lsh 13 config guide - McAfee

Page 1

Configuration Guide

LinuxShield™

version 1.5

McAfee® System Protection
Industry-leading intrusion prevention solutions

Page 2

COPYRIGHT

Copyright © 2007 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions

This product includes or may include:

• Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
• Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
• Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
• Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
• Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier.
• Software written by Douglas W. Sauder.
• Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
• International Components for Unicode ("ICU") Copyright ©1995-2002 International Business Machines Corporation and others.
• Software developed by CrystalClear Software, Inc., Copyright ©2000 CrystalClear Software, Inc.
• FEAD® Optimizer® technology, Copyright Netopsystems AG, Berlin, Germany.
• Outside In® Viewer Technology ©1992-2001 Stellent Chicago, Inc. and/or Outside In® HTML Export, © 2001 Stellent Chicago, Inc.
• Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, © 1998, 1999, 2000.
• Software copyrighted by Expat maintainers.
• Software copyrighted by The Regents of the University of California, © 1996, 1989, 1998-2000.
• Software copyrighted by Gunnar Ritter.
• Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., © 2003.
• Software copyrighted by Gisle Aas. © 1995-2003.
• Software copyrighted by Michael A. Chase, © 1999-2000.
• Software copyrighted by Neil Winton, ©1995-1996.
• Software copyrighted by RSA Data Security, Inc., © 1990-1992.
• Software copyrighted by Sean M. Burke, © 1999, 2000.
• Software copyrighted by Martijn Koster, © 1995.
• Software copyrighted by Brad Appleton, © 1996-1999.
• Software copyrighted by Michael G. Schwern, ©2001.
• Software copyrighted by Graham Barr, © 1998.
• Software copyrighted by Larry Wall and Clark Cooper, © 1998-2000.
• Software copyrighted by Frodo Looijaard, © 1997.
• Software copyrighted by the Python Software Foundation, Copyright © 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.
• Software copyrighted by Beman Dawes, © 1994-1999, 2002.
• Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek © 1997-2000 University of Notre Dame.
• Software copyrighted by Simone Bordet & Marco Cravero, © 2002.
• Software copyrighted by Stephen Purcell, © 2001.
• Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
• Software copyrighted by International Business Machines Corporation and others, © 1995-2003.
• Software developed by the University of California, Berkeley and its contributors.
• Software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/).
• Software copyrighted by Kevlin Henney, © 2000-2002.
• Software copyrighted by Peter Dimov and Multi Media Ltd. © 2001, 2002.
• Software copyrighted by David Abrahams, © 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation.
• Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, © 2000.
• Software copyrighted by Boost.org, © 1999-2002.
• Software copyrighted by Nicolai M. Josuttis, © 1999.
• Software copyrighted by Jeremy Siek, © 1999-2001.
• Software copyrighted by Daryle Walker, © 2001.
• Software copyrighted by Chuck Allison and Jeremy Siek, © 2001, 2002.
• Software copyrighted by Samuel Krempp, © 2001. See http://www.boost.org for updates, documentation, and revision history.
• Software copyrighted by Doug Gregor ([email protected]), © 2001, 2002.
• Software copyrighted by Cadenza New Zealand Ltd., © 2000.
• Software copyrighted by Jens Maurer, ©2000, 2001.
• Software copyrighted by Jaakko Järvi ([email protected]), ©1999, 2000.
• Software copyrighted by Ronald Garcia, © 2002.
• Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, ©1999-2001.
• Software copyrighted by Stephen Cleary ([email protected]), ©2000.
• Software copyrighted by Housemarque Oy <http://www.housemarque.com>, © 2001.
• Software copyrighted by Paul Moore, © 1999.
• Software copyrighted by Dr. John Maddock, © 1998-2002.
• Software copyrighted by Greg Colvin and Beman Dawes, © 1998, 1999.
• Software copyrighted by Peter Dimov, © 2001, 2002.
• Software copyrighted by Jeremy Siek and John R. Bandela, © 2001.
• Software copyrighted by Joerg Walter and Mathias Koch, © 2000-2002.
• Software copyrighted by Carnegie Mellon University © 1989, 1991, 1992.
• Software copyrighted by Cambridge Broadband Ltd., © 2001-2003.
• Software copyrighted by Sparta, Inc., © 2003-2004.
• Software copyrighted by Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, © 2004.
• Software copyrighted by Simon Josefsson, © 2003.
• Software copyrighted by Thomas Jacob, © 2003-2004.
• Software copyrighted by Advanced Software Engineering Limited, © 2004.
• Software copyrighted by Todd C. Miller, © 1998.
• Software copyrighted by The Regents of the University of California, © 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

PATENT INFORMATION

Protected by US Patents 6,029,256; 6,230,288; 6,496,875; 6,594,686; 6,622,150; 6,668,289; 6,684,329.

Issued July 2007 / LinuxShield™ software version 1.5 DBN-009-EN

Page 3

Contents

1 Introducing LinuxShield .... 4
    Product features .... 4
    What's new in this release .... 4
    Using this guide .... 5
        Audience .... 5
        Conventions .... 6
    Getting product information .... 7
        Standard documentation .... 7
    Contact information .... 8

2 Before you start .... 9
    The ePolicy Orchestrator console .... 9
    Installing the NAP files .... 10
    Using ePolicy Orchestrator to control LinuxShield .... 12

3 Configuring on-access scanning .... 13
    Setting on-access scanning policies .... 13
        Matching options in LinuxShield and ePolicy Orchestrator .... 19
    Enforcing policies .... 20

4 Scheduling scans and updates .... 21
    Requesting an on-demand scan .... 22
        Matching options in LinuxShield and ePolicy Orchestrator .... 27
    Updating anti-virus software .... 28
    Scheduling tasks .... 30
    Enforcing policies .... 32
    Removing a task .... 32

5 Viewing LinuxShield activity .... 33
    Viewing reports .... 33
    Viewing configuration details .... 34

Index .... 35

Page 4

1 Introducing LinuxShield

From the ePolicy Orchestrator console, you can remotely control many of the features that are normally available at the LinuxShield browser interface. This guide describes how to administer those features with ePolicy Orchestrator version 3.6 and later.

This section describes:

Product features

What’s new in this release

Using this guide

Getting product information

Contact information

Product features

The following features are available:

Configuration of the on-access scanning settings. See Setting on-access scanning policies on page 13.

On-demand scans. See Requesting an on-demand scan on page 22.

Anti-virus software updating. See Updating anti-virus software on page 28.

Reports of the anti-virus activity and configuration details. See Viewing reports on page 33 and Viewing configuration details on page 34.

What’s new in this release

This release of LinuxShield includes the following new enhancements:

Redhat Enterprise Linux 5 (32-bit).

Redhat Enterprise Linux 5 (AMD 64/EM64T).

Global File System (GFS) on Redhat Enterprise Linux 5.

Novell Open Enterprise Server 2 (32-bit).

Page 5

LinuxShield™ 1.5 Configuration Guide, chapter 1: Introducing LinuxShield (Using this guide)

Novell Open Enterprise Server 2 (AMD 64/EM64T).

Kernel module versioning, which provides on-access scanning on new kernels without recompiling the modules.

The latest version (5200) of the McAfee anti-virus engine.

Incremental Virus Signature (DAT) updates.

Using this guide

For system requirements and installation instructions, refer to the Installation Guide. These topics are included:

Introducing LinuxShield: an overview of the product, including how to install the files that allow ePolicy Orchestrator to manage LinuxShield; an overview of this guide; McAfee contact information.

Configuring on-access scanning on page 13 to configure the on-access scanning settings.

Scheduling scans and updates on page 21 to update the anti-virus software.

Viewing LinuxShield activity on page 33 to view reports of the anti-virus activity and check configuration details.

Audience

This information is intended for network administrators who are responsible for their company’s anti-virus and security program.

Page 6

Conventions

This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names.

Example: Type the User name and Password of the appropriate account.

Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).

Examples:

The default location for the program is: C:\Program Files\McAfee\EPO\3.5.0

Run this command on the client computer: scan --help

Italic: For emphasis or when introducing a new term; for names of product documentation and topics (headings) within the material.

Example: Refer to the VirusScan Enterprise Product Guide for more information.

Blue: A web address (URL) and/or a live link.

Example: Visit the McAfee web site at: http://www.mcafee.com

<TERM>: Angle brackets enclose a generic term.

Example: In the console tree, right-click <SERVER>.

Note: Supplemental information; for example, another method of executing the same command.

Tip: Suggestions for best practices and recommendations from McAfee for threat prevention, performance and efficiency.

Caution: Important advice to protect your computer system, enterprise, software installation, or data.

Warning: Important advice to protect a user from bodily harm when using a hardware product.

Page 7

Getting product information

Unless otherwise noted, product documentation comes as Adobe Acrobat .PDF files, available on the product CD or from the McAfee download site.

Standard documentation

Installation Guide — System requirements and instructions for installing and starting the software.

Product Guide — Introduction to the product and its features; detailed instructions for configuring the software; information on deployment, recurring tasks, and operating procedures.

Help — High-level and detailed information accessed from the software application.

Configuration Guide (this guide) — For use with ePolicy Orchestrator®. Procedures for managing LinuxShield through the ePolicy Orchestrator management software.

Release Notes — ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.

License Agreement — The McAfee License Agreement booklet that includes all of the license types you can purchase for your product. The License Agreement presents general terms and conditions for use of the licensed product.

Contacts — Contact information for McAfee services and resources: technical support, customer service, Security Headquarters (AVERT), beta program, and training.

Page 8

Contact information

Threat Center: McAfee Avert® Labs
    http://www.mcafee.com/us/threat_center/default.asp
    Avert Labs Threat Library: http://vil.nai.com
    Avert Labs WebImmune & Submit a Sample (Logon credentials required): https://www.webimmune.net/default.asp
    Avert Labs DAT Notification Service: http://vil.nai.com/vil/signup_DAT_notification.aspx

Download Site: http://www.mcafee.com/us/downloads/
    Product Upgrades (Valid grant number required)
    Security Updates (DATs, engine)
    HotFix and Patch Releases
        For Security Vulnerabilities (Available to the public)
        For Products (ServicePortal account and valid grant number required)
    Product Evaluation
    McAfee Beta Program

Technical Support: http://www.mcafee.com/us/support/
    KnowledgeBase Search: http://knowledge.mcafee.com/
    McAfee Technical Support ServicePortal (Logon credentials required): https://mysupport.mcafee.com/eservice_enu/start.swe

Customer Service
    Web: http://www.mcafee.com/us/support/index.html
         http://www.mcafee.com/us/about/contact/index.html
    Phone: US, Canada, and Latin America toll-free: +1-888-VIRUS NO or +1-888-847-8766, Monday to Friday, 8 a.m. to 8 p.m., Central Time

Professional Services
    Enterprise: http://www.mcafee.com/us/enterprise/services/index.html
    Small and Medium Business: http://www.mcafee.com/us/smb/services/index.html

Page 9

2 Before you start

Installing ePolicy Orchestrator .NAP files

To control LinuxShield, the ePolicy Orchestrator server and LinuxShield hosts must be able to communicate.

Each host requires an ePolicy Orchestrator agent. The agent is normally added when LinuxShield is installed on the Linux host.

The ePolicy Orchestrator server needs extra files (NAP files) to interpret communication between ePolicy Orchestrator and its agents.

The ePolicy Orchestrator console

The ePolicy Orchestrator software provides a single point of control for your McAfee anti-virus products, to manage anti-virus policies and view reports of anti-virus events and virus activity in an enterprise environment. Using ePolicy Orchestrator, you can configure LinuxShield on the target computers across your network; you do not need to configure them individually.

Figure 2-1 ePolicy Orchestrator 3.6 Console

Page 10

Installing the NAP files

Before you can control LinuxShield hosts remotely, you must add some files to the ePolicy Orchestrator Repository, namely the agent .NAP file, the LinuxShield 1.5 product .NAP file, and the reports .NAP file. The .NAP files are included with the LinuxShield software and are in the location where you downloaded the product software.

To install the .NAP files to the repository:

1 Log on to the ePolicy Orchestrator server with administrator rights.

2 In the ePolicy Orchestrator console tree under ePolicy Orchestrator, right-click Repository, then select Configure Repository to start a wizard.

3 In the Software Repository Configuration Wizard dialog box, select Add new software to be managed.

4 Click Next to open the Select a Software Package dialog box.

5 Locate and select the NAP file (NWA-LNX300.NAP).

Figure 2-2 Configure Repository

Figure 2-3 Adding a .NAP file

Page 11

6 Click Open to add the file to the Repository.

7 Click OK when complete.

To configure the repository:

1 In the ePolicy Orchestrator console tree under ePolicy Orchestrator, right-click Repository, then select Configure Repository.

2 In the Software Repository Configuration Wizard dialog box, select Add new software to be managed.

3 Click Next to open the Select a Software Package dialog box.

4 Locate and select the NAP file (LinuxShield150.nap).

5 Click Open to add the file to the Repository.

6 Click OK when complete.

7 In the ePolicy Orchestrator console tree under ePolicy Orchestrator, right-click Repository, then select Configure Repository.

8 In the Software Repository Configuration Wizard dialog box, select Add new reports.

9 Click Next to open the Add New Reports Package dialog box.

10 Locate and select the LinuxShield reports NAP file (LinuxShield150_Reports.nap).

11 Click Open to add the file to the Repository.

12 Click OK when complete.

Figure 2-4 Add new .NAP file

Page 12

13 Check the release notes for the version of ePolicy Orchestrator supplied with your installed packages. If ePolicy Orchestrator still has an issue that prevents the event parser from being registered correctly when the reports NAP file is added, open a command window, and type the following:

cd C:\Program Files\Network Associates\ePO\3.0.2\DB\Data\LYNXSHLD1500

regsvr32 /i nailsEpo.dll

14 On each host that runs LinuxShield, install the ePolicy Orchestrator agent, by typing:

rpm -i NWA-3.0.2-<version>.i686.rpm

where <version> is a version number such as 113LM.

Using ePolicy Orchestrator to control LinuxShield

Using ePolicy Orchestrator to configure LinuxShield policies allows you to enforce, across groups of hosts, the options that define how tasks such as scanning and updating will run. Group policies override configurations that are set on individual hosts. For more information about policies and how they are enforced, see the ePolicy Orchestrator product documentation.

To apply policies to any number of hosts:

1 Select a group. Select the group of hosts in the ePolicy Orchestrator console tree.

2 Configure policies. Using the tabs on the LinuxShield on-access scanning policy, select many of the options that are available in the LinuxShield product for on-access scanning and on-demand scanning. For complete information about scanning options, refer to the LinuxShield Product Guide.

3 Enforce policies. After saving the configured options, enforce the policies by making them available to the ePolicy Orchestrator agents on the LinuxShield hosts. For more information, see Enforcing policies on page 20.

Note: If you have installed ePolicy Orchestrator in a different directory, the path for the cd command in step 13 will be different.

Page 13

3 Configuring on-access scanning

From the ePolicy Orchestrator console, you can configure the on-access scanning for any number of LinuxShield hosts.

For information about requesting on-demand scans, see page 22.

Setting on-access scanning policies

The procedure varies depending on whether you are using ePolicy Orchestrator version 3.6. Begin by logging on to the ePolicy Orchestrator server with administrator rights.

To specify a policy for on-access scanning using ePolicy Orchestrator 3.6:

1 In the console tree under ePolicy Orchestrator | Directory, select the hosts.

The Policies, Properties, and Tasks tabs appear in the upper details pane.

2 In the upper details pane, select the Policies tab, then expand LinuxShield 1.5.0.

Figure 3-1 LinuxShield Policies

Page 14

3 Under LinuxShield 1.5.0, select On-Access Scanning Policy to display policy pages in the lower details pane.

4 Proceed to Configuring details on the tabs on page 14.

To specify a policy for on-access scanning using ePolicy Orchestrator 3.6:

From the Policy Catalog page, you can create new named policies, which by default are not assigned to any node. When you create a policy here, you are adding a custom named policy to the Policy Catalog page.

To create a new named policy in the Policy Catalog page:

1 In the console tree, select Policy Catalog. All created policies, grouped under products, are available in the details pane.

2 Click the triangle icon next to the product names to expose the policy categories.

3 Click the triangle icon next to the desired policy category to expose the named policies associated with that category.

4 Select New policy from the drop-down list to open the Create new policy dialog box.

5 Type a name (for example, on-access) for the new policy in the New policy name field, then click OK. The Policy Settings dialog box appears with the policy pages.

6 Click the name of the new named policy in the list. The Policy Settings dialog box appears with the policy pages in edit mode.

7 Proceed to Configuring details on the tabs.

Configuring details on the tabs

You can configure the scanning from the tabs on this page:

See Specifying general options. (General tab)

See Specifying the types of files and their locations on page 15. (Detection tab)

See Specifying advanced options on page 16. (Advanced tab)

See Specifying actions to take against infections on page 18. (Actions tab)

You can select the hosts and configure all options at the same time, or you can use each tab separately to configure any number of hosts.

After you have finished configuring the policy, go to Enforcing policies on page 20.

Specifying general options

From the General tab, you can enable on-access scanning and specify the location of the quarantine directory.

Page 15

8 Deselect Inherit.

9 Under General, choose whether to enable on-access scanning at startup, whether to enable on-access scanning when the policy is enforced, and specify the location of the quarantine directory.

10 Under Scan time, specify the maximum scanning time for all files.

11 Click Apply to save these settings.

12 Set any further details on the other tabs, and finally click OK or Close.

13 After you have finished configuring this policy, go to Enforcing policies on page 20.

Specifying the types of files and their locations

At the Detection tab, you can specify which types of file to scan, and which files and directories to include or exclude when scanning.

Figure 3-2 On-Access Scanning Policy — General tab

Note: The length of the path for the quarantine directory must not exceed 256 characters.

Figure 3-3 On-Access Scanning Policy — Detection tab

Page 16

14 Deselect Inherit.

15 Under Scan files, choose when to scan files.

16 Under What to scan, choose from these options:

All files

Default + additional file types

To add file types to the list of default file types, click Additions. When adding file types, do not include the “.” symbol. For example, specify “EXE”, not “.EXE”. Extension names can be up to 33 characters.

Specified file types

Click Specified to define a custom list of file types to scan.

17 Under What not to scan, specify what to exclude from scanning. Click Exclusions to define a custom list of specific files and directories to exclude from scanning.

18 Click Apply to save these settings.

19 Set any further details on the other tabs, and finally click OK or Close.

20 After you have finished configuring this policy, go to Enforcing policies on page 20.
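The limits stated for the General and Detection tabs (a quarantine directory path of at most 256 characters; extension names entered without the "." and no longer than 33 characters) are easy to get wrong when a policy is prepared outside the console and then typed in. The following pre-flight check is an added example, not McAfee code: it validates a policy before entry and flags settings that silently weaken coverage. The policy dictionary layout, its key names and the action names are assumptions made for this example.

```python
"""Pre-flight lint for a LinuxShield 1.5 on-access policy before it is typed
into the ePolicy Orchestrator policy pages.  Added example, not McAfee code.
It encodes the limits this guide states (extension names carry no "." and are
at most 33 characters; the quarantine directory path is at most 256
characters) plus defensive sanity checks on the other tab settings.  The
policy dict layout and its key names are assumptions made for this example."""

from dataclasses import dataclass, field

MAX_EXTENSION_LEN = 33      # Detection tab: extension names can be up to 33 characters
MAX_QUARANTINE_PATH = 256   # General tab note: path must not exceed 256 characters
WHAT_TO_SCAN = ("all", "default_plus_additions", "specified")  # "What to scan" choices


@dataclass
class LintReport:
    errors: list = field(default_factory=list)      # policy cannot be entered as given
    warnings: list = field(default_factory=list)    # valid, but reduces protection
    extensions: list = field(default_factory=list)  # normalised additions to enter

    @property
    def ok(self) -> bool:
        return not self.errors


def normalise_extension(raw: str):
    """Return the extension in the form the console expects (upper case, no
    leading dot), or None if the entry is unusable."""
    ext = raw.strip().lstrip(".").upper()          # "  .exe " -> "EXE"
    if not ext or len(ext) > MAX_EXTENSION_LEN:
        return None
    if any(ch in ext for ch in " /\\"):            # a path was pasted, not an extension
        return None
    return ext


def lint_policy(policy: dict) -> LintReport:
    rep = LintReport()

    # General tab: enable on-access scanning, quarantine directory
    if not policy.get("enable_on_access", False):
        rep.warnings.append("on-access scanning disabled: hosts get no real-time protection")
    qdir = policy.get("quarantine_directory", "")
    if not qdir.startswith("/"):
        rep.errors.append(f"quarantine directory must be an absolute path: {qdir!r}")
    elif len(qdir) > MAX_QUARANTINE_PATH:
        rep.errors.append(f"quarantine path is {len(qdir)} characters, limit is {MAX_QUARANTINE_PATH}")

    # Detection tab: when to scan, what to scan, additions, exclusions
    if not (policy.get("scan_on_write", True) or policy.get("scan_on_read", True)):
        rep.warnings.append("neither read nor write scanning selected: nothing will be scanned")
    what = policy.get("what_to_scan")
    if what not in WHAT_TO_SCAN:
        rep.errors.append(f"unknown 'What to scan' choice: {what!r}")
    seen = set()
    for raw in policy.get("additional_extensions", []):
        ext = normalise_extension(raw)
        if ext is None:
            rep.errors.append(f"unusable extension entry: {raw!r}")
        elif ext not in seen:                      # drop duplicates such as ".exe" and "EXE"
            seen.add(ext)
            rep.extensions.append(ext)
    for path in policy.get("exclusions", []):
        if not path.startswith("/"):
            rep.errors.append(f"exclusion must be an absolute path: {path!r}")
        elif path.rstrip("/") == "":
            rep.warnings.append("excluding '/' disables on-access scanning for the whole host")

    # Actions tab: the fallback should be a genuinely different action
    primary = policy.get("action_on_virus")
    fallback = policy.get("action_if_fails")
    if primary and fallback and primary == fallback:
        rep.warnings.append("fallback action equals the primary action, so a failure is only retried")
    return rep


# Constructed sample policy for a quick run; the odd entries are deliberate.
SAMPLE_POLICY = {
    "enable_on_access": True,
    "quarantine_directory": "/var/lib/quarantine",
    "scan_on_write": True,
    "scan_on_read": True,
    "what_to_scan": "default_plus_additions",
    "additional_extensions": [".exe", "sh ", "EXE", "/usr/bin/evil"],
    "exclusions": ["/proc", "relative/path", "/"],
    "action_on_virus": "quarantine",
    "action_if_fails": "quarantine",
}

if __name__ == "__main__":
    report = lint_policy(SAMPLE_POLICY)
    print("extensions to enter:", report.extensions)   # ['EXE', 'SH']
    for e in report.errors:
        print("ERROR  ", e)
    for w in report.warnings:
        print("WARNING", w)
```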

Specifying advanced options

At the Advanced tab, you can specify options such as heuristic analysis.

21 Deselect Inherit.

22 Under Heuristics, choose whether to scan for unknown program viruses and unknown macro viruses.

23 Under Non-viruses, choose whether to scan for potentially unwanted programs and joke programs.

Figure 3-4 On-Access Scanning Policy — Advanced tab

Page 17

24 Under Compressed files, choose whether to scan inside multiple-file archives and MIME-encoded files.

25 Click Apply to save these settings.

26 Set any further details on the other tabs, and finally click OK or Close.

27 After you have finished configuring this policy, go to Enforcing policies on page 20.

Page 18

Specifying actions to take against infections

At the Actions tab, you can specify actions to take against infections, such as quarantine.

28 Deselect Inherit.

29 Under When a virus is found, use the drop-down lists to select the action.

30 Under If the above action fails, use the drop-down lists to select an alternative action.

31 Click Apply to save these settings.

32 Set any further details on the other tabs, and finally click OK or Close.

33 After you have finished configuring this policy, go to Enforcing policies on page 20.

Figure 3-5 On-Access Scanning Policy — Actions tab

Page 19

Matching options in LinuxShield and ePolicy Orchestrator

This table shows where each option appears on the On-Access Settings page of the LinuxShield browser interface and on the tabs of the ePolicy Orchestrator console.

Table 3-1 Scanning options

LinuxShield option on On-Access Settings page | Equivalent option in ePolicy Orchestrator
--------------------------------------------- | -----------------------------------------------------------------------
Enable on-access scanning                     | See General tab on page 14.
Decompress archives                           | See Advanced tab on page 16. (Scan inside multiple-file archives)
Find unknown program viruses                  | See Advanced tab on page 16.
Find unknown macro viruses                    | See Advanced tab on page 16.
Decode MIME encoded files                     | See Advanced tab on page 16.
Find potentially unwanted programs            | See Advanced tab on page 16.
Find joke programs                            | See Advanced tab on page 16.
Scan files when writing to disk               | See Detection tab on page 15.
Scan files when reading from disk             | See Detection tab on page 15.
Maximum scan time                             | See General tab on page 14. (Enforce a maximum scanning time for all files)
Quarantine directory                          | See General tab on page 14.
Extension based scanning                      | See Detection tab on page 15.
Paths excluded from scanning                  | See Detection tab on page 15.
Anti-virus actions                            | See Actions tab on page 18. (When a virus is found)

Page 20

Enforcing policies

After you have finished configuring policies, you must enforce them to make them available to the ePolicy Orchestrator agents on the LinuxShield hosts.

The procedure varies depending on whether you are using ePolicy Orchestrator version 3.5 or version 3.6.

To enforce a policy on ePolicy Orchestrator 3.6:

1 In the console tree, select the required node in the Directory.

2 In the details pane, select the Policies tab.

3 Click the triangle icon next to the product or component name. The top row, above all categories, is Enforce Policies.

4 Click Edit to the right of this row.

5 Under Policy Name, select Yes or No from the drop-down list. Selecting Yes enables policy enforcement.

6 Click Apply.

The ePolicy Orchestrator software will make the policies that you configured available to the ePolicy Orchestrator agents on the LinuxShield hosts.

20

Page 21: lsh 13 config guide - McAfee

4 Scheduling scans and updates

From the ePolicy Orchestrator console, you can schedule the following tasks to run on any number of LinuxShield hosts:

On-demand scans. See Requesting an on-demand scan on page 22. For information about configuring on-access scans, see page 13.

Updates of the anti-virus software — the scanning engine and virus definition (DAT) files. See Updating anti-virus software on page 28.

Each task can be set up in a similar way:

1 Specify the details of the task — its configuration.

2 Specify when the task will run — its schedule.

3 Enforce the policy, which notifies the Linux host.

The details vary according to the type of task, but the scheduling is identical for all tasks. See Scheduling tasks on page 30. To remove a task, see page 32.

Page 22: lsh 13 config guide - McAfee

Requesting an on-demand scan

You can create and configure any number of on-demand scans.

To request a scan: 1 In the console tree under ePolicy Orchestrator, right-click Directory or the required site, group, or host, then select Schedule Task to open a dialog box.

2 In the Schedule Task dialog box, enter a name in New Task Name.

3 Select LinuxShield 1.5.0 — On-Demand Scan from the Software/Task Type list.

4 Click OK.

5 On the Tasks tab in the upper details pane, right-click the task, then select Edit Task to open the ePolicy Orchestrator Scheduler dialog box.

Figure 4-1 New On-Demand Scan Task

Figure 4-2 ePolicy Orchestrator Scheduler

Page 23: lsh 13 config guide - McAfee

6 Click Settings to open the Task Settings dialog box, then configure the task from the tabs:

Specifying where to scan on page 23. (Where tab)

Specifying what to scan on page 24. (Detection tab)

Specifying advanced options on page 25. (Advanced tab)

Specifying the action to take against infected files on page 26. (Actions tab)

You can select the hosts and configure all options at the same time, or you can use each tab separately to configure any number of hosts. For extra help, see the table in Matching options in LinuxShield and ePolicy Orchestrator on page 27.

Specifying where to scan

1 Select the Where tab.

2 Deselect Inherit.

3 Under Item name, choose from these options:

To add an item such as a file or folder, click Add.

To edit an item, select it in the list, then click Edit.

To delete an item, select it in the list, then click Remove.

4 Under Scan Options, choose whether to include subdirectories.

5 Set any further details on the other tabs, and finally click OK.

6 After you have finished configuring this policy, go to Enforcing policies on page 32.

Figure 4-3 On-Demand Scan Task — Where tab

Page 24: lsh 13 config guide - McAfee

Specifying what to scan

At the Detection tab, you can specify what to scan and what to exclude during on-demand scanning. You can also configure options for compressed files.

1 Select the Detection tab.

2 Deselect Inherit.

3 Under What to scan, choose from these options:

All files.

Default + additional file types.

Click Additions to add file types to the list of default file types. When adding file types, do not include the “.” symbol. For example, specify “EXE”, not “.EXE” here. Extension names may be up to 33 characters.

Specified file types.

Click Specified to define a custom list of file types to scan.

4 Under What not to scan, specify what to exclude from scanning. Click Exclusions to define a custom list of specific files, directories, and drives to exclude from scanning.

5 Set any further details on the other tabs, and finally click OK.

6 After you have finished configuring this policy, go to Enforcing policies on page 32.

Figure 4-4 On-Demand Scan Task — Detection tab
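The Where and Detection tabs above together decide which files an on-demand task hands to the scanner: the file must lie under a listed item (directly inside it unless subdirectories are included), must not be covered by an exclusion, and must match the extension rule in force. The following Python model, added here as an illustration and not LinuxShield or ePolicy Orchestrator code, makes those rules explicit and applies the two entry limits the guide states (extensions without a leading "." and at most 33 characters; a quarantine path of at most 256 characters). The default extension list, case-insensitive extension matching and prefix matching of excluded directories are assumptions for the example.

```python
"""Model of the on-demand scan selection rules set on the Where and Detection
tabs.  Added illustration only: this is not LinuxShield or ePolicy Orchestrator
code.  The 33-character extension limit and 256-character quarantine path limit
are the ones stated in the guide; the default extension list, case-insensitive
extension matching and prefix-matched exclusions are assumptions."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

MAX_EXTENSION_LEN = 33       # limit for entries in the Additions/Specified lists
MAX_QUARANTINE_PATH = 256    # limit for the quarantine directory path

# Assumed stand-in for the product's built-in default file types, which the
# guide does not enumerate.
DEFAULT_EXTENSIONS = frozenset({"EXE", "COM", "DLL", "DOC", "XLS", "ZIP"})


@dataclass
class OnDemandPolicy:
    where: list                 # (directory or file, include_subdirectories) pairs
    what: str = "all"           # "all", "default_plus" or "specified"
    additions: list = field(default_factory=list)   # extra types, no leading "."
    specified: list = field(default_factory=list)   # custom list, no leading "."
    exclusions: list = field(default_factory=list)  # files or directories
    quarantine_dir: str = "/var/quarantine"

    def validate(self):
        """Check the entry limits stated in the guide; return the problems found."""
        problems = []
        for ext in self.additions + self.specified:
            if ext.startswith("."):
                problems.append(f"extension {ext!r}: omit the '.'")
            if len(ext) > MAX_EXTENSION_LEN:
                problems.append(f"extension {ext!r}: longer than {MAX_EXTENSION_LEN} characters")
        if len(self.quarantine_dir) > MAX_QUARANTINE_PATH:
            problems.append(f"quarantine path longer than {MAX_QUARANTINE_PATH} characters")
        return problems

    def extensions(self):
        """Set of upper-cased extensions to scan, or None for all files."""
        if self.what == "default_plus":
            return DEFAULT_EXTENSIONS | {e.upper() for e in self.additions}
        if self.what == "specified":
            return {e.upper() for e in self.specified}
        return None


def _under(path, root, include_subdirs):
    """True if path is root itself, directly inside root, or (when
    include_subdirs is set) anywhere beneath it."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    if p == r:
        return True
    return r in p.parents if include_subdirs else p.parent == r


def should_scan(policy, path):
    """Decide whether an on-demand task built from `policy` would scan `path`."""
    # Where tab: the file must sit under one of the listed items, and only
    # directly inside it unless subdirectories were included.
    if not any(_under(path, item, subdirs) for item, subdirs in policy.where):
        return False
    # Detection tab, What not to scan: an exclusion always wins, and an
    # excluded directory covers everything beneath it.
    if any(_under(path, excluded, True) for excluded in policy.exclusions):
        return False
    # Detection tab, What to scan: all files, or only the listed extensions.
    wanted = policy.extensions()
    if wanted is None:
        return True
    ext = PurePosixPath(path).suffix.lstrip(".").upper()
    return ext in wanted     # files without an extension are skipped


if __name__ == "__main__":
    # Constructed sample policy: /home with subdirectories, /tmp without,
    # default types plus "sh", and a build tree excluded.
    policy = OnDemandPolicy(where=[("/home", True), ("/tmp", False)],
                            what="default_plus", additions=["sh"],
                            exclusions=["/home/build"])
    for f in ("/home/alice/report.doc", "/home/build/out.exe",
              "/tmp/x.sh", "/tmp/sub/x.sh", "/home/alice/notes.txt"):
        print(f, should_scan(policy, f))
    print(OnDemandPolicy(where=[], additions=[".EXE"]).validate())
```

Running the module with the constructed sample policy shows the interaction a practitioner most often gets wrong: a file under an excluded directory is skipped even though its parent is a Where item, and a file in a subdirectory of an item added without subdirectories is never reached at all. Run validate() over a bulk extension list before pasting it into the Additions dialog.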

Page 25: lsh 13 config guide - McAfee

Specifying advanced options

1 Select the Advanced tab.

2 Deselect Inherit.

3 Under Heuristics, choose whether to scan for unknown program viruses and unknown macro viruses.

4 Under Non-viruses, choose whether to scan for potentially unwanted programs and joke programs.

5 Under Compressed files, choose whether to scan inside multiple-file archives, and MIME-encoded files.

6 Set any further details on the other tabs, and finally click OK.

7 After you have finished configuring this policy, go to Enforcing policies on page 32.

Figure 4-5 On-Demand Scan Task — Advanced tab

Page 26: lsh 13 config guide - McAfee

Specifying the action to take against infected files

1 Select the Actions tab.

2 Deselect Inherit.

3 Under When a virus is found and If the above action fails, use the drop-down lists to select the action and any alternative action.

4 Specify the name of a directory to hold quarantined files.

5 Set the time when the scan will run. See Scheduling tasks on page 30.

6 Set any further details on the other tabs, and finally click OK.

7 After you have finished configuring this policy, go to Enforcing policies on page 32.

Figure 4-6 On-Demand Scan Task — Actions tab

Note

The length of the quarantine directory path must not exceed 256 characters.

Page 27: lsh 13 config guide - McAfee

Matching options in LinuxShield and ePolicy Orchestrator

This table shows the locations of the available options as they appear on the pages at the LinuxShield browser interface and the tabs seen in the ePolicy Orchestrator console.

Table 4-1 Options in ePolicy Orchestrator (LinuxShield option on the On-Demand Settings page, and where the equivalent option is set in ePolicy Orchestrator)

Decompress archives: Specifying advanced options, page 25 (Scan inside multiple-file archives)
Find unknown program viruses: Specifying advanced options, page 25
Find unknown macro viruses: Specifying advanced options, page 25
Decode MIME encoded files: Specifying advanced options, page 25
Find potentially unwanted programs: Specifying advanced options, page 25
Find joke programs: Specifying advanced options, page 25 (under Non-viruses on the Advanced tab, beside potentially unwanted programs)
Extension-based scanning: Specifying what to scan, page 24
Maximum scan time: Not available. The nearest control in ePolicy Orchestrator is the Scheduler's Stop the task if it runs for option (see Scheduling tasks on page 30), which caps the run time of the whole task rather than the time spent on a single file.
Quarantine directory: Specifying the action to take against infected files, page 26
Paths excluded from scanning: Specifying what to scan, page 24
Anti-virus actions: Specifying the action to take against infected files, page 26 (When a virus is found)

Page 28: lsh 13 config guide - McAfee

Updating anti-virus software

You can create and configure as many updates as you need.

To update virus definition (DAT) files and the anti-virus engine: 1 In the console tree under ePolicy Orchestrator, right-click Directory or the site, group, or host, then select Schedule Task. The Schedule Task dialog box opens.

2 In the Schedule Task dialog box, enter a name in New Task Name.

3 Select LinuxShield 1.5.0 — DAT and Engine Update from the Software/Task Type list.

4 Click OK to create the task.

5 On the Tasks tab in the upper details pane, right-click the task, then select Edit Task to open the ePolicy Orchestrator Scheduler dialog box.

6 Click Settings to open the Task Settings dialog box.

Figure 4-7 New On-Demand Update Task

Figure 4-8 ePolicy Orchestrator Scheduler

Page 29: lsh 13 config guide - McAfee

7 Select the What tab.

8 Deselect Inherit.

9 Choose which files to update — virus definition files and scanning engine.

10 In the Task Settings dialog box, select the How tab.

11 Deselect Inherit.

12 Choose the location of the updates.

13 Click OK.

14 Set the time when this update task will run. See Scheduling tasks on page 30.

Figure 4-9 Task Settings — What to update

Note

FTP Server: ftp.mcafee.com

Path to files: /commonupdater

FTP provides neither transport integrity nor server authentication. If you mirror these files to an internal update server, restrict write access to that mirror, and after each update confirm the DAT version that the hosts report on the Properties tab (see Viewing configuration details on page 34).

Page 30: lsh 13 config guide - McAfee

Scheduling tasks

You can schedule any task, such as an update or scan, to run at a specific date and time, or at specific intervals.

To schedule a task: 1 On the Tasks tab in the upper details pane, right-click the task that you created earlier, then select Edit Task. The ePolicy Orchestrator Scheduler dialog box opens.

2 Select the Task tab.

3 Deselect Inherit.

4 Under Schedule Settings, select from these options:

Select Enable to allow this task to be scheduled.

Select Stop the task if it runs for to specify a time limit, in hours and minutes, for which the task can run before it is automatically cancelled.

5 Click Apply to save these settings.

Figure 4-10 ePolicy Orchestrator Scheduler — Task tab

Note

If you choose to stop the task after a defined amount of time, the task resumes from the point it was interrupted the next time it runs.

Note

When a task is due to run, ePolicy Orchestrator sends instructions to the selected hosts. While the task is running, the task details can be viewed from the LinuxShield interface.

Page 31: lsh 13 config guide - McAfee

6 In the ePolicy Orchestrator Scheduler window, select the Schedule tab.

7 Deselect Inherit.

8 Under Schedule and Schedule Task, set the details for this task. For more information about scheduling tasks, see the ePolicy Orchestrator Product Guide.

9 Click OK when you are finished.

10 After you have finished configuring this policy, go to Enforcing policies on page 32.

Figure 4-11 ePolicy Orchestrator Scheduler — Schedule tab

Page 32: lsh 13 config guide - McAfee

Enforcing policies

After you have finished configuring policies, you must enforce them to make them available to the ePolicy Orchestrator agents on the LinuxShield hosts.

To enforce a policy: 1 In the ePolicy Orchestrator console tree, select the hosts for which you want to enforce policies.

2 In the upper details pane, select LinuxShield 1.5.0.

3 In the lower details pane, deselect Inherit.

4 Select Enforce policies for LinuxShield 1.5.0.

5 Click Apply to save these settings.

The ePolicy Orchestrator software will make the policies that you configured available to the ePolicy Orchestrator agents on the LinuxShield hosts.

Removing a task

If you no longer require a task such as a regular on-demand scan to run on a group of LinuxShield hosts, you can remove the task.

To remove a task: 1 In the ePolicy Orchestrator console tree, select the hosts.

2 In the right details pane, select the Tasks tab to display the list of task names.

3 Select the task, right-click, then select Delete.

Figure 4-12 Enforce policies

Note

Although you have removed the task from the ePolicy Orchestrator side, you can still see the task on the LinuxShield hosts at the Scheduled Tasks page, under Task Summaries. To view this page, click Scheduled Tasks under View in the LinuxShield navigation pane. The removed task will not run any more on the LinuxShield hosts. However the task name remains here so that you can examine its earlier results.


Page 33: lsh 13 config guide - McAfee

5 Viewing LinuxShield activity

Reports and configuration details

From the ePolicy Orchestrator console, you can view reports that show how the LinuxShield hosts are handling infections, and you can check the configuration details that have been set up on the hosts, such as the DAT version and the type of scanning. See Viewing reports and Viewing configuration details on page 34.

Viewing reports

From the ePolicy Orchestrator console, you can view reports about anti-virus activity on any host or groups of hosts, such as the top ten detected viruses.

To view the reports: In the ePolicy Orchestrator console tree, select Reports | Anti-Virus | Infection.

Figure 5-1 Typical report

Page 34: lsh 13 config guide - McAfee

Viewing configuration details

From the ePolicy Orchestrator console, you can view the configuration details (or properties) that have been applied to any host or groups of hosts.

To view the properties: 1 Log on to the ePolicy Orchestrator server with administrator rights.

2 In the console tree under ePolicy Orchestrator | Directory, select a site, group, single host, or the entire Directory. The Policies, Properties, and Tasks tabs appear in the upper details pane.

3 Select the Properties tab in the upper details pane.

Figure 5-2 Typical LinuxShield properties


Page 35: lsh 13 config guide - McAfee

Index

A
actions
  on-access scanning 18
  on-demand scanning 26
archives 17, 25
audience for this guide 5
Avert Labs Threat Center 8
Avert Labs Threat Library 8

B
beta program website 8

C
console, ePolicy Orchestrator 9
contacting McAfee 8
customer service, contacting 8

D
DAT files 28
  Avert Labs notification service for updates 8
  updates, website 8
download website 8

E
enforcing policies 20, 32
ePolicy Orchestrator
  layout of console 9
evaluating McAfee products, download website 8
exclusions 24
EXE 24

F
file name extension, limit to length of 16, 24

H
HotFix and Patch releases (for products and security vulnerabilities) 8

I
installation (See Installation Guide)

J
joke programs 16, 25

K
KnowledgeBase search 8

M
macro viruses 16, 25
MIME 17, 25

N
new features 4

O
on-access scanning 13
  configuring 13
on-demand scan task
  configuring 23
on-demand scanning 22
options
  in ePolicy Orchestrator 19, 27
  in LinuxShield 19, 27

P
policies
  enforcing 20, 32
  setting 13, 28
product information, where to find 7
product upgrades 8
professional services, McAfee resources 8

Q
quarantine 14, 26
  limit on path length 15, 26

R
resources, for product information 7

S
scanning time 15
scheduling tasks 30
secondary action 18
Security Headquarters (See Avert Labs)
security updates, DAT files and engine 8
security vulnerabilities, releases for 8
ServicePortal, technical support 8
submit a sample, Avert Labs WebImmune 8

T
task name 28
tasks
  cannot be seen from LinuxShield 30
  on-demand scan 22
  removing 32
  scheduling 30
  update 28
technical support, contacting 8
Threat Center (See Avert Labs)
threat library 8
training, McAfee resources 8

U
unwanted programs 16
update task 28
updating
  scanning engine 28
  virus definition (DAT) files 28
upgrade website 8
using this guide 5
  audience 5
  typeface conventions and symbols 6

V
virus definition files 28
Virus Information Library (See Avert Labs Threat Library)

W
WebImmune, Avert Labs Threat Center 8