
McAfee MOVE AntiVirus Multi-Platform 3.6.1 Product Guide

Date post: 23-Mar-2018
Upload: vankhanh
Page 1: 3.6.1 McAfee MOVE AntiVirus Multi-Platform McAfee MOVE AntiVirus Multi-Platform 3.6.1 Product Guide. Contents ... (OSS Manager) 35 ... B Server command-line interface reference 79

Product Guide

McAfee MOVE AntiVirus Multi-Platform 3.6.1


COPYRIGHT

Copyright © 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee ActiveProtection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation

1 Introduction
  How the software works
  Components and what they do
  Features
    New features
  Before you start

2 Installation and configuration
  Requirements
  Download McAfee MOVE AV Multi-Platform packages
  Install McAfee MOVE AV
    Install the extension packages
    Install the VirusScan Enterprise for Linux extension
    Deploy the McAfee MOVE AV offload scan server
    Deploy the McAfee MOVE AV client
    Deploy in a XenDesktop or VMware View environment
    Install the McAfee MOVE AV client manually
  Uninstall McAfee MOVE AV Multi-Platform
    Uninstall the client and offload scan server with ePolicy Orchestrator
    Remove the client or offload scan server package from ePolicy Orchestrator
    Uninstall the extensions
    Uninstall the SVA Manager
  Troubleshooting installation issues

3 Upgrade McAfee MOVE AV Multi-Platform
  Upgrade the extension
  Upgrade the MOVE AV offload scan server with ePolicy Orchestrator
  Upgrade persistent virtual machines
  Upgrade non-persistent virtual machines
  Upgrade the MOVE AV client with ePolicy Orchestrator
    Create a MOVE AV client upgrade task
    Assign the McAfee MOVE AV client upgrade task to virtual systems
  Upgrade SVA Manager using the Debian package

4 McAfee SVA Manager (OSS Manager)
  OSS assignment made easy
  Set up the SVA Manager
  Configuring SVA Manager
  Configuring the SVA Manager policy
    Add or edit an SVA Manager assignment rule using IP address
    Add or edit an SVA Manager assignment rule using McAfee ePO tag
  Configure an offload scan server policy
  Configure a client policy: Assign OSS to clients using SVA Manager

5 Monitoring and management
  Integration with ePolicy Orchestrator
  Policy management
    Configuring policies
    Create a policy
    Assign a policy
  Configuring permissions sets
    Configure permission sets
  Queries and reports
    Modify the VirusScan Enterprise compliance query results
    Default queries
  Dashboards and monitors
    MOVE Multi-Platform dashboard
    Report visibility and health of the offload scan server
  Global Threat Intelligence
    Change the Global Threat Intelligence level
    Create a policy specifying offload scan server
  Handling potentially malicious files
    Isolating malicious files in quarantine
    Change threat quarantine behavior
    Restore quarantined items
    Change the primary threat response
    Change when files are scanned
    Enable and configure on-demand scans
    Targeted on-demand scan
    Configure deferred scan settings
    Enable and configure RAM disk
    Scan diagnostics
  Communication between virtual machines and offload scan servers
    Change the offload scan server settings
    Change the offload scan server port
  McAfee MOVE AV Multi-Platform client alerts
    Triggered events
    Change the client alert behavior
    Change the offload scan server alert behavior
  Self-protection

A Client command-line interface reference
  Access the CLI
    config
    disable
    enable
    ftypes
    help
    loglevel
    pp
    q
    status
    version
  Password protected CLI
    Set password for client CLI

B Server command-line interface reference
  Access the CLI
    cache
    config
    help
    loglevel
    stats
    version

C Install the offload scan server

Index


Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents

• About this guide

• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses these typographical conventions and icons.

• Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.

• Bold: Text that is strongly emphasized.

• User input, code, message: Commands and other text that the user types; a code sample; a displayed message.

• Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.

• Hypertext blue: A link to a topic or to an external website.

• Note: Additional information, like an alternate method of accessing an option.

• Tip: Suggestions and recommendations.

• Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

• Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task

1 Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.

2 In the Knowledge Base pane, click a content source:

• Product Documentation to find user documentation

• Technical Articles to find KnowledgeBase articles

3 Select Do not clear my filters.

4 Enter a product, select a version, then click Search to display a list of documents.


1 Introduction

McAfee Management for Optimized Virtual Environments AntiVirus (McAfee® MOVE AntiVirus) is an anti-virus solution for virtual environments. It removes the need to install an anti-virus application on every virtual machine (VM), yet provides the protection and performance needed for your organization requirements.

Traditional security solutions for virtual machines need anti-virus applications running on every virtual machine (VM) on a hypervisor, contributing to high disk, CPU, and memory usage. This reduces VM density on each hypervisor.

McAfee MOVE AV solves this issue by offloading all on-access scanning to a dedicated VM that runs McAfee® VirusScan® Enterprise. As a result, traditional anti-virus applications are not required on each guest VM, improving performance and increasing VM density per hypervisor.

McAfee MOVE AV brings advanced malware protection to your virtualized environments, and integrates real-time threat intelligence with security management across your physical and virtual infrastructure.

McAfee MOVE AV provides two deployment options: Agentless and Multi-Platform. Both deployment options provide consistent protection, and are managed and reported by McAfee® ePolicy Orchestrator® (McAfee ePO™).


Agentless

This solution integrates with VMware vShield using VMware vShield Endpoint. It addresses the challenges of protecting your virtual environment and keeping it free of malware without a McAfee® Agent, resulting in easy deployment and setup.

The Agentless deployment option:

• Uses the VMware vShield Endpoint API to receive scan requests from VMs on the hypervisor

• Relies on McAfee® VirusScan® Enterprise for Linux for SVA protection and updates

• Uses McAfee ePO to manage the MOVE configuration on the SVA

• Leverages the McAfee Agent for policy and event handling

• Uses McAfee ePO for reports on viruses that are discovered on the VMs

This option is described in the product documentation for McAfee MOVE AV (Agentless).

Multi-Platform

This solution removes the need to install an anti-virus application on every VM, and it is the original agent-based deployment option.

The Multi-Platform deployment option offloads all scanning to a dedicated VM — an offload scan server — that runs McAfee VirusScan Enterprise software. Guest VMs are no longer required to run anti-virus software locally, which improves performance for anti-virus scanning, and increases VM density per hypervisor.

The Multi-Platform deployment option:

• Uses McAfee ePO to manage the MOVE configuration on the client systems, offload scan server, and SVA Manager (OSS Manager).

• Leverages the McAfee Agent for policy and event handling.

• Uses McAfee ePO for reports on viruses that are discovered on the VMs.

This document covers installation, configuration, and product usage information for McAfee MOVE AV (Multi-Platform).

Contents

• How the software works

• Components and what they do

• Features

• Before you start

How the software works

Traditional security solutions for virtual environments run as an anti-virus application on every VM on the hypervisor. This setup places a heavy burden on disk, CPU, and memory usage and results in reduced VM density per hypervisor.

The Multi-Platform deployment option offloads all scanning to a dedicated VM — an offload scan server — that runs McAfee® VirusScan® Enterprise software. Guest VMs are no longer required to run anti-virus software locally, which results in improved performance for anti-virus scanning, and increased VM density per hypervisor.


McAfee MOVE AV Multi-Platform supports both on-access and on-demand scanning:

On-access scanning — Examines files on your computer as they are accessed, providing continuous, real-time detection of threats.

On-demand scanning — Examines all files on virtual machines for potential threats. On-demand scans supplement the continuous protection of on-access scanning. You can also schedule regular scans at times that do not interfere with your work.

Components and what they do

Each component performs specific functions to keep your environment protected.


• ePolicy Orchestrator — Communicates with the McAfee Agent, manages the Multi-Platform configuration, and provides reports on malware discovered within your virtual environment.

• Hypervisor — Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating system.

• McAfee Agent — Communicates with ePolicy Orchestrator, applies policies to each virtual machine, and deploys the McAfee MOVE AV client.

• McAfee MOVE AV client — Allows virtual machines to work with the offload scan server (OSS) for file scanning and malware detection. Enforces actions on the client when a threat is detected.

• McAfee MOVE AV Offload Scan Server — Provides offloaded scanning support for virtual machines, which minimizes the performance impact on virtual desktops.

• McAfee SVA Manager (OSS Manager) — Automatically assigns offload scan servers to MOVE Multi-Platform clients based on configurable parameters like Scan Server load, McAfee ePO tags, and IP address ranges.

• McAfee MOVE AV client extension — Provides policies and controls for configuring and managing the behavior of the McAfee MOVE AV client through ePolicy Orchestrator.

• McAfee MOVE AV Offload Scan Server extension — Provides policies and controls for configuring and managing the behavior of the McAfee MOVE AV offload server through ePolicy Orchestrator.

• VirusScan Enterprise — Provides anti-virus protection for the offload scan server VM and communicates with the GTI servers.

• Data Center Connector for vSphere — Integrates the management and automation feature of McAfee ePO to discover and manage your guest VMs.

For information about the other products in the solution, download their documentation from the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

Features

McAfee® MOVE AntiVirus features are important for your organization's system security, protection, and performance.

Centralized management

McAfee MOVE AV integrates fully into McAfee ePO, leveraging its infrastructure for automated security reporting, monitoring, deployment, and policy administration.

Optimized scanning

McAfee MOVE AV provides higher operational benefits, and minimizes the performance impact on virtual servers with enhanced scan avoidance and scanning based on overall work load of the hypervisor.

Flexible deployment

McAfee MOVE AV offers the flexibility to choose your preferred deployment model:

• One option works across multiple virtualization platforms.

• An agentless option that leverages the VMware vShield technology.


Greater Data Center visibility

McAfee Data Center Connector, which is also part of the Data Center Security suite, provides a complete view into virtual data centers and imports key properties like servers, hypervisors, virtual machines through the McAfee ePO console.

You can register a cloud account for VMware vSphere, Amazon Web Services (AWS), or OpenStack with McAfee ePO to discover and gain visibility into all VMs, and protect them using McAfee® MOVE AntiVirus. For details, see the product documentation for your version of Data Center Connector.

McAfee SVA Manager (OSS Manager)

McAfee SVA Manager integrates fully into McAfee MOVE AV Multi-Platform, and it automatically assigns the MOVE Offload Scan Servers to McAfee MOVE AV Multi-Platform clients based on configurable parameters like Scan Server load, McAfee ePO tags, and IP address ranges.

The SVA Manager component:

• Simplifies administrative management by automating the assignment of clients to the offload scan servers.

• Provides visibility of scan server status by monitoring the health of the offload scan servers.

• Performs load-balancing of offload scan servers.

Scan diagnostic tool

You can run the scan diagnostic tool to easily find frequently scanned files, extensions, and VMs, then use these results to exclude them from being scanned. A good set of exclusions improves the performance of the virtual infrastructure.

Restore quarantined items

McAfee MOVE AV deletes any items that are detected as threats, converts a copy of the item to a non-executable format, and saves it in the Quarantine folder. These quarantined items can be restored later.

Quarantined items can include files and cookies.

Targeted on-demand scan

The targeted on-demand scan feature allows the administrator to select a system or a group of systems from the System Tree in McAfee ePO and assign a client task to initiate the on-demand scan immediately.

The OSS runs the specified Maximum concurrent targeted scans per Offload Scan Server in addition to the Maximum concurrent scans per Offload Scan Server defined in the policy.

RAM disk for scanning

RAM disk is used by the OSS for file scanning and it significantly reduces the disk I/O on the offload scan server. You can enable the RAM disk option in the ePolicy Orchestrator server. RAM disk is created by the OSS and it improves the OSS performance by enhancing the scan time.


New features

This release of the product includes these new features.

Deferred scan settings

The deferred scan feature optimizes file scanning for files where the previous scanning is timed out for reasons such as large file size, file structure, and file composition. Whenever the previous scanning is timed out, the scanning for the particular file starts again with an increased or new time-out depending on the file size.

You can configure this time-out value and the file size using the ePolicy Orchestrator server.

Scan diagnostics using McAfee ePO

You can now run the scan diagnosis using the McAfee ePO server to easily find frequently scanned files, extensions, processes, and VMs, then use these results to exclude them from being scanned. A good set of exclusions improves the performance of the virtual infrastructure.

Optimization for frequently modified files

Enabling this option reduces the scan-time for files that are modified frequently. The scan-time optimization is achieved by storing the cached offsets of the scan results during the first scan of a file and passing them to the offload scan server with the required payload data.

This mechanism reduces the scan time for the subsequent scan of the file by decreasing multiple network hops and payload data transfers.

By default, this option is enabled.

Before you start

Perform these tasks before starting installation and configuration of McAfee MOVE AV software.

• Remove or disable any anti-virus application installed on target virtual machines, such as VirusScan Enterprise or Windows Defender, before deploying McAfee MOVE AV client software.

• If VirusScan Enterprise is installed, create an ePolicy Orchestrator product deployment client task to uninstall it from each virtual machine that receives the McAfee MOVE AV client.

Citrix Ready

It is important to note that McAfee MOVE AV Multi-Platform is a Citrix Ready solution.


2 Installation and configuration

To set up your environment for the Multi-Platform deployment option, download the McAfee MOVE AV Multi-Platform components, and deploy the McAfee MOVE AV client and offload scan server to target systems.

Contents

• Requirements

• Download McAfee MOVE AV Multi-Platform packages

• Install McAfee MOVE AV

• Uninstall McAfee MOVE AV Multi-Platform

• Troubleshooting installation issues

Requirements

Make sure that your environment includes these components, and that they meet these requirements.

Software requirements

• ePolicy Orchestrator 4.6.8, 5.1.0, 5.1.1, or 5.3.0

• McAfee Agent 4.8 and later

• VirusScan Enterprise 8.8

To prevent multiple DAT updates to VirusScan Enterprise from occurring at the same time, we recommend distributing the policy between primary and secondary offload scan servers.

For details about system requirements and instructions for setting up the ePolicy Orchestrator environment, see the McAfee ePolicy Orchestrator Installation Guide.

System requirements

The offload scan server requires a dedicated virtual machine with VirusScan Enterprise 8.8 installed. The virtual machine must meet these requirements:

• Operating system: Windows 2008 R2 SP1, or Windows 2008 SP2 (64-bit), or Windows 2012 R2

• CPU: 4 vCPU, 2 GHz or higher

• Memory: 6 GB RAM or higher

• Free disk space: 8 GB or higher

• Other requirements: Static IP address. This is required only when configuring the policies using the IP address.

The McAfee MOVE AV client software requires one of these operating systems:

• Windows XP SP3 (32-bit)

• Windows Vista (32-bit or 64-bit)

• Windows 7 (32-bit or 64-bit)

• Windows 8 (32-bit or 64-bit)

• Windows 8.1 (32-bit or 64-bit)

• Windows 10 (32-bit or 64-bit)

• Windows 2003 R2 SP2 (32-bit)

• Windows 2008 SP2 (32-bit or 64-bit)

• Windows 2008 R2 SP1 (64-bit)

• Windows 2012

• Windows 2012 R2 (64-bit)

Windows XP virtual machines require 512 MB of RAM or more. All other operating systems require 1 GB of RAM or more.

Requirements for SVA Manager

• Operating system: Ubuntu 12.04.5

• Software: VirusScan Enterprise for Linux 2.0.2.29099; McAfee Agent 4.8

• Hypervisors: VMware ESXi 5.0 or above; Citrix XenServer 6.0 or above; Microsoft 2012 R2 Hyper-V or above

• CPU: 2 vCPU

• Memory: 2 GB RAM or higher

To deploy on Hyper-V, convert the .vmdk file, part of SVA Manager appliance, into a .vhd file, then attach the .vhd file as a hard disk to a new VM in Hyper-V.

To convert .vmdk to .vhd, you can use the Microsoft Virtual Machine Converter software.


Download McAfee MOVE AV Multi-Platform packages

You must download the McAfee MOVE AV Multi-Platform package before the components can be deployed to virtual systems or installed on ePolicy Orchestrator.

• From the McAfee download site (http://www.mcafee.com/us/downloads/), download these individual packages.

Package name: Description

• MOVE-AV-MP_Offload_Scan_Server_3.6.1.zip: Offload scan server package

• MOVE-AV-MP_Client_3.6.1_WIN.zip: Client deployment package

• MOVE-AV-MP_Ext_3.6.1_Licensed.zip: License extension; upgrades evaluation extension to a fully licensed extension. This package installs all extensions for OSS, client, MOVE SVA Manager, and license.

• MOVE-AV-MP_SVA_MANAGER_3.6.1.zip: MOVE SVA Manager package

• MOVE-AV-MP_HELP_EXT_3.6.1.zip: MOVE AV Multi-Platform Help Extension

• MOVE-AV-MP_DOCS_3.6.1.zip: MOVE AV Multi-Platform documentation package

Install McAfee MOVE AV

These installation tasks must be performed and can be completed in the order specified here.

You can use Data Center Connector for vSphere, which discovers and imports both running and stopped machine instances from VMware vCenter to the McAfee ePO server. This product integrates the management feature of McAfee ePO with the VMware vCenter server, displaying the imported virtual machines' security and scan status on McAfee ePO.

You can use this report to install the MOVE AV Multi-Platform product to the target virtual systems, which are discovered and imported with the Data Center Connector. For details about installing and configuring the Data Center Connector for vSphere, see Data Center Connector for vSphere Product Guide.

Tasks• Install the extension packages on page 18

The McAfee MOVE AV client and offload scan server extension packages must be installed inePolicy Orchestrator before you can manage McAfee MOVE AV on your virtual machines.

• Install the VirusScan Enterprise for Linux extension on page 18Install this extension only to manage the VirusScan Enterprise for Linux policy on the SVAManager.

• Deploy the McAfee MOVE AV offload scan server on page 19After the McAfee MOVE AV offload scan server package has been added to McAfee ePO, youcan deploy the offload scan server to virtual machines.

• Deploy the McAfee MOVE AV client on page 21After the McAfee MOVE AV client package has been added to McAfee ePO, you can deploythe client to virtual machines.

• Deploy in a XenDesktop or VMware View environment on page 23When operating in a XenDesktop or VMware View environment, follow these steps to avoidcreating duplicate systems in ePolicy Orchestrator.

• Install the McAfee MOVE AV client manually on page 23It is possible to install the client manually without deploying it from ePolicy Orchestrator.


Install the extension packages

The McAfee MOVE AV client and offload scan server extension packages must be installed in ePolicy Orchestrator before you can manage McAfee MOVE AV on your virtual machines.

Before you begin

Download the extension file MOVE‑AV‑MP_Ext_3.6.1_Licensed.zip from the McAfee download site.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Software | Extensions | Install Extension.

2 Browse to and select the extension file, then click OK.

3 Verify that the product name appears in the Extensions list.

The license extension turns a trial client extension into a fully licensed extension.

Install the VirusScan Enterprise for Linux extension

Install this extension only to manage the VirusScan Enterprise for Linux policy on the SVA Manager.

VirusScan for Linux is only licensed for use on the SVA Manager, and is not licensed for use on other Linux systems in your environment.

For instructions on how to install, configure, and create a product update task, see the McAfee VirusScan Enterprise for Linux Configuration Guide.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Software | Extensions | Install Extension.

2 Browse to and select each extension file, then click OK.

For extension and package details, see the product documentation for your version of VirusScan Enterprise for Linux.

3 Verify that the product name appears in the Extensions list.


Deploy the McAfee MOVE AV offload scan server

After the McAfee MOVE AV offload scan server package has been added to McAfee ePO, you can deploy the offload scan server to virtual machines.

Tasks

• Check in the offload scan server package — Check in the McAfee MOVE AV Multi-Platform offload scan server and client packages to the master repository so that ePolicy Orchestrator can deploy it.

• Create a product deployment client task — Deploying the McAfee MOVE AV offload scan server from ePolicy Orchestrator requires two tasks. You must first create a deployment client task, then assign that task to virtual machines.

• Assign a client task — The McAfee Agent must already be deployed to target virtual systems before running client tasks.

Check in the offload scan server package

Check in the McAfee MOVE AV Multi-Platform offload scan server and client packages to the master repository so that ePolicy Orchestrator can deploy it.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Software | Master Repository, then click Actions | Check In Package.

2 Select the Package type, then browse to and select the package file MOVE‑AV‑MP_Offload_Scan_Server_3610.zip.

3 Click Next to open the Package Options page.

4 Confirm or configure the following:

• Package info — Confirm this is the correct package.

• Branch — Select the required branch. If your environment requires testing new packages before deploying them throughout the production environment, we recommend using the Evaluation branch to check in packages. Once you finish testing the packages, you can move them to the Current branch by clicking Menu | Software | Master Repository.

• Options — Select whether to:

• Move the existing package to the Previous branch — When selected, moves packages in the master repository from the Current branch to the Previous branch when a newer package of the same type is checked in. Available only when you select Current in Branch.

• Package signing — Specifies if the package is signed by McAfee or is a third-party package.

5 Click Save to begin checking in the package, then wait while the package is checked in.

The offload scan server package appears in the Packages list on the Master Repository tab.


Create a product deployment client task

Deploying the McAfee MOVE AV offload scan server from ePolicy Orchestrator requires two tasks. You must first create a deployment client task, then assign that task to virtual machines.

Before you begin

You must check in the McAfee MOVE AV Multi-Platform offload scan server package before you can create a client task.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog.

2 Select Product Deployment in the Client Task Types menu, then click Actions | New Task.

3 Select Product Deployment from the list, then click OK to open the Client Task Builder wizard.

4 Type a name for the task you are creating, and add any descriptive information in the Description field.

5 Make sure that Windows is the only Target platform selected.

6 For Products and components:

a For offload scan server, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1 from the drop-down list.

b Set the Action to Install, set the Language to Language Neutral, and set the Branch to Current.

c Leave the Command line setting blank.

7 Review the task settings, then click Save.

The task is added to the list of client tasks for the selected client task type.

Assign a client task

The McAfee Agent must already be deployed to target virtual systems before running client tasks.

Before you begin

You must check in the McAfee MOVE AV Multi-Platform offload scan server package before you can run a client task.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Policy | Client Task Assignments, then click the Assigned Client Tasks tab.

2 Click Actions | New Client Task Assignment.

3 Select these settings, then click Next.

• Product — McAfee Agent

• Task Type — Product Deployment

• Task Name — The name of the task you used when you created the client task


4 On the Schedule tab, enter the information appropriate to this task.

5 Examine the settings on the Summary tab, then click Save to assign the task.

Deploy the McAfee MOVE AV client

After the McAfee MOVE AV client package has been added to McAfee ePO, you can deploy the client to virtual machines.

Tasks

• Check in the client package — Check in the McAfee MOVE AV Multi-Platform client package to the master repository so that ePolicy Orchestrator can deploy it.

• Create a product deployment client task — Deploying the McAfee MOVE AV client from ePolicy Orchestrator requires two tasks. You must first create a deployment client task, then assign that task to virtual machines.

• Assign a client task — The McAfee Agent must already be deployed to target virtual systems before running client tasks.

Check in the client package

Check in the McAfee MOVE AV Multi-Platform client package to the master repository so that ePolicy Orchestrator can deploy it.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Software | Master Repository, then click Actions | Check In Package.

2 Select the Package type, then browse to and select the package file MOVE‑AV‑MP_Client_3610_WIN.zip.

3 Click Next to open the Package Options page.

4 Confirm or configure the following:

• Package info — Confirm this is the correct package.

• Branch — Select the required branch. If your environment requires testing new packages before deploying them throughout the production environment, we recommend using the Evaluation branch to check in packages. Once you finish testing the packages, you can move them to the Current branch by clicking Menu | Software | Master Repository.

• Options — Select whether to:

• Move the existing package to the Previous branch — When selected, moves packages in the master repository from the Current branch to the Previous branch when a newer package of the same type is checked in. Available only when you select Current in Branch.

• Package signing — Specifies if the package is signed by McAfee or is a third-party package.

5 Click Save to begin checking in the package, then wait while the package is checked in.

The client package appears in the Packages list on the Master Repository tab.


Create a product deployment client task

Deploying the McAfee MOVE AV client from ePolicy Orchestrator requires two tasks. You must first create a deployment client task, then assign that task to virtual machines.

Before you begin

You must check in the McAfee MOVE AV Multi-Platform client package before you can create a client task.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog.

2 Select Product Deployment in the Client Task Types menu, then click Actions | New Task.

3 Select Product Deployment from the list, then click OK to open the Client Task Builder wizard.

4 Type a name for the task you are creating, and add any descriptive information in the Description field.

5 Make sure that Windows is the only Target platform selected.

6 For Products and components:

a For client, select MOVE AV [Multi-Platform] Client 3.6.1 from the drop-down list.

b Set the Action to Install, set the Language to Language Neutral, and set the Branch to Current.

c Leave the Command line setting blank.

7 Review the task settings, then click Save.

The task is added to the list of client tasks for the selected client task type.

Assign a client task

The McAfee Agent must already be deployed to target virtual systems before running client tasks.

Before you begin

You must check in the McAfee MOVE AV Multi-Platform client package before you can run a client task.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Policy | Client Task Assignments, then click the Assigned Client Tasks tab.

2 Click Actions | New Client Task Assignment.

3 Select these settings, then click Next.

• Product — McAfee Agent

• Task Type — Product Deployment

• Task Name — The name of the task you used when you created the client task

4 On the Schedule tab, enter the information appropriate to this task.


5 Examine the settings on the Summary tab, then click Save to assign the task.

The McAfee MOVE AV client is deployed to every system in the selected group in the System Tree.

6 Confirm that the McAfee MOVE AV client is successfully installed:

a Log on to the McAfee MOVE AV client system as an administrator.

b Open the McAfee MOVE AV client command prompt and enter this command: mvadm status

The command line returns protection status details if the client is successfully installed.

Deploy in a XenDesktop or VMware View environment

When operating in a XenDesktop or VMware View environment, follow these steps to avoid creating duplicate systems in ePolicy Orchestrator.

Before you begin

The McAfee Agent must already be installed on the master image, and the McAfee MOVE AV client must already be in the master repository.

Task

1 Deploy the McAfee MOVE AV client to the master image, then verify that it was applied successfully.

2 Configure and apply McAfee MOVE AV policies to the master image, then verify that they were applied successfully.

3 In the master image, delete the registry key AgentGUID from the location determined by your Windows operating system.

• 32-bit — HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent (32‑bit)

• 64-bit — HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent (64‑bit)

4 Shut down the master image and clone all virtual machines from that master image.

When cloned images are turned on, new agent GUID values are automatically restored.
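A pre-clone check for step 3, as an added PowerShell example that is not part of the McAfee guide: it removes AgentGUID from both Agent key locations listed above and re-reads the registry to confirm it is gone before the master image is shut down. It assumes an elevated session and that AgentGUID is stored as a named value under the Agent key; the function name Clear-AgentGuid is hypothetical.

```powershell
# Added example, not from the McAfee guide. Run elevated on the master image
# after the client and policies are applied and before shutting down to clone.
# Assumption: AgentGUID is a named value under the Agent key.

$AgentKeys = @(
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent',
    'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
)

function Clear-AgentGuid {
    # Hypothetical helper: removes AgentGUID from each path and reports the outcome.
    param(
        [string[]]$Path = $AgentKeys,
        [switch]$ReportOnly      # inspect without deleting anything
    )

    foreach ($key in $Path) {
        $state = 'KeyNotPresent'
        if (Test-Path -LiteralPath $key) {
            $found = Get-ItemProperty -LiteralPath $key -Name 'AgentGUID' -ErrorAction SilentlyContinue
            if ($null -eq $found) {
                $state = 'AlreadyAbsent'
            } elseif ($ReportOnly) {
                $state = 'Present'
            } else {
                Remove-ItemProperty -LiteralPath $key -Name 'AgentGUID' -ErrorAction Stop
                # Re-read instead of trusting the delete call.
                $check = Get-ItemProperty -LiteralPath $key -Name 'AgentGUID' -ErrorAction SilentlyContinue
                $state = if ($null -eq $check) { 'Removed' } else { 'StillPresent' }
            }
        }
        [pscustomobject]@{ Key = $key; AgentGuid = $state }
    }
}

$report = @(Clear-AgentGuid)
$report | Format-Table -AutoSize

# Gate the shutdown: the guide removes the GUID so that clones do not show up
# as duplicate systems in ePolicy Orchestrator.
if ($report | Where-Object { $_.AgentGuid -in 'Present', 'StillPresent' }) {
    Write-Error 'AgentGUID still present; do not clone this image yet.'
} else {
    Write-Output 'AgentGUID cleared; the master image can be shut down and cloned.'
}
```

Call `Clear-AgentGuid -ReportOnly` first to see the current state without changing the registry.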

Install the McAfee MOVE AV client manually

It is possible to install the client manually without deploying it from ePolicy Orchestrator.

Before you begin

• Download the McAfee MOVE AV installer and store it in a location accessible from the system where it will be installed.

• The McAfee Agent must be installed on the target system.

This procedure is used only when you don't want to use ePolicy Orchestrator to deploy the client to the target system.


Task

1 From the McAfee MOVE AV client package, extract the appropriate client installer based on your Windows operating system.

• 64-bit — setup‑win‑amd64.exe

• 32-bit — setup‑win‑x86.exe

2 Run the installer, then click Next in the Welcome screen.

3 In the License Agreement screen, accept the EULA, then click Next.

4 In the Customer information screen, enter a user name and organization, then click Next.

5 In the Destination folder screen, choose the default location or specify a different location, then click Next.

6 In the Ready to install the program screen, click Install.

7 Click Finish to complete the installation.

8 To configure the manual installation, open the McAfee MOVE AV client command prompt: click Start | Programs | McAfee | MOVE AV client Command Prompt, and run these commands.

• mvadm status

• mvadm config set serveraddress1=<Address of offload server 1>

• mvadm config set serveraddress2=<Address of offload server 2>

The offload scan server address can be entered in FQDN or IPv4 format.

• mvadm enable

The McAfee MOVE AV client is now installed and running on the target system.

Uninstall McAfee MOVE AV Multi-Platform

A full uninstall involves removing these components: McAfee MOVE AV client, McAfee MOVE AV offload scan server, and the McAfee MOVE AV Multi-Platform extensions.

Tasks

• Uninstall the client and offload scan server with ePolicy Orchestrator — Uninstalling the McAfee MOVE AV client with ePolicy Orchestrator requires two tasks. First create an uninstallation client task, then assign that task to virtual systems.

• Remove the client or offload scan server package from ePolicy Orchestrator — Remove the client or offload scan server package from the ePolicy Orchestrator console.

• Uninstall the extensions — Uninstall the McAfee MOVE AV Multi-Platform extensions from ePolicy Orchestrator.

• Uninstall the SVA Manager — Uninstalling the SVA Manager involves these steps.


Uninstall the client and offload scan server with ePolicy Orchestrator

Uninstalling the McAfee MOVE AV client with ePolicy Orchestrator requires two tasks. First create an uninstallation client task, then assign that task to virtual systems.

Tasks

• Create an uninstallation task — You must create an uninstallation task before you can apply it to systems and remove the software from the client.

• Assign the uninstallation task to virtual systems — The uninstallation task must be assigned to virtual systems to take effect.

Create an uninstallation task

You must create an uninstallation task before you can apply it to systems and remove the software from the client.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog.

2 In the left column under McAfee Agent, select Product Deployment.

3 Click Actions | New Task, select Product Deployment, then click OK.

4 Type the name of the task, like Uninstall MOVE AV client on VM client, and an optional Description.

5 Make sure that Windows is the only Target platform selected.

6 For Products and components, select the following, then click Next.

a Select MOVE AV [Multi-Platform] client 3.6.1 or MOVE AV [Multi-Platform] Offload Scan Server 3.6.1 from the first drop-down list.

b Set the Action to Remove, set the Language to Language Neutral, and set the Branch to Current.

c Leave the Command Line setting blank.

7 Select the remaining options according to your environment's best practices, then click Save.

The newly created task appears in the Client Task Catalog.

Assign the uninstallation task to virtual systems

The uninstallation task must be assigned to virtual systems to take effect.

Before you begin

The McAfee MOVE AV client is added to the Master Repository and your virtual systems are added to the System Tree.

Task

For option definitions, click ? in the interface.

1 Select a group in the System Tree.

2 Click Menu | Policy | Client Task Assignments, then click the Assigned Client Tasks tab.


3 Click Actions | New Client Task Assignment.

4 Select these settings, then click Next.

• Product — McAfee Agent

• Task Type — Product Deployment

• Task Name — The name of the task you created earlier

5 On the Schedule tab next to Schedule type, select Run Immediately from the drop-down list, set the Options as appropriate, then click Next.

6 Examine the settings displayed on the Summary tab, then click Save to assign the task.

The McAfee MOVE AV client is removed from every system in the selected group in the System Tree.

Remove the client or offload scan server package from ePolicy Orchestrator

Remove the client or offload scan server package from the ePolicy Orchestrator console.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, select Menu | Software | Master Repository.

2 Select MOVE AV [Multi-Platform] client 3.6.1 or MOVE AV [Multi-Platform] Offload Scan Server 3.6.1, then click Delete.

You can also use the Windows Control Panel to remove the offload scan server.

Uninstall the extensions

Uninstall the McAfee MOVE AV Multi-Platform extensions from ePolicy Orchestrator.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Software | Extensions.

2 From the Extensions tab under McAfee group, select MOVE-AV.

3 Click Remove next to each extension.

You must now uninstall both the base and license extensions. The license extension must beremoved first.

4 Delete reports and queries manually after uninstalling the extension.

Uninstall the SVA Manager

Uninstalling the SVA Manager involves these steps.

Before you begin

You must have sudo rights to perform these actions.


Task

1 Log on to the SVA Manager appliance (virtual machine).

2 Run the sudo poweroff command, which shuts down the appliance.

3 Log on to the hypervisor that is hosting the SVA Manager appliance, then delete the SVA Manager VM.

4 Remove the SVA Manager entry from the McAfee ePO server.

Troubleshooting installation issues

Common operating issues encountered in a McAfee MOVE AV deployment can be resolved by performing these actions.

• From the offload scan server system, check that the MOVE AV server service is running and listening on the specified port. The default port is 9053.

• Check that the McAfee MOVE AV client can communicate through any firewalls with the McAfee MOVE AV offload scan server on the specified port.

• Verify that the McAfee MOVE AV client is enabled. Run the mvadm status command from a McAfee MOVE AV client command-line interface with administrator rights.

• Make sure that the McAfee MOVE AV policy on ePolicy Orchestrator is configured correctly.

• Protection State is Enabled

• McAfee MOVE AV offload scan server addresses are configured correctly

• Check that VirusScan Enterprise 8.8 is installed and working properly on the McAfee MOVE AV offload scan server virtual machine, and that a recent DAT is present.

• When configuring SVA Manager, make sure that both client and OSS are able to communicate with SVA Manager.
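The first two checks in the list can be run from a client in one pass; this is an added PowerShell example, not part of the McAfee guide. The server addresses are constructed placeholders, Test-OffloadServer is a hypothetical helper, and the default port 9053 is assumed.

```powershell
# Added example, not from the McAfee guide. Run on a MOVE AV client.
# Constructed placeholder addresses: replace with the values configured via
# "mvadm config set serveraddress1=..." and "serveraddress2=...".
$OffloadServers = @('oss1.example.internal', '192.0.2.10')

function Test-OffloadServer {
    # Hypothetical helper: classifies why a client cannot reach an offload scan server.
    param(
        [Parameter(Mandatory = $true)][string]$Address,
        [int]$Port = 9053,          # default port stated in the guide
        [int]$TimeoutMs = 3000
    )

    $r = [pscustomobject]@{ Address = $Address; Format = $null; ResolvedTo = $null; Result = $null }

    # The guide lists FQDN and IPv4 as the address formats.
    if ($Address -match '^\d{1,3}(\.\d{1,3}){3}$') {
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) {
            $r.Format = 'Invalid'; $r.Result = 'BadIPv4Literal'; return $r
        }
        $r.Format = 'IPv4'
        $target = $ip
    } else {
        $r.Format = 'FQDN'
        try {
            $target = [System.Net.Dns]::GetHostAddresses($Address) |
                Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
                Select-Object -First 1
        } catch {
            $r.Result = 'DnsFailure'; return $r      # name does not resolve from this client
        }
        if ($null -eq $target) { $r.Result = 'NoIPv4Record'; return $r }
    }
    $r.ResolvedTo = $target.ToString()

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($target, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No answer at all: packets are being dropped, typically by a firewall
            # between the client and the offload scan server.
            $r.Result = 'Timeout'
        } else {
            $client.EndConnect($pending)
            $r.Result = 'Open'                       # something is listening on the port
        }
    } catch {
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException] -and
            $base.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # Host reachable but nothing listening: check the MOVE AV server
            # service and its configured port on the offload scan server.
            $r.Result = 'Refused'
        } else {
            $r.Result = "Error: $($base.Message)"
        }
    } finally {
        $client.Close()
    }
    return $r
}

$OffloadServers | ForEach-Object { Test-OffloadServer -Address $_ } | Format-Table -AutoSize
```

An Open result only shows that the port accepts connections; follow it with mvadm status on the client to confirm protection is enabled.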


3 Upgrade McAfee MOVE AV Multi-Platform

Review this list before upgrading your environment.

• Version 3.6.1 of the MOVE AV client and the offload scan server upgrades over versions 3.5.x and 3.6.0.

• To upgrade McAfee MOVE AV Multi-Platform, you need to upgrade these components in the order specified here:

1 Product extension

2 Offload scan server

3 MOVE AV client

The SVA Manager (OSS Manager) upgrade from 3.5.x to 3.6.x is not supported. Because of the hardening changes made in the 3.6.0 release, you need to remove and redeploy the SVA Manager. However, the upgrade from 3.6.0 to 3.6.1 is supported using the Debian package.

• VirusScan Enterprise 8.8 must be installed on the target system before you deploy the offload scan server.

We recommend that you upgrade the McAfee scanning engine to the latest 5700 engine that provides enhanced detection capabilities.

Contents

• Upgrade the extension

• Upgrade the MOVE AV offload scan server with ePolicy Orchestrator

• Upgrade persistent virtual machines

• Upgrade non-persistent virtual machines

• Upgrade the MOVE AV client with ePolicy Orchestrator

• Upgrade SVA Manager using the Debian package

Upgrade the extension

Version 3.6.1 of the McAfee MOVE AV (Multi-Platform) extension upgrades the 3.5.x and 3.6.0 extensions on the McAfee ePO server.

Before you begin

Make sure that the extension file is in an accessible location on the network.


Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Software | Extensions.

2 When the Extensions page opens, click Install Extension.

3 Browse to and select the MOVE‑AV‑MP_Ext_3.6.1_Licensed.zip file, then click OK.

4 After a confirmation message, click OK.

All policies created in version 3.5.x or 3.6.0 exist after you upgrade to version 3.6.1.

Upgrade the MOVE AV offload scan server with ePolicy Orchestrator

We recommend staggering the offload scan server upgrades so that protection is maintained on the legacy client virtual machines.

In environments that are made up primarily of persistent images, creating additional version 3.6.1 offload scan servers is preferable to upgrading existing offload scan servers.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, select McAfee Agent | Product Deployment, then click Actions | New Task.

2 Make sure that Product Deployment is selected, then click OK.

3 Type a name for the task you are creating and add any notes.

4 Next to Target platforms, select Windows as the type of platform to use for deployment.

5 Next to Products and components, set the following:

• Select the product from the first drop-down list.

The products listed are those for which you have already checked in a package to the Master Repository. If you do not see the product you want to deploy, you must first check in that product’s package.

• Set the Action to Install, then select the Language of the package, and the Branch.

• To specify command-line installation options, type command-line options in the Command line text field. See the product documentation for information about command-line options of the product you are installing.

You can click + or – to add or remove products and components from the displayed list.

6 (Windows only) Next to Options, select if you want to run this task for every policy enforcement process, then click Save.

7 Click Menu | Systems | System Tree | Assigned Client Tasks, then select the required group in the System Tree.


8 Select the Preset filter as Product Deployment (McAfee Agent).

Each assigned client task per selected category appears in the details pane.

9 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder wizard.

10 On the Select Task page, select Product as McAfee Agent and Task Type as Product Deployment, then select the task you created to deploy the product.

11 Next to Tags, select the platforms to which you are deploying the packages, then click Next.

• Send this task to all computers

• Send this task to only computers that have the following criteria — Use one of the edit links to configure the criteria.

12 On the Schedule page, select whether the schedule is enabled, and specify the schedule details, then click Next.

13 Review the summary, then click Save.

Upgrade persistent virtual machines

Upgrading persistent virtual machines provides nearly seamless virus protection, but requires the overhead of duplicate offload scan servers during the upgrade process.

We recommend this method for environments comprised primarily of persistent virtual machines, where the 2.6.2/3.5.x and 3.6.x clients require support from the offload scan server during the client migration process.

Task

1 Install the 3.6.1 package and upgrade the extension in ePolicy Orchestrator.

2 Create a new virtual server and install VirusScan Enterprise 8.8 on that server.

3 Install the offload scan server version 3.6.1 on the virtual server.

4 Create a new McAfee MOVE AV (Multi-Platform) 3.6.1 policy that references the offload scan server you created in the previous step, and assign it to the virtual machines being upgraded.

The existing client policy configuration can be used during the upgrade. However, once you use the new settings specified in the client's offload scan server assignment policy, you can no longer use the existing manual policy configuration.

5 Create an ePolicy Orchestrator client task to upgrade the McAfee MOVE AV clients to version 3.6.1.

As the upgrade task is executed on virtual machines, the VMs begin to use the 3.6.1 offload scanner for file scanning.

6 After all clients are upgraded to version 3.6.1, shut down the version 2.6.2, 3.5.x, or 3.6.0 offload scan servers.

Upgrade non-persistent virtual machines

Upgrading non-persistent virtual machines does not require creating additional offload scan servers, although it might result in a window of time when virtual machines are unprotected.

McAfee recommends that you perform this upgrade during scheduled downtime.


Task

For option definitions, click ? in the interface.

1 Install the 3.6.1 Master Repository client and OSS packages and upgrade the extensions in ePolicy Orchestrator.

2 Create a new 3.6.1 client policy definition that references existing offload scan server systems.

The existing client policy configuration can be used during the upgrade. However, once you use the new settings specified in the client's offload scan server assignment policy, you can no longer use the existing manual policy configuration.

3 From the ePolicy Orchestrator console, upgrade all offload scan servers to version 3.6.1.

Virtual machines serviced by upgraded offload scan servers do not have anti-virus protection until after this task is completed.

4 Change the master or golden image by deploying version 3.6.1 of the McAfee MOVE AV client from ePolicy Orchestrator, or by manually upgrading the client directly on the master image.

Upgrade the MOVE AV client with ePolicy Orchestrator

Upgrading MOVE AV clients from ePolicy Orchestrator requires two tasks. You must first create an upgrade client task, then assign that task to virtual machines.

Tasks

• Create a MOVE AV client upgrade task — Before you can upgrade the MOVE AV client, you must create a client upgrade task.

• Assign the McAfee MOVE AV client upgrade task to virtual systems — The upgrade task must be assigned to virtual systems to take effect.

Create a MOVE AV client upgrade task

Before you can upgrade the MOVE AV client, you must create a client upgrade task.

Task

For option definitions, click ? in the interface.

1 Open the Client Task Catalog: click Menu | Policy | Client Task Catalog.

2 In the left column under McAfee Agent, select Product Deployment.

3 Click Actions | New Task, select Product Deployment, then click OK.

4 Type the name of the task, for example, Upgrade MOVE AV client on VM client, and add information in the Description field.

5 Make sure that Windows is the only Target platform selected.

6 For Products and components:

a Select MOVE AV client 3.6.1 from the first drop-down list.

b Set the Action to Install, set the Language to Language Neutral, and set the Branch to Current.

c Leave the Command line setting blank.

7 Select the remaining options according to your environment's best practices, then click Save.

The newly created task appears in the Client Task Catalog.

Assign the McAfee MOVE AV client upgrade task to virtual systems

The upgrade task must be assigned to virtual systems to take effect.

Before you begin

You must have already added the MOVE AV client to the master repository, and added your virtual systems to the System Tree.

Task

For option definitions, click ? in the interface.

1 Select a group in the System Tree.

2 Click Menu | Policy | Client Task Assignments, then click the Assigned Client Tasks tab.

3 Click Actions | New Client Task Assignment.

4 Select these settings, then click Next.

• Product — McAfee Agent

• Task Type — Product Deployment

• Task Name — The name of the task you created earlier

5 On the Schedule tab next to Schedule type, select Run Immediately from the drop-down list, set the Options as needed, then click Next.

6 Examine the settings on the Summary tab, then click Save to assign the task.

The McAfee MOVE AV client is upgraded on every system in the selected group in the System Tree.

Upgrade SVA Manager using the Debian package

For upgrading MOVE AntiVirus Multi-Platform SVA Manager from 3.6.0 to 3.6.1, you need to first upgrade the product extension, then the MOVE binaries using the Debian package.

Task

For option definitions, click ? in the interface.

1 Download MOVE‑AV‑MP_SVA_MANAGER_DBE_3.6.1.zip.

2 Check in the MOVE‑AV‑MP_SVA_MANAGER_DBE_3.6.1.zip package to the master repository in McAfee ePO.

3 Deploy the software package and assign it to the existing SVA using the product deployment task in McAfee ePO.

Make sure you select the Target platforms as Linux while creating the deployment task.

4 Enforce the policy.

After a successful deployment, you can verify the SVA Manager version in System Tree.

4 McAfee SVA Manager (OSS Manager)

McAfee SVA Manager is a pre-packaged virtual appliance, which automatically assigns McAfee MOVE AV Multi-Platform offload scan servers to MOVE Multi-Platform clients.

This assignment is based on configurable parameters like Scan Server load, McAfee ePO tags, and IP address ranges.

Contents

• OSS assignment made easy
• Set up the SVA Manager
• Configuring SVA Manager
• Configuring the SVA Manager policy
• Configure an offload scan server policy
• Configure a client policy: Assign OSS to clients using SVA Manager

OSS assignment made easy

An offload scan server can generally be assigned to 200–400 endpoints, depending on the load of the endpoints.

Let us consider that your organization has about 10,000 endpoints. If you assign 200 endpoints per OSS, you need about 50 offload scan servers and 50 policies that specify which offload scan servers a group of virtual machines uses. After you create this policy, you must assign it before it takes effect. It is a time-consuming task to manually assign these policies to the OSS.

The McAfee SVA Manager can create IP address-based assignment rules and tag-based assignment rules where a range of endpoints are automatically assigned to a group of OSS.

Set up the SVA Manager

You must set up and configure the SVA Manager before registering the OSS and assigning it to a group of clients.

Before you begin

You must have administrator rights to perform this task.

Task

1 Create the SVA Manager appliance (virtual machine) by deploying the SVA Manager OVF template and configuring a VM network for communication with the SVA Manager.

2 Turn on the VM.

3 At the prompt, log on with these credentials:

• User name: svaadmin

• Password: svaadmin

4 Configure the VM appliance with these details:

• IP address and host name of the McAfee ePO server

• Network — DHCP or Static

We recommend that you select Static IP address for SVA Manager.

• McAfee ePO credentials

Check for the correct format of the user name, for example: domain\user name.

• DNS servers

• Time zone

5 Verify that these communication ports are open and reachable on the SVA Manager:

• 8080 — For communication between SVA Manager and the client

• 8081 — For communication between McAfee Agent and McAfee ePO

• 8443 — For communication between SVA Manager and the OSS

By default, these ports are already opened through the firewall installed on the appliance. However, we recommend that you verify that the firewall settings in your environment are configured to allow communication on these ports.

Now, the SVA Manager service can communicate with McAfee ePO through the McAfee Agent. You must now set the required policies in McAfee ePO.

Use this command to manually run the configuration script: sudo /home/svaadmin/.sva-config
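
The port check in step 5 can be scripted and run from each machine that has to reach the SVA Manager. This is an added example, not part of the McAfee guide or product; the role names (client, epo, oss), the choice of which machine tests which port, and the ROLE=PORT override syntax are assumptions of the example.

```python
#!/usr/bin/env python3
"""Probe the SVA Manager ports from step 5 from the machine that must reach them."""
import argparse
import errno
import socket
import sys

# Default ports and their purpose as listed in the guide. The role names and the
# idea of testing each port from the matching machine are assumptions of this example.
DEFAULT_PORTS = {
    "client": (8080, "SVA Manager <-> MOVE AV client"),
    "epo": (8081, "McAfee Agent <-> McAfee ePO"),
    "oss": (8443, "SVA Manager <-> offload scan server"),
}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered', 'unreachable' or 'error:<reason>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The host answered with a reset: reachable, but nothing listens there.
        return "refused"
    except socket.timeout:
        # No answer within the timeout: usually a firewall dropping the packets.
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error:" + errno.errorcode.get(exc.errno, str(exc))


def check(host, roles, overrides=None, timeout=3.0):
    """Probe the port of each role; overrides maps a role to a custom port
    (for example one changed under Communication Ports in the policy)."""
    overrides = overrides or {}
    results = []
    for role in roles:
        default_port, purpose = DEFAULT_PORTS[role]
        port = overrides.get(role, default_port)
        results.append((role, port, purpose, probe(host, port, timeout)))
    return results


def main(argv=None):
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("host", help="SVA Manager IP address or host name")
    parser.add_argument("--role", action="append", choices=sorted(DEFAULT_PORTS),
                        help="port(s) to test from this machine (default: all)")
    parser.add_argument("--port", action="append", default=[], metavar="ROLE=PORT",
                        help="custom port configured in the policy (hypothetical "
                             "value shown), e.g. client=9080")
    parser.add_argument("--timeout", type=float, default=3.0)
    args = parser.parse_args(argv)

    overrides = {}
    for item in args.port:
        role, _, value = item.partition("=")
        if role not in DEFAULT_PORTS or not value.isdigit():
            parser.error("bad --port value: " + item)
        overrides[role] = int(value)

    roles = args.role or sorted(DEFAULT_PORTS)
    results = check(args.host, roles, overrides, args.timeout)
    for _role, port, purpose, state in results:
        print(f"{port:>5}  {state:<12} {purpose}")
    # Non-zero exit when any port is not open, so the check can gate a rollout.
    return 0 if all(state == "open" for *_, state in results) else 1


if __name__ == "__main__":
    sys.exit(main())
```

A result of refused means the host answered but nothing is listening on that port; filtered means no answer arrived within the timeout, which usually points at a firewall between the two machines.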

Configuring SVA Manager

The overall SVA Manager configuration and assignment process is made up of these stages.

This assumes that the user already installed McAfee ePO and the McAfee Agent is installed on client systems, which successfully communicate with the McAfee ePO server.

1 Install the MOVE‑AV‑MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.

2 Check in the McAfee MOVE AV (Multi-Platform) software packages (MOVE‑AV‑MP_Client_3.6.1_WIN.zip and MOVE‑AV‑MP_Offload_Scan_Server_3.6.1.zip) to the McAfee ePO server.

3 Deploy the MOVE AV offload scan server package to the OSS host.

4 Deploy the MOVE AV client package to the client systems.

5 Set up your SVA Manager.

6 Configure the SVA Manager policy.

7 Configure the offload scan server policy and assignment.

8 Assign the offload scan servers to endpoints.

Configuring High Availability for MOVE SVA Manager

For details on configuring High Availability for MOVE SVA Manager, see https://kc.mcafee.com/corporate/index?page=content&id=PD25344.

Configuring the SVA Manager policy

McAfee SVA Manager automatically assigns offload scan servers to MOVE Multi-Platform clients based on configurable parameters like Scan Server load, McAfee ePO tags, and IP address ranges.

Add or edit an SVA Manager assignment rule using IP address

Using their IP address range, assign a set of endpoints to a selected OSS or a number of offload scan servers, so that those clients are protected by these OSS rules.

Before you begin

• Make sure that you installed the MOVE‑AV‑MP_Ext_3.6.1_Licensed.zip extension on the McAfee ePO server.

• Make sure that you checked in the MOVE AV Multi-Platform software packages (MOVE‑AV‑MP_Client_3.6.1_WIN.zip and MOVE‑AV‑MP_Offload_Scan_Server_3.6.1.zip) to the McAfee ePO server.

• Make sure that you deployed the MOVE AV offload scan server package to the OSS host.

• Make sure that you deployed the MOVE AV client package to the client systems.

• Make sure that you already set up the SVA Manager.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] SVA Manager 3.6.1 from the Product drop-down menu, then select General from the Category drop-down list.

3 Click New Policy or click the name of an existing policy to edit it.

4 Type a name for the new policy (for example, MOVE AV SVA Manager Policy), then click OK.

5 In the Assignment Rules tab on the Policy Settings page, click Add to open the Add/Edit OSS Assignment Rule dialog box and configure these settings as needed.

For this option... | Do this...
Rule name | Type a unique user-friendly name that can help you identify the rule.
Client IP Addresses | Type the IP address or a range of IP addresses of the endpoints, which must be assigned to the OSS. You can separate IP addresses or ranges with a comma (,) or a new line.
Offload Server IP Addresses | Type the IP address of the OSS, which must be assigned to the client.

The Assign OSS if no rule is defined above for client option is used to assign the OSS to endpoints, which are not defined in any of the rules. By default, this option is enabled.

6 In the MOVE SVA Manager Settings tab, configure these settings as needed, then click Save to commit your changes.

For this option... | Do this...
Threshold for OSS Capacity Warning | Specify the OSS capacity threshold level. A warning appears when the number of connected endpoints is more than this level.
OSS assignment rules | Prefer OSS from same subnet — Select if you have to assign the OSS from the same subnet.
OSS Lease time | Specify the interval for automatic assignment of OSS to endpoints. The default interval is 240 minutes. The load balancing depends on this value.
ePO Credentials | Specify the credentials of the McAfee ePO server that SVA Manager needs to connect.
Log Settings |
• Number of Log Files — Specify a number to limit the number of log files allowed before they are rotated. This is a positive integer value. Defaults to 4.
• Log File Size — Specify a number to limit the size (in MB) of an individual log file.
• Log Level — Select a log level from the supported log level types of McAfee MOVE AV offload scan server modules.
Communication Ports |
• OSS Port — Type the port number of the OSS. This is the port where the OSS connects to SVA Manager.
• Client Port — Type the port number of the client. This is the port where the MOVE AV Multi-Platform clients connect to SVA Manager.
Make sure that the firewall script present in the SVA Manager appliance at /etc/init.d/sva-firewall is also updated for the specified ports. You must restart the firewall with the command sudo service sva-firewall, so that the changes are updated.

Add or edit an SVA Manager assignment rule using McAfee ePO tag

Assign a set of endpoints to a selected OSS using their tag group, so that those clients are protected by these OSS rules.

Before you begin

• Make sure that you installed the MOVE‑AV‑MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.

• Make sure that you checked in the McAfee MOVE AV (Multi-Platform) software packages (MOVE‑AV‑MP_Client_3610_WIN.zip and MOVE‑AV‑MP_Offload_Scan_Server_3610.zip) to the McAfee ePO server.

• Make sure that you deployed the MOVE AV offload scan server package to the OSS host.

• Make sure that you deployed the MOVE AV client package to the client systems.

• Make sure that you already set up the SVA Manager.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] SVA Manager 3.6.1 from the Product drop-down menu, then select General from the Category drop-down list.

3 Click New Policy or click the name of an existing policy to edit it.

4 Type a name for the new policy (for example, MOVE AV SVA Manager Policy), then click OK.

5 In the Tag Assignment Rules tab on the Policy Settings page, click Add to open the Add/Edit OSS Tag Assignment Rule dialog box and configure these settings as needed.

For this option... | Do this...
Rule name | Type a unique user-friendly name that can help you identify the rule.
Select and add to client tags | Select the tag names of the endpoints, which must be assigned to the OSS.
Select and add to offload Server Tags | Select the tag name of the OSS, which must be assigned to the client.

You can separate tag names with a comma (,).

The tag-based assignment rule takes priority over the IP address-based assignment rule.

The Assign OSS if no rule is defined above for client option assigns the OSS to endpoints, which are not defined in any of the rules. By default, this option is enabled.

6 In the MOVE SVA Manager Settings tab, configure these settings as needed, then click Save to commit your changes.

For this option... | Do this...
Threshold for OSS Capacity Warning | Specify the OSS capacity threshold level. A warning appears when the number of connected endpoints is more than this level.
OSS assignment rules | Prefer OSS from same subnet — Select if you need to assign the OSS from the same subnet.
OSS Lease time | Specify the interval for automatic assignment of OSS to endpoints. The default interval is 240 minutes. The load balancing depends on this value.
ePO Credentials | Specify the credentials of the McAfee ePO server that SVA Manager needs to connect.
Log Settings |
• Number of Log Files — Specify a number to limit the number of log files allowed before they are rotated. This is a positive integer value. Defaults to 4.
• Log File Size — Specify a number to limit the size (in MB) of an individual log file.
• Log Level — Select a log level from the supported log level types of McAfee MOVE AV offload scan server modules.
Communication Ports |
• OSS Port — Type the port number of the OSS. This is the port where the OSS connects to SVA Manager.
• Client Port — Type the port number of the client. This is the port where the McAfee MOVE AV (Multi-Platform) clients connect to SVA Manager.
Make sure that the firewall script present in the SVA Manager appliance at /etc/init.d/sva-firewall is also updated for the specified ports. Restart the firewall with the command sudo service sva-firewall, so that the changes are updated.

Configure an offload scan server policy

Create and assign a policy that specifies which offload scan servers a group of virtual machines uses.

Before you begin

• Make sure that you installed the MOVE‑AV‑MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.

• Make sure that you checked in the McAfee MOVE AV (Multi-Platform) software packages (MOVE‑AV‑MP_Client_3610_WIN.zip and MOVE‑AV‑MP_Offload_Scan_Server_3610.zip) to the McAfee ePO server.

• Make sure that you deployed the MOVE AV offload scan server package to the OSS host.

• Make sure that you deployed the MOVE AV client package to the client systems.

• Make sure that you already set up the SVA Manager.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] Offload Scan Server 3.6.1 from the Product drop-down menu, then select General from the Category drop-down list.

3 Click New Policy or click the name of an existing policy to edit it.

4 Type a name for the new policy (for example, MOVE AV Server Policy), then click OK.

5 In the General tab on the Policy Settings page, configure options as needed, then click Save to commit your changes.

a Select Register this Offload Scan Server with MOVE SVA Manager to make sure that the selected OSS is registered with the available SVA Manager.

The SVA manager works only with the offload scan servers assigned with it for assignment and reporting.

b Type the MOVE SVA Manager IP address, host name, or domain name, and the MOVE SVA Manager Port. Default is 8443.

c Enter the Number of Log Files to limit the number of log files allowed before they are rotated. This is a positive integer value. Defaults to 20.

d Enter the Log File Size to limit the size (in MB) of an individual log file.

6 Click Click to view Advanced Options and configure options as needed, then click Save to commit your changes.

To do this... | Do this...
Specify the Maximum Cache Items | Enter the appropriate amount to limit the number of items that can exist in the server cache.
Configure the Concurrent Scans | Enter the appropriate number to limit the number of available file scan request threads on the server.
Provide the Server Port | Type the port number of the server, which is ready for client request. Changing the port number restarts the offload scan server.
Select the Client Load | Select the load type, which specifies the workload and activities on endpoints.
• Low load — More clients are present to be assigned to the OSS.
• Medium load — Moderate number of clients are present to be assigned to the OSS.
• High load — Fewer clients are present to be assigned to the OSS.
For example:
• A file server is high load.
• A VDI VM used by a business user is low load.
• A VM used by a developer is high load.

Configure a client policy: Assign OSS to clients using SVA Manager

Create and assign a policy that specifies which offload scan servers a group of virtual machines uses.

Before you begin

• Make sure that you installed the MOVE‑AV‑MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.

• Make sure that you checked in the McAfee MOVE AV (Multi-Platform) software packages (MOVE‑AV‑MP_Client_3610_WIN.zip and MOVE‑AV‑MP_Offload_Scan_Server_3610.zip) to the McAfee ePO server.

• Make sure that you deployed the MOVE AV offload scan server package to the OSS host.

• Make sure that you deployed the MOVE AV client package to the client systems.

• Make sure that you already set up the SVA Manager.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] Client 3.6.1 from the Product drop-down menu, then select Offload Scan Server Assignment from the Category drop-down list.

3 Click New Policy or click the name of an existing policy to edit it.

4 Type a name for the new policy (for example, OSS Assignment), then click OK.

5 Under Offload Scan Server on the Policy Settings page, configure options as needed, then click Save to commit your changes.

• Select Assign Offload Scan Server using SVA Manager to make sure that the given OSS is assigned to a set of virtual machines.

• Enter the SVA Manager IP address, host name, or domain name, and the SVA Manager Port. Default is 8080.

Now, the clients request the SVA Manager when they require an OSS. SVA Manager serves them an OSS based on the filtering rules created in the SVA Manager policy.

5 Monitoring and management

The McAfee MOVE AV deployment option monitors the status of virtual machines to identify problems and change behavior from the ePolicy Orchestrator console.

Contents

• Integration with ePolicy Orchestrator
• Policy management
• Configuring permissions sets
• Queries and reports
• Dashboards and monitors
• Global Threat Intelligence
• Handling potentially malicious files
• Communication between virtual machines and offload scan servers
• McAfee MOVE AV Multi-Platform client alerts
• Self-protection

Integration with ePolicy Orchestrator

The McAfee MOVE AV deployment option uses the ePolicy Orchestrator framework to deliver and enforce policies.

This approach provides a single management solution that allows for mass deployment.

ePolicy Orchestrator communicates policy information to McAfee MOVE AV clients and the offload scan server at regular intervals via the McAfee Agent. The McAfee Agent enforces policies, collects event information, and transmits the information back to ePolicy Orchestrator. Client-side management of the McAfee MOVE AV client and offload scan server is available through a command line interface (CLI) on Windows-based clients.

Policy management

Through the ePolicy Orchestrator console, you can configure both client and offload scan server policies from a central location.

How policies are enforced

When you change McAfee MOVE AV Multi-Platform policies in the ePolicy Orchestrator console, the changes take effect on the targeted managed systems at the next agent-server communication. To enforce policies immediately, send an agent wake-up call to the targeted systems from the ePolicy Orchestrator console.

Policies and their categories

Policy information for the McAfee MOVE AV client and offload scan server is grouped into categories: General and Offload Scan Server Assignment. You can create, change, or delete as many policies as needed under this category. ePolicy Orchestrator provides a preconfigured McAfee Default policy, which can't be edited or deleted, but can be copied. You then change these copies to suit your needs.

How policies are applied

Policies are applied to any System Tree group or system by inheritance or assignment. Inheritance determines whether the policy settings for any system are taken from its parent.

By default, inheritance is enabled throughout the System Tree. You can break inheritance by direct policy assignment. McAfee MOVE AV Multi-Platform, as managed by ePolicy Orchestrator, enables you to create policies and assign them without regard to inheritance. When you break this inheritance by assigning a new policy to a system, all groups and systems that are children of the selected system inherit the new policy.

Policy tracking and tuning

The deployment and management of McAfee MOVE AV Multi-Platform clients and the offload scan server are handled from ePolicy Orchestrator. Since McAfee MOVE AV policies apply only to virtual machines in the System Tree, you can group the virtual machines hierarchically by attributes.

We recommend grouping the virtual machines by the McAfee MOVE AV Multi-Platform configuration criteria, including scan settings and use of the offload scan server. You can also use tags for automatic sorting into groups. Tags identify systems with similar characteristics. For more information about tagging, see the McAfee ePolicy Orchestrator Product Guide.

Deploying McAfee MOVE AV Multi-Platform to thousands of systems is managed easily because most virtual machines fit into a few usage profiles. Managing a large deployment is reduced to maintaining a few policy rules. As a deployment grows, newly added virtual machines fit one or more existing profiles, and can be placed under the correct group in the System Tree.

Configuring policies

You can configure the McAfee MOVE AV Multi-Platform client and offload scan server behavior with policy settings.

Client policies

• Which offload scan server a client uses.

• When files are scanned.

• Which files and programs to exclude from scanning.

• Where to send alerts.

• What to do when a threat is found.

• How to handle quarantined files.

• How the offload scan server operates.

Server policies

• Maximum size of the server cache.

• The number of concurrent scans that an offload scan server policy can support.

• Which port the offload scan server listens to for scan requests from clients.

• The number assigned to a log file and size.

• Which types of files to scan.

• McAfee GTI sensitivity level.

• On-Demand Scan settings.

Create a policy

Policies allow you to describe threat scanning behavior for specific virtual machines.

By default, policies created in McAfee ePO are not assigned to any groups or systems. When you create a policy, you are adding a custom policy to the Policy Catalog. You can create policies before or after a product is deployed.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, then select McAfee MOVE AV [Multi-Platform] client or McAfee MOVE AV [Multi-Platform] Offload Scan Server from the drop-down lists.

3 Click Actions | New Policy.

4 On the New Policy page, configure the policy settings, then click OK.

5 In the General tab of the Policy Settings page for the newly created policy, configure the settings to control basic behavior.

6 Click Save.

Assign a policy

You must assign a policy for it to take effect.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 In the System Tree, select the group containing the virtual machines where you want to apply the policy.

3 Click Menu | Systems | System Tree | Assigned Policies.

4 In the Product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1 or MOVE AV [Multi-Platform] Client 3.6.1.

5 In the Actions column of the McAfee Default policy, select Edit assignments.

6 In the Inherit from list on the Policy Assignments page, select Break inheritance and assign the policy and settings below.

7 In the Assigned Policy list, select the policy you created earlier.

8 Click Save.

9 To apply the policy immediately, perform an agent wake-up call.

The policies are not modified on client systems until the next agent-server communication that includes a Collect and Send Properties operation. This can be initiated from the agent on the client, or by performing an agent wake-up call from within ePolicy Orchestrator.

Configuring permissions sets

A permission set is a group of permissions (or access rights) granted to a user account for specific features of a product. Permission sets only grant permissions — they never remove a permission.

All permissions to all products and features are assigned automatically to global administrators. Other users must have permission assigned manually. Global administrators can assign existing permission sets when creating or editing user accounts and when creating or editing permission sets.

For more information on permission sets, see the McAfee ePolicy Orchestrator Product Guide.

McAfee MOVE AV Permission set

The McAfee MOVE AV Multi-Platform software adds a MOVE-AV [Multi-Platform] Client 3.6.1 Policy Permission and MOVE-AV [Multi-Platform] Offload Scan Server section to the permission sets with one setting. This defines access rights to the software features. The MOVE AV 3.6.1 [Multi-Platform] SVA Manager adds the MOVE SVA Manager section to the permission sets. Global administrators must grant permissions to users to use the McAfee MOVE AV deployment option, because no permissions are granted by default.

Other required permissions

The global administrator must give ePolicy Orchestrator permissions to handle other areas that work with the McAfee MOVE AV including queries, dashboards, and the Threat Event Log.

For these features... | These permissions sets are required
Dashboards | Dashboards, Queries and Reports
Queries | Queries and Reports
Policies | System Tree access, Policy Assignment Rules
Events on virtual machines | Systems, System Tree access, Threat Event Log

Configure permission sets

Update the read/write permissions assigned to the user roles defined for your ePolicy Orchestrator environment.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | User Management | Permission Sets.

3 Select a user role from the Permission Sets list.

4 Next to MOVE-AV [Multi-Platform] 3.6.1 Client Policy Permission or MOVE-AV [Multi-Platform] 3.6.1 Offload Scan Server Policy Permission, click Edit.

5 Select the permission level.

6 Click Save.

For more information about permission sets, see the McAfee ePolicy Orchestrator Product Guide.

Queries and reports

From the ePolicy Orchestrator console, you can extract information about your McAfee MOVE AV Multi-Platform clients with several queries and reports.

• View events in the Threat Event Log.

• Run default McAfee MOVE AV Multi-Platform queries that show important client information.

• Create reports using data sent by the McAfee MOVE AV clients to the ePolicy Orchestrator database.

Modify the VirusScan Enterprise compliance query results

VirusScan Enterprise queries might report virtual machines that use McAfee MOVE AV Multi-Platform as noncompliant.

We recommend that you use the VirusScan Enterprise Compliance report to determine compliance for systems that use the offload scan server. Use the McAfee MOVE AV client status report to determine if client protection is enabled.

If virtual machines that use the Multi-Platform deployment option are reported incorrectly as noncompliant in the VirusScan Enterprise 8.8 Compliance query, consider excluding those systems from its results.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator console, click Menu | Queries and Reports.

2 Click Shared groups | VirusScan Enterprise | VSE version 8.8 Compliance.

3 Click Edit, then click the Filters tab.

4 From Available Properties, select Products Property | Installed products.

5 Select does not contain from the comparison, and type MOVE-AV in the text box.

6 Click Save to change the query.

Default queries

The McAfee MOVE AV deployment option adds several queries to your ePolicy Orchestrator environment.

Table 5-1 MOVE AV Multi-Platform queries

Query | Description
MOVE-AV [Multi-Platform]: Client Protection Status | Displays the status of all MOVE clients managed by the server.
MOVE-AV [Multi-Platform]: Client connected with a given OSS | Displays the details of the client and OSS it is assigned.
MOVE-AV [Multi-Platform]: DAT version | Displays the DAT version of all MOVE AV clients that are managed by the server.
MOVE-AV [Multi-Platform]: Summary of Threats Detected in the Last 24 Hours | Displays threats detected in the last 24 hours.
MOVE-AV [Multi-Platform]: Threats Detected in the Last 24 Hours | Displays the number of threats detected in the last 24 hours by hour.
MOVE-AV [Multi-Platform]: Top 10 Computers with the Most Detections | Displays the top ten computers with the most threat detections in the last three months.
MOVE-AV [Multi-Platform]: Top 10 Detected Threats | Displays the top ten detected threats in the last three months.
MOVE-AV [Multi-Platform]: Top 10 Users with the Most Detections | Displays the top ten users with the most threat detections in the last three months.

Table 5-2 MOVE offload scan server queries and events

Query | Description
OSS Load: Number of Connected Endpoints | Categorizes the offload scan servers into Capacity full, Capacity Above Threshold, and Capacity Below Threshold based on the number of connected endpoints.
OSS with Higher Average Scan Time in last 7 days | Lists the top 10 offload scan servers that have reached the average scan time threshold and have stayed in that state the longest in the past 7 days.
OSS with MOVE SVA Manager details | Lists all offload scan servers with MOVE SVA Manager details.
OSS: Average Scan Time Events | Displays these scan time events of the OSS: OSS Average Scan Time, OSS Average Scan Time Threshold, OSS Average Scan Time Sampling Interval.
OSS Capacity Events | Specifies the maximum number of endpoints with the number of endpoints connected. Events: OSS Capacity Full, OSS Capacity Restored, OSS Capacity Threshold hit.
Top 10 Scanned File Extensions | Lists the top 10 file extensions scanned by the offload scan server.
Top 10 Scanned Files | Lists the top 10 files scanned by the offload scan server.
Top 10 Scanned Processes | Lists the top 10 processes scanned by the offload scan server.
Top 10 Scanned Virtual Machines | Lists the top 10 virtual machines that send the most scan and checksum requests.

Table 5-3 SVA Manager queries and events

Query | Description

MOVE SVA Manager: OSS Assignment Failed | Specifies the details and reasons of OSS assignment by the SVA Manager. This event is reported in the ePolicy Orchestrator server.

• SVA_MANAGER_OSS_ASSIGNMENT_FAILED — This event is reported when an OSS assignment request is sent from a client to the SVA Manager and it is unable to complete the client request, because no registered OSS is with full capacity.

MOVE SVA Manager: OSS Capacity Events | Specifies the maximum number of endpoints with the number of endpoints connected. These events are reported in the ePolicy Orchestrator server.

• SVA_MANAGER_OSS_THRESHOLD_CAPACITY_HIT — This event is reported when an OSS assignment request is sent from a client to the SVA Manager and cumulative capacity of all offload scan servers eligible to serve that client has reached the threshold value, which is set in the advanced options of the SVA Manager policy.

• SVA_MANAGER_OSS_CAPACITY_FULL — This event is reported when an OSS assignment request is sent from a client to the SVA Manager and all offload scan servers eligible to serve that client have reached their full capacity.

MOVE SVA Manager: OSS Registration Events | Displays the OSS registration events raised by the SVA Manager. These events are reported in the ePolicy Orchestrator server.

• SVA_MANAGER_OSS_REGISTER — This event is reported whenever an OSS is registered with SVA Manager.

• SVA_MANAGER_OSS_UNREGISTER — This event is reported whenever an OSS is unregistered from the SVA Manager because of issues like OSS shutdown, network interruptions.

SVA_MANAGER_STARTED | This event is reported when the SVA Manager starts.

SVA_MANAGER_STOPPED | This event is reported when the SVA Manager stops.

You can add these queries to dashboards to more efficiently track your environment by displaying several queries at once.

The queries are constantly refreshed, or you can run them at a specified frequency. You can add them to reports that are run on specific schedules and export them as PDF files or email messages.

The ePolicy Orchestrator Threat Event Log contains information about detections, scan failure, on-demand scan, and targeted on-demand scan events.

OSS information

A shell script, msmclient.sh, is available with SVA Manager and is used to retrieve the OSS details. The script is available at /opt/McAfee/movesvamanager.

For these commands to work and retrieve the results, the SVA Manager application must be running.

Run these commands with root rights from the /opt/McAfee/movesvamanager directory:

• sudo ./msmclient.sh osscount — Displays the number of offload scan servers attached to the SVA Manager.

• sudo ./msmclient.sh ossinfo — Displays some basic information about the offload scan servers attached to the SVA Manager.

• sudo ./msmclient.sh ossdetails — Displays some advanced information about the OSS: current OSS load, OSS GUID, and last heartbeat time.

Dashboards and monitors

Dashboards, which are comprised of monitors, help you track key metrics from major components of the MOVE AV Multi-Platform.

McAfee ePO 4.6 — Dashboards are grouped under Private Dashboards.

McAfee ePO 5.1 — Reports are grouped under McAfee Dashboards.

MOVE Multi-Platform dashboard

The MOVE Multi-Platform dashboard is added to your McAfee ePO server when you install the MOVE Multi-Platform software.

The dashboard displays a collection of monitors based on the results of the default MOVE Multi-Platform software queries.

The default monitors that appear under the MOVE Multi-Platform dashboard are:

• OSS Load: Number of Connected Endpoints — Displays the number of managed endpoints with load category of the OSS.

  • Capacity Full — Indicates that the OSS limit is reached when the number of endpoints is equal to what can be assigned.

  • Capacity Above Threshold — Appears when capacity of an OSS is more than its threshold value.

  • Capacity Below Threshold — Appears when capacity of an OSS is less than its threshold value.

• OSS with Higher Average Scan Time in last 7 days — Lists the top 10 offload scan servers that have reached the average scan time threshold and have stayed in that state the longest in the past 7 days.

See the chapter on dashboards in the McAfee ePolicy Orchestrator Product Guide for information about managing dashboards.

Report visibility and health of the offload scan server

You can check the product properties of MOVE AV Multi-Platform and the product component MOVE OSS using the ePolicy Orchestrator server.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Systems | System Tree | Systems tab.

3 Click an OSS system to open the System Information page.

4 Click the Product tab and select MOVE AV [Multi-Platform] as the product.

You can now see these product properties, which can be used to determine the health details of the OSS.

Table 5-4 General

Property | Description
Installed Path | Offload scan server installation directory.
Language | Supported language
MOVE SVA Manager IP Address/Hostname | SVA Manager IP address.
MOVE SVA Manager Port | SVA Manager port number.
On Demand Scan Status | OSS triggered on-demand scan of Endpoints.
Plugin Version | Plugin version
Server Port | Port of the OSS to handle endpoint requests.
System Status | Offload scan server service status.

Table 5-5 Endpoint

Property | Description
Connected Endpoints | Number of endpoints connected to the OSS.
Connected Endpoints Threshold | The offload scan server will raise an event when the number of connected endpoints is more than this value.
Maximum number of endpoints | Maximum number of endpoints that can connect to the OSS.

Table 5-6 Scan requests

Property | Description
Pending Requests in Queue | Total number of endpoint requests in queue.
Ram Disk Size (MB) | Size of RAM disk created at the OSS.
Total AV Scan Failures | Number of failed file scan and smart scan requests at AV scanner.
Total AV Scan Requests | Number of file scan and smart scan requests to AV scanner.
Total File Transfer Requests | Total number of file scan requests from the endpoints.
Total Request Failures | Number of failed endpoint requests.
Total Response Failures | Number of failed responses from the OSS.
Total Scan Requests | Total number of scan requests from the endpoints.
Total Scans on RAM Disk | Total number of file transfer scan requests performed using RAM disk.
Total Smart File Requests | Total number of smart scan requests from the endpoints.

Scan request means all scan requests, which include checksum, file, and smart scan requests.

File Scan request means a scan request where file transfer happens.

Smart Scan request means a scan request where the whole file is not transferred, but some portion of the file is.

The statistics under Scan requests indicate the health of the OSS and its scanning performance. For example, from Total Scans on RAM Disk and Total File Transfer Requests you can work out what fraction of the file scan requests is served through the RAM disk.

Table 5-7 Scan threads

Property | Description
Scan Thread Count | Number of threads on the OSS to serve scan requests.
Total Idle Threads | Number of idle threads on the OSS waiting to serve scan requests.

Table 5-8 Scan time

Property | Description
Average Request Process Time (seconds) | Average time taken on the OSS to process scan requests.
Average Request Process Time (seconds) | Average time taken on the OSS before scan requests are getting served on the OSS.

Table 5-9 Scan Cache

Property | Description
Checksum Cache Hits | Number of checksum cache hits.
Number of Checksums in Cache | Number of checksums in the cache.
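
Added example (not part of the McAfee guide or product): a Python helper that turns the properties from Tables 5-5 to 5-7 into the RAM disk fraction mentioned above, an AV scan failure rate, an idle-thread ratio, and the dashboard's capacity category. The property names come from the tables; the sample values, the two alert levels, and the treatment of "connected equals threshold" as below threshold are assumptions.

```python
"""Summarise OSS health from the product properties in Tables 5-5 to 5-7."""

# Constructed sample: values as they might be copied by hand from the
# System Information page of one OSS. The numbers are invented.
SAMPLE_OSS = {
    "Connected Endpoints": 180,
    "Connected Endpoints Threshold": 150,
    "Maximum number of endpoints": 200,
    "Pending Requests in Queue": 3,
    "Total File Transfer Requests": 8000,
    "Total Scans on RAM Disk": 6000,
    "Total AV Scan Requests": 10000,
    "Total AV Scan Failures": 25,
    "Scan Thread Count": 16,
    "Total Idle Threads": 2,
}
REQUIRED = tuple(SAMPLE_OSS)

# Hypothetical alert levels, not McAfee guidance; tune for your environment.
MAX_AV_FAILURE_RATE = 0.01
MIN_IDLE_THREAD_RATIO = 0.10


def ratio(part, whole):
    """Return part/whole, or None when the denominator is zero (fresh OSS)."""
    return part / whole if whole else None


def capacity_category(props):
    """Map endpoint counts to the three load categories of the dashboard."""
    connected = props["Connected Endpoints"]
    if connected >= props["Maximum number of endpoints"]:
        return "Capacity Full"
    # The guide raises the event when connected is MORE than the threshold;
    # treating "equal" as below threshold is an assumption.
    if connected > props["Connected Endpoints Threshold"]:
        return "Capacity Above Threshold"
    return "Capacity Below Threshold"


def summarize(props):
    """Return derived metrics plus a list of findings worth a closer look."""
    missing = [name for name in REQUIRED if name not in props]
    if missing:
        raise ValueError("missing properties: " + ", ".join(missing))

    summary = {
        "capacity": capacity_category(props),
        # Share of file scan requests that were served through the RAM disk.
        "ram_disk_fraction": ratio(props["Total Scans on RAM Disk"],
                                   props["Total File Transfer Requests"]),
        "av_failure_rate": ratio(props["Total AV Scan Failures"],
                                 props["Total AV Scan Requests"]),
        "idle_thread_ratio": ratio(props["Total Idle Threads"],
                                   props["Scan Thread Count"]),
    }

    findings = []
    if summary["capacity"] != "Capacity Below Threshold":
        findings.append("endpoint load: " + summary["capacity"])
    rate = summary["av_failure_rate"]
    if rate is not None and rate > MAX_AV_FAILURE_RATE:
        findings.append(f"AV scan failure rate {rate:.1%} above alert level")
    idle = summary["idle_thread_ratio"]
    if idle is not None and idle < MIN_IDLE_THREAD_RATIO:
        findings.append(f"only {idle:.0%} of scan threads are idle")
    if props["Pending Requests in Queue"] > 0 and props["Total Idle Threads"] == 0:
        findings.append("requests are queued and no scan thread is idle")
    summary["findings"] = findings
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OSS).items():
        print(f"{key}: {value}")
```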

Global Threat Intelligence

McAfee Global Threat Intelligence (GTI) File Reputation is a comprehensive, real-time, cloud-based file reputation service that enables McAfee products to protect customers against both known and emerging malware-based threats.

This cloud-based system receives billions of file reputation queries each month, and responds with a score that reflects the likelihood that the file in question is malware. The score is based not only on the collective intelligence from sensors querying the McAfee cloud and the analysis performed by McAfee Labs researchers and automated tools, but also on the correlation of cross-vector intelligence from web, email, and network threat data. The McAfee anti-malware engine — whether deployed as part of an endpoint anti-malware, gateway, or other solution — uses the score to determine action (such as block or quarantine) based on local policy.

These are the key benefits of GTI File Reputation:

• Compresses the threat protection time period from days to milliseconds

• Increases malware detection rates

• Reduces downtime and remediation costs associated with malware attacks

MOVE AV Multi-Platform does not support GTI Proxy.

Change the Global Threat Intelligence level

You can change the Global Threat Intelligence (GTI) sensitivity level from ePolicy Orchestrator when required.

Higher sensitivity levels are more secure, but can degrade performance and might cause more false positive results.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, then from the product list select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1.

3 Click the name of an existing policy to edit it, then click the Scan Settings tab.

4 Select the Sensitivity level from the drop-down list. The default and recommended setting is Medium.

The GTI level is changed as specified. If the new GTI level is more sensitive than before, all previously scanned files are flushed from the cache.

Create a policy specifying offload scan server

Create a policy that specifies which offload scan servers a group of virtual machines uses. After you create this policy, you must assign it before it takes effect.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, then select MOVE AV [Multi-Platform] Client 3.6.1.

3 Click New Policy.

4 Type a name for the new policy (for example, MOVE AV Server Policy), then click OK.

5 In the General tab on the Policy Settings page, configure options as needed, then click Save to commit your changes.

• Select Enable malware protection to make sure that the protection state is enabled. The protection state is disabled by default.

• Enter the Offload Scan Server 1 IP address, host name, or domain name, and the Offload Scan Server 1 Port. Default is 9053.

McAfee MOVE AV Multi-Platform supports Fully Qualified DNS names, which allow for DNS Round-Robin Load Balancing. This type of load balancing distributes client requests across multiple servers.

• Enter the Offload Scan Server 2 IP address, host name, or domain name, and the Offload Scan Server 2 Port. Default is 9053.

McAfee recommends using two different addresses when setting up the primary and secondary servers. Using the same address for both servers results in delayed coverage, which occurs when recovering from loss of connection to the primary server.

• Modify the Scan Timeout, Scan Result Cache, and Cache Expiration Time settings, as needed.

• Select Optimization for Frequently Modified Files to reduce the scan-time for files that are modified frequently. The scan-time optimization is achieved by storing the cached offsets of the scan results during the first scan of a file and passing them to the offload scan server with the required payload data. This mechanism reduces the scan time for the subsequent scan of the file by decreasing multiple network hops and payload data transfers. By default, this option is enabled.

Handling potentially malicious files

Policy settings determine what happens to a file after a scan determines it to be malicious.

The McAfee MOVE AV Multi-Platform deployment option can take three actions when dealing with a potentially malicious file.

These policy settings determine which action is taken.

Primary action | Quarantine setting | Actions taken
Delete files automatically (default) | Enabled (default) | Back up the malicious file as a .VIR file in the quarantine folder, then delete the original file.
Delete files automatically | Disabled | Delete the file. Nothing appears in the quarantine folder and no backup copy of the file is made. This causes data loss if quarantine is not enabled.
Deny access to files | Enabled or Disabled | Deny access to the file. Nothing appears in the quarantine folder.

Isolating malicious files in quarantine

The McAfee MOVE AV Multi-Platform deployment option deals with malicious files beyond events and notifications.

When an item is detected as a threat, an event is triggered that notifies administrators of the threat. The malicious file can also be isolated in a quarantine folder, allowing you to perform other processes, like remove and restore, on the quarantined items.

Quarantining is enabled by default, and quarantined items are placed in the C:\Quarantine folder on the system where the file was discovered. Quarantined items are sorted in the quarantine folder by threat category, and are automatically deleted after a configurable time. Quarantine behavior can be changed through policy changes.

Change threat quarantine behavior

Modify the default quarantine settings to suit your organizational policies.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client 3.6.1.

3 Click the name of an existing policy to edit it, then click the Quarantine tab.

4 Change the threat quarantine behavior:

• Disable the quarantine functionality by deselecting Enabled.

• Change where quarantined items are stored by changing the Quarantine Directory setting.

Mapped network drives and UNC network path names are not supported.

• If you don't want quarantined items deleted after a period, deselect Automatically delete quarantined data after the specified number of days.

• If you want to change how long quarantined items are stored before they are deleted, change the Number of days to keep backed-up data in the quarantine directory setting.

5 Click Save to modify the policy.

The modified policy is applied after the next agent-server communication interval. If you want the policy applied immediately, perform an agent wake-up call on the systems where the newly modified policy is assigned.

Restore quarantined items

McAfee MOVE AV deletes any items that are detected as threats, converts a copy of the item to a non-executable format, and saves it in the Quarantine folder.

Before you begin

Make sure that you installed the MOVE-AV-MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.

You can perform actions on quarantined items. For example, you might be able to restore an item after downloading a later version of the DAT that contains information that cleans the threat.

Quarantined items can include various types of scanned objects, such as files, cookies, or anything McAfee MOVE AV scans for malware.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Select Menu | Policy | Client Task Catalog.

3 From Client Task Types, select MOVE AV [Multi‑Platform] Client 3.6.1 | Restore From Quarantine.

4 Click the name of an existing client task or click New Task and confirm the task type.

5 Configure these settings on each tab and click Save.

Tab | Description
Task Name | Specifies a unique user-friendly name for the task.
Description | Specifies a user-friendly description of the task.
Detection name | Specifies the exact detection name of the item to restore from quarantine.

6 Click Assign, specify the servers where you want to assign the task, then click OK.

7 Click 2 Schedule to schedule the task.

Change the primary threat response

You can modify how the Multi-Platform deployment option handles potentially malicious files after a threat is detected.

By default, the McAfee MOVE AV Multi-Platform policy backs up a potentially malicious file to a quarantine folder as a .VIR file, then deletes the original. These steps change that behavior.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client 3.6.1.

3 Click the name of an existing policy to edit it, then click the Actions tab.

4 Change the Perform this action first setting to Delete files automatically or Deny access to files, depending on your requirements.

The second action is set to Deny access to files if that is not the first action. Otherwise, there is no second action. If quarantine is on, a backup of the file is made in the quarantine folder before it is deleted.

5 Click Save.

Systems assigned this policy are updated at the next agent-server communication interval.

Change when files are scanned

You can modify the client policy to determine which files are scanned for threats and when.

By default, all files are scanned when they are read from or written to disk, or when opened for backup. The McAfee Agent program files and the User Profile Manager process are excluded from scans.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client 3.6.1.

3 Click the name of an existing policy to edit it, then click the Scan Items tab.

4 Change the file scanning behavior in one of these ways:

For this... | Do this...

Scan files | Select any combination of:

• When writing to disk

• When reading from disk

• On network drives

• Opened for backup

Depending on your environment, selecting On network drives can degrade network performance.

File types to scan | Select one of these options:

• All files — Select to scan all files.

• Default + Additional files — Select to scan the default file types or any additional file types. You can add, edit, and remove any additional file types, which are included for scanning.

In versions 3.6 and above, this option is enabled by default. However, when upgrading from previous versions to 3.6.x, the last selected option is retained.

• Following only — Select to specify a list of file extensions to scan. You can add, edit, and remove file extensions that are included for scanning.

Archive and MIME-encoded files are not scanned by default. This behavior is changed by modifying the offload scan server policy.

Wildcards are supported, and exact matches are required. Do not include the period when specifying extensions.

For more information about how to use wildcards when creating exclusions in VirusScan Enterprise or MOVE AV Multi-Platform, see McAfee KnowledgeBase article KB54812.

Path Exclusions | Add them to the Path Exclusions and Process Exclusions lists.

Excluding scan items — The MOVE AV Multi-Platform product allows you to fine-tune the list of file types scanned. For example, you can exclude from scanning individual files, folders, and disks. These exclusions might be needed because the scanners could scan and lock a file when that file is being used by a database or server. This could cause the database or server to fail or generate errors.

For example, path exclusion pattern .ost prevents any file with the .ost extension from being scanned. Wildcards are supported.

Using the Import option, you can browse and select the exclusion rule file and add path exclusions.

A path exclusion entry *.log is available, so that the log files at the client system are not scanned. This improves the scanning performance of the client system.

Publisher Exclusions | You can choose to trust the authenticated and signed files from different publishers. Endpoints then send fewer files to the OSS for scanning, which makes better use of OSS resources and improves scanning performance.

In version 3.6, this option is enabled by default. However, when upgrading from previous versions to 3.6.x, the last specified setting is retained.

Here are the portable executable extensions, which are excluded using this option: .cpl, .exe, .dll, .ocx, .sys, .scr, .drv, .efi, .fon

5 Click Save to modify the policy.

Enable and configure on-demand scans

You can modify the offload scan server policy to enable system on-demand scans, and to determine the schedule and frequency of scans.

Before you begin

Make sure that you installed the MOVE-AV-MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.

By default, on-demand scans are not enabled. Other scan characteristics (for example, exclusions) are inherited from the client scan policy.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Offload Scan Server 3.6.1.

3 Click the name of an existing policy to edit it, then click the On-Demand Scan tab.

4 Configure these settings, then click Save.

To do this... | Do this...
Enable On-Demand Scanning | Select Enabled.
Specify the Maximum concurrent scans per Offload Scan Server | Enter the appropriate amount for your environment. We recommend 2.
Configure the Maximum On-Demand Scan time (minutes) | Enter the appropriate amount for your environment. We recommend 150.
Specify the On-Demand Client Scan interval (days) | Enter the appropriate amount for your environment. We recommend 7.
Specify the Maximum concurrent targeted scans per Offload Scan Server | Enter the appropriate amount for your environment. We recommend that you set the default value 1. A high value can affect scanning performance. The maximum concurrent targeted on-demand scan value is 400.
Determine the On-Demand Scan time window | Set or clear the time slots to specify available scan times. Green indicates a time slot when a scan can start and white indicates a time when a scan can't start. Grid cells can be toggled between available (green) and unavailable (white) by clicking the cell, column header, or row header.

The log files for on-demand scans are available at:

• 32-bit — C:\Program Files\McAfee\MOVE AV Client

• 64-bit — C:\Program Files (x86)\McAfee\MOVE AV Server

In the client log file, you can search for terms like ODS: start scan and ODS: scan complete to determine the status of the on-demand scan.

In the OSS log file, you can find these ODS statuses:

• <UUID of VM>: ODS in ready state

• Starting scan on : <UUID of VM>

• <UUID of VM>: ODS in running state

• <UUID of VM>: ODS in finished state

You can also view the ODS status from the local system's Windows Event Log. (Event: On-Demand Scan Started on winvistax64mp.moveauto.com using engine version 5600.1067 and dat version 7203.0000)

McAfee MOVE AV Multi-Platform generates various alerts around on-demand scan. These alerts can be displayed in any of three locations: the local system's Windows Event Log, the ePolicy Orchestrator threat event log, or on the local system as a McAfee system tray pop-up menu.

Table 5-10 Server on-demand scan events

Event ID | Event message
34269 | On-demand scan started.
34270 | On-demand scan complete.
34271 | On-demand scan terminated. Scan time limit reached.
34272 | On-demand scan terminated. Scan disabled in policy.
34273 | On-demand scan terminated. Exceeded maximum number of concurrent scans.
34274 | High on-demand scan terminated. Scan failure on client.
34275 | High on-demand scan terminated. Unexpected termination.
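
Added example (not part of the McAfee guide or product): a Python tracker that reads OSS log lines, follows each VM through the four ODS statuses listed above, and reports scans that never reached the finished state or whose statuses arrive out of order. The message texts are the ones the guide lists; the timestamp prefix, the UUIDs, the sample lines, and the assumed order ready, starting, running, finished are constructed for illustration.

```python
"""Track per-VM on-demand scan (ODS) state from OSS log lines."""
import re

# Status messages as listed in the guide for the OSS log. The VM identifier
# is taken to be the whitespace-free token next to the message (assumption).
STATE_RE = re.compile(r"(\S+): ODS in (ready|running|finished) state")
START_RE = re.compile(r"Starting scan on : (\S+)")

# Assumed order of one scan: ready -> starting -> running -> finished.
# Maps each state to the states that may legitimately precede it.
ALLOWED_PREVIOUS = {
    "ready": (None, "finished"),
    "starting": ("ready",),
    "running": ("starting",),
    "finished": ("running",),
}

# Constructed identifiers and log excerpt; nothing here is real product output.
VM_A = "11111111-aaaa-4aaa-8aaa-000000000001"
VM_B = "22222222-bbbb-4bbb-8bbb-000000000002"
VM_C = "33333333-cccc-4ccc-8ccc-000000000003"
SAMPLE_LOG = f"""\
2015-06-01 02:00:01 {VM_A}: ODS in ready state
2015-06-01 02:00:02 Starting scan on : {VM_A}
2015-06-01 02:00:02 {VM_A}: ODS in running state
2015-06-01 02:00:03 unrelated entry
2015-06-01 02:00:05 {VM_B}: ODS in ready state
2015-06-01 02:00:06 Starting scan on : {VM_B}
2015-06-01 02:00:06 {VM_B}: ODS in running state
2015-06-01 02:41:10 {VM_A}: ODS in finished state
2015-06-01 02:45:00 {VM_C}: ODS in finished state
"""


def parse_line(line):
    """Return (vm, state) for an ODS status line, or None for other lines."""
    match = STATE_RE.search(line)
    if match:
        return match.group(1), match.group(2)
    match = START_RE.search(line)
    if match:
        return match.group(1), "starting"
    return None


def track_ods(lines):
    """Follow every VM through its ODS states and collect what looks wrong."""
    last_state = {}    # vm -> most recent state seen
    out_of_order = []  # (line number, vm, previous state, new state)
    for number, line in enumerate(lines, start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        vm, state = parsed
        previous = last_state.get(vm)
        if previous not in ALLOWED_PREVIOUS[state]:
            # For example, a "finished" line whose start was rotated out of
            # the log, or a scan restarted before the earlier one finished.
            out_of_order.append((number, vm, previous, state))
        last_state[vm] = state
    return {
        "finished": sorted(vm for vm, s in last_state.items() if s == "finished"),
        # Scans still open at the end of the excerpt: candidates to compare
        # against event IDs 34271 to 34275 in Table 5-10.
        "unfinished": {vm: s for vm, s in last_state.items() if s != "finished"},
        "out_of_order": out_of_order,
    }


if __name__ == "__main__":
    report = track_ods(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```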

Targeted on-demand scan

The targeted on-demand scan feature in MOVE AV Multi-Platform allows the administrator to select a system or a group of systems from the System Tree and assign a client task to initiate the on-demand scan immediately.

The OSS runs the specified Maximum concurrent targeted scans per Offload Scan Server in addition to the Maximum concurrent scans per Offload Scan Server defined by the administrator.

Configure targeted on-demand scans

Change the offload scan server policy to enable on-demand scanning, and to set the concurrent scan value to the default value.

Before you begin

Make sure that you have installed the MOVE-AV-MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.

By default, on-demand scans are not enabled. Other scan characteristics (for example, exclusions) are inherited from the client scan policy.


Review these assumptions before configuring targeted on-demand scans:

• If the targeted on-demand scan task is performed on more than one VM, the targeted on-demand scan clients are picked up randomly by the OSS.

• If the administrator has assigned a targeted on-demand scan task to a VM, and if the OSS has reached the maximum number of targeted on-demand scans, the recently initiated on-demand scan is scheduled later when the targeted on-demand scan slot is available.

• The maximum number of targeted on-demand scans cannot be greater than these values:

• The configured maximum concurrent targeted on-demand scans per OSS

• The configured maximum concurrent general on-demand scans per OSS

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Offload Scan Server 3.6.1.

3 Click the name of an existing policy to edit it, then click the On-Demand Scan tab.

4 Configure these settings, then click Save.

| To do this... | Do this... |
|---|---|
| Enable On-Demand Scanning | Select Enabled. |
| Configure the Maximum On-Demand Scan time (minutes) | Enter the appropriate amount for your environment. We recommend 150. |
| Specify the Maximum concurrent targeted scans per Offload Scan Server | Enter the appropriate amount for your environment. We recommend that you set the default value 1. A high value can affect scanning performance. The maximum concurrent targeted on-demand scan value is 400. |

Create and run a targeted on-demand scan client task

Select a system or a group of systems from the System Tree and assign a client task to initiate the targeted on-demand scan immediately.

Before you begin

Make sure that you installed the MOVE‑AV‑MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Select Menu | Policy | Client Task Catalog.

3 From Client Task Types, select MOVE AV [Multi‑Platform] Client 3.6.1 | Targeted On Demand Scan.

4 Click the name of an existing client task or click New Task and confirm the task type.


5 Configure these settings on each tab and click Save.

Tab Description

Task Name Specifies a unique user‑friendly name for the task.

Description Specifies some user‑friendly description about the task.

For this task to run successfully, make sure that the On-Demand Scanning option in the MOVE-AV [Multi-Platform] Offload Scan Server 3.6.0 policy is enabled.

6 Click Assign, specify the servers where you want to assign the task, then click OK.

7 Click 2 Schedule to schedule the task.

Configure deferred scan settings

The deferred scan feature optimizes file scanning for files whose previous scan timed out for reasons such as large file size, file structure, and file composition.

Before you begin

Make sure that you installed the MOVE‑AV-MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.

Whenever the previous scan times out, scanning of that file starts again with an increased or new time-out depending on the file size. You can configure this time-out value and the file size using the ePolicy Orchestrator server.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] Client 3.6.1 from the Product drop-down menu, then select General from the Category drop-down list.

3 Click New Policy or click the name of an existing policy to edit it.

4 Type a name for the new policy (for example, MOVE AV Server Policy), then click OK.

5 From the General tab on the Policy Settings page, click Show Advanced and configure these file size ranges and scan time-out values under Deferred Scan Settings, then click Save to commit your changes.

File size range Scan time-out

> 40 MB and <=200 MB 480 seconds

> 200 MB and <=4096 MB 900 seconds

> 4096 MB and above 1800 seconds

If the deferred scanning is incomplete after reaching the maximum time-out, access to the file is allowed.

These client notifications appear to the user at the client system for successful scanning or scan time-outs:

• Deferred scan completed for file <C:\Test\file name>. File is safe to access.

• Deferred scan is in progress for file <C:\Test\file name>. (A thread in svchost.exe process took 45 seconds for scanning. Hence, access denied.)

• Deferred scan is timed out for file <C:\Test\file name>. Hence, access allowed.


• Deferred scan failed for file <C:\Test\file name> due to some internal error. Hence, access denied.

• Deferred scan failed for file <C:\Test\file name>. Hence, access denied.

• Access Denied: Deferred scan is in progress for file <C:\Test\file name>.

• Deferred scan completed for file <C:\Test\file name>. File is not accessible.

• Deferred scan completed for file <C:\Test\file name>. File is deleted.

Enable and configure RAM disk

RAM disk is used by the OSS for file scanning and it significantly reduces the disk I/O on the offload scan server. You can enable the RAM disk option in the ePolicy Orchestrator server. RAM disk is created by the OSS and it improves the OSS performance by enhancing the scan time.

Before you begin

Make sure that you installed the MOVE‑AV‑MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Policy | Policy Catalog, select MOVE-AV [Multi-Platform] Offload Scan Server 3.6.1 from the Product drop-down menu, then select General from the Category drop-down list.

3 Click New Policy or click the name of an existing policy to edit it.

4 In the Scan Settings tab on the Policy Settings page, enable or disable RAM Disk Support.

By default, this option is enabled.

After enabling the RAM disk option on the ePolicy Orchestrator server, the RAM disk is created by the OSS.

On enabling the RAM disk support, the RAM disk is created when the service starts. The RAM disk size is calculated based on the total RAM size on the OSS.

Total RAM Size on OSS RAM disk size

Less than (4 GB–100 MB) 0 MB

Equal to (4 GB+100 MB) 100 MB

Greater than 4 GB+100 MB 50% of (RAM Size – 4 GB) + 100 MB

The RAM disk volume name is “mvram”. The RAM disk is deleted when the service starts.

You can view the RAM disk size and total scans on RAM disk from the OSS product properties. For details, see Report visibility and health of the offload scan server.


Scan diagnostics

You can run the scan diagnostic tool or use McAfee ePO to calculate and display frequently scanned files, extensions, processes, and VMs. You can use these results to exclude them from being scanned.

Create and run a scan diagnostic task using McAfee ePO

Select one or a group of offload scan servers from the System Tree and assign a client task to calculate and display frequently scanned files, extensions, processes, and VMs. You can include these results in the path exclusion policies to exclude them from being scanned.

Before you begin

Make sure that you installed the MOVE‑AV-MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Select Menu | Policy | Client Task Catalog.

3 From MOVE AV [Multi-Platform] Offload Scan Server 3.6.1 under Client Task Types, select Scan Diagnostic from ePO.

4 Click the name of an existing client task or click New Task and confirm the task type.

5 Configure these settings on each tab and click Save.

• Task Name — Specifies a unique user‑friendly name for the task.

• Description — Specifies some user‑friendly description about the task.

• Diagnosis Time — Specifies the time period, in minutes, set for calculating the frequently scanned files, for example, 1-10 minutes.

6 Click Assign, select one or a group of offload scan servers where you want to assign the task, then click OK.

7 Click 2 Schedule to schedule the task.

At the end of specified minutes, the McAfee ePO server completes the analysis and displays the results. The default allowed time limit is 10 minutes.

8 Click Menu | Reporting | Queries & Reports and select MOVE AV [Multi-Platform] Offload Scan Server under McAfee Groups to view and run these scan diagnostic queries:

• Top 10 Scanned File Extensions for each OSS — Lists the top 10 file extensions scanned by the offload scan server.

• Top 10 Scanned Files for each OSS — Lists the top 10 files scanned by the offload scan server.

• Top 10 Scanned Processes for each OSS — Lists the top 10 processes scanned by the offload scan server.

• Top 10 Scanned Virtual Machines for each OSS — Lists the top 10 virtual machines that are sending maximum scan and checksum requests.

This data is rolled over every 7 days.


Run the scan diagnostic tool using the command line

The scan diagnostic tool calculates and displays frequently scanned processes, files, extensions, and VMs. You can include these files in the path and process exclusion policies. These specified files are excluded from scans when they are written by a trusted process.

Before you begin

You must have administrator permissions to perform this task.

Access the offload scan server command-line interface (CLI) on the offload scan server virtual machine to create and display this report.

Task

1 Open the McAfee MOVE AV Offload Scan Server CLI: click Start | Programs | McAfee | MOVE AV Server command prompt.

This command prompt has administrator rights.

At this command prompt, you can type commands that activate the mvadm utility to perform administration tasks on the Offload Scan Server.

2 To calculate the frequently scanned files, run this command:

move_diagnose /T: <Time Window> /O: < Output File>

• T — The time period, in minutes, set for calculating the frequently scanned files. For example, 3 minutes.

• O — Full path of the output file for storing the results.


At the end of specified minutes, the tool completes the analysis and displays the results. The default allowed time limit is 10 minutes.

You can also change the time limit by configuring the registry settings in HKLM\System\CurrentControlSet\services\mvserver\Parameters\diagnostic\FrequentlyScanMaxTimeOutWindow

This diagnostic tool captures these details:

• Top 10 file scan requests

• Top 10 file extensions

• Top 10 processes

• Top 10 virtual machines that are sending maximum scan and checksum requests.

This tool can be used with 2.6 clients as well.


Communication between virtual machines and offload scan servers

The McAfee MOVE AV client and the offload scan server communicate through a specific port to isolate the communication channel.

To allow this communication to occur, the specific network port must be opened up on any firewalls between the systems.

By default, the Multi-Platform deployment option uses port 9053. This port is not generally used by other applications. If your network has other requirements, you can change this communication port by modifying the policy.

Secure communication between clients and the offload scan server by placing VMs on VLANs or by using the IPsec protocol suite. Both options impact product performance.

Change the offload scan server settings

You can modify the GTI file reputation and scan archive files, unwanted programs, and MIME files from the Scan Settings tab.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog.

3 From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1.

4 Click the Scan Settings tab, then select these options as needed:

To do this... Use these settings...

Scan files with an archive Select Scan Archive Files

Scan for unwanted programs Select Scan for Unwanted Programs

By default archive files aren't saved, so make sure that you scan for potentially unwanted programs (PUPS).

Scan for MIME files Select Scan MIME Files

Modify the GTI file reputation Select McAfee Global Threat Intelligence file reputation

Change the offload scan server port

The port used by the offload scan server can be changed after installation if your network environment requires that the Multi-Platform deployment option use a different port.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, then from the Product List select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1.

3 Click the name of an existing policy to edit it, then click the General tab.


4 Enter the corresponding server port number. Default is 9053.

5 From the ePolicy Orchestrator console, modify the policy assigned to the group of virtual machines using this offload scan server to reflect the new port number.

See the McAfee ePolicy Orchestrator Product Guide for details on modifying policies.

6 Perform an agent wake-up call to push the modified policy to appropriate virtual machines.

The offload scan server service restarts after you receive the modified policy port number.

McAfee MOVE AV Multi-Platform client alerts

McAfee MOVE AV Multi-Platform generates alerts when protection is enabled or disabled, when a file scan fails, or when a threat is detected.

These alerts can be displayed in any of three locations: the local system's Windows Event Log, the ePolicy Orchestrator Threat Event Log, or on the local system as a McAfee system tray pop-up menu.

You can configure these alerts by changing the policy.

Triggered events

McAfee MOVE AV Multi-Platform displays one of these messages when the triggering event occurs.

Threat events for clients

Event ID Level Event message

34260 High Threat Detected

34261 Medium Scan Time Out

34262 Low Protection Enabled

34263 Medium Protection Disabled

Threat events for Servers

Event ID Level Event message

34266 Info Offload Scan Server stopped.

34269 Info On-Demand scan started.

34270 Info On-Demand scan complete.

34271 Info On-Demand scan terminated. Scan time limit reached.

34272 Info On-Demand scant terminated. Scan disabled in policy.

34273 Info On-Demand scan terminated. Exceeded maximum number of concurrent scans.

34274 High On-Demand scan terminated. Scan failure on client.

34275 High On-Demand scan terminated. Unexpected termination.
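A triage pass over these event IDs, added here as an example (not McAfee code): it reports clients left in Protection Disabled, hosts with bursts of Scan Time Out (after a time-out the file becomes accessible), and abnormal on-demand scan endings. The (timestamp, host, event ID) tuples, host names, and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Event IDs and messages as listed in the two tables above.
PROTECTION_ENABLED, PROTECTION_DISABLED = 34262, 34263
SCAN_TIME_OUT = 34261
ODS_TERMINATED = {
    34271: "Scan time limit reached",
    34272: "Scan disabled in policy",
    34273: "Exceeded maximum number of concurrent scans",
    34274: "Scan failure on client",
    34275: "Unexpected termination",
}


def protection_gaps(events, now, max_gap=timedelta(minutes=15)):
    """Return (host, disabled_at, enabled_at or None) for every period a
    client stayed disabled longer than max_gap (assumed threshold)."""
    disabled_since, gaps = {}, []
    for ts, host, event_id in sorted(events):
        if event_id == PROTECTION_DISABLED:
            disabled_since.setdefault(host, ts)  # keep the earliest disable
        elif event_id == PROTECTION_ENABLED and host in disabled_since:
            start = disabled_since.pop(host)
            if ts - start > max_gap:
                gaps.append((host, start, ts))
    for host, start in sorted(disabled_since.items()):
        if now - start > max_gap:
            gaps.append((host, start, None))  # still disabled at `now`
    return gaps


def timeout_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {host: peak count} where at least `threshold` Scan Time Out
    events fall inside one sliding window."""
    stamps_by_host = {}
    for ts, host, event_id in sorted(events):
        if event_id == SCAN_TIME_OUT:
            stamps_by_host.setdefault(host, []).append(ts)
    bursts = {}
    for host, stamps in stamps_by_host.items():
        first = 0
        for last in range(len(stamps)):
            while stamps[last] - stamps[first] > window:
                first += 1
            count = last - first + 1
            if count >= threshold:
                bursts[host] = max(bursts.get(host, 0), count)
    return bursts


def ods_terminations(events):
    """Count abnormal on-demand scan endings per (host, reason)."""
    counts = {}
    for _ts, host, event_id in events:
        if event_id in ODS_TERMINATED:
            key = (host, ODS_TERMINATED[event_id])
            counts[key] = counts.get(key, 0) + 1
    return counts


def ts_at(hhmm):
    """Build a timestamp on the constructed sample day."""
    return datetime.strptime("2015-06-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample events: (timestamp, host, event ID).
SAMPLE_EVENTS = [
    (ts_at("09:00"), "vdi-01", 34263),
    (ts_at("09:05"), "vdi-01", 34262),  # re-enabled after 5 minutes
    (ts_at("09:10"), "vdi-02", 34263),  # never re-enabled
    (ts_at("09:20"), "vdi-03", 34261),
    (ts_at("09:22"), "vdi-03", 34261),
    (ts_at("09:27"), "vdi-03", 34261),
    (ts_at("09:50"), "vdi-03", 34261),
    (ts_at("10:00"), "oss-01", 34271),
    (ts_at("10:30"), "oss-01", 34271),
    (ts_at("10:45"), "oss-01", 34275),
]

if __name__ == "__main__":
    print(protection_gaps(SAMPLE_EVENTS, now=ts_at("11:00")))
    print(timeout_bursts(SAMPLE_EVENTS))
    print(ods_terminations(SAMPLE_EVENTS))
```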

Change the client alert behavior

The default alert locations can be modified to suit your organizational policies.

By default, McAfee MOVE AV Multi-Platform displays alerts in the local system's Windows Event Log, and the ePolicy Orchestrator threat event log. Alert notification locations can be changed by modifying the McAfee MOVE AV Multi-Platform policy.


Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client 3.6.1.

3 Click the name of an existing policy to edit it, then click the Alerts tab.

4 Change the threat alert behavior by selecting or deselecting these locations:

• Malware detections are reported to the client event log

• Malware detection events are sent to ePolicy Orchestrator

• Malware detections result in a pop-up on the client

5 Click Save to modify the policy.

The modified policy is applied after the next agent-server communication interval. If you want the policy applied immediately, perform an agent wake-up call on the systems where the newly modified policy is assigned.

Change the offload scan server alert behavior

The default alert locations can be modified to suit your organizational policies.

By default, McAfee MOVE AV Multi-Platform displays alerts in the local system's Windows Event Log, and the ePolicy Orchestrator threat event log. Alert notification locations can be changed by modifying the McAfee MOVE AV Multi-Platform policy.

Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Offload Scan Server 3.6.1.

3 Click the name of an existing policy to edit it, then click the Alerts tab.

4 Change the threat alert behavior by selecting or deselecting these options:

• Offload Scan Server events are reported to the Windows Event Log

• Offload Scan Server events are sent to ePolicy Orchestrator

5 Click Save to modify the policy.

The modified policy is applied after the next agent-server communication interval. If you want the policy applied immediately, perform an agent wake-up call on the systems where the newly modified policy is assigned.

Self-protection

The self-protection feature defends files, services, and registry keys on virtual machines. Use the VirusScan Enterprise access protection rules for self-protection of the offload scan server.

The self-protection feature prevents malicious attacks on MOVE AV Multi-Platform components. This keeps your virus protection active and stable.


Protection type Protection effects

File protection These files and all parent folders are protected against deletion and renaming.

• <install_dir>\mvadm.exe

• <install_dir>\mvagtsvc.exe

• <install_dir>\mvagntpl.dll

• <install_dir>\mvmctraypl.dll

• <install_dir>\passwd

Registry protection These registry keys, all subkeys, and all values under them are protected.

• services\mvagtdrv

• services\mvagtsvc

• services\EventLog\Application\MOVE AV client

All parent keys starting from services are protected from deletion and rename.

Service stop protection The mvagtsvc service cannot be stopped.

The self-protection feature is controlled by the IntegrityEnabled configuration parameter. By default, the parameter is set to 0x7, and all components of the feature are enabled.

The configuration parameter accepts values from 0–7, which is a decimal representation of a 3-bit binary value.

Decimal value Binary value Definition

0 000 Protection disabled

1 001 File protection

2 010 Registry protection

3 011 File and registry protection

4 100 Service protection

5 101 Service and file protection

6 110 Service and registry protection

7 111 Service, registry, and file protection

For example, to enable file and registry protection, set the parameter to 3 (0b011) with this command:

mvadm config set IntegrityEnabled=3

To enable file and Service stop protection, but not registry protection, set the parameter to 5 (0b101) with this command:

mvadm config set IntegrityEnabled=5

To disable the self-protection feature, set the parameter to 0 with this command:

mvadm config set IntegrityEnabled=0


When Service stop protection is enabled (by setting the highest bit to 1), the mvagtsvc service does not accept stop commands. File protection and registry protection require the agent driver be loaded, but service stop protection does not. Use these commands to load or unload the driver.

mvadm enable

mvadm disable

McAfee MOVE AV Multi-Platform Offload Scan Server

We recommend using the following VirusScan Enterprise access protection rules for self-protection of the offload scan server. These must be configured manually after installation.

Protection type Protection effects

File protection (via VirusScan Enterprise access protection) Create a File/Folder Access Protection Rule that excludes the mvserver.exe process, and blocks the C:\Program Files (x86)\McAfee\MOVE AV Server\** folder. Set File actions to prevent to Write access to files, New files being created and Files being deleted.

See McAfee VirusScan Enterprise Product Guide for details.

Registry protection (VirusScan Enterprise access protection) These registry keys and all keys and values under them must be protected:

• HKCCS/Services/mvserver

• HKCCS/Services/mvserver/Parameters

• HKCCS/Services/mvserver/Parameters/ODS


A Client command-line interface reference

You can access the McAfee MOVE AV Multi-Platform client command-line interface (CLI) on the agent virtual machine to perform basic maintenance tasks.

The CLI is a series of commands that you can issue to the mvadm utility. Each command has arguments that can be appended to the command to modify its behavior. This reference lists each command in mvadm, and all argument variations.

Contents

• Access the CLI

• Password protected CLI

Access the CLI

A shortcut to the McAfee MOVE AV Multi-Platform command-line interface (CLI) is added to the Windows Start menu during installation.

• Open the McAfee MOVE AV Multi-Platform CLI: click Start | Programs | McAfee | MOVE AV Client Command Prompt.

This command prompt has administrator rights.

At this command prompt, you can type commands that activate the mvadm utility to perform administration tasks on the virtual machine.

config

Use the config command to display and edit the configuration settings that are applied to the current installation.

mvadm config set NAME=VALUE

mvadm config show

Arguments Description

set NAME=VALUE Sets the value of the configuration setting NAME to VALUE.

show Lists the configuration settings.

| Parameter | Value | Description |
|---|---|---|
| AllowNetworkScan | 0 (off) or 1 (on). Defaults to 0. | Enables or disables scanning of files residing on a network path. |
| ConnTimeout | A positive integer value. Defaults to 0 (no timeout). | Sets the connection timeout in milliseconds. |
| EventSink | An integer between 0 (no notifications) and 14 (all notifications). Defaults to 14. | Determines where threat events are sent. The total combines the values for Windows Event Viewer log (2), ePolicy Orchestrator Threat Event Log (4), and McAfee system tray pop-up menu (8). |
| IntegrityEnabled | An integer between 0 (no self-protection) and 7 representing a binary value. Defaults to 7 (all self-protections). | Determines the active self-protections. The total combines the values for file (1), registry (2), and services (4). |
| LogFileNum | A positive integer value. Defaults to 4. | Limits the number of log files allowed before they are rotated. |
| LogFileSize | An integer greater than 1024. Defaults to 2048. | Limits the size (in KB) of an individual log file. |
| MaxFileSize | A positive integer value. Defaults to 40. | Limits the size (in MB) of files where scan results are cached. Files up to this size are transferred completely to the offload scan server for scanning. |
| QuarantineEnabled | 0 (off) or 1 (on). Defaults to 1. | Enables or disables quarantine services. |
| QuarantineFolder | A valid file path. Defaults to C:\Quarantine. | Determines where quarantined files are stored. Cannot be a mapped network drive or UNC file path. |
| QuarantineDays | A positive integer. Defaults to 28. | Determines the number of days quarantined files are stored before being deleted. Submitting a 0 turns off quarantined file deletion. |
| RTEMode | 0 (off) or 1 (on). Defaults to 0. | Indicates protection status on the virtual machine. This value cannot be changed through the config command. |
| ScanAllFileTypes | 0 (specific extensions) or 1 (all files). Defaults to 1. | Determines whether to scan all files or only specific extensions. |
| ScanFlags | An integer between 0 (no operations scanned) and 7 representing a binary value. Defaults to 7 (all operations scanned). | Determines which operations trigger scanning. The total combines the values for Read (1), Write (2), and Backup (4). |
| ScanTimeout | A positive integer. Defaults to 45000. | Limits the time (in milliseconds) allowed for file scans after which the file can be accessed. |
| ServerAddress1 | An IPv4 address or FQDN. No default. | Specifies the IPv4 address or FQDN of the primary offload scan server used by the virtual machine. |
| ServerAddress2 | An IPv4 address or FQDN. No default. | Specifies the IPv4 address or FQDN of the secondary offload scan server used by the virtual machine. |
| ServerPort1 | Between 1024 and 65535. Defaults to 9053. | Specifies the port used to communicate with the primary offload scan server. |
| ServerPort2 | Between 1024 and 65535. Defaults to 9053. | Specifies the port used to communicate with the secondary offload scan server. |
| ThreatAction1 | 0 (delete) or 1 (deny access). Defaults to 0. | Determines the primary action taken when a threat is detected. |
| ThreatAction2 | 0 (delete) or 1 (deny access). Defaults to 1. | Determines the secondary action taken when a threat is detected. |
| SVAManagerAddress | An IPv4 address or FQDN. No default. | Specifies the IPv4 address or FQDN of the SVA Manager. |
| SVAManagerPort | Between 1024 and 65535. Defaults to 8080. | Specifies the port used to communicate with SVA Manager. |
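An offline check of client settings against the ranges in the table above and the IntegrityEnabled bit values from the Self-protection section, added here as an example (not McAfee code). It assumes one NAME=VALUE pair per line, a layout the guide does not specify for mvadm config show output; the sample values and the baseline of bits that should stay on are also assumptions.

```python
# Bit meanings as given in the parameter table.
BITFIELDS = {
    "IntegrityEnabled": {1: "file", 2: "registry", 4: "services"},
    "EventSink": {2: "Windows Event Viewer log", 4: "ePO Threat Event Log",
                  8: "system tray pop-up"},
    "ScanFlags": {1: "Read", 2: "Write", 4: "Backup"},
}
# Documented (low, high) ranges; None means no documented upper bound.
RANGES = {
    "IntegrityEnabled": (0, 7), "EventSink": (0, 14), "ScanFlags": (0, 7),
    "AllowNetworkScan": (0, 1), "QuarantineEnabled": (0, 1),
    "ScanAllFileTypes": (0, 1), "ThreatAction1": (0, 1), "ThreatAction2": (0, 1),
    "ServerPort1": (1024, 65535), "ServerPort2": (1024, 65535),
    "SVAManagerPort": (1024, 65535), "LogFileSize": (1025, None),
}
# Assumed baseline for this example: bits or values that should stay on.
BASELINE = {"IntegrityEnabled": 7, "ScanFlags": 7, "EventSink": 6,
            "QuarantineEnabled": 1, "ScanAllFileTypes": 1}


def parse_config(text):
    """Parse NAME=VALUE lines (assumed layout) into a dict of strings."""
    settings = {}
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition("=")
        if sep and name.strip():
            settings[name.strip()] = value.strip()
    return settings


def to_int(raw):
    """Accept decimal or 0x-prefixed values, as in the guide's 0x7."""
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)


def decode_bits(name, value):
    """Names of the options switched on in a bit-field value."""
    return [label for bit, label in sorted(BITFIELDS[name].items()) if value & bit]


def audit(settings):
    """Return (name, kind, detail) findings; kind is 'invalid' or 'weakened'."""
    findings = []
    for name, raw in settings.items():
        if name == "QuarantineFolder":
            if raw.startswith("\\\\"):  # UNC paths are not allowed
                findings.append((name, "invalid", "UNC path not allowed"))
            continue
        if name not in RANGES:
            continue
        try:
            value = to_int(raw)
        except ValueError:
            findings.append((name, "invalid", "not an integer: " + raw))
            continue
        low, high = RANGES[name]
        if value < low or (high is not None and value > high):
            findings.append((name, "invalid", "%d is out of range" % value))
            continue
        want = BASELINE.get(name)
        if want is None:
            continue
        if name in BITFIELDS:
            off = [label for bit, label in sorted(BITFIELDS[name].items())
                   if want & bit and not value & bit]
            if off:
                findings.append((name, "weakened", "off: " + ", ".join(off)))
        elif value != want:
            findings.append((name, "weakened",
                             "set to %d, baseline %d" % (value, want)))
    return findings


# Constructed sample, not captured from a real client.
SAMPLE_CONFIG = r"""
IntegrityEnabled=5
EventSink=8
ScanFlags=0x7
ServerPort1=9053
ServerPort2=443
QuarantineEnabled=1
QuarantineFolder=\\fileserver\quarantine
ScanAllFileTypes=0
"""

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("%-18s %-9s %s" % finding)
```

A mapped network drive for QuarantineFolder cannot be detected from the text alone, so only the UNC case is checked.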

disable

Use the disable command to disable the McAfee MOVE AV client on the virtual machine.

mvadm disable

Arguments Description

default Disables the McAfee MOVE AV client on the virtual machine.

This command removes virus protection from the virtual machine.

enable

Use the enable command to enable the McAfee MOVE AV client on the virtual machine.

mvadm enable

Arguments Description

default Enables the McAfee MOVE AV client. This restores virus protection to the virtual machine.

ftypes

Use the ftypes command to display and edit the list of file extensions to be sent for anti-virus scanning.

mvadm ftypes add extn

mvadm ftypes remove extn

mvadm ftypes list

Wildcards are not supported by the ftypes command, and extensions must be an exact match. Issuing an mvadm ftypes add doc command does not cause .DOCX files to be scanned.

Arguments Description

add extn Causes the files with extension extn to be included for anti-virus scanning.

remove extn Removes the files with extension extn from the list of files to be included for anti-virus scanning.

list Lists the file extensions to be included for anti-virus scanning.


help

Use the help command to display usage information for the mvadm utility.

mvadm help

mvadm help command

Arguments Description

default Lists the summary description for the McAfee MOVE AV client CLI commands.

command Lists the detailed help for the provided command.

loglevel

Use the loglevel command to view and edit the log level of the McAfee MOVE AV client modules.

mvadm loglevel

mvadm loglevel enable {MODULE_NAME | ALL} {TYPES... | ALL}

mvadm loglevel disable {MODULE_NAME | ALL} {TYPES... | ALL}

Arguments Description

default Lists the current log level of each module that is part of the McAfee MOVE AV client. Use this form to get a full list of modules for use with other forms of the loglevel command.

enable {MODULE_NAME | ALL} {TYPES... | ALL} Sets the log level for module MODULE_NAME or all modules to the specified log level types or to all types.

disable {MODULE_NAME | ALL} {TYPES... | ALL} Clears the specified log level types or all types for module MODULE_NAME or for all modules.

These are the supported log level types:

• Error

• Warning

• System

• Info

• Detail

• Fnentry

• Fnexit

pp

Use the pp command to specify trusted processes. All files acted upon by a trusted process are excluded from scans.

The process passthru rule supports these path formats:

• Just the process name, for example: xyz.exe

• Partial path, for example: abc\xyz.exe

• Complete path, for example: C:\abc\xyz.exe

• Windows path, for example: %windir%\abc\xyz.exe


Note these points while using the pp command to specify trusted processes:

• If %abc% does not resolve, skip it from the list.

• This format is only valid from McAfee ePO.

• This resolves the path with respect to the system user.

mvadm pp list

mvadm pp add <process path>

mvadm pp remove <process path>

mvadm pp set <process path>

Arguments Description

list Displays a list of all trusted processes.

add <process image path> Adds the specified process (or processes) as a trusted process. As an example:

mvadm pp add userprofilemanager.exe

All files acted upon by the userprofilemanager.exe file are excluded from the scan.

remove <process image path> Removes the specified process (or processes) as a trusted process.

set <process image path> Removes all existing trusted processes and adds the specified process (or processes) as trusted processes.
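The four path formats and the note about unresolved variables, as an added example that is not part of the product guide: it classifies trusted-process rules by format, expands %VAR% references against a supplied environment, and lists the least specific rules first for review. The rule list, the tool.exe entry and the environment mapping are constructed; the guide does not show the output format of mvadm pp list, so rules are passed in as plain strings.

```python
import re

ENV_REF = re.compile(r"%([^%\\]+)%")   # a %VAR% reference
DRIVE = re.compile(r"^[A-Za-z]:\\")    # a path that starts with a drive letter

# Review order used by this example: rules that pin down less of the path come first.
REVIEW_ORDER = {"process name": 0, "partial path": 1,
                "windows path": 2, "complete path": 3}

# Constructed input: the guide's own sample rules plus one unresolvable variable.
SAMPLE_RULES = [r"C:\abc\xyz.exe", r"%windir%\abc\xyz.exe", "xyz.exe",
                r"abc\xyz.exe", r"%abc%\tool.exe"]
# Constructed environment standing in for the system user's variables.
SYSTEM_ENV = {"windir": r"C:\Windows"}


def classify(rule):
    """Map a pp rule to one of the four path formats the guide lists."""
    if ENV_REF.search(rule):
        return "windows path"
    if DRIVE.match(rule):
        return "complete path"
    if "\\" in rule:
        return "partial path"
    return "process name"


def expand(rule, env):
    """Resolve %VAR% references case-insensitively; None if any is undefined."""
    lookup = {name.lower(): value for name, value in env.items()}
    missing = []

    def substitute(match):
        value = lookup.get(match.group(1).lower())
        if value is None:
            missing.append(match.group(1))
            return match.group(0)
        return value

    resolved = ENV_REF.sub(substitute, rule)
    return None if missing else resolved


def audit(rules, env):
    """Return one row per rule, least specific format first."""
    rows = []
    for rule in rules:
        kind = classify(rule)
        resolved = expand(rule, env) if kind == "windows path" else rule
        rows.append({"rule": rule, "format": kind,
                     "resolved": resolved, "skipped": resolved is None})
    return sorted(rows, key=lambda row: REVIEW_ORDER[row["format"]])


if __name__ == "__main__":
    for row in audit(SAMPLE_RULES, SYSTEM_ENV):
        state = "SKIPPED (unresolved)" if row["skipped"] else row["resolved"]
        print(f'{row["format"]:13} {row["rule"]:24} {state}')
```
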

q

Use the q command to change McAfee MOVE AV Multi-Platform quarantine behavior.

mvadm q list

mvadm q restore <detected as>

mvadm q remove <detected as>

Arguments Description

list Lists the currently quarantined files and their detection type.

restore <detected as> Restores all .VIR files from the currently configured quarantine folder with the specified <detected as> category.

remove <detected as> Deletes all .VIR files from the currently configured quarantine folder with the specified <detected as> category.

status

Use the status command to display the current state of the McAfee MOVE AV client in terms of operational mode (enabled or disabled) and its McAfee MOVE AV Multi-Platform offload scan server details.

mvadm status


Arguments Description

default Lists the current McAfee MOVE AV client status.

Example

C:\Program Files\McAfee\MOVE AV client>mvadm status
Scan Configuration: Enabled
Driver Status: Driver is loaded
Primary Server: 10.216.19.210:9053 [Active]
Secondary Server: NONE:9053 [Not Configured]
SVA Manager: 10.216.19.154:8080 [Connecting]
Protection Status: Enabled
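A health check built on the status output above, as an added example rather than McAfee's own tooling: it parses the fields and reports every state that needs attention. The severity given to each field is an assumption of this example, and only the states that appear in the guide's example output are recognised.

```python
import re

# Output copied from the guide's example, prompt line included.
SAMPLE_STATUS = r"""C:\Program Files\McAfee\MOVE AV client>mvadm status
Scan Configuration: Enabled
Driver Status: Driver is loaded
Primary Server: 10.216.19.210:9053 [Active]
Secondary Server: NONE:9053 [Not Configured]
SVA Manager: 10.216.19.154:8080 [Connecting]
Protection Status: Enabled
"""

# "Field: value" needs a space after the colon, so the "C:\...>" prompt is ignored.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s+(.+)$")
# "host:port [State]" as printed for the servers and the SVA Manager.
ENDPOINT = re.compile(r"^(?P<host>\S+):(?P<port>\d+)\s+\[(?P<state>[^\]]+)\]$")

OK_STATES = {"Active"}
ATTENTION_STATES = {"Not Configured", "Connecting"}
# Severity per endpoint is this example's choice, not something the product defines.
ROLES = {"Primary Server": "critical", "Secondary Server": "warning",
         "SVA Manager": "warning"}
EXPECTED = {"Scan Configuration": "Enabled", "Driver Status": "Driver is loaded",
            "Protection Status": "Enabled"}


def parse_status(text):
    """Return {field: value}; endpoint values become host/port/state dicts."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line.strip())
        if not match:
            continue
        name, value = match.group(1), match.group(2)
        endpoint = ENDPOINT.match(value)
        fields[name] = endpoint.groupdict() if endpoint else value
    return fields


def health_findings(fields):
    """Return (severity, message) pairs for every state that needs attention."""
    findings = []
    for name, want in EXPECTED.items():
        got = fields.get(name, "missing")
        if got != want:
            findings.append(("critical", f"{name}: {got}"))
    for name, severity in ROLES.items():
        ep = fields.get(name)
        if not isinstance(ep, dict):
            findings.append((severity, f"{name}: line missing or unparsed"))
        elif ep["state"] in OK_STATES:
            continue
        elif ep["state"] in ATTENTION_STATES:
            findings.append((severity, f"{name}: {ep['host']}:{ep['port']} is {ep['state']}"))
        else:
            findings.append(("review", f"{name}: unrecognised state {ep['state']}"))
    return findings


if __name__ == "__main__":
    for severity, message in health_findings(parse_status(SAMPLE_STATUS)):
        print(f"{severity:8} {message}")
```
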

version

Use the version command to display the version of the McAfee MOVE AV client installed on the virtual machine.

mvadm version

Arguments Description

default Displays the version of the McAfee MOVE AV client installed on the virtual machine. This is most useful for verifying that an upgrade operation is complete, or checking if an upgrade is needed.

Password protected CLI

Set the password protection through the client policy to prevent users from changing the AV settings, or disabling the AV protection.

After setting the password, type the password to execute any of these commands on the clients' mvadm CLI.

• config

• disable

• enable

• filetypes

• procpassthru

• loglevel

Set password for client CLI

Specify the password in the ePolicy Orchestrator server to prevent users from changing the AV settings, or disabling the AV protection on the client.

Before you begin

Make sure that you installed the MOVE‑AV‑MP_Ext_3.6.1_Licensed.zip extension into McAfee ePO.


Task

For option definitions, click ? in the interface.

1 Log on to McAfee ePO as an administrator.

2 From the ePolicy Orchestrator console, click Menu | Policy | Policy Catalog, then from the Product list select MOVE-AV [Multi-Platform] Client 3.6.1.

3 Click the name of an existing policy to edit it, then click the General tab.

4 Type the password in Local CLI Access Password, then retype it in Confirm Password.

5 Click Save to modify the policy.

You can now verify on the client system that the commands are password-protected.


B Server command-line interface reference

You can access the command-line interface (CLI) on the offload scan server virtual machine to perform basic maintenance tasks.

The CLI is a series of commands that you can issue to the mvadm utility. Each command has arguments that can be appended to the command to modify the command's behavior. This reference lists each command in mvadm, and all argument variations.

Access the CLI

A shortcut to the command-line interface (CLI) for the offload scan server is added to the Windows Start menu during installation.

Task

• Open the McAfee MOVE AV Offload Scan Server CLI: click Start | Programs | McAfee | MOVE AV Server Command Prompt.

This command prompt has administrator rights.

At this command prompt, you can type commands that activate the mvadm utility to perform administration tasks on the offload scan server.

cache

Use the cache command to perform operations on the Offload Scan Server's scan cache.

mvadm cache save cfilename

mvadm cache load cfilename

mvadm cache list

mvadm cache flush

mvadm cache info

Arguments Description

save cfilename Save the current set of checksums from the trusted checksum cache to the file cfilename.

load cfilename Load the checksums from file cfilename to the trusted checksum cache.

list List the checksums available in the trusted checksum cache.


flush Remove all checksums from the trusted checksum cache.

info Print details of the trusted checksum cache.

config

Use the config command to display and edit the configuration settings that are applied to the current installation.

mvadm config set NAME=VALUE

mvadm config show

Arguments Description

set NAME=VALUE Sets the value of the configuration setting NAME to VALUE.

show Lists the configuration settings.

Parameters Value Description

ComputeCksum 0 (server) or 1 (client). Defaults to 1. Determines whether to use the server-computed checksum of the file or the checksum sent by the McAfee MOVE AV client.

ConnTimeout A positive integer value. Defaults to 0 (no timeout). Sets the connection timeout in milliseconds.

GTILevel Between 0 (disabled) and 5 (Very High). Defaults to 1 (Very Low). Sets the Global Threat Intelligence level.

IntegrityEnabled 0 (off) or 1 (on). Defaults to 1. Enables or disables the self-protection feature.

LogFileNum A positive integer value. Defaults to 4. Limits the number of log files allowed before they are rotated.

LogFileSize An integer greater than 1024. Defaults to 2048. Limits the size (in KB) of an individual log file.

MaxCacheItems A positive integer value. Defaults to 1,000,000. Limits the number of items that can exist in the cache.

NumThreads Between 0 and 500. Defaults to 300. Limits the number of available scan request threads.

ScanArchiveFiles 0 (off) or 1 (on). Defaults to 0. Enables or disables scanning inside archive files.

ScanPUPS 0 (off) or 1 (on). Defaults to 0. Enables or disables checking for potentially unwanted programs (PUPs). Scan behavior is determined by VirusScan Enterprise settings.

ServerPort1 Between 1024 and 65535. Defaults to 9053. Determines the port on which the server listens for client requests.

SVAManagerAddress An IPv4 address or FQDN. No default. Specifies the IPv4 address or FQDN of the SVA Manager.

SVAManagerPort Between 1024 and 65535. Defaults to 8080. Specifies the port used to communicate with SVA Manager.

RAMDiskEnabled 1 (0x1) Enables or disables the RAM disk option.

MaxNumClients 250 (0xf4240) Maximum number of clients, which can be connected to the OSS.

OSSGUID <GUID> Unique GUID required to register it to SVA Manager.


help

Use the help command to display usage information for the mvadm utility.

mvadm help

mvadm help command

Arguments Description

default Lists the summary description for the McAfee MOVE AV Offload Scan Server CLI commands.

command Lists the detailed help for command command.

loglevel

Use the loglevel command to view and edit the log level of the McAfee MOVE AV Offload Scan Server modules.

mvadm loglevel

mvadm loglevel enable {MODULE_NAME | ALL} {TYPES... | ALL}

mvadm loglevel disable {MODULE_NAME | ALL} {TYPES... | ALL}

Arguments Description

default Lists the current log level of each module in the McAfee MOVE AV Offload Scan Server. Use this form to get a full list of modules for use with the other forms of the loglevel command.

enable {MODULE_NAME | ALL} {TYPES... | ALL} Sets the log level for module MODULE_NAME or all modules to the specified log level types or to all types.

disable {MODULE_NAME | ALL} {TYPES... | ALL} Clears the specified log level types or all types for MODULE_NAME or for all modules.

These are the supported log level types:

• Error

• Warning

• System

• Info

• Detail

• Fnentry

• Fnexit

stats

Use the stats command to display the current statistics of the McAfee MOVE AV offload scan server.

mvadm stats

Arguments Description

default Displays current usage and performance statistics for the McAfee MOVE AV offload scan server. The statistics are collected in real time, and the displayed data is a snapshot of the information at the time the command was invoked. The full list of reported statistics is shown in the example output.


Example output

C:\>mvadm stats
Total number of cksum req: 13125
Total number of file transfer req: 11825
Total number of smart file req: 14
Total number of scans on RAM disk: 11825
Cksum cache hit: 1300
Total av scan req: 11825
Total av scan failure: 0
Data recv failure: 0
Resp send failure: 0
Total scan threads: 300
Total heart beat threads: 0
Total idle threads: 300
Number of requests in queue: 0
Number of items in cache: 0
Avg request process time: 0.045183 sec
Avg request wait time: 0.000000 sec
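Derived metrics from the stats snapshot above, as an added example that is not part of the product guide: it turns the counters into a cache hit ratio, a scan failure ratio and a thread utilisation figure, then raises alerts against thresholds. The thresholds, the metric names and the reading of busy threads as scan threads minus idle threads are assumptions of this example.

```python
import re

# Output copied from the guide's example, prompt line included.
SAMPLE_STATS = r"""C:\>mvadm stats
Total number of cksum req: 13125
Total number of file transfer req: 11825
Total number of smart file req: 14
Total number of scans on RAM disk: 11825
Cksum cache hit: 1300
Total av scan req: 11825
Total av scan failure: 0
Data recv failure: 0
Resp send failure: 0
Total scan threads: 300
Total heart beat threads: 0
Total idle threads: 300
Number of requests in queue: 0
Number of items in cache: 0
Avg request process time: 0.045183 sec
Avg request wait time: 0.000000 sec
"""

# "Name: number" with an optional "sec" unit; the prompt line does not match.
LINE = re.compile(r"^(.+?):\s+([\d.]+)(?:\s+sec)?$")


def parse_stats(text):
    """Return {counter name: int or float} for every counter line."""
    stats = {}
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match:
            raw = match.group(2)
            stats[match.group(1)] = float(raw) if "." in raw else int(raw)
    return stats


def ratio(part, whole):
    """Divide, returning 0.0 when the denominator is zero (fresh server)."""
    return part / whole if whole else 0.0


def derive(stats):
    """Compute the metrics this example alerts on."""
    busy = stats["Total scan threads"] - stats["Total idle threads"]  # assumed meaning
    return {
        "cache_hit_ratio": ratio(stats["Cksum cache hit"], stats["Total number of cksum req"]),
        "scan_failure_ratio": ratio(stats["Total av scan failure"], stats["Total av scan req"]),
        "transport_failures": stats["Data recv failure"] + stats["Resp send failure"],
        "thread_utilisation": ratio(busy, stats["Total scan threads"]),
        "queued": stats["Number of requests in queue"],
    }


def alerts(metrics, max_failure_ratio=0.01, max_utilisation=0.9):
    """Return alert strings; both thresholds are assumed starting points."""
    out = []
    if metrics["scan_failure_ratio"] > max_failure_ratio:
        out.append(f"scan failures at {metrics['scan_failure_ratio']:.1%}")
    if metrics["transport_failures"]:
        out.append(f"{metrics['transport_failures']} receive/send failures")
    if metrics["thread_utilisation"] >= max_utilisation and metrics["queued"] > 0:
        out.append(f"threads saturated with {metrics['queued']} requests queued")
    return out
```
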

version

Use the version command to display the version of the McAfee MOVE AV offload scan server application installed on the server virtual machine.

mvadm version

Arguments Description

default Displays the version number of the McAfee MOVE AV offload scan server. This is most useful for verifying that an update has completed successfully, or checking if an update is needed.


C Install the offload scan server

Here are the steps for installing the offload scan server.

Before you begin

• A copy of the McAfee MOVE AV Multi-Platform offload scan server installation file (MOVE‑AV_Server_Setup_x86.exe) must be accessible to the virtual machine where you want to install the McAfee MOVE AV Multi-Platform offload scan server.

• VirusScan Enterprise 8.8 must be installed on the virtual server.

Task

For option definitions, click ? in the interface.

1 Run the McAfee MOVE AV offload scan server installation file (MOVE‑AV_Offload_Server_Setup_x86.exe) from the folder where you downloaded the file.

McAfee recommends that you run the installation with elevated rights.

2 Read the license agreement, select Accept license agreement, then click Next.

3 Enter the user name and organization, then click Next.

4 Specify the preferred port where the MOVE AV Server service listens, then click Next.

By default, the service is configured to listen on port 9053.

The installer automatically makes an exception entry in the Windows Firewall settings on the McAfee MOVE AV offload scan server to allow communication on the specified port. If another firewall product is being used, configure it manually to allow communication on this port.

5 Select the Global Threat Intelligence (GTI) level.

This setting can be changed after installation using the McAfee MOVE AV offload scan server command-line interface (CLI). GTI is also known as Artemis, and more information on Artemis can be found in the McAfee VirusScan Enterprise Product Guide.

6 Verify the installation settings, then click Install.

7 Verify the installation:

• Confirm that the MOVE AV Server service is running from the Services control panel.

• Confirm the following CLI access menu option has been added to the Windows Start menu: Start | Programs | McAfee | MOVE AV Server Command Prompt.

