

    Adding extended policy pages to the server repository.

    Performing immediate DAT and engine updates.

    Changing the frequency of DAT and engine updates.

    The Help file covers these additional tasks for keeping products up-to-date:

    Downloading and updating DAT or engine files manually.

    Updating DAT or engine files using SuperDAT packages.

    Updating EXTRA.DAT files.

    Downgrading DAT files.

    Starting a program after an update.

    Viewing and managing notifications on new threats.


    Upgrading products

    Use this procedure to deploy new versions of McAfee products to managed computers. Periodically, you might also want to upgrade existing products with service pack or patch releases.

    For option definitions, click Help or in the interface.

    1 Locate the package (PkgCatalog.z) file on the product CD, or download it from the McAfee website (requires a McAfee grant number):

    http://www.mcafee.com/us/downloads/

    2 From the Server section, click the Repository tab. The Manage AutoUpdate Repositories page appears.

    3 Click Check In Package under Management Tasks.

    4 Click Next in the Check In Package wizard.

    5 Select Products and updates, then click Next.

    Figure 4-1. Check In Package Wizard (page 1)


    6 Click Browse to select the package (PkgCatalog.z) file for the product release.

    7 Click Finish, then OK. Managed products are immediately upgraded.

    Adding policy pages to the server repository

    During the initial installation, the policy pages (.nap), which you need to be able to change settings for those products available for deployment, are added to the server repository. For a list, see Products Available for Deployment During Installation in the ProtectionPilot Release Notes (ReadMe.txt). Before you can change settings for other products, you must add their policy pages to the server repository. The server repository stores product policy pages locally. Policy pages contain the files needed to change policy settings and create scheduled tasks for products.

    For option definitions, click Help or in the interface.

    1 Locate the policy page (.nap) on the product CD, or download it from the McAfee website (requires a McAfee grant number):

    http://www.mcafee.com/us/downloads/

    2 From the Server section, click the Repository tab. The Manage AutoUpdate Repositories page appears.

    3 Click Check In Package under Management Tasks.

    Figure 4-2. Check In Package Wizard (page 2)


    4 Select Management NAP, then click Next.

    5 Click Browse to select the policy page (.nap) for the product.

    6 Click Finish.

    Figure 4-3. Check In Package Wizard (page 1)

    Figure 4-4. Check In Package Wizard (page 2)


    Adding extended policy pages to the server repository

    Before you can view detection and compliance data for selected products, you must add their extended policy pages (.nap) to the server repository. The server repository stores extended product policy pages locally. Extended policy pages contain the files needed to extend detection and compliance reporting for selected products.

    For option definitions, click Help or in the interface.

    1 Locate the extended policy page (.nap) on the product CD, or download it from the McAfee website (requires a McAfee grant number):

    http://www.mcafee.com/us/downloads/

    2 From the Server section, click the Repository tab. The Manage AutoUpdate Repositories page appears.

    3 Click Check In Package under Management Tasks.

    4 Select Extended NAP, then click Next.

    Figure 4-5. Check In Package Wizard (page 1)


    5 Click Browse to select the extended policy page (.nap) for the product.

    6 Click Finish.

    Performing immediate DAT and engine updates

    By default, ProtectionPilot automatically retrieves detection definition (DAT) files and the scanning engine from McAfee hourly, then begins updating managed products immediately. The software also monitors the McAfee website every 15 minutes once updates for security threats are released by McAfee Avert Labs because it takes time for DAT and engine files to be made available on all McAfee download servers. You can perform an immediate update to see whether this updated protection is available or wait for the default hourly Update Server task to retrieve them.

    You can immediately update managed products by first checking the McAfee website for new DAT and engine files, or by using the files that are in the server repository.

    Figure 4-6. Check In Package Wizard (page 2)


    To update from McAfee:

    1 From the Home section, click Update All under Management Tasks. The Update All Wizard appears and lists the version numbers of the most current DAT and engine files.

    2 Click Finish to perform the update.

    To update from the server repository:

    From the All Computers section on the General tab, click Update under Management Tasks.

    Changing the frequency of DAT and engine updates

    You can change how often ProtectionPilot checks the McAfee website for updated detection definition (DAT) files and the scanning engine.

    For option definitions, click Help or in the interface.

    1 From the Server section on the Summary tab, click Server Update under Server Tasks to expand the task options.

    2 Select the desired frequency options. For example, let's say you want to retrieve updates from McAfee every Wednesday at noon. Select the Weekly interval, then indicate that the task should run every Wednesday at 12:00 pm.

    Figure 4-7. Update All Wizard


    3 Be sure that the Enabled box is selected.

    4 Click Apply Settings under Management Tasks to save the current entries.

    Figure 4-8. Server Update server task


    5 Organizing Computers

    You most likely have reasons to apply different product settings and tasks to each department, office, or computer type. How you organize your managed computers under All Computers can be a useful tool in their management. For example, you might want more restrictive product settings on server computers than on workstations. Keeping your managed computers organized is an important aspect in managing them efficiently.

    This section covers these tasks for managing the organization of computers under All Computers:

    Defining the organization of computers.

    Renaming groups.

    Moving computers between groups.

    Uninstalling managed products.

    Removing a computer from management.

    Removing an entire group of computers from management.

    The Help file covers this additional information and tasks for managing the organization of computers under All Computers:

    Lost&Found.

    Adding IP settings to existing groups.

    Modifying IP settings of existing groups.

    Deleting IP settings from existing groups.

    Verifying the integrity of IP settings.

    Sorting computers by IP address.


    Defining the organization of computers

    You define how to organize the computers you want to manage by creating groups. A group is a collection of computers that share common characteristics. You can create groups based on domain or workgroup membership; logical groupings (for example, geographic location or computer type, such as server versus workstation); or IP address. Groups simplify management by allowing you to perform tasks on all computers in a group at once.

    For option definitions, click Help or in the interface.

    To create a group:

    1 From the All Computers section on the General tab, click Add Group under Management Tasks.

    2 Click Next in the Add Group Wizard.

    By domain or workgroup membership:

    Select Domain name, select the domain or workgroup from the list box, then click Next.

    Using logical groupings:

    Select Group name, type a descriptive and unique name in the box, then click Next twice.

    Figure 5-1. Add Group Wizard - Specify group name


    By IP address:

    a Select Group name, type a descriptive and unique name in the box, then click Next.

    b Click Add to open the IP Management dialog box. You can define multiple IP settings for a group by repeating this step.

    NOTE

    IP addresses cannot overlap between or within groups.

    c When you're done defining the IP settings, click Next.

    3 Click Finish. Groups appear in the console within three minutes at most.

    To specify an IP address range, type the beginning and ending IP addresses in the range in IP range, then click OK. Use this format: XXX.XXX.XXX.XXX, where X is 0-255; for example, 161.69.0.0 - 161.69.255.255.

    To specify an address mask, type the address mask and number of significant bits in IP subnet mask, then click OK. Use this format: XXX.XXX.XXX.XXX/YY, where X is 0-255 and Y is 0-32.

    For example, the address mask 161.69.0.0/16 equals the range 161.69.0.0 - 161.69.255.255. The address mask 161.69.255.0/18 equals the range 161.69.192.0 - 161.69.255.255.
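    The two IP setting formats and the rule that IP addresses cannot overlap between or within groups can be checked on paper before the settings are typed into the wizard. The Python sketch below is an added example, not part of ProtectionPilot or of this guide; the group names, sample addresses and function names are constructed for illustration, and group_for is only a simplified model of sorting a computer into a group by IP address.

```python
import ipaddress
from itertools import combinations

# Constructed sample layout; group names and addresses are illustrative only.
SAMPLE_GROUPS = {
    "SERVERS": ["161.69.0.0 - 161.69.63.255"],
    "WORKSTATIONS": ["161.69.255.0/18", "10.1.0.0/16"],
    "LAB": ["161.69.200.0 - 161.69.200.255"],
}


def parse_ip_setting(text):
    """Return (first, last) addresses covered by one IP setting.

    Accepts the two formats described in the guide:
      range: "161.69.0.0 - 161.69.255.255"
      mask:  "161.69.255.0/18" (address plus number of significant bits)
    """
    text = text.strip()
    if "/" in text:
        # strict=False keeps only the significant bits, so host bits set in
        # the typed address (as in 161.69.255.0/18) are ignored.
        net = ipaddress.IPv4Network(text, strict=False)
        return net.network_address, net.broadcast_address
    first_text, sep, last_text = text.partition("-")
    if not sep:
        raise ValueError(f"not a range or mask: {text!r}")
    first = ipaddress.IPv4Address(first_text.strip())
    last = ipaddress.IPv4Address(last_text.strip())
    if first > last:
        raise ValueError(f"range starts after it ends: {text!r}")
    return first, last


def find_overlaps(groups):
    """Return every pair of settings that overlap, within or between groups.

    groups maps a group name to a list of IP setting strings. Each conflict
    is reported as ((group, setting), (group, setting)).
    """
    spans = [
        (name, setting, *parse_ip_setting(setting))
        for name, settings in groups.items()
        for setting in settings
    ]
    conflicts = []
    for a, b in combinations(spans, 2):
        # Two inclusive ranges overlap when each starts before the other ends.
        if a[2] <= b[3] and b[2] <= a[3]:
            conflicts.append(((a[0], a[1]), (b[0], b[1])))
    return conflicts


def group_for(address, groups, fallback="Lost&Found"):
    """Simplified model: first group whose IP settings contain the address."""
    ip = ipaddress.IPv4Address(address)
    for name, settings in groups.items():
        for setting in settings:
            first, last = parse_ip_setting(setting)
            if first <= ip <= last:
                return name
    return fallback


if __name__ == "__main__":
    for left, right in find_overlaps(SAMPLE_GROUPS):
        print("overlap:", left, "<->", right)
```

    In the sample layout, the LAB range falls inside the WORKSTATIONS mask 161.69.255.0/18, which covers 161.69.192.0 - 161.69.255.255, so that pair is reported as a conflict to resolve before the groups are created.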

    Figure 5-2. Add Group Wizard - Specify IP settings


    Renaming groups

    You can easily rename groups as you refine the organization of managed computers.

    1 In the tree pane under McAfee ProtectionPilot | All Computers, right-click a group, then click Rename.

    2 Type the new name, then press Enter.

    Moving computers between groups

    You can use cut-and-paste or drag-and-drop operations to move computers from one group to another. Remember that if a computer belongs to a group that is based on IP addresses, the computer will reappear in that group whenever you sort computers by IP address until you modify the group's IP settings to exclude it. For instructions, see Modifying IP settings of existing groups in the Help file.

    You will most often need to move computers from the Lost&Found into the correct group. We recommend that you first move computers from the Lost&Found to their respective groups before taking any other actions on them. For more information on this special group, see Lost&Found in the Help file.

    Drag the computer from one group to another.

    OR

    1 In the tree pane under McAfee ProtectionPilot | All Computers, right-click a computer from one group, then click Cut.

    2 Right-click another group, then click Paste.

    Uninstalling managed products

    You can uninstall more than one managed product at a time regardless of whether all selected computers have those products installed on them. For example, let's say the WORKSTATION group includes computers running VirusScan Enterprise only and computers running both VirusScan Enterprise and AntiSpyware Enterprise. You can select the WORKSTATION group, then select both VirusScan Enterprise and AntiSpyware Enterprise; the appropriate products are automatically removed from each computer in the group.

    1 In the tree pane under McAfee ProtectionPilot, select All Computers, a group of computers, or an individual computer.

    2 Click Uninstall Products under Management Tasks.


    3 Click Next, then select the products that you want to remove from the computers.

    4 Click Next, then Finish. Computers are reported as pending until the selected products are removed.

    Removing a computer from management

    When you delete a computer, it is removed from its group under All Computers and removed from management (the agent is uninstalled from the computer). You can also uninstall managed products at the same time.

    NOTE

    You cannot remove the ProtectionPilot server from management.

    Figure 5-3. Uninstall Products Wizard


    To remove a computer from management:

    1 In the tree pane under McAfee ProtectionPilot | All Computers, right-click a computer from its group, then click Delete.

    2 Select the products that you want to remove from the computer and click Yes. Selected products, then the agent are uninstalled. Compute