McAfee AntiVirus Enterprise/ePolicy Orchestrator tips and tricks

Over the last couple of months, I’ve been helping one of my clients to gain some control over their anti-virus infrastructure using McAfee VirusScan Enterprise and ePolicy Orchestrator (ePO).

I’m more used to Symantec AntiVirus Corporate Edition with its Symantec System Center Console, but ePO was easy to install (the installation wizard will install MDAC 2.7 if required as well as MSDE if there is no SQL Server available) and although it seems a bit complex to start with, once you get your head around how the ePO directory works (and how it can integrate with Active Directory) as well as the terminology (distributed repositories, rogue system detection sensors, notification rules, etc.) then it actually seems like quite a good product (although the HTTP-based administration console can be a bit flaky at times and ePO maintains its own set of security principals). The reporting tools seem pretty good too.

For anyone trying to get to grips with ePO, there is a whole heap of high-quality product documentation, but as a starting point, I recommend a look at the ePO quick reference card. Unfortunately I can’t link all of the documentation here as you need to have purchased the product to access that part of the McAfee/Network Associates website but it is available for download if you have a valid grant number (having said that, some quick googling has turned up a copy of the English version of the quick reference card on the Danish McAfee site).

One thing that I found particularly confusing was the change in where the McAfee AntiVirus Enterprise product writes its log files, once the ePO agent is enabled. Ordinarily, McAfee AntiVirus Enterprise writes log files to %allusersprofile%\Application Data\Network Associates\VirusScan\ with the main files of interest being onaccessscan.txt (used by the VirusScan On-Access Scan), ondemandscan.txt (used by the VirusScan On-Demand Scan) and updatelog.txt (used for updates via the VirusScan console). Depending on the configuration, and the version of McAfee Enterprise in use there may also be other log files in existence (e.g. accessprotectionlog.txt, bufferoverflowprotectionlog.txt and emailondeliverylog.txt).

This all changes once the ePO agent is activated as ePO stores its logs under %allusersprofile%\Application Data\Network Associates\Common Framework\. This folder actually contains a number of useful XML files, as well as mcscript.txt (which details script engine actions, such as processing updates), updatehistory.ini (which includes details of configuration items such as the site last used for updates); but even more useful is a file in the \Db subfolder which is named agent_%computername%.xml. Formatted using frameworklog.xsl, this is the McAfee Agent Activity log, which shows policy enforcement actions along with links to four more files in the same directory – the current and previous framework service logs (agent_%computername%.log and agent_%computername%_backup.log) and the current and previous Networks Associates product manager logs (prdmgr_%computername%.log and prdmgr_%computername%_backup.log).

Together, these logs are really useful for troubleshooting, like when a really out of date client wouldn’t update because the latest anti-virus signature (.DAT) file didn’t work with the version of the engine that was installed. One of my colleagues found a superDAT to solve that problem, but it was these logs which confirmed where the issue was.

Whilst on the subject of ePO, a few months back I blogged about adding policy pages to ePO.

So that’s it, a few tips and tricks for anybody implementing a McAfee-based anti-virus management solution.

Microsoft acquires FrontBridge

Back in March, I wrote about some new e-mail message continuity services from FrontBridge. Well, according to a press release just received from Microsoft, FrontBridge is about to become Microsoft’s latest acquisition as it steps up its systems management and security capabilities. With the purchase of Giant Company (anti-spyware), Sybari (anti-virus) and now FrontBridge (anti-spam and message continuity), Microsoft’s security arsenal is starting to look good. It will be interesting to see how these purchases shape up and whether they are integrated into Windows, retained on an application service provider (ASP) basis, or developed into one or more new products, perhaps as part of the System Center family, or (in the case of FrontBridge) maybe we will see some of the new technology integrated into Exchange 12?

Watch out for cookies when using the Microsoft AntiSpyware beta

Last year I blogged about Microsoft’s acquisition of Giant Software and I’ve been using their AntiSpyware Beta since it was made available in January; but last week I was looking at the inordinate amount of spam my Dad receives and that got me thinking about the overall security on his PC (which has my e-mail addresses in the address book!). After installing Lavasoft Ad-Aware SE Personal, I found that the Microsoft AntiSpyware Beta product he had been using was doing a pretty good job, but there were a load of tracking cookies which it had not identified. Today, I ran the same tests on two of my PCs and found the same.

As the Microsoft product is based on Giant’s well-regarded software I decided to look a bit deeper…

It turns out that although the Giant version of the product scans for cookies, the Microsoft version does not as they are not regarded as a threat (despite Ad-Aware classifying them as critical objects). In their information for Giant AntiSpyware users who have active subscriptions, Microsoft says:

“Giant AntiSpyware detects and removes cookies from your computer. Because many Web sites require the use of cookies to enable a great user experience, Windows AntiSpyware (Beta) does not remove cookies.”

So are cookies a threat? The answer is both “Yes” and “No”. Quoting from an HP article on where spyware hides:

“Cookies can help users streamline online transactions, remember browsing preferences and user profiles, and personalize pages. Many users don’t realize that cookies can be used to compile data so companies can construct a profile about the websites they visit and the web banner advertisements they click through. This information is mined so companies can deliver targeted ads.

Some websites respectfully use temporary cookies (session cookies) that disappear when you close the browser. Many more websites use persistent cookies that remain on your hard drive indefinitely. Microsoft Internet Explorer and Netscape Navigator, the two most popular browsers, still send out existing cookies even if you’ve disabled cookies in your browser settings. This means you must delete cookie files manually to keep from being tracked by third-party ad networks and spyware providers.”

And from the cookie demo:

“Some common uses for Internet cookies are:

  • An anonymous code given to you so the web site operator can see how many users return at a later time. These cookies are configured to stay on your system for months or years and are called “persistent” cookies.
  • A code identifying you. This usually occurs after a registration. The site could keep a detailed account of pages visited, items purchased, etc. and even combine the information with information from other sources once they know who you are.
  • A list of items you purchased. This is often used in “shopping cart” web sites to keep track of your order. Often cookies of this type ‘expire’ as soon as you log out or after a short time. These are called “session” cookies.
  • Personal preferences. This can be anonymous or linked to personal information provided during a registration.

Cookies are supposed to be only accessible from the site that placed them there. However, in some cases cookies from other sites show up in the log files so it is not a secure way to authenticate a user.”

So you can see that session cookies are fine. So are some persistent cookies (e.g. the one which tells the BBC website where I live so it can give me localised information); but most of the ones I found were tracking cookies for advertising sites. These are not good and I urge Microsoft to include cookie detection in the release version of Microsoft AntiSpyware (perhaps using the SpyNet AntiSpyware community to distinguish between good and bad cookies?).

Finally, for anyone worrying about what happens when their version of the Microsoft AntiSpyware Beta expires at the end of July, Microsoft has started to push updates and one of my PCs upgraded itself to version 1.0.614 today, which expires at the end of December. The others are still on 10.0.501 but I expect to see them do the same over the next few weeks.

Further reading

Adware/Spyware thread (
Cookie demonstration (
Microsoft AntiSpyware: Torn Apart

Adding policy pages to McAfee ePolicy Orchestrator

After installing Networks Associates/McAfee ePolicy Orchestrator (ePO) for a client, I was mystified by the lack of a policy page for VirusScan Enterprise 7.x. VirusScan Enterprise 8.0 was there, as were competitive products (e.g. Norton Antivirus Corporate Edition v7.5x/7.6/8.0).

Eventually, I found a document on the McAfee website, which described that the policy pages (NAP) required to change settings for VirusScan 4.5.1 and VirusScan Enterprise 8.0i were added to the server repository at install time but before it is possible to change settings for other products, their policy pages must be added to the server repository. These policy pages are stored locally and contain the files needed to change policy settings and create scheduled tasks for products.

Locating the VSE710.NAP file was reasonably straightforward (it is contained with the installation source for Virus Scan Enterprise 7.1). Once I had the file, I could follow the McAfee instructions for adding policy pages to the server repository, although with the version of ePO I was using (v3.5.0) the import process was slightly different to that illustrated as the check in package and check in NAP options have been separated.

Although this information is also available in the ePO v3.5 Product Guide, it does help to know that the key to this is a .NAP file. I spent a considerable amount of time trying to find this out, so I thought I’d blog it here for the benefit of anyone else…

Spyware re-enforces the need for network segmentation and remediation

There is no doubt that malicious software (malware) is on the increase. We have learnt how to deal with the ever increasing number of viruses, worms and Trojan horses, but spyware is now a major problem too.

Earlier this month, it was widely reported how a joint investigation by law enforcement agencies in Israel and the UK foiled an attempt to use keystroke logging software to gain access codes in order to steal £220 million from the Sumitomo Mitsui bank. This is believed to be the first recorded incident of spyware being used for large scale online theft.

For some time now, IT-savvy users have been checking for spyware with products such as Spybot Search and Destroy or Lavasoft Ad-Aware. Then Microsoft bought the Giant Company and soon afterwards released its Windows AntiSpyware beta product. According to IT Week, the final release will be free for registered Windows users, but corporates will need to pay for the enterprise version of the product. Now Symantec has joined the spyware market with Symantec Client Security v3.0 and Symantec AntiVirus Corporate Edition 10, both incorporating spyware detection and removal capabilities, whilst McAfee Anti-Spyware Enterprise aims to block malware before it reaches the corporate network. Other vendors, such as Websense, have added malware detection to their products but there is still a gaping hole in many organisation’s IT strategy – mobile users returning to the network.

Whilst many corporates will specificly ban consultants and other suppliers from connecting non-managed PCs to their network, some don’t – and in any case that is still only half the issue – what about the user who takes their laptop on the train or to the airport and connects to a wireless hotspot, or even to a less-regulated business partner’s network, then returns to the “safe” corporate LAN with who-knows-what malware on their PC? It may sound paranoid, but when I started to use anti-spyware products a couple of years back I was amazed how much rubbish had infected my work PC and I am just one user on a large network.

According to IT Week, in a survey of 500 European IT Managers commissioned by Websense, 60% said that their company does not have systems in place to guard against internal threats with 35% unable to deal with spyware (and 62% unable to block phishing attacks).

Protecting the network edge is all very well, but the guiding security principle of defence in depth needs to be applied. Networks need to be segregated, with firewalls (or at the very least separate VLANs) restricting traffic between segments but the real answer to the mobile user issue is remediation.

The principle behind remediation is that on returning to the corporate network, users will not be granted full access until their device has been scanned for operating system patches, anti-virus and anti-spyware signatures and any application patches required. Only once all of these have been installed, will the user be granted full access to the network. Of course, as Dave Bailey recently commented in his article will you pass the access test? which appeared in IT Week recently, there will be occasions when patches fail to apply, or when returning users simply have too many updates to be applied and it impacts on their legitimate business operations (but not half as much as a full-blown network attack could impact on their business).

Both Microsoft and Cisco are preparing their remediation technology offerings. Cisco has it’s network admission control (NAC) technology, whilst Microsoft’s approach is network access protection (NAP) (when will they learn to read their acronyms phonetically – first WUS and now NAP). Unfortunately, NAP has been dropped from forthcoming ISA Server 2004 service/feature packs and instead will be held over for Longhorn (although Windows Server 2003 does offer network access quarantine control for users connecting via a VPN).

Microsoft buys into the anti-virus market

Following Microsoft’s recent foray into the anti-spyware market and ending months of speculation, Microsoft announced today that it is to attack another form of malware through its purchase of Sybari Software.

Whether anti-virus technologies will be included within Windows (alongside the Windows Firewall), or made available as a separate download (as for Microsoft Windows AntiSpyware) is yet to be seen but with the US Department of Justice and the European Union already investigating the bundling of middleware within Windows it will be interesting to see how Microsoft positions its new acquisition.

Microsoft’s new malware removal and anti-spyware products

This week, alongside the January security updates, Microsoft released the first version of its malware removal tool, called the Microsoft Windows Malicious Software Removal Tool (MSRT). New versions will be released on the second Tuesday of each month (with the monthly security updates) and each version will be cumulative.

Note that this is not the Microsoft Windows AntiSpyware tool (a separate beta of that product was released last week, based on the anti-spyware application gained in the purchase of Giant Company), nor is it an anti-virus tool – MSRT is simply a rollup of all the malware removal utilities that Microsoft has previously released.

Protection against mobile malware

As mobile phones offer more and more computing functionality, anti-virus technologies for smartphones have become an inevitable reality.

Back in June 2004, the Symb/Cabir-A worm was released (as reported by the BBC and others). The target is the Symbian operating system – just as for Windows on a PC, virus-writers and hackers will attack the largest user base first.

Let’s face it – no hacker will get any credit for exploiting a security hole in something obscure – that’s why Microsoft gets so much bad security press and Linux and Macintosh users say “my system is secure” – in reality they are probably no more secure than a well-configured Windows system, just not such a target.

According to an article at the PC World website, Nokia are addressing the issue by teaming up with F-Secure to offer subscription-based anti-virus protection for their Series 60 smartphones, starting with the forthcoming Nokia 6670. Quoting from Nokia:

“F-Secure Mobile Anti-Virus is available for the Nokia 6670 imaging smartphone, providing automatic, transparent real-time protection against harmful content locally on the mobile phone. Updating the phone’s virus database can be done either over an HTTPS connection or, in critical cases, by SMS message.”

Cabir uses bluejacking as a mechanism to spread and as most people are oblivious (no nice IT department managing the security of consumer mobile phones!), the best advice I can give is to set your phone to undiscoverable or hidden. There is also some advice on “mobile malware” at the Nokia website.

You can learn more about Bluejacking at the BluejackQ website. To make matters worse, a colleague of mine found this document, which suggests some people are thinking of using it as a marketing channel.