
Product Guide

McAfee VirusScan Enterprise for Linux


2.0

COPYRIGHT
Copyright 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy
Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource,
VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other
names and brands may be claimed as the property of others.
Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.

Contents

Preface
  About this guide
  Audience
  Conventions
  Find product documentation

Introduction
  What is VirusScan Enterprise for Linux
  How the software works
  Components
  How scanning works
  What and when to scan
  Types of scanning
  Product features

Installation and deployment
  System requirements
  Install the software on a standalone system
  Install the software with the command line
  Install the software in silent mode
  Install and deploy the software on managed systems
  Prerequisites
  Check in the package manually
  Install the extensions
  Deploy the software
  Send an agent wake-up call
  Upgrade the software
  Upgrade the software from previous versions on RPM and Debian systems
  Upgrade the managed systems using ePolicy Orchestrator
  Test the installation
  Test the on-access scan feature on a standalone system
  Test the on-demand scan feature on a standalone system
  Test the on-demand scan on managed system
  Uninstall the software
  Uninstall the software from a standalone system
  Remove the software from managed systems
  Remove the software from ePolicy Orchestrator

Using the interface
  Launch the interface
  VirusScan Enterprise for Linux interface
  Navigation pane
  Console
  Help pane
  Links bar
  Working with the interface
  Expanding and collapsing tables
  Sorting table columns
  Navigating through long tables
  Modify page settings
  Automatically refresh information on pages
  Using wizards
  Error messages
  Date and time expression

Viewing information
  Host summary
  Scanning summary
  Scan statistics
  Recently detected items
  Recently scanned items
  Generate a diagnostic report
  Detected items
  Analyze the detected items
  Viewing the results
  Export the results for analysis
  Viewing system events
  Analyze the system events
  Export the results for analysis
  Scheduled tasks
  Run a scheduled task immediately
  Modify an existing scheduled task
  Delete an existing scheduled task
  Stop a running task
  ExtraDAT file details

Setting up schedules
  Using a wizard
  Product update schedule
  Create a product update schedule
  On-demand scan preferences
  Schedule an on-demand scan

Configuring VirusScan Enterprise for Linux
  General settings
  Browser interface
  Log levels
  Statistics reset
  Clearing statistics
  Configure general settings
  Restoration of default configuration settings
  On-access settings configuration
  Anti-virus scanning options
  Exclude paths from scanning
  Extension-based scanning
  Anti-virus actions
  Configure on-access scan settings
  On-demand settings
  Configure on-demand scan settings
  Notifications
  SMTP notifications
  Configure SMTP settings
  Repositories
  Configure the repository list
  Configure the local repository
  Configure the proxy settings

Managing the software with ePolicy Orchestrator
  Setting policies within ePolicy Orchestrator
  Define policies in ePolicy Orchestrator
  Create or modify policies
  Configure general policy settings
  Configure on-access scan policy settings
  Enforce policies
  Scheduling tasks
  Create a product update task
  Create an on-demand scanning task
  Configure the administrator password
  Configure reports
  Run a default query

Advanced features
  Lightweight Directory Access Protocol (LDAP) Authentication
  Substituting variables in notification templates
  How the quarantine action works
  Recover the quarantined items

Troubleshooting
  Frequently asked questions
  Installation
  Scanning
  Viruses and detection
  General information
  Error messages
  Contact information

Index

Preface

This guide provides the information you need to work with your McAfee product.
Contents
About this guide
Find product documentation

About this guide


This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:

Administrators: People who implement and enforce the company's security program.

Users: People who use the computer where the software is running and can access some or all of
its features.

Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation


McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:

To access... | Do this...
User documentation | 1 Click Product Documentation. 2 Select a product, then select a version. 3 Select a product document.
KnowledgeBase | Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version.

Introduction

McAfee VirusScan Enterprise for Linux protects your Linux systems from malware threats and other
potentially unwanted software.
Contents
What is VirusScan Enterprise for Linux
How the software works
Components
How scanning works
What and when to scan
Types of scanning
Product features

What is VirusScan Enterprise for Linux


VirusScan Enterprise for Linux is security software that protects your Linux systems from malware
threats, such as viruses, trojan horses, spyware, keyloggers, joke programs, and other potentially
unwanted software.
Although the Linux operating system is considered a secure environment, recent trends show an
increase in threat code written to attack or exploit security weaknesses in Linux-based systems.
Increasingly, Linux-based systems interact with Windows-based computers. Malware threats
designed to target Windows-based systems do not attack Linux systems directly. However, a Linux
server can harbor the malware, ready to infect any client that connects to it.
The software scans files in two scenarios:

On-access scan: Scans files for malware threats when a file is accessed to be opened or written.

On-demand scan: Scans files and directories for malware threats on your host system
immediately or as scheduled.

How the software works


VirusScan Enterprise for Linux runs as a daemon, which is similar to a service in Microsoft Windows. It
also provides an HTTPS-based interface that you can use to configure, manage, and monitor the
software.
VirusScan Enterprise for Linux uses Fanotify technology to perform on-access scanning, instead of
the kernel hooking modules used in earlier versions. This version of the software does not contain
any kernel hooking modules.
Fanotify is a Linux operating system API that sends notifications for file system operations. It also
provides the capability to intercept file access. The software relies on Fanotify to intercept file I/O
(input/output) operations.
The software receives notifications when files are read and written, then scans the files for threats and
takes the necessary actions according to the scan settings.
To check the supported operating systems for VirusScan Enterprise for Linux 2.0, see the Supported
Linux Kernels (operating system) section in the McAfee KnowledgeBase article KB75270.
For the Action on timeout option, the default action is Allow Access. For the Action if an error
occurs during scanning option, the default action is Block Access. If the action is set to Block, the
software blocks the file only during a read scan operation. It does not block the file during a write
scan operation.

The software activities can be monitored and configured through an HTTPS interface. For example, you
can configure what types of files are scanned, and define actions to take for infected files, such as
cleaning, deleting, or quarantining. Using the simple and secure web-browser interface, you can
monitor and control malware detection.
The software also maintains a record of files that it recently scanned to avoid repeated scanning.
The software begins to scan files on these events:

File open: When a file is opened.

File release: When a file is closed. If a process has multiple references to a file, for example,
using dup or a memory mapping, release refers to when the last reference is released.
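
An added example, not part of the McAfee guide or the product's code: a minimal Fanotify listener in C that shows how the two events above map onto the API (FAN_OPEN_PERM for file open, FAN_CLOSE_WRITE for release of a file opened for writing) and how the documented timeout and error defaults turn into allow or deny answers. The marker string, `scan_buffer`, `scan_fd`, `decide` and the `policy` struct are hypothetical names used for illustration; running `main` requires root and a kernel with Fanotify permission events enabled.

```c
/* Added example: a minimal Fanotify on-access listener (not McAfee code). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Constructed marker standing in for a signature match (hypothetical). */
#define DEMO_MARKER "DEMO-UNWANTED-CONTENT"

/* SCAN_TIMEOUT is what a real engine would report on a missed deadline;
 * the toy scanner below never produces it. */
enum verdict { SCAN_CLEAN, SCAN_INFECTED, SCAN_TIMEOUT, SCAN_ERROR };

/* One flag per option named in the guide: 1 = Block Access, 0 = Allow Access. */
struct policy { int block_on_timeout; int block_on_error; };

/* Defaults stated in the guide: a timeout allows access, a scan error blocks. */
static const struct policy GUIDE_DEFAULTS = { 0, 1 };

/* Toy scanner: reports SCAN_INFECTED when the buffer contains DEMO_MARKER. */
enum verdict scan_buffer(const char *buf, size_t len)
{
    size_t mlen = strlen(DEMO_MARKER);
    if (buf == NULL)
        return SCAN_ERROR;
    for (size_t i = 0; i + mlen <= len; i++)
        if (memcmp(buf + i, DEMO_MARKER, mlen) == 0)
            return SCAN_INFECTED;
    return SCAN_CLEAN;
}

/* Scan the first block of the file behind an event descriptor. */
enum verdict scan_fd(int fd)
{
    char buf[4096];
    ssize_t n = read(fd, buf, sizeof buf);
    return n < 0 ? SCAN_ERROR : scan_buffer(buf, (size_t)n);
}

/*
 * Turn an event and a verdict into the answer written back to the kernel.
 * Only FAN_OPEN_PERM holds the opener until it is answered; FAN_CLOSE_WRITE
 * is a notification after the fact, so it returns 0 (nothing to answer).
 */
uint32_t decide(uint64_t mask, enum verdict v, const struct policy *p)
{
    if (!(mask & FAN_OPEN_PERM))
        return 0;
    switch (v) {
    case SCAN_CLEAN:    return FAN_ALLOW;
    case SCAN_INFECTED: return FAN_DENY;
    case SCAN_TIMEOUT:  return p->block_on_timeout ? FAN_DENY : FAN_ALLOW;
    default:            return p->block_on_error ? FAN_DENY : FAN_ALLOW;
    }
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";   /* directory to watch */
    struct fanotify_event_metadata events[128];

    /* FAN_CLASS_CONTENT is needed for permission events; requires root. */
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0) { perror("fanotify_init"); return 1; }
    if (fanotify_mark(fan, FAN_MARK_ADD,
                      FAN_OPEN_PERM | FAN_CLOSE_WRITE | FAN_EVENT_ON_CHILD,
                      AT_FDCWD, dir) < 0) { perror("fanotify_mark"); return 1; }

    for (;;) {
        ssize_t len = read(fan, events, sizeof events);
        if (len <= 0)
            break;
        struct fanotify_event_metadata *ev = events;
        for (; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
            if (ev->vers != FANOTIFY_METADATA_VERSION)
                return 1;                 /* kernel/header mismatch */
            if (ev->fd < 0)
                continue;                 /* queue overflow: no file attached */
            enum verdict v = scan_fd(ev->fd);
            uint32_t answer = decide(ev->mask, v, &GUIDE_DEFAULTS);
            if (answer) {
                struct fanotify_response r = { .fd = ev->fd, .response = answer };
                if (write(fan, &r, sizeof r) < 0)
                    perror("fanotify response");
            } else if (v == SCAN_INFECTED) {
                fprintf(stderr, "pid %d wrote flagged content\n", (int)ev->pid);
            }
            close(ev->fd);
        }
    }
    return 0;
}
```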

Components
The software uses a management interface that runs on HTTPS to monitor and control scanning on a
host.
The diagram shows a web browser, connected through a secure HTTPS link to a web monitor service,
as a component of the software.

This table explains how the components operate in this simple setup.

Component | Function
Scanner | Provides anti-malware protection and scans files as instructed by nailsd.
nailsd | Communicates between the web monitoring service and the scanner, passing information about the anti-virus scans and configuration details.
mon | Examines the software activity on the host, and can configure the anti-virus activity.
nailswebd | Communicates with a web browser such as Konqueror, using a secure HTTPS link. A name and password are required for user authentication.

How scanning works


VirusScan Enterprise for Linux software contains the McAfee scanning engine and the malware
definition DAT files. The scanning engine is a complex data analyzer. The DAT files contain a great deal
of information, including thousands of different drivers, each containing detailed instructions on how to
identify malware.
VirusScan Enterprise for Linux depends on the scanning engine and the threat information in the DAT
files to identify malware threats. The scanning engine analyzes files for malware threats, then verifies
files against the known threat information stored in the DAT files. McAfee Labs regularly identifies
new threat information (signatures) and adds it to the DAT files. For this reason, McAfee
recommends that you download the most recent version of the DAT files.
For more information on DAT files, see McAfee KnowledgeBase article KB55986.

Once the engine has confirmed the identity of malware, it cleans the object. For example, the
anti-malware software can remove an infected macro from a document or delete the malware code in
an executable file. If the malware has destroyed data and the file cannot be cleaned or recovered,
VirusScan Enterprise for Linux isolates the file so that it cannot be accessed, activated, or infect other
files.

What and when to scan


The malware threat can come from infected macros, shared program files, files shared across a
network, email, disks, or files downloaded from the Internet.
Each McAfee anti-malware software product targets a specific area of vulnerability. McAfee
recommends a multi-tiered approach to provide the full range of malware detection, security, and
cleaning capability.
Configure the software according to your environmental needs. Configuring the protection options
defines how the software deals with different file types and what it does with infected or suspicious
items.

Types of scanning
The software scans files in two ways: on-access scanning and on-demand scanning.
Both types of scanning detect the same malware, but they work at different points on the network and
on the Linux systems. The types of scanning can take place at different times, and at different stages
in the handling of objects.

On-access scanning
On-access scanning is real-time scanning that examines objects when the user or system accesses
files. For example, an on-access scanner examines a file when the user opens it.
When you first install the software, on-access scanning defaults are set, but you can configure the
settings as needed. You can set global options that determine how scanning is carried out. The global
options include how the scanner deals with different types of objects, the actions to take for infected
items, and how quarantine and notification are handled.

On-demand scanning
You can run an on-demand scan in two ways:

Standard on-demand scan: The user instructs the software to perform a scan. You can run a
standard on-demand scan manually.

Scheduled on-demand scan: The scheduled scan runs automatically at predetermined intervals as
defined.
You can choose to schedule a scan of this type to run after the regular DAT update.

You can run an on-demand scan for many reasons, for example:

To check a file that has been downloaded from the Internet or obtained from an external source.

To check if your system is clean, following the DAT update, in case new viruses can be detected.

To check if your system is clean, following a recent single detection.

Product features
The main features of the software are listed here.

General

Native 64-bit platform support: Supports only 64-bit platforms. All binaries shipped with the
product are 64-bit. This product cannot be used on 32-bit platforms.

Fanotify technology: Uses Fanotify technology to perform on-access scanning instead of the kernel
hooking modules used in earlier versions. Therefore, this version does not have
any kernel hooks.
Fanotify is enabled in the kernel from kernel version 2.6.38. This release does not support
distributions that do not have Fanotify enabled in the kernel, such as RedHat 6.

Anti-malware scanning

Protects your system from viruses, trojan horses, spyware, and potentially unwanted programs.

Supports Novell Storage Services (NSS) and Novell Cluster Services (NCS)

Supports on-access scanning for local file systems and network volumes.

Provides an option to include or exclude network-mounted volumes from on-access scanning and
on-demand scanning.

Provides an option to include or exclude archived files from on-access scanning and on-demand
scanning.

Supports regular expression-based exclusions for on-access scanning and on-demand scanning
from the interface.

Uses the latest version (5600) of the McAfee anti-malware engine.

Auto and scheduled updates for scanning engine and detection definition (DAT) files.

Software update and scanning schedule

Allows you to schedule on-demand scans at times convenient to you.

Allows you to schedule updates of the scanning engine and detection definition (DAT) files.

Administration

Manages and controls systems centrally from a single management console using ePolicy
Orchestrator.

Remote administration using a browser-based interface.

Secure browser interface with authentication and HTTPS (SSL) support.

Reporting

Displays real-time statistics for recently scanned items and recently detected threats.

Creates a detailed database of detected items and system events.

Provides options to query the database by date range or individual field values, for example, virus
name. You can export the results to a CSV file.

Sends email notifications for detected items, out-of-date DAT files, configuration changes, and
system events.

Generates a diagnostic report for analysis when reporting a problem with the product.

Installation and deployment

Install the software on a standalone system, or deploy the software from ePolicy Orchestrator to
managed Linux systems.
Contents
System requirements
Install the software on a standalone system
Install and deploy the software on managed systems
Upgrade the software
Test the installation
Uninstall the software

System requirements
Make sure that your system meets these minimum requirements and that you have administrator rights.

Component | Requirements
Processors | Intel x86_64 architecture-based processor that supports Intel Extended Memory 64 technology (Intel EM64T); AMD x86_64 architecture-based processor with AMD 64-bit technology
Memory | Minimum: 2 GB RAM; Recommended: 4 GB RAM
Free disk space | Minimum: 1 GB
Operating systems (64-bit) | SUSE Linux Enterprise Server 11 SP2 64-bit; SUSE Linux Enterprise Server 11 SP3 64-bit; Ubuntu 12.04, 12.10, 13.04, and 13.10 64-bit; Amazon Linux AMI 2013.03 64-bit; SUSE and Ubuntu on Amazon Elastic Compute Cloud (Amazon EC2); Novell Open Enterprise Server 11 SP1. This product cannot be used on 32-bit platforms.
Virtual platforms | VMware; KVM; Citrix Xen; Virtual box; Xen; Paravirtual environment; Guest operating system on Xen Hypervisor
McAfee Management software | McAfee ePolicy Orchestrator 4.6; McAfee ePolicy Orchestrator 5.0; McAfee ePolicy Orchestrator 5.1
McAfee Agent | McAfee Agent 4.8 Patch 2

Install the software on a standalone system


Install the software on a standalone system manually or in silent mode.
Tasks

Install the software with the command line: The command-line installation prompts you to provide input during the installation.

Install the software in silent mode: Silent installation installs the software on your Linux systems with the default values.

Install the software with the command line


The command-line installation prompts you to provide input during the installation.
Tasks

Install the software on RPM based systems: Download the McAfeeVSEForLinux2.0.0.<build_number>.ZIP file from the McAfee download
site to install the software on RPM-based systems.

Install the software on Debian based systems: Download the McAfeeVSEForLinux2.0.0.<build_number>.ZIP file from the McAfee
download site to install the software on Debian-based systems.

Install the software on Novell Open Enterprise Server: Install the software on Novell Open Enterprise Server.

Install the software on RPM based systems


Download the McAfeeVSEForLinux2.0.0.<build_number>.ZIP file from the McAfee download site to install
the software on RPM-based systems.
Task
1 Download McAfeeVSEForLinux2.0.0.<build_number>.ZIP to a temporary directory and execute
these commands in the given sequence:
    # unzip McAfeeVSEForLinux-2.0.0.<build_number>.ZIP
    # cd McAfeeVSEForLinux-2.0.0.<build_number>
    # tar -zxvf McAfeeVSEForLinux-2.0.0.<build_number>-release-full.x86_64.tar.gz
    # tar -zxvf McAfeeVSEForLinux-2.0.0.<build_number>-release.tar.gz
    # tar -zxvf McAfeeVSEForLinux-2.0.0.<build_number>-others.tar.gz

2 Install McAfee Runtime:
    rpm -ivh MFErt.i686.rpm

3 Install McAfee Agent:
    rpm -ivh MFEcma.i686.rpm

4 Confirm that McAfee Agent is running correctly:
    /etc/init.d/cma status

5 Install VirusScan Enterprise for Linux:
    bash McAfeeVSEForLinux-2.0.0.<build_number>-installer

6 Answer the questions when prompted. Accept the default values, or type custom values.

7 When prompted to start the VirusScan services, type the default option Y.

8 Confirm that VirusScan Enterprise for Linux is installed and running correctly:
    /etc/init.d/nails status
The message "The McAfeeVSEForLinux daemon is running: process information follows" appears.

Install the software on Debian based systems


Download the McAfeeVSEForLinux2.0.0.<build_number>.ZIP file from the McAfee download site to
install the software on Debian-based systems.
Task
1 Download McAfeeVSEForLinux2.0.0.<build_number>.ZIP to a temporary directory and execute
these commands in the given sequence:
    # unzip McAfeeVSEForLinux-2.0.0.<build_number>.ZIP
    # cd McAfeeVSEForLinux-2.0.0.<build_number>
    # tar -zxvf McAfeeVSEForLinux-2.0.0.<build_number>-release-full.x86_64.tar.gz
    # tar -zxvf McAfeeVSEForLinux-2.0.0.<build_number>-release.tar.gz
    # tar -zxvf McAfeeVSEForLinux-2.0.0.<build_number>-others.tar.gz

2 Install McAfee Runtime:
    dpkg -i MFErt.i686.deb

3 Install McAfee Agent:
    dpkg -i MFEcma.i686.deb

4 Confirm that McAfee Agent is running correctly:
    /etc/init.d/cma status

5 Install VirusScan Enterprise for Linux:
    bash McAfeeVSEForLinux-2.0.0.<build_number>-installer

6 Answer the questions when prompted. Accept the default values, or type custom values.

7 When prompted to start the VirusScan services, type the default option Y.

8 Confirm that VirusScan Enterprise for Linux is installed and running correctly:
    /etc/init.d/nails status
The message "The McAfeeVSEForLinux daemon is running: process information follows" appears.

Install the software on Novell Open Enterprise Server


Install the software on Novell Open Enterprise Server.
Task
1 From the Novell eDirectory server, use iManager to create a user, nails, and a group, nailsgroup.

2 Add the user nails to the group nailsgroup. Enable the user and group using the Linux User Management.

3 Provide the nails user with administrator rights on all NSS volumes.
    rights -f /media/nss/<VOL-name> -r s trustee nails.<context>.<tree>
You must provide administrator privileges to the nails user every time a new NSS volume is created.

4 Download the MFErt.i686.rpm and MFEcma.i686.rpm files.

5 Install McAfee Runtime and McAfee Agent:
    rpm -ivh MFErt.i686.rpm
    rpm -ivh MFEcma.i686.rpm

6 Install VirusScan Enterprise for Linux:
    bash McAfeeVSEForLinux-2.0.0.<build_number>-installer

7 Type nailsgroup for the Linux group for the VirusScan administrator.

8 Type nails for the VirusScan user.

9 Answer the questions when prompted. Accept the default values, or specify your own.

10 When prompted to start the VirusScan services, type the default option Y.

Install the software in silent mode


Silent installation installs the software on your Linux systems with the default values.
Tasks

Install the software on RPM and Debian based systems in silent mode: Install VirusScan Enterprise for Linux on RPM and Debian systems in silent mode.

Install the software on Novell Open Enterprise Server in silent mode: Install the software on Novell Open Enterprise Server in silent mode.

Install the software on RPM and Debian based systems in silent mode
Install VirusScan Enterprise for Linux on RPM and Debian systems in silent mode.
Before you begin
Before installing the software, you must have McAfee Runtime and McAfee Agent already
installed on the computer.
Task
1 Create a file, nails.options, with the following settings in the root home directory.
SILENT_ACCEPTED_EULA=yes
SILENT_INSTALLDIR=/opt/NAI/LinuxShield
SILENT_RUNTIMEDIR=/var/opt/NAI/LinuxShield
SILENT_ADMIN=admin@example.com
SILENT_HTTPHOST=0.0.0.0
SILENT_HTTPPORT=55443
SILENT_MONITORPORT=65443
SILENT_SMTPHOST=0.0.0.0
SILENT_SMTPPORT=25
SILENT_NAILS_USER=nails
SILENT_NAILS_GROUP=nailsgroup
SILENT_CREATE_USER=yes
SILENT_CREATE_GROUP=yes
SILENT_RUN_WITH_MONITOR=yes
SILENT_QUARANTINEDIR=/quarantine
SILENT_START_PROCESSES=yes

2 At the command prompt, type the following command:
   bash McAfeeVSEForLinux-2.0.<build_number>-installer

3 After installation is completed, use the command passwd to assign a password to the user nails.

Install the software on Novell Open Enterprise Server in silent mode


Install the software on Novell Open Enterprise server in silent mode.
Task
1 From the Novell eDirectory server, use iManager to create a user, nails, and a group, nailsgroup.

2 Add the user nails to the nailsgroup. Enable the user and group using the Linux User Management.

3 Provide the user nails with administrator rights on all NSS volumes.
   rights -f /media/nss/<VOL-name> -r s trustee nails.<context>.<tree>
   You must provide administrator privileges to the nails user every time a new NSS volume is created.

4 In the nails.options file, make sure that the following parameters are available:
SILENT_NAILS_USER="nails"
SILENT_NAILS_GROUP="nailsgroup"
SILENT_CREATE_USER=no
SILENT_CREATE_GROUP=no

5 From the terminal window, type bash McAfeeVSEForLinux-2.0.0.<build number>-installer

6 After performing the installation, use iManager to assign a password to the user nails.
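
Both silent-mode procedures above hand nails.options to an installer that runs as root, so it is worth linting the file before the run. The shell script below is an added example, not part of the product or of this guide; its rules (every key from the listing present, yes/no values, port ranges, absolute paths, file not writable by group or others, account present when SILENT_CREATE_USER=no) are assumptions of the example, not documented installer checks.

```shell
#!/bin/sh
# Pre-flight lint for a nails.options file (added example, not McAfee code).
# The rules below are this script's own policy, not documented installer checks.

# Every key that appears in the guide's nails.options listing.
REQUIRED_KEYS="SILENT_ACCEPTED_EULA SILENT_INSTALLDIR SILENT_RUNTIMEDIR
SILENT_ADMIN SILENT_HTTPHOST SILENT_HTTPPORT SILENT_MONITORPORT
SILENT_SMTPHOST SILENT_SMTPPORT SILENT_NAILS_USER SILENT_NAILS_GROUP
SILENT_CREATE_USER SILENT_CREATE_GROUP SILENT_RUN_WITH_MONITOR
SILENT_QUARANTINEDIR SILENT_START_PROCESSES"

# nails_opt FILE KEY: print the last value set for KEY, minus optional quotes.
nails_opt() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e 's/^"//' -e 's/"$//'
}

# check_nails_options FILE: print one line per problem; return 0 only if clean.
check_nails_options() {
    file=$1
    problems=0
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "unreadable: $file"
        return 2
    fi

    # The installer runs as root; nobody else should be able to edit its input.
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \))" ]; then
        echo "writable by group or others: $file"; problems=1
    fi

    for key in $REQUIRED_KEYS; do
        grep -q "^$key=" "$file" || { echo "missing: $key"; problems=1; }
    done

    if [ "$(nails_opt "$file" SILENT_ACCEPTED_EULA)" != yes ]; then
        echo "SILENT_ACCEPTED_EULA is not yes"; problems=1
    fi
    for key in SILENT_CREATE_USER SILENT_CREATE_GROUP \
               SILENT_RUN_WITH_MONITOR SILENT_START_PROCESSES; do
        case $(nails_opt "$file" "$key") in
            yes|no) ;;
            *) echo "not yes/no: $key"; problems=1 ;;
        esac
    done

    for key in SILENT_HTTPPORT SILENT_MONITORPORT SILENT_SMTPPORT; do
        port=$(nails_opt "$file" "$key")
        case $port in
            # empty, non-numeric, or more than five digits
            ''|*[!0-9]*|??????*) echo "bad port: $key=$port"; problems=1 ;;
            *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                   echo "bad port: $key=$port"; problems=1
               fi ;;
        esac
    done

    for key in SILENT_INSTALLDIR SILENT_RUNTIMEDIR SILENT_QUARANTINEDIR; do
        case $(nails_opt "$file" "$key") in
            /*) ;;
            *) echo "not an absolute path: $key"; problems=1 ;;
        esac
    done

    # With SILENT_CREATE_USER=no (the Novell OES case) the account must
    # already exist before the installer runs.
    user=$(nails_opt "$file" SILENT_NAILS_USER)
    if [ "$(nails_opt "$file" SILENT_CREATE_USER)" = no ] &&
       ! id -u "$user" >/dev/null 2>&1; then
        echo "SILENT_CREATE_USER=no but account does not exist: $user"; problems=1
    fi

    return "$problems"
}

# Stand-alone use: sh lint_nails_options.sh /root/nails.options
if [ "$#" -gt 0 ]; then
    check_nails_options "$1"
fi
```

A clean file prints nothing and returns 0; any finding is printed on its own line and the function returns non-zero, so the check can gate the installer call in a deployment script.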

Install and deploy the software on managed systems


Install and manage the software using McAfee ePolicy Orchestrator for centralized policy
implementation.
Contents
Prerequisites
Check in the package manually
Install the extensions
Deploy the software
Send an agent wake-up call

Prerequisites
Before deploying VirusScan Enterprise for Linux on Novell Open Enterprise Server 2.x systems:
1 From the Novell eDirectory server, use iManager to create a user, nails, and a group, nailsgroup.

2 Add the user nails to the group nailsgroup. Enable the user and group using the Linux User Management.

3 Provide the user nails with administrator rights on all NSS volumes. For example:
   rights -f /media/nss/<VOL-name> -r s trustee nails.<context>.<tree>
   You must provide administrative privileges to the nails user every time a new NSS volume is created.

Check in the package manually


Check in the VirusScan Enterprise for Linux deployment package to the ePolicy Orchestrator Master
Repository.
Before you begin
Make sure that the McAfeeVSEForLinux-2.0.0.<build_number>-release-EPO.zip file is
extracted from the package to a temporary location on the ePolicy Orchestrator server.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Software | Master Repository, then click Action | Check In Package.

3 On the Check In Package page, for Package type, select Product or Update (.ZIP).

4 Click Browse in File Path, select the file from the temporary location, then click Next.
   Select McAfeeVSEForLinux-2.0.0.<build_number>-release-EPO.zip to install the software. Select
   MSA-LNX_4.8.0_Package.zip to install McAfee Agent.

5 On the Package Options page, select a Branch, select the required options, then click Save.

Install the extensions


Install VirusScan Enterprise for Linux extensions using ePolicy Orchestrator.
Install these extensions to enable the features of the product:

EPOAGENTMETA.ZIP

LYNXSHLDMETA.ZIP

LYNXSHLDMETAPARSER.ZIP

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Software | Extensions.

3 On the Extensions page, click Install Extension.

4 Click Browse, select the extension file, then click OK.

To install the software Help extension, browse for the file help_vsel_200.zip and check in
the extension. You will find the Help extension under Extensions | McAfee | Help Content.

Deploy the software


Deploy VirusScan Enterprise for Linux on client computers using the ePolicy Orchestrator software.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.

2 Create and download the agent installation package:
   a From System Tree, click System Tree Actions | New Systems.
   b On How to add systems, select Create and download agent installation package, click Non-Windows in Agent version,
     select McAfee Agent for Linux 4.8.0 (Current), then click OK.
   c From Download file, right-click install, then select Save target as to download the file to your local
     system.
     If you are deploying the product on an Ubuntu client system, download the installdeb.sh file to
     your local system.

3 From the Linux terminal, execute the following command to establish a connection between
   ePolicy Orchestrator and the Linux client computer:
   sh install.sh -i

4 Navigate to the System Tree page, then on the Assigned Client Tasks tab, click Actions | New Client Task Assignment.

5 On Task to schedule, select McAfee Agent as the product, select Product Deployment as the task type, then
   click Create New Task under the task name.

6 To configure the client task, under Client Task Catalog, select Linux 64bit as the target platform, VirusScan
   Enterprise for Linux 2.0.0.<build number> as the Products and components, Install as the action, a language,
   then click Save.
   To deploy the software with customized settings, copy the nails.options file to the /root and /
   directory on your Linux client system. For more information on creating the nails.options file, see
   Silent installation.

7 Click Next to schedule this task immediately or as needed, click Next to view the task summary, then
   click a summary, then click Save and send an agent wake-up call. Wait for the deployment task to
   complete.

Send an agent wake-up call


Send an agent wake-up call to enforce the policies from ePolicy Orchestrator.
For option definitions, click ? in the interface.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.

2 Navigate to System Tree, select a group or systems, then select the Computer Names of that group.

3 Click Actions | Agent | Wake Up Agents.

4 For Wake-up call type select Agent Wake-Up Call, then for Randomization select a number of minutes that
   the systems must respond by.

5 Select Get full product properties for the agents to send complete properties instead of only properties
   that have changed since the last agent-server communication.

6 Click OK.
To see the status of the agent wake-up call, click Menu | Automation | Server Task Log.

Upgrade the software


VirusScan Enterprise for Linux supports upgrading the software and migrating the configuration from
the previous versions of the software.
Tasks

Upgrade the software from previous versions on RPM and Debian systems
Upgrade the software from versions 1.7.1 or 1.9.0 to version 2.0.

Upgrade the managed systems using ePolicy Orchestrator
Upgrade your existing Linux client systems running versions 1.7.1 or 1.9 to version 2.0,
using the ePolicy Orchestrator software.

Upgrade the software from previous versions on RPM and Debian systems


Upgrade the software from versions 1.7.1 or 1.9.0 to version 2.0.
Task
1 Upgrade McAfee Agent:
   For RPM based systems: rpm -Uvh MFEcma.i686.rpm
   For Debian based systems: dpkg -i MFEcma.i686.deb

2 Confirm that McAfee Agent is running correctly:
   /etc/init.d/cma status

3 Upgrade VirusScan Enterprise for Linux:
   bash McAfeeVSEForLinux-2.0.0.<build number>-installer

4 Confirm that VirusScan Enterprise for Linux is running correctly:
   /etc/init.d/nails status

5 Restart the computer:
   reboot

When you upgrade the software, the existing on-access scan settings, on-demand scan settings, and
the exclusions list are migrated.

Upgrade the managed systems using ePolicy Orchestrator


Upgrade your existing Linux client systems running versions 1.7.1 or 1.9 to version 2.0, using the
ePolicy Orchestrator software.
For option definitions, click ? in the interface.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.

2 Check in the packages manually.
   For more information, see Check in the package manually.

3 Install the extensions.
   For more information, see Install the software extensions.

4 Navigate to the System Tree page. On the Assigned Client Tasks tab, click Actions | New Client Task Assignment.

5 On Task to schedule, select McAfee Agent as the product, select Product Deployment as the task type, then
   click Create New Task under Task Name.

6 To configure the client task, under Client Task Catalog, select Linux 64bit as the target platform, VirusScan
   Enterprise for Linux 2.0.0.<build number> as the product and component, Install as the action, a language,
   then click Save.
   To upgrade the McAfee Agent on the Linux client system to McAfee Agent 4.8, first add McAfee Agent for
   Linux 4.8.0.x, then click the + button to add VirusScan Enterprise for Linux 2.0.0.<build_number>
   to upgrade both McAfee Agent and the product.

7 Click Next to schedule this task immediately or as needed, click Next to view the task summary, click
   Save, then send an agent wake-up call. Wait for the deployment task to complete.

8 Restart the client computer:
   reboot

Test the installation


McAfee recommends that you test your installation to make sure that the software is installed properly
and can protect your systems.
Tasks

Test the on-access scan feature on a standalone system
You can test on-access scanning by accessing the European Institute of Computer
Anti-Virus Research (EICAR) standard anti-virus test file.

Test the on-demand scan feature on a standalone system
Verify the on-demand scanning by accessing the European Institute of Computer Anti-Virus
Research (EICAR) standard anti-virus test file.

Test the on-demand scan on managed system
Verify that the on-demand scan feature is working on a managed system.

Test the on-access scan feature on a standalone system


You can test on-access scanning by accessing the European Institute of Computer Anti-Virus Research
(EICAR) standard anti-virus test file.
Make sure that on-access scanning is disabled in VirusScan Enterprise for Linux On-Access settings.
For option definitions, click ? in the interface.
Task
1 From a web browser, go to https://<Linux client IP address>:55443.

2 Log on with the user name and password provided during installation.

3 On the On-Access Settings page, click Edit, deselect Enable On-Access scanning, then click Apply.

4 From your browser, go to http://eicar.org.

5 Click ANTI-MALWARE TESTFILE, then click DOWNLOAD.

6 Click an anti-malware test file. For example, eicar.com.txt.

7 From the On-Access Settings page, enable On-Access scanning.

8 Try copying the downloaded eicar.com.txt file from your Linux client's desktop to the /tmp directory.

You can see that the file is not copied to the target directory and is missing from the desktop. The file
is quarantined, and one detected item appears on the Host Summary page.

Test the on-demand scan feature on a standalone system


Verify the on-demand scanning by accessing the European Institute of Computer Anti-Virus Research
(EICAR) standard anti-virus test file.
Make sure that On-Access scanning is disabled in VirusScan Enterprise for Linux On-Access settings.

Task
1 From your browser, go to http://eicar.org.

2 Click ANTI-MALWARE TESTFILE, click DOWNLOAD, then right-click eicar.com.txt and save the file to
   your /tmp directory.

3 From the interface, click Schedule Tasks.

4 Create a new on-demand scan schedule using the option Immediately.

5 Once the scan is complete, see the results of the scan.

You can see that the EICAR test malware is detected in the scan results. You can also view these
results from Detected Items and System Events page.

Test the on-demand scan on managed system


Verify that the on-demand scan feature is working on a managed system.
Before you begin
Make sure that On-Access scanning feature is disabled on your system.

Task
For option definitions, click ? in the interface.
1 From your managed system, using the browser, go to http://eicar.org.

2 Click ANTI-MALWARE TESTFILE, click DOWNLOAD, then right-click eicar.com.txt and save the file to
   your /tmp directory.

3 From the ePolicy Orchestrator, run an on-demand scan using the option Immediately on the managed
   system.

4 Once the scan is complete, see the results of the scan.

You can see that the EICAR test malware is detected in the scan results. You can also view these
results from Detected Items and System Events page.

Uninstall the software


Remove the software from standalone Linux systems and remove the software and its related
extensions from managed Linux systems.
Tasks

Uninstall the software from a standalone system
You can uninstall the software from your Linux system using the command line.

Remove the software from managed systems
Create a client task to remove VirusScan Enterprise for Linux from managed systems.

Remove the software from ePolicy Orchestrator
Remove the software from the ePolicy Orchestrator repository.

Uninstall the software from a standalone system


You can uninstall the software from your Linux system using the command line.
Before you begin
You must have administrator rights to uninstall the software.
Task
1 Type the following at the command prompt, then press Enter.

   For RPM based systems:
   rpm -e McAfeeVSEForLinux
   rpm -e MFEcma
   rpm -e MFErt

   For Debian based systems:
   dpkg --purge mcafeevseforlinux
   dpkg --purge mfecma
   dpkg --purge mfert

2 Restart the system.

Remove the software from managed systems


Create a client task to remove VirusScan Enterprise for Linux from managed systems.
For option definitions, click ? in the interface.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Systems | System Tree.

3 Create a client task in ePolicy Orchestrator. Click Assigned Client Tasks | Actions | New Client Task
   Assignment.

4 Schedule a client task in ePolicy Orchestrator. Under Task to schedule, select McAfee Agent as the
   product, select Product Deployment as the task type, then click Create New Task under the task name.

5 Configure the client task in ePolicy Orchestrator. Under Client Task Catalog, select Linux as the target
   platform, VirusScan Enterprise for Linux 2.0.0.<build number> as the product and component, Remove as the
   action, select a language, then click Save.

6 Click Next to schedule the task immediately or as needed, click Next to view task summary, click Save,
   then send an agent wake-up call.

Remove the software from ePolicy Orchestrator


Remove the software from the ePolicy Orchestrator repository.
For option definitions, click ? in the interface.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Software | Master Repository to open the Packages in Master Repository page.

3 In the Actions column, click the Delete link for VirusScan Enterprise for Linux as the name and 2.0.0 as the
   version.

4 Remove the product and reports extensions.
   a Click Menu | Software | Extensions, then from the left pane, select VirusScan Enterprise for Linux.
   b For each extension file, click Remove, select Force removal, bypassing any checks or errors, then click OK.

Using the interface

Access the interface to define or modify the software configuration, or view information about the
software.
Contents
Launch the interface
VirusScan Enterprise for Linux interface
Working with the interface

Launch the interface


View the interface by specifying the IP address and port number in a supported web browser.
Task
1 Open a supported web browser, such as Internet Explorer, Mozilla, or Konqueror, then type the IP
   address and port number in this format:
   For example: https://server1:55443 or https://192.168.200.200:55443
   VirusScan Enterprise for Linux regards server1 and SERVER1 as similar. The browser tries to connect
   to the port on the Linux host where the VirusScan Enterprise for Linux web-monitoring service runs,
   and displays the logon page. If your browser or its version is not supported, you see a warning
   message. You can continue to log on, but you might experience problems later with the screen and
   operation of features of the interface.

2 Type the default user name nails and the password that you specified during installation, then click
   Log on to open the homepage.
   The user name and password are case-sensitive.
   On Konqueror browsers, the following message appears: Server certificate failed the authenticity test...
   This message appears because the certificate is self-signed. You can ignore this message and click
   Continue.

The Host Summary page displays information such as IP address, DAT and engine version, product
version, files scanned, status, and detected items for the Linux systems.
To return to this page at any time, click Home from the navigation pane on the left side.


VirusScan Enterprise for Linux interface


The VirusScan Enterprise for Linux user interface has three areas: the navigation pane, the console, and
the QuickHelp pane.
When you launch the software interface, you can see these main areas:

Left: The navigation pane allows you to visit each page setting.

Middle: The console displays the available settings for each page you select from the navigation
pane.

Right: The QuickHelp pane displays the Help content.

Navigation pane
The navigation pane appears on left side of the interface. It provides links to view summary reports,
schedule scans, update the product, and configure scan settings and notifications. Similar links are
grouped.
The name of the currently selected Linux host appears above the navigation pane as a host name and
port number, for example: server1:55443.
The groups of items in the navigation pane menu (View, Schedule, and Configure) refer to this host.

View: Displays Host Summary, Scanning Summary, Detected Items, System Events, and Scheduled Tasks
information about the selected host.

Schedule: Displays Product Update and On-Demand Scan information, where you can set up schedules for
running on-demand scans and updating the DAT files.

Configure: Displays General Settings, On-Access Settings, On-Demand Settings, and Notifications information,
where you can configure scanning, notification, and repository settings on the selected host.

The navigation pane also includes:

Home: Displays summary information about the host that is being monitored.

Show/Hide Quick Help: Displays or hides the Help system which is displayed on the right pane of the
interface.

Console
The console in the middle of the interface displays each page that is selected from the navigation
pane.

Help pane
The help pane on the right side of the interface displays basic information about each page displayed
in the console area.
You can display or hide the Help using the Show Quick Help or Hide Quick Help menu options in
the navigation pane.

Links bar
The links bar at the top of the interface provides quick access to information or often-used functions.
This bar contains the following links:

Log off: Closes the current session and navigates to the software logon page.

Technical Support: Navigates to the McAfee Technical Support page.

Submit a Sample: Displays instructions for submitting malware samples to McAfee Labs.

Virus Information Library: Links to the malware information library, which provides full information
about every malware and other potentially unwanted software that VirusScan Enterprise for Linux
can detect and clean.

About McAfee VirusScan Enterprise for Linux: Displays product version and license information.

Resources: Displays contact information.

Help Topics: Navigates to online Help.

For the web addresses of the links, see Contact information.


Depending on the configuration that your organization requires, some of these links might not be
available or they can redirect to other locations. For more information, see Advanced features.

Working with the interface


You can expand tables, sort details, and modify the page settings.

Expanding and collapsing tables


The interface contains several tables of information. For convenience, you can expand or collapse
some tables.
The software displays information and the available configuration options in tables.

Click (Collapse) to hide the information.

Click (Expand) to display the information.

You can collapse and expand tables as needed for better readability, when the interface displays
information with more rows.
For example, on the Notifications page, the SMTP Notification and SMTP Settings tables contain many options.
You might not be able to view the options in both the tables on a single page. In such cases, you can
collapse the table information that you are not using.

Sorting table columns


The interface contains several tables. For convenience, you can sort the information using the column
title.
For example, to sort rows into time order, click the column heading Time. An arrow appears on the right
side of a column heading and indicates the order of the sorting.
^ The information is displayed in ascending order (0-9, A-Z).
v The information is displayed in descending order (9-0, Z-A).
To reverse the order of sorting, click the column heading again.
This action does not refresh or update the contents of a table. The action does not sort all information;
it changes the order of the currently displayed rows of information only.


Navigating through long tables


If VirusScan Enterprise for Linux has too much information to display within a page, the interface
displays only a few rows at a time.
You can use the navigation arrows and numbers that appear at the bottom of the table to display the
rest of the information.
For example: << 1 2 3 4 5 >>
To increase the number of rows of information that you can view on one page, see General settings.
VirusScan Enterprise for Linux applies a limit to the amount of information that can be viewed over
several pages. For example, on the Detected Items page and the System Events page, you can view up to 20
pages each containing up to 50 rows. You can effectively view more results by using a query to filter
the information.

Modify page settings


You can change the page settings for several pages in the interface. These pages have an Edit button
at the top right of the page.
For option definitions, click ? in the interface.
Task
1 On the navigation pane, under the Configure area, click the page whose settings you want to modify, then
   click Edit.
   The Edit button is replaced by other buttons: Apply and Cancel, and in some cases, Defaults or Reset.

2 Update the fields as needed, then click Apply.
   While making the changes, if you decide not to proceed, click Cancel.
   To reset the settings to the defaults, click Reset. When you click Cancel or Defaults, you are prompted
   to confirm that you want to do this.

Automatically refresh information on pages


The information on some pages is automatically refreshed every 10 seconds by default.
For option definitions, click ? in the interface.
Task
1 On the navigation pane, under the Configure area, click General Settings, then click Edit.

2 In the Browser Interface table, type the value for Refresh interval (seconds), then click Apply.
To manually refresh these pages at any time, click Refresh at the top of the page.

Using wizards
The interface uses wizards for completing complex tasks.
Using the Next and Back buttons in the top right corner enables you to move from pane to pane. You
can also move to any pane by clicking the respective tabs.
To close the wizard and complete the task, click Finish.


Error messages
When a fault occurs with the interface, a message appears on the current page.
The message typically has the format:
Error code: Description
25: Connection failed to host 192.168.255.200

For more information about error messages, see View system events.

Date and time expression


Date and time in the interface are expressed as the local time on the host where the software is
running.
The time is displayed in 24-hour format, and includes a UTC (Universal Time Co-ordinates) offset. For
example: May 02, 2013 12:35:00 (-8:00 UTC).
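
To correlate detections with logs from other hosts, the local-time-plus-offset form shown above has to be normalized to UTC. The shell function below is an added example, not product code: it converts an interface timestamp to Unix epoch seconds. It assumes the offset is always written as (-H:MM UTC), (+H:MM UTC) or unsigned; the guide itself only shows a negative offset.

```shell
#!/bin/sh
# vsel_time_to_epoch "May 02, 2013 12:35:00 (-8:00 UTC)"
# Prints Unix epoch seconds (UTC); returns non-zero on malformed input.
# Added example; the accepted offset spellings are an assumption.
vsel_time_to_epoch() {
    printf '%s\n' "$1" | awk '
    # Days between 1970-01-01 and the given Gregorian date (year >= 1).
    function days_from_civil(y, m, d,    era, yoe, mp, doy, doe) {
        if (m <= 2) y -= 1                       # count the year from March
        era = int(y / 400)
        yoe = y - era * 400
        mp  = (m + 9) % 12                       # March = 0 ... February = 11
        doy = int((153 * mp + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    {
        # Fields: Mon  DD,  YYYY  HH:MM:SS  (+H:MM  UTC)
        pos = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1)
        if (NF != 6 || length($1) != 3 || pos % 3 != 1) exit 1
        if ($2 !~ /^[0-9][0-9]?,$/ || $3 !~ /^[0-9][0-9][0-9][0-9]$/) exit 1
        if ($4 !~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/) exit 1
        if ($5 !~ /^\([+-]?[0-9][0-9]?:[0-9][0-9]$/ || $6 != "UTC)") exit 1

        month = (pos + 2) / 3
        day = $2 + 0                             # "02," -> 2
        split($4, t, ":")
        off = substr($5, 2)                      # drop the leading "("
        sign = (substr(off, 1, 1) == "-") ? -1 : 1
        sub(/^[+-]/, "", off)
        split(off, o, ":")

        local_secs = days_from_civil($3 + 0, month, day) * 86400
        local_secs += t[1] * 3600 + t[2] * 60 + t[3]
        # local time = UTC + offset, so UTC = local time - offset
        printf "%d\n", local_secs - sign * (o[1] * 3600 + o[2] * 60)
    }'
}
```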


Viewing information

From the View area of the navigation pane, you can view the host summary, scanning summary,
detected items, system events, and scheduled tasks information.
Contents
Host summary
Scanning summary
Detected items
Viewing system events
Scheduled tasks
ExtraDAT file details

Host summary
The Host Summary page shows the information collected from the server running VirusScan Enterprise
for Linux. The information includes the number of files scanned and the detections.
To view this page, click Host Summary under View in the navigation pane.
For more information about the scanning activity on the host, click the host name in the Host column.
The Scanning Summary page contains these details.
Option: Definition

Host: Displays the name of the host that is being monitored. Click the address to view the
Scanning Summary page for that host.

Status: Displays the host status:
   active: The host is being monitored.
   connecting, disconnecting: Brief changes of state.
   disconnected: Typically the host has been switched off, or its services are not running.
   on-access disabled: On-access scanning has been disabled on the host.
   on-access enabled: On-access scanning has been enabled on the host.

Files Scanned: Displays the number of items scanned since the software was installed, or since the
statistics counters were last reset.

Detected Items: Displays the number of detected items since the software was installed or since the
statistics counters were reset. Click the number to navigate to the Detected Items page for
that host.

DAT Version: Displays the 8-digit (XXXX.YYYY) version number for the DAT files.

DAT Date: Displays the date when the DAT files were created.
McAfee regularly provides updated DAT files. If the date is more than a day ago, your
DAT files are not up to date.

ExtraDAT: McAfee provides an ExtraDAT file to counter specific threats whenever needed. If an
ExtraDAT file is available, click Yes to navigate to the ExtraDAT page.

Engine Version: Displays the scanning engine version. Engines are updated less often than DAT files.

Product Version: Displays the product version.

Scanning summary
The Scanning Summary page shows details of on-access scanning activity on the host that you selected
from the Host Summary page.
Statistics about malware detected during on-access and on-demand scans are available from the
Detected Items page, and the rest is available from System Events.
You can view the Scanning Summary page by navigating to Scanning Summary under View.
The Scanning Summary page displays the scanning statistics and scanned items details.

The Scanning Statistics table displays the on-access scan status, number of files scanned, number of
files detected, actions taken, excluded files, average scan time, and host local time details.

The Recently Detected table displays the details of the detected items such as detection time, file
name, detection type, and file path.

The Recently Scanned table displays the details of the scanned items such as detection time, file name,
detection type, and file path.

Scan statistics
The statistics are collected from the time when the software was installed, or since the statistics
counters were last reset on the General Settings page.
This table explains the information in each column.
Option: Definition

On-Access status: Indicates whether on-access scanning is enabled.

Files scanned: Displays the number of files scanned since the host started or the counters were
reset.

Detected items: Displays the number of items detected by on-access scanning since installation or
the count was last restarted.

Actions performed: Indicates actions that have been performed on files, in accordance with the
settings on the On-Access Settings page. For on-access scans, Access denied means
that all actions taken against the infection failed, or the action was set to deny
access.

Files not scanned: Displays the number of files that were not scanned for any reason. For example,
some items are excluded because they are on specified excluded paths, or
because of the file name extension.

Average scan time (ms): Displays the average time in milliseconds taken to scan an item.

Scanning uptime: Indicates the time since the software was last started. Statistics about average
scanning time are based on this period.

Host local time: Time is expressed in 24-hour format as local time on the host, and with a UTC
offset.

Recently detected items


View the items that are detected recently. This page is continuously updated as files are accessed,
then scanned and any malware is detected.
Although a file name appears in the list, the file itself might no longer exist if the software has deleted
the infected file. The following information is displayed under Recently Detected.
Option: Description

Time: Time when the detection occurred.

File Name: Name of the file, excluding its path.

Detected As: Name of any virus or other potentially unwanted software. For more information, click
the name to visit the Virus Information Library.

Detected Type: Type of the detected item, such as:
   Program: A program (application) such as spyware, remote-access software, or
   password cracker.
   Joke: A joke program.
   Test: A test virus such as EICAR.
   Trojan: A trojan horse program.
   Virus: Malware and other types of infection.

User: Name of the user who accessed the file.

Process: Process that accessed the file.

Path: Name of the file, including its full path. For an archive or other file types that act as a
container, the path can include the name of an item within the archive.

Recently scanned items


This information is continuously updated as files are accessed and scanned. The following information
is displayed under Recently Scanned.
Option

Description

Time

Time when the scanning occurred.

File Name

Name of the file, excluding its path.

Detected As

Name of any virus or other potentially unwanted software. For more information, click
the name to visit the Virus Information Library.
This column appears only if a recently scanned file was infected.

Detected Type

Type of the detected item, such as:
Program: A program (application) such as spyware, remote-access software, or password cracker.
Joke: A joke program.
Test: A test virus such as EICAR.
Trojan: A trojan horse program.
Virus: Malware and other types of infection.
This column appears only if a recently scanned file was infected.

User

Name of the user who accessed the file.

Process

Process that accessed the file.

Path

Name of the file, including its full path. For an archive or other file types that act as a
container, the path can include the name of an item within the archive.
If the path name is long, move the horizontal scroll bar to see it all clearly.

Generate a diagnostic report


A diagnostic report contains detailed information that is useful to McAfee support when you contact
them for troubleshooting.
For option definitions, click ? in the interface.
Task
1. In the Scanning Summary page, click Diagnostic Report. The console displays a list of system events,
   configuration details, and other information.

2. Using the browser, you can copy the information for later analysis. Typically, you select Select All
   from a right-click menu (or Ctrl+A), then copy and paste the text as needed.

Detected items
The Detected Items page shows a list of items that contained malware or other potentially unwanted
software. The range of items that you see can vary because the list depends on how you navigated to
this page.
If you navigate directly to this page from the navigation pane or you select the count of Detected Items in
the Scanning Summary page, you see items detected today by on-access scanning.
If you navigate to this page from a task in the Scheduled Tasks page for an on-demand task, you see
items detected during the last run of the task.
To view this page, click Detected Items under View in the navigation pane. From this page, you can modify
the view to show information about items detected by on-access scanning or detected by an
on-demand scan.
The Detected Items page has two areas:

Query: Allows you to define criteria to run a query.

Results: Displays the results of the query you run. If none of the criteria matches, you get the
message No results found.

Analyze the detected items


Under Query, you can refine the information that is displayed under Results.
You can examine entries made between, before or after specified dates and times, and you can filter
the information. For example, you can find all occurrences of a particular virus. This feature is useful if
the software has detected many viruses, and it enables you to analyze trends.

After a short time, VirusScan Enterprise for Linux updates the information under Results.

Task
1. On the navigation pane, click Detected Items, then select the scan option:

   Click On Access to view information about detections during on-access scanning.

   Click On Demand to view information about detections during on-demand scanning.

2. To examine information after a specified date, select from. To examine information before a
   specified date, select to. Select the date and time.

3. To examine information between two dates, select both from and to, select the dates and times,
   then click Find Results.

4. At the where area, select the check boxes to select items such as Path, Results, and User.
   The path names are case sensitive.

5. Click Find Results. After a short time, the software displays the updated information in the Results
   page.

Viewing the results


The Results table contains several rows and columns. The number of rows is typically 10.
The Results table contains the following information.
Option

Definition

Time

Time when the detection occurred.

File Name

Name of the file, excluding its path.

Result

Result of the scan:


Quarantined
Quarantine Failed
Deleted
Delete Failed
Cleaned
Clean Failed
Renamed
Renamed Failed
Detected
Continue
Blocked: No cleaning occurs but the software denies further access to the file. This
option applies to on-access scans only.

Detected As

Name of the malware or other potentially unwanted software. For more information, click
its name to view its details in our Virus Information Library.

Detected Type

Type of infection, such as joke, spyware, or trojan.

User

Name of the user who accessed the file. This option is not available in the results of
on-demand scans.

Process

Process that accessed the file. This field is not available in the results of on-demand
scans.

Path

Name of the file, including its full path. This option is not available in the results of
on-demand scans.

To view more rows of information, use the navigation arrows and numbers below the table. You can
refine the information using the Query filter. For more information, see Analyze the detected items.
If the page shows on-access scanning, or if a scheduled scan is still running, click Refresh to see the
latest detections.

Export the results for analysis


You can save all information under Results as a CSV (comma-separated values) file. Later, you can
import the information into a spreadsheet program, such as Microsoft Excel or Lotus 123, for analysis.
For option definitions, click ? in the interface.
Task
1. Click Export to CSV.

2. Save the file. The default file name is detitems.csv.
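
One way to do the trend analysis outside a spreadsheet, as an added example that is not McAfee code: the script tallies an exported detitems.csv by malware name and by result, and lists the files whose action failed or was only Blocked. The column headers and the sample rows are assumptions constructed for the example; the Result values are those listed in the Results table.

```python
import csv
import io
from collections import Counter

# ASSUMPTION: the export's header row uses the Results table headings from
# the guide. Check the first line of your own detitems.csv and adjust.
COLUMNS = ("Time", "File Name", "Result", "Detected As",
           "Detected Type", "User", "Process", "Path")

# Constructed sample rows (not real product output). User, Process and Path
# are empty on the fourth row, as the guide says on-demand results omit them.
SAMPLE_CSV = """\
Time,File Name,Result,Detected As,Detected Type,User,Process,Path
2014-03-02 10:15:01,eicar.com,Deleted,EICAR test file,Test,alice,cp,/home/alice/eicar.com
2014-03-02 10:17:44,setup.bin,Clean Failed,Example.Trojan.A,Trojan,bob,wget,/tmp/setup.bin
2014-03-02 10:17:45,setup.bin,Blocked,Example.Trojan.A,Trojan,bob,wget,/tmp/setup.bin
2014-03-03 08:00:12,tool.tgz,Quarantined,Example.PUP.B,Program,,,
2014-03-03 09:30:00,setup.bin,Blocked,Example.Trojan.A,Trojan,bob,bash,/tmp/setup.bin
"""


def load_rows(stream):
    """Parse an exported CSV into dicts keyed by COLUMNS; absent cells become ''."""
    rows = []
    for raw in csv.DictReader(stream):
        # DictReader stores surplus cells under the key None; skip those.
        cleaned = {k.strip(): (v or "").strip()
                   for k, v in raw.items() if k is not None}
        rows.append({col: cleaned.get(col, "") for col in COLUMNS})
    return rows


def needs_follow_up(result):
    """True if an action failed or access was only blocked (no cleaning occurred)."""
    return result.endswith("Failed") or result == "Blocked"


def triage(rows):
    """Summarise an export: trend per malware name, outcome counts, open items."""
    open_rows = [r for r in rows if needs_follow_up(r["Result"])]
    return {
        "by_name": Counter(r["Detected As"] for r in rows),
        "by_result": Counter(r["Result"] for r in rows),
        # On-demand rows carry no Path, so fall back to the bare file name.
        "open_items": Counter(r["Path"] or r["File Name"] for r in open_rows),
        # User and Process exist only for on-access detections.
        "open_by_user": Counter(r["User"] for r in open_rows if r["User"]),
        "open_by_process": Counter(r["Process"] for r in open_rows if r["Process"]),
    }


def load_sample():
    """Rows from the constructed sample above."""
    return load_rows(io.StringIO(SAMPLE_CSV))


if __name__ == "__main__":
    report = triage(load_sample())
    for title, counter in report.items():
        print(title)
        for key, count in counter.most_common():
            print(f"  {count:3d}  {key}")
```

For a real export, open the file with `open("detitems.csv", newline="")` and pass the file object to `load_rows`.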

Viewing system events


The System Events page shows details of events for system errors, updates to DAT files, and
configuration changes for the host that you selected from the Host Summary page.
To view this page, click System Events under View in the navigation pane.
The page has two areas: Query and Results.
The table under Results has several rows and columns. The number of rows is typically limited to 10. To
see the latest events, click Refresh.
The columns contain the following information:
Option

Definition

Time

Time at which the event occurred.

Code

Event code (a number relating to the error or information event).

Type

Type of event: Error or information.

Description

Details of the event or error.

Analyze the system events


Under Query, you can refine the information that is displayed under Results.
You can examine entries made between, before, or after a specified date and time, and you can filter
the information further. For example, you can find all occurrences of a particular error code. This
feature is useful if the software has generated many events, and enables you to analyze trends.
Code ranges categorize events by the part of the product they relate to. For example, all
engine-related errors are in the range between 3000 and 3999. At Code, you can specify a single
code or a range of codes, for example:

Error Code

Description

3000

Only the 3000 code event.

3001

Only the 3001 code event.

3000

All events above and including code event 3000.

3000

All events up to and including code 3000.

10003000

All events between 1000 and 3000, including 1000 and 3000.

For option definitions, click ? in the interface.


Task
1. Specify a date and time for information you want to examine.
   Using any combination of from and to options, specify a date and time for the information you want
   to examine.

2. Click Find Results. After a short time, updated information appears under Results.

Export the results for analysis


You can save all information under Results as a CSV (comma-separated values) file, then import the
information into a spreadsheet program such as Microsoft Excel or Lotus 123, for analysis.
The System Events page shows only a few rows of information, typically 10 at a time. However, the export
includes all events that match the query specification. The title line of the Results table shows the full
number, for example: (101 to 110 of 2359). The more rows included, the longer the export takes.

For option definitions, click ? in the interface.


Task
1. Under Query, specify the information you want to view, then click Find Results.

2. Click Export to CSV.

3. Save the file. The default name is sysevents.csv.

Scheduled tasks
Update the scanning engine and DAT files, or run on-demand scans using schedules.
You can choose to run these tasks immediately, once, or on a schedule.
You can view this page by clicking Scheduled Tasks under View in the navigation pane.
The Scheduled Tasks page has two areas:

Task Summaries: Shows all tasks that you have scheduled.

Task Details: Shows the status and other details for the selected task.

The Task Summaries table has the following information:


Option

Definition

Name

Name of the task. To view the details for any task, click its name.

Type

Type of task: Update or On-Demand scan.

Status

Status of the task: Idle, Completed, In Progress, or Failed.

Results

Result of each task.

To see any more rows of information, use the navigation arrows and numbers below the table.
To see extra information about any task, click its name under Task Summaries.
The Task Details table has the following information:
Option

Definition

Status

Status of the task: Idle (not started), Completed, Failed, In Progress, or Stopped (by the user).

Next Run

Schedule for the task. This option applies to regular tasks only.

Last Run

Date and time when the task was last run.

Progress

Progress of the task. During an on-demand scan, this field shows the number of files
scanned, and other information such as the number of files that were excluded from
scanning.
During an update, this field shows text messages about each stage. Click any blue link to
see messages about this task in the System Events page.

Duration

The time taken for the last task, or the elapsed time on the current task.

Results

A completed on-demand scan shows the number of detected items. For more
information, click the number to open the Detected Items page.
If an update has completed, click to open the System Events page and find more information.
If a failure occurred, click to open the System Events page and find the reason.

The buttons under Task Details enable you to run, stop, modify, or delete the task as needed. To see the
latest status of the tasks, click the Refresh button.

Run a scheduled task immediately


Execute a scheduled task immediately.
For option definitions, click ? in the interface.
Task
1. On the Scheduled Tasks page, click the task name in Task Summaries to display its details under Task
   Details.

2. Under Task Details, click Run Now.

The task runs immediately. The results appear in Results under Task Details.

Modify an existing scheduled task


Modify an existing scheduled task. If you no longer need a task but you want to set up a similar task,
you can modify the existing task.
For option definitions, click ? in the interface.
Task
1. On the Scheduled Tasks page, select the existing task in the Task Summaries table.

2. Under Task Details, click Modify.

3. Make the changes in the When to Scan, What to Scan, and Choose Scan Settings pages, then click Finish.

Delete an existing scheduled task


Use this task to delete an existing scheduled task. If you no longer need a scheduled task, you can
delete it.
Task
1. Under Task Summaries, select the task name.

2. Under Task Details, click Delete.

Stop a running task


Use this option to stop a scheduled task that is running.
Task
1. Select the task that you want to stop, then click Stop.
   This action sets the status to Stopping.

2. Click Stop again. This action sets the status to Stopped.

You can now run or delete the task.

ExtraDAT file details


An ExtraDAT is a supplemental malware definition file. McAfee releases the ExtraDAT file in response
to an outbreak of potentially unwanted software, new malware, or a new variant of existing
malware.
The Extra DAT page shows information about any ExtraDAT file that is in use on the selected host. The
information includes the names of the malware and other potentially unwanted software that the
ExtraDAT file can detect.
To view this page, click the text (for example, Yes(5)) under the ExtraDAT column on the Host Summary
page. If the column contains No, no ExtraDAT file is available for the host, and VirusScan Enterprise for
Linux does not display the page.
For information about any malware in the list, click its name to link to our Virus Information Library.

Setting up schedules

Set up schedules to update the product or to schedule an on-demand scan.


From the Schedule area of the navigation pane, you can protect your Linux hosts by running the
following tasks regularly:

Update the product. At least once per day, update the DAT files to ensure that the software can
recognize new viruses and other potentially unwanted software.

Run an on-demand scan. The software examines files as they are accessed when on-access scan is
enabled. For complete security, scan other files that are stored in the system but accessed
occasionally, using the on-demand scan.

McAfee recommends that you schedule the product update and on-demand scan at regular intervals.
The product update task keeps the scan engine and DAT file up to date, and periodic on-demand scan
ensures that all files are scanned for malware threats.
The software enables you to create multiple schedules for running these tasks at regular intervals. You
can also create a schedule for immediate scan or product update in response to a suspected malware
attack. Using the latest DAT files you can make sure that your hosts are free from the new malware
threats.

Understanding time differences


It is important to understand how to set up times for scans and updates. Suppose that you are in Los
Angeles, using a browser to control a host that is running the software in New York. When you
schedule the time and date, it is the local time in New York. The time difference between these two
locations is typically three hours. If you set an on-demand scan to run at midnight, the scan runs at
midnight in New York, and you see the scan results from 9 p.m. in Los Angeles.
Contents
Using a wizard
Product update schedule
On-demand scan preferences

Using a wizard
Each type of schedule works in a similar way, using a wizard-like process to make the task easier.
The process leads you through a few pages where you enter the following information:

When the scan or update will take place

What to scan or update

The name of the task

Product update schedule


VirusScan Enterprise for Linux depends on information in the DAT files to identify malware.
Without updated information in the DAT file, the software cannot detect new threats or respond to
them effectively. Software that is not using the latest DAT files can compromise your malware
protection program.
More malware appears every month. To meet this challenge, McAfee releases new DAT files
every day, incorporating the results of the ongoing research into the characteristics of new malware
and their variants. The update task that is provided with the software makes it easy to take advantage
of this service.
This feature allows you to download the latest DAT files or a new scanning engine, using an immediate
update or a scheduled update.
You can also create an unscheduled update. Here, you provide information about an update but do not
attach a schedule to it. You can then run the update at any time, or run it from a command line.
Within your network, you need at least one computer that can download the files from our FTP site.
The software can then access the FTP site directly or it can copy files from that computer. For more
details of the download site, see Contact information.

Create a product update schedule


VirusScan Enterprise for Linux depends on information in the DAT files to identify malware and protect
your Linux systems from the latest threats.
Without updated information in the DAT file, the software cannot detect new threats or respond to them
effectively. Software that is not using the latest DAT files can compromise your malware protection
program.

To create a schedule to update the virus definition files or the scanning engine, click Product Update
under Schedule in the navigation pane.
For option definitions, click ? in the interface.
Task
1. Launch the interface.

2. In the Schedule area, click Product Update.

3. On the When to update page, define these settings as needed:

Option

Definition

Unscheduled

Starts the update immediately.

Immediately

Starts the update immediately.

Once

Updates the product on a defined date.
When you select this option, specify the time in the At row.

Hourly

Updates the product at the interval, in hours, that you define.
For example, if you type 2 in the hours field, the product update happens every 2
hours.

Daily

Updates the product every day.
When you select this option, specify the time in the At row.

Weekly

Updates the product every week for the defined number of weeks.
For example, type 1 in the every week on box, select Monday and Friday, then specify the time
in the At row. The product update happens every week on Monday and Friday at the
specified time.

Monthly

Updates the product on the specified day of the selected month.
For example, select First and Monday, select all months, then specify the time in the At
row. The product update happens on the first Monday of every month.

At

Lets you define the time of the update when you configure the product update
for Once, Daily, Weekly, or Monthly.
This option is not available if you schedule an Unscheduled, Immediately, or Hourly product
update.

4. On the Choose what to update page, define these settings:

   Virus definition files (also known as DAT files): Updates the detection definition files with the
   latest information.
   By default, this option is enabled.

   Virus scanning engine: Updates the scan engine.

   McAfee recommends that you schedule the DAT files update once every day. In this way, the
   software can use the latest DAT files and protect your systems from the latest threats.

5. On the Enter a task name page, type a unique name for the update schedule, then click Finish.
   The Scheduled Tasks page appears, and the update runs at the time you defined in the schedule.

On-demand scan preferences


On-demand scanning examines the configured directories of your host at convenient times or at
regular intervals.
Use on-demand scans to supplement the continuous protection that the on-access scanner offers, or
to schedule regular scans.
The software scans files as they are written to or read from disk. During these scans, the installed DAT
files check for any malware or potentially unwanted software within the files.
You can perform a one-time on-demand scan when you want to scan a file or location that you suspect
of containing malware. You can perform scheduled scanning activities at convenient times or at regular
intervals.
You can also create an unscheduled scan. Here, you provide information about a scan but do not
attach a schedule to it. You can then choose to run the scan at any time, or run it from the command
line.
To use this feature, click On-Demand Scan under Schedule in the navigation pane.

Schedule an on-demand scan


Create a schedule to run an on-demand scan on the configured drives of your host system.
Task
1. Launch the interface.

2. On the Schedule area, click On-Demand Scan.

3. On When to scan, select the frequency of scan.


Option

Definition

Unscheduled

Starts the scan immediately.

Immediately

Starts the scan immediately.

Once

Runs the on-demand scan at the defined date. When you select this option, specify
the time in the At row.

Hourly

Runs the on-demand scan at the interval, in hours, that you define.
For example, if you type 2 in the hours field, the scanning happens every 2 hours.

Daily

Runs the on-demand scan every day.
When you select this option, specify the time in the At row.

Weekly

Runs the on-demand scan every week for the defined number of weeks.
For example, type 1 in the every week on box, select Monday and Friday, then specify the time
in the At row. The scanning happens every week on Monday and Friday at the specified
time.

Monthly

Runs the on-demand scan on the specified day of the selected month.
For example, select First and Monday, select all months, then specify the time in the At
row. The on-demand scan runs on the first Monday of every month.

At

Allows you to define the time to run on-demand scanning for Once, Daily, Weekly, and
Monthly.

4. On the What to scan page, define these settings.

   Path: Type the path you want to scan.

   Scan Sub-Directories: Select the box to include the subdirectories of the defined path.

   Add: To add another path for scanning.

   You can remove the path from the on-demand scan by clicking the Remove button.

   If you selected the option to scan the subdirectories and remove the path from on-demand
   scanning, the software does not perform on-demand scan for either the path or the subdirectories.

5. On the Choose scan settings page, define the scan settings, then click Next.
Option

Definition

Decompress archives

Scans archive files such as .tar or .tgz files.
The decompression might slow the system performance. A
malware-infected file in an archive cannot become active until it is
extracted.

Perform heuristic virus analysis

Uses heuristic analysis to identify any potential new macro threats in files
created by Microsoft Office products.

Perform macro analysis

Scans for potential macro threats in files are added.

Decode MIME encoded files

Decodes email messages that are typically encoded in Multipurpose Internet
Mail Extensions (MIME) format.
Using this option can affect system performance. If your network has other
anti-malware software for handling email threats, you can unselect this
option. By default, this option is deselected.

Find potentially unwanted programs

Scans for threat programs such as spyware, remote-access utilities, and
password crackers.

Find joke programs

Joke programs are not harmful. They play tricks such as displaying a hoax
message.
This feature only becomes available if you have selected Find potentially unwanted
programs.

Scan files on network mounted volumes (NFS, CIFS/SMBFS only)

Scans NFS, CIFS, or SMBFS volumes for threats. VirusScan Enterprise for
Linux treats only NFS, CIFS, or SMBFS volumes as network file systems.
When you select this option, the software scans these network-mounted
volume directories and their subdirectories for malware threats. If you unselect
this option, the software does not scan these network-mounted volumes.
If the network-mounted volumes are added to the Paths Excluded from Scanning
list, the software excludes those volumes from scanning, even if scan on
network-mounted volumes is selected.

Extension-based scanning

Indicates how VirusScan Enterprise for Linux handles files that have
extension names (for example, .txt and .exe). By default, VirusScan Enterprise
for Linux scans all files regardless of the file name extension.
For more information, see Extension based scanning.

Maximum scan time (seconds)

Stops scanning the file after the number of seconds is reached.
This feature prevents large files from reducing overall performance, and protects
against corrupted files and denial-of-service attacks.
By default, the value is 45 seconds but you can set the value between 10
and 300 seconds.
On computers with low-specification hardware, VirusScan Enterprise for
Linux might abandon scanning of some large files because of the time taken.
In such cases, we recommend that you increase this number.

Quarantine directory

Allows you to specify the directory to store the infected files.

6. On the Paths Excluded From Scanning table, define these settings, then click Add.

   Path

   Exclude All Sub-Directories

   For more information on excluding the path, see Exclude paths from scanning.

7. On the Extension Based Scanning table, define the required settings:

   Scan all files

   Default + specified

   Specified

   For more information on excluding the path, see Extension based scanning.

8. On the Anti-virus Actions table, define the required settings, then click Apply.
Option

Definition

Action for viruses and Trojan horses

Actions to take when a virus or trojan horse program is detected.
Your second choice of action is limited by your first choice. You cannot
choose both actions to be the same.

Action for applications and joke programs

Actions to take when a potentially unwanted application or joke program
is detected.
Your second choice of action is limited by your first choice. You cannot
choose both actions to be the same.

If any action fails to work, the software uses the secondary action. If the secondary action fails, the
software uses its fallback action, which is to block access to the infected file.

9. On the Enter a task name field, type a unique name for the on-demand scan, then click Finish.
   The unique name helps you to locate the task later in the list of scheduled tasks.

The software displays the Scheduled Tasks page, and the scan runs at the times you defined in the
schedule.

Configuring VirusScan Enterprise for Linux

On installation, VirusScan Enterprise for Linux starts protecting your Linux systems from malware and
other potentially unwanted software with the default settings. However, you can modify these settings
as needed.
From the Configure area of the navigation pane, you can configure the following settings for the
software:

Use General Settings to configure browser interface options and log information, to reset the
configuration settings to those at installation time, and to clear the statistics from the software
database.

Use the On-Access Settings and On-Demand Settings pages to specify the scanning options, paths to exclude
from scanning, and actions to take on infected items.

Use the Notifications page to configure SMTP settings.

Use the Repositories page to configure the local repository list and proxy settings.

Contents
General settings
On-access settings configuration
On-demand settings
Notifications
Repositories

General settings
From the General Settings page, you can change the appearance of pages in the browser interface, the
behavior of logging, and the collection of statistics.
To view the settings, click General Settings under Configure in the navigation pane.
To make any changes to the settings, click Edit. To apply the new settings, click Apply. For more
information, see Configure general settings.
The page has two main areas:

Browser Interface

Logging

This page has two important buttons:

Clear Statistics

Reset Defaults

Browser interface
Under Browser interface, you can view and change settings such as the refresh interval.
This table explains the available options in each column.
Option

Definition

Refresh interval (seconds)

The browser automatically updates the contents of pages such as the Scanning
Summary page. By default, the page is refreshed every 10 seconds, but you can
change the interval between 5 and 600 seconds.

Results per page

The number of rows of information to display under Results in the Detected Items,
Scheduled Tasks, and System Events pages.
By default, 10 rows are displayed in a page, but you can set the number between
1 and 50 rows.

Display time UTC offset

Wherever time values are displayed, as in scheduled tasks and detections, an
offset value is displayed in UTC form to help you understand any time-zone
differences.

Show Quick Help on startup

Displays the web help on the right side area.

Log levels
Use Logging to view and change settings such as the level of detail that you require.
The next table explains the information in each column.

Table 6-1 Option definitions


Option

Definition

Detail level

Indicates the level of logging information that the software records in its database.
Setting the level as High can affect performance and the size of the database. The
default level is Normal. The available options are:
Low: Logs only critical errors and system service start up and shut down
messages.
Normal: Logs critical errors, system service start up and shut down messages,
internal errors such as OAS enable and disable, and crontab actions failed
messages.
High: Logs additional details such as events for created quarantiner child, created
cleaner child, and configured with engine and DAT. It also logs critical errors,
system service start up and shut down messages, internal errors such as OAS
enable and disable, and crontab actions failed messages.
McAfee recommends setting the level as Low. Set the level to High only when you
troubleshoot issues, to extract complete details.

Additionally log to SYSLOG

Indicates if information logged to the VirusScan Enterprise for Linux database is also
logged to SYSLOG. By default, this option is deselected.
VirusScan Enterprise for Linux logs information in two channels:
The software database
SYSLOG
To store the log information in SYSLOG additionally, select this option.

Detail level for SYSLOG

This field is only available if Additionally log to SYSLOG is selected.
By default, the level is Low. The available options are Low, Normal, and High.

Limit age of log entries

Indicates that information in the log is automatically removed later, based on the age of
the log entries. By default, this option is selected.

Maximum age of log entries

This field is only available if Limit age of log entries is selected.
Limits the age of entries in the software database to the specified number of days.
After the specified number of days, old entries are automatically removed to limit
the database size. Maximum age of log entries (days): By default, the limit is 28
days, but you can adjust the limit between 1 and 999 days.

Statistics last cleared

Indicates when statistics were removed by clicking Clear statistics.

Statistics reset
You can reset the scanning statistics for certain pages.
To reset the statistics, on the General Settings page, click Clear statistics.
The values for Files scanned and Detected items in the Scanning Summary page are reset to zero. The
information in the Recently scanned and Recently detected tables is reset.

Clearing statistics
You can clear the scanning statistics for certain pages.
To clear the statistics, click Clear statistics.


The values for Files scanned and Detected items in the Scanning Summary page are reset to zero. The
information in the Recently scanned and Recently detected areas are cleared.

Configure general settings


Configure the General Settings page for the generic options such as refresh time interval, levels for log
details, and to clear the statistics.
Task
1 Launch the interface.
2 On the Configure area, click General Settings.
3 On the General Settings page, click Edit.
4 On the Browser Interface table, define these settings:
  • Refresh Interval (seconds)
  • Results per page
5 On the Logging table, define these settings:
  • Detail level
  • Limit age of log entries
  • Additionally log to SYSLOG
  • Maximum age of log entries
  • Detail level for SYSLOG
6 Click the Apply button to save the changes.

You can revoke the changes that you have made to this page by clicking the Reset button.

Restoration of default configuration settings


You can reset all configuration settings to the default settings by clicking Reset Defaults under General
Settings.
The general settings restore the default values for these pages:

On-access settings

On-demand settings

Notification settings

Settings for the browser interface and logging

On-access settings configuration


The On-Access Settings page displays the available configuration to protect your Linux systems whenever
an infected file or other potentially unwanted program is detected. To view this page, click On-Access
Settings under Configure in the navigation pane.
To make any changes to the settings, click Edit. To apply the new settings, click Apply.
For more information, see Configure on-access scan settings.
The On-Access Settings page has these main areas:


Anti-virus Scanning Options

Paths Excluded From Scanning

Extension-based Scanning

Anti-virus Actions

Anti-virus scanning options


The scanning options determine which types of file the software scans. By default, all these scanning
options are available, unless stated.
The next table explains the options.
Option: Definition

Enable On-Access Scanning: Scans files for malware and other potentially unwanted software, whenever a
file is accessed.

Decompress archives: Scans inside file archives such as .tar or .tgz files.
The decompression can slow the system performance. The malware-infected
file inside an archive cannot become active until it is extracted.

Find unknown program viruses: Uses heuristic analysis to identify potential new file viruses.

Find unknown macro viruses: Uses heuristic analysis to identify any potential new macro viruses in files
created by Microsoft Office products.

Decode MIME encoded files: Email messages are typically encoded in MIME format.
Using this option can affect system performance. If your network has other
anti-virus software for handling email, you might not require this option.

Find potentially unwanted programs: These programs might be dangerous but they are not malware. They include
programs such as spyware, remote-access utilities, and password crackers.

Find joke programs: Joke programs are not harmful. They play tricks such as displaying a hoax
message. This feature only becomes available if you have selected Find
potentially unwanted programs.

Scan files when writing to disk: Scans the contents of each file when it is closed.

Scan files when reading from disk: Scans the contents of each file when it is opened.

Scan files on network mounted volumes (NFS, CIFS/SMBFS only): Scans NFS, CIFS, or SMBFS volumes for threats.
VirusScan Enterprise for Linux treats only NFS, CIFS, or SMBFS volumes as network file systems.
When you select this option, the software scans these network-mounted
volume directories and their subdirectories for malware threats. If you unselect
this option, the software does not scan these network-mounted volumes.
If the network-mounted volumes are added to the Paths Excluded from Scanning
list, the software excludes those volumes from scanning, even if scan on
network-mounted volumes is selected.

Extension-based Scanning: Indicates how the software handles files that have extension names (for
example, .txt and .exe). By default, the software scans all files regardless of
the file name extension.
For more information, see Extension based scanning.

Maximum scan time (seconds): Stops scanning the file after the number of seconds is reached.
This feature prevents large files reducing overall performance, and protects
against corrupted files and denial-of-service attacks.
By default, this is 45 seconds but may be between 10 and 300 seconds.
On computers with low-specification hardware, the software might abandon
scanning of some large files because of the length of time taken. In such
cases, we recommend that you increase this number.

Exclude paths from scanning


VirusScan Enterprise for Linux supports excluding specific paths or files (either path or regular
expression format) from being scanned. You can add exclusions for on-access scans and on-demand
scans from the interface.
Some shares or paths might not require scanning, or you might prefer not to scan them frequently.
For example:

Directories that contain only plain text files or other file types that are not prone to infection.

Directories that contain executable files that have file permissions that prevent them being
modified.

Directories that contain large archive files and compressed files.

Directories that contain files already known to be infected (quarantined).

Task
1

On the On-Access Settings page under Configure area, click Edit.

Under Paths Excluded From Scanning, add the absolute path or regular expression for the file/folder you
want to exclude and click Apply.
For example: directory1 or directory1/subdirectory2
Enter path names in the correct case. Do not use symbolic links. For bind mounts (which appear in
more than one place in the directory), add each path that you want to exclude.
You can use regular expressions to represent the pattern matching within directory names or file
names. See Examples for Regular expression-based exclusions.

Under Paths Excluded From Scanning, add the path or regular expression for the file/folder you want to
exclude and click Apply.
For example: directory1 or directory1/subdirectory2
Enter path names in the correct case.
You can use regular expressions to represent the pattern matching for directory names or file
names.


To exclude the subdirectories from scanning, select the Exclude All Sub-Directories checkbox of that row.

From Choose a share from the list below category, select a share.


Type the regular expression under Specify sub-directories (optional) text box. For specific examples, see
Exclude paths from scanning.

Click Add in that row. An extra row is added to the table.

To remove any exclusion, click Remove in its row.

Examples for regular expression-based exclusions


Regular expression: Example

To exclude all files starting with abc available in Documents/xyz folder: xyz/abc.*

To exclude all files with extensions .jar and .VOB under Backups/demo share: demo/.*\.(jar|VOB)$

To exclude all files with extension .mp3 and .mp4 under Music share: .*\.(mp3|mp4)$

Regular expression: Example

To exclude all files starting with abc available in /media/nss: /media/nss/abc.*

To exclude all files starting with "." under /media/nss: /media/nss/\..*

To exclude all files with extensions ext and abc under /media/nss: /media/nss/.*\.(ext|abc)

To exclude all users' mailbox folders: /home/.*/mailbox/.*

To exclude all files and folders starting with abc in the machine: .*/abc.*

To use the regular expressions from ePolicy Orchestrator:

You should include "/" as the first character. For example: From ePolicy
Orchestrator, to exclude all files and folders starting with abc in the machine use
the regular expression: /.*/abc.*

Ensure that there are no escape sequences included in the regular expression.
For example: From ePolicy Orchestrator, to exclude all files starting with "."
under /media/nss use the regular expression: /media/nss/..*
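The following added example (not part of the product guide) checks exclusion patterns against a list of paths before they are entered, and shows how much more the unescaped ePolicy Orchestrator form /media/nss/..* excludes than the escaped form /media/nss/\..* from the table above. It assumes whole-path matching with Python's re syntax, which may differ from the scanner's own matcher; the function names and sample paths are constructed for illustration.

```python
import re

# Constructed sample paths for illustration; replace with a listing of the
# file system you intend to protect.
SAMPLE_PATHS = [
    "/media/nss/.bash_history",
    "/media/nss/.cache/thumb.db",
    "/media/nss/report.pdf",
    "/media/nss/abc_notes.txt",
    "/media/nss/tools/abc.sh",
    "/home/alice/mailbox/inbox",
    "/home/alice/bin/abcd",
    "/usr/lib/abc/libabc.so",
    "/tmp/upload.ext",
]


def excluded_paths(pattern, paths):
    """Return the paths that the exclusion pattern covers.

    Assumption: the pattern must match the whole path, and Python's re
    syntax stands in for the scanner's own regular-expression engine.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.fullmatch(p)]


def extra_exposure(intended, entered, paths):
    """Paths excluded by `entered` that `intended` would still have scanned."""
    wanted = set(excluded_paths(intended, paths))
    return [p for p in excluded_paths(entered, paths) if p not in wanted]


def audit(patterns, paths, max_share=0.5):
    """Map each pattern to its hits and flag it when it excludes more than
    max_share of the sample, a sign that it is broader than intended."""
    report = {}
    for pattern in patterns:
        hits = excluded_paths(pattern, paths)
        report[pattern] = {
            "hits": hits,
            "broad": len(hits) / len(paths) > max_share,
        }
    return report


if __name__ == "__main__":
    local_form = r"/media/nss/\..*"   # escaped dot: hidden files only
    epo_form = "/media/nss/..*"       # form the guide gives for ePolicy Orchestrator
    print("local form excludes:", excluded_paths(local_form, SAMPLE_PATHS))
    print("ePO form also excludes:",
          extra_exposure(local_form, epo_form, SAMPLE_PATHS))
    results = audit([local_form, epo_form, ".*/abc.*"], SAMPLE_PATHS)
    for pattern, result in results.items():
        flag = "BROAD" if result["broad"] else "ok"
        print(f"{flag:5} {pattern} -> {len(result['hits'])} of {len(SAMPLE_PATHS)} paths")
```

Under these assumptions the unescaped form covers every file below /media/nss, so review the resulting exclusion list on a test system before deploying it as policy.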

Extension-based scanning
You can specify the extension names that you want to scan. You can also specify extensions to scan
in addition to those in the default list.
This table only becomes visible when you click Edit. However, you can see the chosen setting at
Extension Based Scanning in the first table.
If the software is running on a Samba file server that Microsoft Windows users can access, you might
specify the types of files to scan according to their file extension. However, McAfee recommends
scanning all files wherever possible.
You can specify extension names that you want to scan. Otherwise, you can specify extension names
to scan at the same time as the software scans those in the default list. You cannot remove extension
names from the default list. But you can build your own list of extension names based on extensions
in the current default list.
The choices available in this area are:


Scanning all files

Default + specified

Specified

For the list of default files that are scanned when Default + specified option is enabled, see McAfee
KnowledgeBase article KB79626.

Scan all files


You can scan all files from the configured directories regardless of the file name extension.
For option definitions, click ? in the interface.
Task

To scan all files regardless of file name extension, under Extension Based Scanning, select Scan all files.
Scan all files is the default setting for On-Access Settings.

Scan default files and specific files


You can configure the VirusScan Enterprise for Linux to scan the default files and specific type of files.
Task
1 Under Extension Based Scanning, select Default + specified.
2 At New, type the file name extension. For example AAA or aaa.
3 Click Add to move the name to the Specified list.


To remove names from the Specified list, select each name, then click Remove:

To select one name, click the name.

To select a range of names, click the first, then use Shift+Click to select the last.

To select several names, use Ctrl+Click.

If a new file name extension is included in the later DAT files, files with that file name extension are
also scanned.
For the list of default file extensions that VirusScan Enterprise for Linux scans when Default + specified
option is selected, see McAfee KnowledgeBase article KB79626.

Scan specific files


You can scan only specific files based on file name extension.
Task
1 Under Extension Based Scanning, select Specified.
2 At New, type the file name extension, for example AAA or aaa.
3 Click Add to move the name to the Specified list.

To build a list quickly, click Set Defaults to copy all names from the malware definition files into the
Specified list. You can then modify the Specified list.
The file name extensions in the Specified list do not change automatically. Therefore, if a new file
name extension is included in later malware definition files, files with that file name extension will
not be scanned.

To remove names from the Specified list, select each name, then click Remove:

To select one name, click the name.

To select a range of names, click the first, then use Shift+Click to select the last.

To select several names, use Ctrl+Click.

Anti-virus actions
Configure the software to take various actions when it detects malware or other potentially unwanted
software.
The actions are:

• clean: Cleans the infected file by removing the virus code. VirusScan Enterprise for Linux cannot
  repair any damage that has occurred to the file. For example, some viruses can modify or erase
  data in spreadsheets.

• continue: Reports the detection and continues scanning. This action is only available for
  on-demand scanning.

• delete: Deletes the infected file.

• deny access: Prevents further access to the infected file. This action is only available for on-access
  scanning.

• quarantine: Moves the infected file to the area specified in Quarantine directory. To prevent the spread
  of infected files, VirusScan Enterprise for Linux prevents moving a file from a remote file system
  into this area.

• rename: Renames the extension of the infected file, to prevent its accidental use. Renaming is
  useful where the file extension, such as .exe or .txt, determines the application that opens the file.
  If the infected file does not contain an extension, the file is renamed with the extension .vir. For
  example, if the original malware file name is EICAR, it is renamed to EICAR.vir.
  If the infected file contains an extension name other than vir, the first letter of the extension is
  replaced with v. For example, the file EICAR.COM is renamed to EICAR.VOM. If EICAR.VOM exists,
  the file is renamed to EICAR.VIR.

The default primary action for infected files is Clean and the secondary option is Quarantine. However, you
can change the settings as needed.
For more information on configuring Anti-virus actions, see Configure on-access scan settings.

Configure on-access scan settings


Verify the on-access scanning default configurations and make necessary changes in the settings as
needed.
Task
1 Launch the interface.
2 On the Configure area, click On-Access Settings.
3 On the On-Access Settings page, click Edit.
4 On the Anti-virus Scanning Options table, define these settings:
  • Enable On-Access Scanning
  • Decompress archives
  • Find unknown program viruses
  • Find unknown macro viruses
  • Decode MIME encoded files
  • Find potentially unwanted programs
  • Find joke programs
  • Scan files when writing to disk
  • Scan files when reading from disk
  • Scan files on network mounted volumes (NFS, CIFS/SMBFS only)
  • Extension-based Scanning
  • Maximum scan time (seconds)
  • Quarantine directory
  For details about these options, see anti-virus scanning options.
5 On the Paths Excluded From Scanning table, define the required settings.
  For more information on excluding the path, see Exclude path from scanning.
6 On the Extension Based Scanning table, define the required settings:
  • Path
  • Exclude All Sub-Directories
  • Action
  For more information on excluding the path, see Extension based scanning.
7 On the Anti-virus Actions table, define the required settings, then click Apply.
  • Action for viruses and Trojan horses
  • Action if an error occurs during scanning
  • Action for applications and joke programs
  • Quarantine directory
  • Action on time out
  For more information about these options, see Anti-virus actions.

If any action fails to work, the software uses the secondary action. If the secondary action fails, the
software uses its fallback action, which is to block access to the infected file.


On-demand settings
The On-Demand Settings page shows how the software responds when malware or other potentially
unwanted software is detected during an on-demand scan.
Settings for on-access scans and on-demand scans are similar.
This page shows the settings that are applied to all new tasks. To change the settings of an existing
on-demand scanning task, see Modify an existing scheduled task.
To view this page, click On-Demand Settings under Configure in the navigation pane. To change any settings,
click Edit. To apply the new settings, click Apply.
Any on-demand scanning tasks that you previously configured retain their own settings. If you change
the settings in the On-demand Settings page, the changes do not affect the existing on-demand scanning
task that you have already scheduled. The task that you create after changing the On-demand Settings runs
with these settings.

Configure on-demand scan settings


Configure the on-demand scan preferences before you schedule the scan on your Linux systems.
Task
1 Launch the interface.
2 On the Configure area, click On-Demand Settings.
3 On the On-Demand Settings page, click Edit.
4 On the Anti-virus Scanning Options table, define these settings:

Option: Definition

Decompress archives: Scans archived files such as .tar or .tgz files.
The decompression might slow the system performance. The malware-infected
file in an archived file cannot become active until it is extracted.

Find unknown program viruses: Uses heuristic analysis to identify potential new file viruses.

Find unknown macro viruses: Uses heuristic analysis to identify any potential new macro threats in files
created by Microsoft Office products.

Decode MIME encoded files: Decodes email messages that are typically encoded in Multipurpose Internet
Mail Extensions (MIME) format.
Using this option can affect system performance. If your network has other
anti-malware software for handling email threats, you can unselect this option.

Find potentially unwanted programs: Scans for threat programs such as spyware, remote-access utilities, and
password crackers.

Find joke programs: Joke programs are not harmful. They play tricks such as displaying a hoax
message.
This feature only becomes available if you have selected Find potentially unwanted
programs.

Scan files on network mounted volumes (NFS, CIFS/SMBFS only): Scans NFS, CIFS, or SMBFS volumes for threats.
VirusScan Enterprise for Linux treats only NFS, CIFS, or SMBFS volumes as network file systems. When
you select this option, the software scans these network-mounted volume
directories and their subdirectories for malware threats. If you unselect this
option, the software does not scan these network-mounted volumes.
If the network-mounted volumes are added to the Paths Excluded from Scanning list,
the software excludes those volumes from scanning, even if scan on
network-mounted volumes is selected.

Extension based scanning: Indicates how the software handles files that have extension names (for
example, .txt and .exe). By default, the software scans all files regardless of the
file name extension.
For more information, see Extension-based scanning.

Maximum scan time (seconds): Stops scanning the file after the number of seconds is reached.
This feature prevents large files reducing overall performance, and protects
against corrupted files and denial-of-service attacks.
By default, the value is 45 seconds but you can set the value between 10 and
300 seconds.
On computers with low-specification hardware, the software might abandon
scanning of some large files because of the time taken. In such cases, we
recommend that you increase this number.

Quarantine directory: Type the quarantine directory name, as defined during the installation.

5 On the Paths Excluded From Scanning table, define path and subdirectories you want to exclude.
  For more information on excluding the path, see Exclude path from scanning.
6 On the Extension Based Scanning table, select one of these options as needed:
  • Scan all files
  • Default + specified
  • Specified
  For more information on excluding the path, see Extension based scanning.
7 On the Anti-virus Actions table, define the required settings, then click Apply.

Option: Definition

Action for viruses and Trojan horses: Actions to take when a virus or Trojan-horse program is detected.
Your second choice of action is limited by your first choice. You cannot
choose both actions to be the same.

Action for applications and joke programs: Actions to take when a potentially unwanted application or joke program
is detected.
Your second choice of action is limited by your first choice. You cannot
choose both actions to be the same.

Quarantine directory: Name of the quarantine file, as set up at installation time.

If any action fails to work, the software uses the secondary action. If the secondary action fails, the
software uses its fallback action, which is to block access to the infected file.

8 After defining these configurations, schedule the on-demand scanning as needed.
  For more information, see Schedule an on-demand scan.

Notifications
From the Notifications page, you can specify who receives email notification of events such as virus
detection and changes to the scanning options.
The software sends the email messages using the SMTP email protocol. To view this page, click
Notifications under Configure in the navigation pane. To change the settings, click Edit. After making the
changes, to apply the new settings, click Apply.

SMTP notifications
You can define the events for which users get alert notifications.
This table explains the available settings.
Table 6-2 Option definitions

Option: Definition

Item detected: Details of a detection of a virus or other potentially unwanted software. Here, for
example, you can decide whether to issue a notification if any joke programs are
detected.

Out of date: Details of out-of-date DAT files.
Here, for example, you can decide whether to notify if DAT files are more than 10
days old.

Configuration change: Details of changes to the settings for on-access scanning, notifications, and general
settings. Changes to the settings for on-demand scans are not notified.
Here, for example, you can decide whether to notify if changes are made to the
settings for on-access scanning.

System events: Details of any important events.
Here, for example, you can specify the range of system events or event types for
which SMTP sends notification.

To enable any notification feature, select its checkbox in the left column under SMTP Notification.
For each type of notification, the software provides a default subject and a message. You can change
these messages to suit your organization. Messages can include substitution variables, such as
%hostname% to indicate the host name. To include variables in any message, see Substituting variables
in notification templates.
To restore the default message, click Reset.

Configure SMTP settings


You can define the list of users who receive notifications about the events specified in SMTP Notifications.
The SMTP Settings table provides options to configure the server, the sender, and the recipient details.
Server: Name and port of the server that sends the email message. This is set up during installation.
From: Name of the sender. By default, this is the address that was given during installation.

Task
1 On the SMTP Settings table, define the Server details. This is set up during installation.
  • Name: Name of the server
  • Port: Port of the server
  • From: Name of the sender. By default, this is the address that was given during installation.
  • To: Names of the recipients. For example: user1@example.com.
2 On the Email field in the From row, type the name of the sender. By default, this is the address that
  was given during installation.
3 On the To row, you can add or remove the list of recipients.

Table 6-3

To add recipients:
1 Type the email address in New. For example: user1@example.com
2 Click Add to move the name to the Recipient list.

To remove recipients:
1 Select each name, then click Remove.
  • To select one name, click the name.
  • To select a range of names, click the first, then use Shift+Click to select the last.
  • To select several names, use Ctrl+Click.


Repositories
A software repository is a storage location where software packages or updates can be retrieved and
installed on systems.
To deliver products and updates throughout your network, McAfee offers several types of repositories
to create a robust update infrastructure. The repository options provide flexibility to develop an
updating strategy to ensure that your systems stay up to date.
To view this page, click Repositories under Configure in the navigation pane. To change or modify the
repository settings, click Edit and to save the new settings, click Apply.

Configure the repository list


The repository list contains the names of all repositories you are managing with the software.
The Repository List has details like repository name, type, URL, port, user name and password of the
available repositories. The repository list includes the location and network credential information that
managed systems use to select the repository and retrieve updates. The ePolicy Orchestrator server
sends the repository list to the agent during agent-server communication.
Task
1 To add, delete or modify the Repository List, click Edit.
2 Type the repository name, type, URL, port number, user name, and password.
  You can use the following options:
  • Add: To add a repository to the list.
  • Delete: To remove the repository from the repository list.
  • Move up: To shift the selected repository one level up in the repository list.
  • Move down: To shift the selected repository one level down in the repository list.
3 Click Apply to save the changes, or Cancel to discard the changes.

Configure the local repository


Create a local repository and configure it to retrieve software and updates to install on your computer.
You can use the local repository to access software and updates if your system can't connect to the
ePolicy Orchestrator server or to the Internet.
Before you begin
Before configuring the local repository, you must mirror the McAfee FTP download site to
the local repository directory. To mirror the McAfee FTP download site using the wget
command, follow steps 1 to 6.
The following steps are illustrated with the assumption that the connection is available for wget to
mirror the McAfee FTP download site. Other methods of mirroring the site work only if directories and
files are renamed as illustrated.

Task
1 Create a local repository directory where you want to mirror the McAfee FTP download site.
  For example: /root/LocalRepo
2 At the /root/LocalRepo directory, type the following command:

  wget --mirror ftp://ftp.nai.com/Commonupdater

3 From the commonupdater directory, rename the folder current to Current.
4 Rename these files in the commonupdater folder as defined:
  • sitestat.xml to SiteStat.xml
  • v2datdet.mcs to V2datdet.mcs
  • v2datinstall.mcs to V2datinstall.mcs
5 From the Current folder, rename the folder vscandat1000 to VSCANDAT1000.
  a From the VSCANDAT1000 folder, rename the folder dat to DAT.
6 Rename these files in the DAT/0000 folder as defined:
  • v2datdet.mcs to V2datdet.mcs
  • v2datinstall.mcs to V2datinstall.mcs
  • pkgcatalog.z to PkgCatalog.z
7 Log on to the local user interface.
8 From the Configure section in the navigation pane, click Repositories.
9 Click Add to include a local repository and define these settings:
  • Repository type: Local
  • Repository URL: Type the absolute path of the directory. For the given example:
    /root/LocalRepo/commonupdater
  The Port, Username, and Password details are not required for local repository.
10 Using the Move Up button, move the local repository item to the top of the list.
11 Click Apply.
12 Run the DAT update task to verify.
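The renames in steps 3 to 6 are easy to get partly wrong by hand, so the following added example (not part of the product guide) applies them in one pass and reports any expected entry that is absent. The function names are hypothetical, the root argument is assumed to be the mirrored commonupdater folder, and the sample tree it builds is a constructed, empty stand-in.

```python
import os
import tempfile

# Renames from steps 3 to 6 of the procedure, as (directory relative to the
# commonupdater folder, name after mirroring, name the guide requires).
# Parent folders come before their contents.
DAT_DIR = "Current/VSCANDAT1000/DAT/0000"
RENAMES = [
    ("", "current", "Current"),
    ("", "sitestat.xml", "SiteStat.xml"),
    ("", "v2datdet.mcs", "V2datdet.mcs"),
    ("", "v2datinstall.mcs", "V2datinstall.mcs"),
    ("Current", "vscandat1000", "VSCANDAT1000"),
    ("Current/VSCANDAT1000", "dat", "DAT"),
    (DAT_DIR, "v2datdet.mcs", "V2datdet.mcs"),
    (DAT_DIR, "v2datinstall.mcs", "V2datinstall.mcs"),
    (DAT_DIR, "pkgcatalog.z", "PkgCatalog.z"),
]


def normalize_mirror(root):
    """Apply the renames under root (the commonupdater folder).

    Returns (renamed, missing): relative paths that were renamed, and
    expected entries found under neither name. Entries already in the
    required case are left alone, so the function can be re-run safely.
    """
    renamed, missing = [], []
    for rel_dir, old, new in RENAMES:
        parent = os.path.join(root, rel_dir)
        # listdir gives exact-case names even on case-insensitive volumes.
        names = set(os.listdir(parent)) if os.path.isdir(parent) else set()
        target = os.path.join(rel_dir, new)
        if new in names:
            continue
        if old in names:
            os.rename(os.path.join(parent, old), os.path.join(parent, new))
            renamed.append(target)
        else:
            missing.append(target)
    return renamed, missing


def build_sample_mirror(root):
    """Create a constructed, empty stand-in for a freshly mirrored tree."""
    dat = os.path.join(root, "current", "vscandat1000", "dat", "0000")
    os.makedirs(dat)
    for name in ("sitestat.xml", "v2datdet.mcs", "v2datinstall.mcs"):
        open(os.path.join(root, name), "w").close()
    for name in ("v2datdet.mcs", "v2datinstall.mcs", "pkgcatalog.z"):
        open(os.path.join(dat, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "commonupdater")
        build_sample_mirror(root)
        print(normalize_mirror(root))   # nine renames, nothing missing
        print(normalize_mirror(root))   # second run changes nothing
```

A non-empty missing list means the mirror is incomplete; resolve it before adding the directory as a repository.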

Configure the proxy settings


To access an Internet repository, such as the McAfee update sites, the repository uses proxy settings
to retrieve packages.
If your organization uses proxy servers for connecting to the Internet, you can use the proxy settings.
Task
1 To configure the Proxy Settings, click Manually configure the proxy.
2 Type the IP address and Port number of the HTTP or FTP server.
  You can use the following options:
  • Use these settings for all proxy types: Specifies the same IP address and port number for all proxy
    types.
  • Use authentication for HTTP: Specifies the user name and password of the HTTP server for
    authentication.
  • Use authentication for FTP: Specifies the user name and password of the FTP server for
    authentication.
  • Specify exceptions: Bypasses a proxy server for specific domains.
3 Click Apply to save the changes or Cancel to discard the changes.


Managing the software with ePolicy Orchestrator

Integrate and manage VirusScan Enterprise for Linux using ePolicy Orchestrator management
software.
McAfee ePolicy Orchestrator provides a scalable platform for centralized policy management and
enforcement on your McAfee security products and the systems where they are installed. It also
provides comprehensive reporting and product deployment capabilities through a single point of
control.
For instructions about setting up and using ePolicy Orchestrator and McAfee Agent, see the product
guide for your version of each product.
Contents
Setting policies within ePolicy Orchestrator
Define policies in ePolicy Orchestrator
Scheduling tasks
Configure reports
Run a default query

Setting policies within ePolicy Orchestrator


The ePolicy Orchestrator console allows you to enforce policies across groups of computers or on a
single computer.
These policies override configurations set on individual computers. For information regarding policies
and how they are enforced, see the McAfee ePolicy Orchestrator Product Guide for your product
version.
Before configuring any policies, select the group of computers for which you want to modify the
policies. You can modify the software policies from the pages and tabs that are available in the details
pane of the ePolicy Orchestrator console. These pages are nearly identical to those you can access
directly from the software interface.
After you have modified the appropriate policies and saved the changes for the intended computer or
group of computers, you are ready to deploy new settings using the McAfee Agent.

Define policies in ePolicy Orchestrator


VirusScan Enterprise for Linux policies allow you to configure the features and feature administration,
and to log event details.
You can find these policies on the Policy Catalog page for VirusScan Enterprise for Linux 2.0.0 under Product:

General Policies

On-Access Scanning Policy

These policies override configurations set on individual systems. Configure these policies with your
preferences, then assign them to groups of the managed systems.
Before configuring any policies, select the group of computers for which you want to modify the
policies. You can modify the policies from the pages and tabs that are available in the details pane of
the ePolicy Orchestrator console.
For more information about policies and how they are enforced on managed systems, see the product
guide of your version of ePolicy Orchestrator.
Tasks

Create or modify policies: Create a new policy or modify existing policies for a specific group in
the System Tree.

Configure general policy settings: With general policy settings, you can define the log file settings
and SMTP notifications, and disable the client user interface.

Configure on-access scan policy settings: With the on-access scanning policy, you can enable scans,
define the directory to store the quarantined files, set the maximum scanning time for files, and
choose the items to scan, the types of files to scan, and the actions on detected malware.

Enforce policies: When you have created or modified policies, enforce them on multiple systems that
are managed by ePolicy Orchestrator.

Create or modify policies


Create a new policy or modify existing policies for a specific group in the System Tree.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 From the Policy Catalog, select a Product and Category.
3 Create or modify a policy.

To create a policy:
1 Click New Policy.
2 Type the Policy Name.
3 Click OK.
4 Configure the settings.

To modify a policy:
1 Click the policy you want to modify.
2 Modify the settings.

4 Click Save.

Configure general policy settings


With general policy settings, you can define the log file settings and SMTP notifications, and disable
the client user interface.
You can also create or modify these policies from the System Tree, while assigning policies to selected
systems. See the product guide for your version of ePolicy Orchestrator for more information.


Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 From the Policy Catalog, select VirusScan Enterprise for Linux 2.0.0 as the product, then select General Policies
as the category.
3 Click New Policy, type a name for the policy, then click OK.
4 On the Troubleshooting tab, define these settings:

In... | Define...
Logging detail level | Low: Logs only critical errors and system service start up and shut down messages. Normal: Logs critical errors, system service start up and shut down messages, internal errors such as OAS enable and disable, and crontab actions failed messages. High: Logs additional details such as events for created quarantiner child, created cleaner child, and configured with engine and DAT. It also logs critical errors, system service start up and shut down messages, internal errors such as OAS enable and disable, and crontab actions failed messages. McAfee recommends setting the level as Low. Set the level to High only when you troubleshoot issues, to extract complete details.
Additionally log to SYSLOG | Indicates if information logged to the software database is also logged to SYSLOG. If you enable this option, define the log detail level for SYSLOG.
Limit age of log entries | Allows the software database to store the log information for the specified days, and removes the old entries automatically after the specified days.
Maximum age of log entries (days) | Sets the default limit to 28 days. You can set the limit between 1 and 999 days.

5 On the Advance tab, define these settings:

In... | Define...
Disable client Web UI | Disables the client interface, which prevents the local user from modifying the scan configuration settings.
Turn off SMTP Notifications | Disables the SMTP notification on client systems.

6 Click Save.

Configure on-access scan policy settings


With on-access Scanning policy, you can enable scans, define the directory to store the quarantined
files, set maximum scanning time for files, items to scan, type of files to scan, and actions on detected
malware.
You can also create or modify these policies from the System Tree, while assigning policies to selected
systems. See the product guide for your version of ePolicy Orchestrator for more information.


Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 From the Policy Catalog, select VirusScan Enterprise for Linux 2.0.0 as the product, then select On-Access
Scanning Policy as the category.
3 Click New Policy, type a name for the policy, then click OK.
4 On the General tab, define these settings, then click Save.
  On-access scan
  Quarantine directory
  Maximum Scan Time
5 On the Detections tab, define these settings, then click Save.
  Scan files
  What to scan
  What not to scan
6 On the Advanced tab, define these settings, then click Save.
  Heuristics
  Non-viruses
  Compressed files
7 On the Actions tab, define these settings, then click Save.
  When Viruses and Trojans are found
  If the above action fails
  If the above action fails
  If scanning fails
  When Programs and Jokes are found
  If scanning times out

Enforce policies
When you have created or modified policies, enforce them on multiple systems that are managed by
ePolicy Orchestrator.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Navigate to System Tree, select a required group or systems, then click the Assigned Policies tab.
3 From the Product drop-down menu, select VirusScan Enterprise for Linux 2.0.0, select the Category, then click
Edit Assignment.
4 Select the policy from the Assigned policy drop-down menu with the appropriate inheritance options,
then click Save.
5 Select the systems, then send an agent wake-up call. For instructions on sending an agent
wake-up call, see Send an agent wake-up call.

You can create and enforce policies and view reports only after adding the VirusScan Enterprise for
Linux extension files.


Scheduling tasks
The ePolicy Orchestrator software allows you to create, schedule, and maintain client tasks that run on
the managed systems. You can define client tasks for the entire System Tree, a specific group, or an
individual system.
Tasks

Create a product update task: Schedule automatic updates on the Linux systems.

Create an on-demand scanning task: Schedule an on-demand scan on the Linux client system using
ePolicy Orchestrator.

Configure the administrator password: Set the VirusScan Enterprise for Linux administrator password
on client systems using ePolicy Orchestrator.

Create a product update task


Schedule automatic updates on the Linux systems.
Your software can only provide full protection if you keep it up to date with the latest anti-virus
definition (DAT) files, spam engine, and anti-malware scanning engine.
We recommend that you update DAT files daily, and regularly check the McAfee Labs website for new
DAT files.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Navigate to System Tree, then select a required group or systems for which you want to create the
product update task.
3 Click the Assigned Client Tasks tab, then click Actions | New Client Task Assignment.
4 In Task to schedule, define these settings, then click Create New Task.
  Select McAfee Agent for Product.
  Select Product Update for Task Type.
5 On the Client Task Catalog: New Task - McAfee Agent: Product Update page, define these settings, then click Save
to open the Client Task Assignment Builder.
  Task Name
  Description
  Package Selection
  Package Type
  For package type, select Linux Engine and DAT.
  The task that you created is listed under Task Name.
6 Schedule the task that you created, then click Next.
7 On the Schedule page, define these settings, then click Next.
  Schedule Status
  Start time
  Schedule Type
  Task run according to
  Effective Period
  Options
8 On the Summary page, verify the configurations you have set.
  To make changes in the configurations that you have set, click Back or Schedule.
9 Send an agent wake-up call.

Create an on-demand scanning task


Schedule an on-demand scan on the Linux client system using ePolicy Orchestrator.
Schedule an on-demand scan for your Linux systems to find malware threats, vulnerabilities, or other
potentially unwanted code. It can take place immediately, at a scheduled time, or at regular intervals.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Navigate to System Tree, then select a required group or systems for which you want to schedule
on-demand scanning.
3 Click the Assigned Client Tasks tab, then select Actions | New Client Task Assignment.
4 In Task to schedule, define these settings, then click Create New Task.
  Select VirusScan Enterprise for Linux 2.0.0 for Product.
  Select On Demand Scan for Task Type.
5 On the Client Task Catalog : New Task: VirusScan Enterprise for Linux 2.0.0: On-Demand Scan page, type the Task Name
and Description, then click Save.
  Task Name
  Description
6 Click the Where tab, then in the VirusScan Enterprise for Linux area, define these settings, then click Save.
  Where
  Detection
  Advanced
  Actions
  The task that you created is listed under Task Name.
7 Schedule the task immediately or as needed, then click Next to view the Summary of the schedule.
8 Click Save.
9 Send an agent wake-up call.


Configure the administrator password


Set the VirusScan Enterprise for Linux administrator password on client systems using ePolicy
Orchestrator.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Systems | System Tree, then select a required group or systems for which you want to
create the change password task.
3 On the Assigned Client Tasks tab, click Actions | New Client Task Assignment.
4 Under Task to schedule, select VirusScan Enterprise for Linux 2.0.0 as the product, select Change VSEL
Administrator's Password as the task type, then click Create New Task under the task name.
5 On the Client Task Catalog: New Task - VirusScan Enterprise for Linux 2.0.0: Change VSEL Administrator's Password page,
define these settings, then click Save.
  Task Name
  Description
6 From the Change VSEL Administrator's Password* area, define these settings, then click Save.
  Enter old password
  Enter new password
  Re-enter new password
7 Schedule the task immediately or as needed, click Next to view the Summary page, then click Save.
8 Send an agent wake-up call.

Click Edit to change the description or schedule of this task or Delete to remove it.

Configure reports
Reports are predefined values that query the ePolicy Orchestrator database and generate a graphical
output.
McAfee ePolicy Orchestrator contains comprehensive querying and reporting capabilities. McAfee
includes a set of default queries on the left pane. You can create a new query, and edit and manage
existing queries related to the software.
Task
1 Log on to the ePolicy Orchestrator server as an administrator.
  If the predefined queries on the left side do not serve your purpose, ePolicy Orchestrator enables
  you to create your own queries.
2 To view reports, click Menu | Reporting | Queries & Reports.
3 To create a new query, click Actions | New.
4 On the left pane, select a Feature Group that the query should retrieve.
5 Select a Result Type, then click Next to open the Chart page.
6 Select a display chart or table and configure it accordingly, then click Next to open the Columns page.
7 Select columns from the Available Columns pane, then click Next to open the Filter page.
8 Specify the criteria by selecting properties and operators to limit the data retrieved by the query.
9 Click Run, then Save to open the Save Query page.
10 Type a Name and Notes (if needed) for the query, then click Save.

Run a default query


You can run the default query to view the graph with the default data settings.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Reporting | Queries. A list of queries appears on the left pane.
3 Select VirusScan Enterprise for Linux under Shared Groups.
  By default there are two queries:

Query | Description
VSEL: VirusScan Enterprise for Linux Compliance | Shows a graphical display of the compliant and non-compliant Linux systems in the network.
VSEL: VirusScan Enterprise for Linux Threats | Shows a graphical display of the threat summary and action taken on all Linux systems in the network.

4 Click Run. The graphical output is displayed.


Advanced features

The advanced features of VirusScan Enterprise for Linux help you to use the features effectively.
Contents
Lightweight Directory Access Protocol (LDAP) Authentication
Substituting variables in notification templates
How the quarantine action works
Recover the quarantined items

Lightweight Directory Access Protocol (LDAP) Authentication


VirusScan Enterprise for Linux requires an authenticated user name to access the interface and to
configure the software. The user can be authenticated from the local system, Active Directory, or from
an external database and locations.
The software uses the Pluggable Authentication Module (PAM) subsystem for user authentication.
The software asks the PAM subsystem to authenticate the user by passing it the user credential.
The PAM subsystem verifies the credential and reports whether or not the user is authenticated.
Before sending the user credential to the PAM subsystem for authentication, the software ensures that
the user name matches the name provided during the installation.
When installing the software, the installer prompts you to select the administrator user.
The default user is nails and the default group is nailsgroup.
When you provide the user and group name, the installer checks whether the user exists in the
system. If the user name does not exist, it creates the user and group in the local system.
When using LDAP authentication, make sure that the user name and user group do not exist in the
local system. If they exist, delete the user name and user group before proceeding.

Authentication from Active Directory


You can authenticate the user and group from the Active Directory.


Before installing the software, make sure that:

The user account is created in the Active Directory or the location from where you want to
authenticate.

The user name and group do not exist in the local system. You can verify it using these
commands:

  grep [username] /etc/passwd
  To verify the user name. A blank reply confirms that the user name does not exist.

  grep [groupname] /etc/group
  To verify the user group. A blank reply confirms that the user group does not exist.

The operating system is able to resolve the user and group authentication. You can verify it using
these commands:

  getent passwd [username]
  To verify the user name. A blank reply confirms that the user name does not exist.

  getent group [groupname]
  To verify the user group. A blank reply confirms that the user group does not exist.

  userdel [username]
  To delete the user name, execute this command.

  groupdel [groupname]
  To delete the user group, execute this command.
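
The pre-install checks above can be combined into one script. This is an added example, not part of the product guide or the product; the function names are hypothetical. It compares the whole first field of each passwd or group line, because a plain grep also matches substrings such as "nails" inside "snails" or inside a home directory path.

```shell
#!/bin/sh
# Added example: pre-install check for a directory-backed administrator
# account. Function names are hypothetical, not part of the product.

# local_entry_exists FILE NAME
# True if NAME is exactly the first colon-separated field of a line in FILE.
local_entry_exists() {
    awk -F: -v name="$2" '$1 == name { found = 1 } END { exit !found }' "$1"
}

# local_conflicts USER GROUP [PASSWD_FILE] [GROUP_FILE]
# Prints one line per local entry that must be deleted before installing.
# Returns 0 when neither name exists locally, 1 otherwise.
local_conflicts() {
    lc_status=0
    if local_entry_exists "${3:-/etc/passwd}" "$1"; then
        echo "local user '$1' exists: remove it with userdel"
        lc_status=1
    fi
    if local_entry_exists "${4:-/etc/group}" "$2"; then
        echo "local group '$2' exists: remove it with groupdel"
        lc_status=1
    fi
    return "$lc_status"
}

# directory_resolves USER GROUP
# True if the name service switch (LDAP, Active Directory, ...) resolves both
# names. Only meaningful once local_conflicts has returned 0, because getent
# also returns entries from the local files.
directory_resolves() {
    getent passwd "$1" >/dev/null 2>&1 && getent group "$2" >/dev/null 2>&1
}

# Demo on constructed files, so nothing on the real system is read or changed.
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
              'snails:x:1001:1001::/home/snails:/bin/sh' > "$demo_dir/passwd"
printf '%s\n' 'root:x:0:' 'nailsgroup:x:1002:' > "$demo_dir/group"

# "snails" must not count as "nails"; the local group is a real conflict.
if local_conflicts nails nailsgroup "$demo_dir/passwd" "$demo_dir/group"; then
    echo "no local conflicts"
fi
rm -rf "$demo_dir"
```

On a real host, call local_conflicts with only the user and group names, then directory_resolves with the same names.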

Substituting variables in notification templates


You can use variables for substitution in notification messages.
The notification messages described in the Notifications section can use variables that the software
substitutes when sending a message. For example, the template message:
File, %filename% is infected on %hostname%.
becomes
File, example.exe is infected on computer1.
The following table lists all the available variables. Some variables are valid only in particular
instances.
Table 8-1 Substitution variables

Valid for | Variable | Equivalent field in the interface | Description
All alerts | %hostname% | <none> | Name of the host on which VirusScan Enterprise for Linux is installed.
All alerts | %hostip% | <none> | IP address of host on which VirusScan Enterprise for Linux is installed.
All alerts | %productversion% | Host Summary page, Product Version | Version of the product.
Item detected | %detectedas% | Detected Items page, Detected As | Name of the virus.
Item detected | %detectedby% | Detected Items page, Task | "On-Access" if detected by the on-access process, or name of the On-Demand task which detected the infection.
Item detected | %detectedtime% | Detected Items page, Time | Date and time on the local host for detected item.
Item detected | %detectedtype% | Detected Items page, Detected Type | Type of the virus.
Item detected | %detectedutc% | Detected Items page, Time | Date and time on the local host, with UTC offset in brackets. For example: May 02 2008 12:30:12 (+5:30 UTC).
Item detected | %engineversion% | Host Summary page, Engine Version | Version number of the scanning engine.
Item detected | %extradatcount% | Host Summary page, Extra DAT | Number of signatures in the ExtraDAT file.
Item detected | %extradatflag% | Host Summary page, Extra DAT | Yes or No to indicate if an ExtraDAT file is present.
Item detected | %filename% | Detected Items page, File Name | Name of the file which was scanned (excluding path).
Item detected | %path% | Detected Items page, Path | Name of the file which was scanned (including path).
Item detected | %process% | Detected Items page, Process | Name of process resulting in the scan.
Item detected | %result% | Detected Items page, Result | Result of any action taken for the detected infection.
Item detected | %user% | Detected Items page, User | Name of user who caused the scan.
Out of date, and Item detected | %datage% | <none> | Age of the DAT files in days, from the VirusScan Enterprise for Linux host date and time.
Out of date, and Item detected | %datdate% | Host Summary page, DAT Date | Date when the current DAT files were created.
Out of date, and Item detected | %datversion% | Host Summary page, DAT Version | Version of the DAT files.
Configuration change | %configchange% | <none> | Configuration changes made: modified, on-access detection enabled, or on-access detection disabled.
System events | %eventcode% | System Events page, Code | Error code for the event.
System events | %eventdescription% | System Events page, Description | Error description for the event.
System events | %eventtime% | System Events page, Time | Date and time on the local host for event.
System events | %eventtype% | System Events page, Type | Error type for the event.
System events | %eventutc% | System Events page, Time | Date and time for the event on the local host, with UTC offset in brackets. For example: May 02 2008 12:30:12 (-5:00 UTC).
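
Because some variables are valid only for particular alerts, a template can be checked against the "Valid for" column of Table 8-1 before it is used. The script below is an added example, not part of the product; the function names and the alert-kind keywords (detected, outofdate, config, system) are assumptions made for this sketch, and variable names are matched exactly as the table spells them.

```shell
#!/bin/sh
# Added example: lint a notification template against Table 8-1.
# The alert-kind keywords are names chosen for this sketch, not product settings.

# template_vars TEMPLATE: print the name of each %name% token, one per line.
template_vars() {
    printf '%s\n' "$1" | awk '{
        s = $0
        while (match(s, /%[A-Za-z]+%/)) {
            print substr(s, RSTART + 1, RLENGTH - 2)
            s = substr(s, RSTART + RLENGTH)
        }
    }'
}

# valid_for NAME: print the alert kinds for which NAME is valid according to
# the "Valid for" column of Table 8-1; fail if NAME is not in the table.
valid_for() {
    case $1 in
        hostname|hostip|productversion)
            echo "detected outofdate config system" ;;
        detectedas|detectedby|detectedtime|detectedtype|detectedutc|\
        engineversion|extradatcount|extradatflag|\
        filename|path|process|result|user)
            echo "detected" ;;
        datage|datdate|datversion)
            echo "outofdate detected" ;;
        configchange)
            echo "config" ;;
        eventcode|eventdescription|eventtime|eventtype|eventutc)
            echo "system" ;;
        *)  return 1 ;;
    esac
}

# lint_template KIND TEMPLATE
# Prints one finding per problem variable; returns 0 if the template is clean.
lint_template() {
    lt_status=0
    for lt_var in $(template_vars "$2"); do
        if ! lt_kinds=$(valid_for "$lt_var"); then
            echo "%$lt_var%: not a substitution variable"
            lt_status=1
            continue
        fi
        case " $lt_kinds " in
            *" $1 "*) ;;
            *)  echo "%$lt_var%: not valid for '$1' alerts (valid for: $lt_kinds)"
                lt_status=1 ;;
        esac
    done
    return "$lt_status"
}

# Constructed sample: an "out of date" alert that wrongly refers to a file.
lint_template outofdate \
    'DAT files on %hostname% are %datage% days old (last file: %filename%).' ||
    echo "template needs fixing"
```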


How the quarantine action works


VirusScan Enterprise for Linux isolates infected files into a quarantine directory.
The processes that the software uses depend on the relative locations of the infected file and the
quarantine directory, and on the features of the file system.
In some cases, moving the infected file by copying then deleting is not suitable. In every case, the
software works to prevent loss of security and the further spread of malware and other potentially
unwanted software. The software uses the following techniques to quarantine infected files:

If the file system supports hard links and the infected file is on the same file system, the software
creates a hard link to the quarantine directory, then unlinks the infected file. If the unlink fails, the
software unlinks the copy in the quarantine directory, so that only the original infected file remains.

If the infected file is on a remote file system, the software copies the infected file into the
quarantine directory only if the quarantine directory is also on that remote file system. This method
prevents the spread of infection between hosts.

The software verifies that it can copy the infected file into the quarantine directory and that it can
delete the file from the quarantine directory. This method prevents creation of a copy of an infected
file that cannot be deleted.

If the software cannot delete the original infected file, it deletes the copy of the file in the
quarantine directory so that only the original infected file remains.

If the quarantine action fails, the software uses the secondary action. If that action fails, the software
uses its fallback action. For on-access scanning, the software blocks access to the infected file. For
on-demand scanning, the software reports that the file is infected.
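
The same-file-system case described above (hard link into the quarantine directory, unlink the original, roll back if the unlink fails) can be reproduced in a scratch directory. This is an added sketch of the described behaviour, not the product's code; the function names and the quarantine file naming are hypothetical, and it assumes the GNU coreutils stat found on Linux.

```shell
#!/bin/sh
# Added example: hard-link quarantine with rollback, as a sketch of the
# behaviour described in the text. Not the product's implementation.

# remove_original PATH: kept as its own function so the rollback branch can
# be exercised by replacing it with a version that fails.
remove_original() {
    rm -- "$1" 2>/dev/null
}

# quarantine_file SRC QDIR
# On success prints the quarantine path and returns 0.
# Returns 2 if SRC and QDIR are on different file systems (a hard link
# cannot cross file systems), 3 if the link cannot be created, and 4 if the
# original cannot be unlinked (the quarantine link is then removed again).
quarantine_file() {
    q_src=$1
    q_dir=$2
    q_dest="$q_dir/$(basename "$q_src").$$"

    # Compare the device numbers of the two directories.
    if [ "$(stat -c %d "$(dirname "$q_src")")" != "$(stat -c %d "$q_dir")" ]; then
        return 2
    fi

    # Step 1: give the file's inode a second name inside the quarantine
    # directory. No data is copied, so there is never a second infected copy.
    ln -- "$q_src" "$q_dest" 2>/dev/null || return 3

    # Step 2: remove the original name.
    if ! remove_original "$q_src"; then
        # Rollback: drop the quarantine name so only the original remains.
        rm -f -- "$q_dest"
        return 4
    fi
    printf '%s\n' "$q_dest"
}

# Demo in a scratch directory with a constructed, harmless file.
work=$(mktemp -d)
mkdir "$work/data" "$work/quarantine"
printf 'constructed sample\n' > "$work/data/sample.bin"
if moved=$(quarantine_file "$work/data/sample.bin" "$work/quarantine"); then
    echo "quarantined as $moved, link count $(stat -c %h "$moved")"
fi
rm -rf "$work"
```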

Recover the quarantined items


Recover quarantined items only when you are sure that the file is not malware. You can
submit the quarantined files to McAfee Labs to make sure that the files are not malware.
Before you begin
You must have the root permission to run these commands.


Task
1 Log on from the terminal as root user.
2 List the quarantined files:

  /opt/NAI/LinuxShield/bin/nails quarantine --list

  For example, if the file malware_sample from the /test directory is quarantined, you get the output
  as: /quarantine/QXXXXX.XXXX.XXXXX.XXXX.meta: /test/malware_sample, where each X
  represents a numeric value.
3 Recover the file:

  /opt/NAI/LinuxShield/bin/nails quarantine --recover <meta-file path> <destination-file>

  The destination file is optional. If you do not specify the destination file, VirusScan Enterprise for
  Linux restores the file to the directory from which it was quarantined.

  For example, to recover the QXXXXX.XXXX.XXXXX.XXXX.meta file, execute this command:

  /opt/NAI/LinuxShield/bin/nails quarantine --recover /test/Qxxxxx.xxxx.xxxxx.xxxx.meta /home/recover/tested_recovered_file

  This command recovers the QXXXXX.XXXX.XXXXX.XXXX.meta file and stores it as
  tested_recovered_file in the /home/recover directory.

After recovering the file, if you access the file and the current DAT detects this file as an infected
file, it might be moved to the quarantine directory. To avoid quarantining, exclude the file or
directory from the scanning before accessing the recovered file.


Troubleshooting

These are tested solutions to known situations that you might encounter when installing or using the
product.
Contents
Frequently asked questions
Error messages
Contact information

Frequently asked questions


Contains troubleshooting information in the form of frequently asked questions.

Installation
This section helps you with the frequently asked questions related to the software installation.

Where do I find the list of supported browsers?


1 From the product's Log on page, click
2 The supported browsers are listed in the Login Help page.

You can also refer to the System Requirements section of the product Release Notes.

Scanning
This section helps you with the frequently asked questions related to on-access and on-demand
scanning.

Why are some files being scanned and detected twice since the quarantine
directory was changed?
The software maintains a cache to record details of files that have been scanned. Changing the
quarantine directory flushes the cache. So the software must rescan the file to ensure that its
information is up to date.

Some large files are not scanned completely and time out before scanning
completes.
On servers with low-specification hardware, the software abandons scanning of some large files
because of the length of time taken. You can increase the time-out value at Maximum scan time on the
On-Access Settings page and the On-Demand Settings page.


Why does a file disappear or report "access denied" when an operation (such as
cat) is performed on it?
The file is infected, and has been cleaned (or deleted or quarantined), or denied access by the
on-access scanner. View Detected Items in the browser interface to see if malware was detected in that
file.

How can I release a file where the on-access scanner has denied access?
Add the file to the list of paths excluded (on the On-Access Settings page), or create a directory on the
same file system, and add that directory to the list. Use mv to move the file to the exclusion directory.
Because mv is a meta-data change, it does not cause any on-access scanning.
If the software has blocked the file, the file is likely to be infected, and is not scanned again when in an
excluded directory.

Viruses and detection


How can I be sure that the anti-virus software is working?
You can test the operation of the anti-virus software by running a test file on any computer where you
have installed the software. The EICAR Standard AntiVirus Test File was developed by the European
Institute of Computer Anti-virus Research (EICAR), a coalition of anti-virus vendors, as a method for
their customers to test any anti-virus software.
To test scanning:
1 Open a standard text editor, then type the following character string as one line, with no spaces or
line breaks:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The line shown above should appear as one line in your text editor window, so be sure to maximize
your text editor window and delete any line breaks. Also, be sure to type the letter O, not the
number 0, in the "X5O..." that begins the test message.

If you are reading this manual on your computer, you can copy the line directly from the
file and paste it into your text editor. If you copy the line, be sure to delete any carriage
returns or spaces.
2 Save the file with the name EICAR.COM. The file size will be between 68 and 70 bytes (depending
on end-of-line characters appended by the editor).
3 Upload the EICAR test file to any of the default Shares.

When your software scans this file, it reports finding the EICAR test file.
This file is not a virus: it cannot spread or infect other files, or otherwise harm your computer.
Delete the file when you have finished testing your scanner to avoid alarming other users.

How can I find out more about the effect of a virus?


Visit our website. For more information, see Contact information.

What should I do if I find new malware?


If you suspect you have a file that contains malware and the scanning engine does not recognize it,
submit a sample to McAfee Labs. Click Submit a Sample on the Links bar to view the McAfee
KnowledgeBase article to submit malware samples.


Where is information about VirusScan Enterprise for Linux recorded?


By default, the software records information about detections, system events, and events related to
tasks. You can view the information at the Detected Items and System Events pages of the browser-based
interface. In addition, you can configure logging to SYSLOG from the General Settings page.

What kind of information is recorded?


The recorded information includes the following:

Detections of viruses and other potentially unwanted software, and the result of any action taken.

Events such as scanning status and errors.

Events for specific tasks such as updates to DAT files, and on-demand scanning tasks.

What happens to the log messages if the system logger is not working?
If SYSLOG logging is enabled (from the General Settings page) and syslog has stopped due to a fault, all
log messages are printed on the console. Apart from SYSLOG, VirusScan Enterprise for Linux stores
logs in the event database. You can view the information at the Detected Items and System Events pages of
the browser-based interface.

General information
This section helps you with frequently asked questions about general information, such as
contacting technical support.

How do I contact Technical Support?


See Contact information for the address.
Before speaking to McAfee Technical Support, try to have the following information ready:

Any additional hardware that is installed.

The browser being used and its version.

A diagnostic report. You can produce this:

In the Scanning Summary page, click Diagnostic Report. You can select all the text, copy it, then paste
it in a text editor.

Where can I obtain the open source code for third-party components?
Open source code is available on the products download site. See Contact information.

Server certificate failed the authenticity test


This message appears on browsers during logon, because the certificate is self-signed. You might
ignore this message and click Continue.


Error messages
The software error messages appear on the browser and system events log.
Error messages appear in several forms:

Messages displayed in the browser, as shown in the Understanding error messages section. These are
browser problems and errors reported by the web server.

Messages logged in the system events log. For a list of categories of these messages, see the next
table.

Table 9-1 Error code ranges for System Events log

Range | Error Categories | Description
3000-3999 | Anti-virus Engine errors | Errors which occur during scanning or cleaning reported by the anti-virus engine.
5000-5999 | Scan Manager | Errors reported by the nailsd process, which controls the scanners.
6000-6999 | Logging errors | Errors reported by the logging subsystem. If the error logging system fails, errors are directed to SYSLOG.
7000-7999 | Configuration errors | Errors found when parsing values in the configuration files.
8000-8999 | Exclusions and filtering errors | Errors found when processing the information about files excluded from scanning, or which extensions to scan.
9000-9999 | Monitoring errors | Errors reported by the monitoring processes that provide administration of the product.
11000-11999 | IPC errors | Errors reported during inter-process communication.
12000-12999 | On-demand scanner errors | Errors reported by the on-demand scanner.
13000-13999 | Command processor errors | Internal errors for the commands used during inter-process communication.
14000-14999 | Anti-virus Engine scan errors | Errors reported by the anti-virus engine when processing a specific file.
15000-15999 | Task Scheduler errors | Errors reported by the task scheduler.
16000-16999 | SMTP Alerting errors | Errors reported by the SMTP alerting component.

Contact information
Use this contact information to reach the threat center, download site, technical support, customer
service, and professional services.

McAfee Threat Center


McAfee Labs: http://www.mcafee.com/us/mcafee_labs/index.html
McAfee Threat Center: http://vil.mcafeesecurity.com
McAfee Labs .DAT Notification Service Opt-In: https://secure.mcafee.com/apps/mcafee-labs/dat-notification-signup.aspx

McAfee download site


Homepage: http://www.mcafee.com/us/downloads/

Products and Upgrades (requires a valid grant number)

Product Documentation

Product Evaluation

McAfee Beta Program

McAfee Technical Support


Homepage: http://www.mcafee.com/us/support/index.html
KnowledgeBase Search: http://knowledge.mcafee.com
McAfee Technical Support portal (for logon credentials): https://mysupport.mcafee.com/eservice_enu/start.swe

McAfee customer service


Web: http://www.mcafee.com/us/support/index.html or http://www.mcafee.com/us/about/contact/index.html
Phone: +1-888-VIRUS NO or +1-888-847-8766, Monday - Friday, 8 a.m. - 8 p.m., Central Time

McAfee professional services


Enterprise: http://www.mcafee.com/us/enterprise/services/index.html
Small and Medium Business: http://www.mcafee.com/us/smb/services/index.html
